Patents Assigned to Mandiant, LLC
  • Patent number: 9275229
    Abstract: A method to circumvent malicious software via a system configured to bypass a device driver stack and, consequently, also bypass the malicious software that may be adversely affecting the device driver stack by using an alternative stack such as a crash dump I/O stack. The crash dump I/O stack is poorly documented relative to the device driver stack and functions independently from the device driver stack.
    Type: Grant
    Filed: March 15, 2012
    Date of Patent: March 1, 2016
    Assignee: MANDIANT, LLC
    Inventor: Aaron LeMasters
  • Patent number: 9268936
    Abstract: The method of the present inventive concept is configured to utilize Operating System data structures related to memory-mapped binaries to reconstruct processes. These structures provide a system configured to facilitate the acquisition of data that traditional memory analysis tools fail to identify, including by providing a system configured to traverse a virtual address descriptor, determine a pointer to a control area, traverse a PPTE array, copy binary data identified in the PPTE array, generate markers to determine whether the binary data is compromised, and utilize the binary data to reconstruct a process.
    Type: Grant
    Filed: July 27, 2012
    Date of Patent: February 23, 2016
    Assignee: MANDIANT, LLC
    Inventor: James Butler
  • Patent number: 9106630
    Abstract: A system and method for gathering data from a plurality of computer environments. The computer environments are authenticated, data is copied from the plurality of authenticated computer environments to a memory location, and access to the memory location is provided to a plurality of authenticated users. The data may be marked so that a user may determine which computer environment provided the data.
    Type: Grant
    Filed: February 1, 2008
    Date of Patent: August 11, 2015
    Assignee: MANDIANT, LLC
    Inventors: Matthew Frazier, Jason Shiffer, David Merkel, Kevin Mandia, Lois Cozzi, Matthew Pepe
  • Patent number: 8949257
    Abstract: A system and method for analyzing data from a plurality of computer environments. The computer environments are authenticated and data is imported to a memory location. The data is converted into a uniform format to enable expedited searching by one or more authenticated users. The data may be marked so that a user may determine which computer environment provided the data. The system may also create one or more indexes of the data to assist one or more users in searching the data.
    Type: Grant
    Filed: February 1, 2008
    Date of Patent: February 3, 2015
    Assignee: Mandiant, LLC
    Inventors: Jason Shiffer, Matthew Frazier, Sean Cunningham, Scott Hogsten, Eric Helvey, James Butler, Peter Villadsen
  • Patent number: 8881271
    Abstract: A system and method for employing memory forensic techniques to determine operating system type, memory management configuration, and virtual machine status on a running computer system. The techniques apply advanced techniques in a fashion to make them usable and accessible by Information Technology professionals that may not necessarily be versed in the specifics of memory forensic methodologies and theory.
    Type: Grant
    Filed: August 1, 2008
    Date of Patent: November 4, 2014
    Assignee: Mandiant, LLC
    Inventor: James Robert Butler, II
  • Patent number: 8793278
    Abstract: A system and method for searching for computer environments, authenticating the computer environments, and copying data from the authenticated computer environments to a memory location. The data is marked or bound to the computer system it was copied from, which provides a user with assurance that the data was obtained from a specific, authenticated source. The computer environments and the memory location may be coupled over a network.
    Type: Grant
    Filed: March 28, 2011
    Date of Patent: July 29, 2014
    Assignee: Mandiant, LLC
    Inventors: Matthew Frazier, Jason Shiffer, David Merkel, Kevin Mandia, Matthew Pepe
  • Patent number: 8713681
    Abstract: Detecting executable machine instructions in a data is accomplished by accessing a plurality of values representing data contained within a memory of a computer system and performing pre-processing on the plurality of values to produce a candidate data subset. The pre-processing may include determining whether the plurality of values meets (a) a randomness condition, (b) a length condition, and/or (c) a string ratio condition. The candidate data subset is inspected for computer instructions, characteristics of the computer instructions are determined, and a predetermined action taken based on the characteristics of the computer instructions.
    Type: Grant
    Filed: October 27, 2009
    Date of Patent: April 29, 2014
    Assignee: Mandiant, LLC
    Inventors: Peter J. Silberman, James R. Butler, II, Nick J. Harbour
  • Patent number: 8713051
    Abstract: A system and method for searching for computer environments, authenticating the computer environments, and copying data from the authenticated computer environments to a memory location. The data is marked or bound to the computer system it was copied from, which provides a user with assurance that the data was obtained from a specific, authenticated source. The computer environments and the memory location may be coupled over a network.
    Type: Grant
    Filed: March 28, 2011
    Date of Patent: April 29, 2014
    Assignee: Mandiant, LLC
    Inventors: Matthew Frazier, Jason Shiffer, David Merkel, Kevin Mandia, Matthew Pepe