Research

This page lists my published research, such as books and peer-reviewed papers. The Presentations page lists my public presentations.

Books
The Art of Memory Forensics, Wiley, August 2014
CompTIA Advanced Security Practitioner Certification Student Manual, Axzo Press, June 2012
Peer-Reviewed Papers
A Step in a New Direction: NVIDIA GPU Kernel Driver Memory Forensics, DFRWS, 2024
Assessing the threat of Rosetta 2 on Apple Silicon devices, Forensic Science International: Digital Investigation, 2023
Memory Analysis of .NET and .NET Core Applications, Forensic Science International: Digital Investigation, 2022
Modern macOS userland runtime analysis, DFRWS, 2021
Seance: Divination of Tool-Breaking Changes in Forensically Important Binaries, DFRWS, 2021, Best Paper Award
Hooktracer: Automatic Detection and Analysis of Keystroke Loggers Using Memory Forensics, Computers & Security, 2020
AmpleDroid Recovering Large Object Files from Android Application Memory, IEEE/IFIP International Conference on Dependable Systems and Networks, 2020
Memory Analysis of macOS Page Queues, DFRWS, 2020
Gaslight revisited: Efficient and powerful fuzzing of digital forensics tools, Computers & Security, 2020
HookTracer: A System for Automated and Accessible API Hooks Analysis, DFRWS, 2019
Memory Forensics and the Windows Subsystem for Linux, DFRWS, 2018, Best Student Paper Award
Gaslight: A Comprehensive Fuzzing Architecture for Memory Forensics Frameworks, DFRWS, 2017
Detecting Objective-C Malware Through Memory Forensics, DFRWS, 2016, Best Paper Award
Advancing Mac OS X Rootkit Detection, DFRWS, 2015
In Lieu of Swap: Analyzing Compressed RAM in Mac OS X and Linux, DFRWS, 2014, Best Paper Award
Acquisition and Analysis of Volatile Memory from Android Devices, Digital Investigation, 2012
De-Anonymizing Live CDs through Physical Memory Analysis, Blackhat D.C. 2011
Treasure and Tragedy in kmem_cache Mining, DFRWS 2010
Dynamic Recreation of Kernel Data Structures for Live Forensics, DFRWS, 2010
FACE: Automated Digital Evidence Discovery and Correlation, DFRWS, 2008
Technical Guides
HowTo: Privacy & Security Conscious Browsing, 2015
Recovering and Analyzing Deleted Registry Files, 2011
Workshops
De-Anonymizing Live CDs through Physical Memory Analysis, SANS Security East 2012, January 2012, New Orleans
Registry Decoder, SANS Security East 2012, January 2012, New Orleans
Linux Memory Analysis with Volatility, Blackhat Vegas 2011
Trade Publications
Forensic Investigation of Live CDs, Evidence Technology Magazine, December 2011 Edition
Notable Blog Posts
Memory Forensics R&D Illustrated: Detecting Mimikatz's Skeleton Key Attack, Volatility Labs
Incorporating Disk Forensics with Memory Forensics - Bulk Extractor, Volatility Labs
Building a Decoder for the CVE-2014-0502 Shellcode, Volatility Labs
Solving the GrrCon Network Forensics Challenge with Volatility, Volatility Labs
Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit, Volatility Labs
Recovering tmpfs from Memory with Volatility, Memory Forensics Blog