• The Value of Physical Memory Analysis for Incident Response
• Collecting Evidence From a Running Computer - www.SEARCH.org link

Legal Precedent for Memory Preservation and Analysis

• TorrentSpy judge decides RAM is stored information

• Active Reversing slide presentation (BlackHat 2007) (PDF)
• Active Reversing: The Next Generation of Reverse Engineering, BlackHat 2007 USA/Europe
• Exploiting Online Games, Addison Wesley, 2007
• Rootkits, Exploiting the Windows Kernel, ISBN-10: 0321294319, ISBN-13: 9780321294319 (Related book page)
• Hacking World of Warcraft®: An Exercise in Advanced Rootkit Design, BlackHat 2005/2006 USA/Europe/Asia)
• Exploiting Software, Addison Wesley, 2004, ISBN: 0-201-78695-8 (official book page)
  
• VICE - Catch the Hookers!, BlackHat 2004 USA
• Runtime Decompilation, BlackHat Windows Security 2003 Asia
• Exploiting Parsing Vulnerabilities, BlackHat 2002 USA/Asia
• Application Testing Through Fault Injection Techniques, BlackHat Windows Security 2002 USA/Asia
• Kernel Mode Rootkits, BlackHat 2001 USA/Europe/Asia, (Hoglund)
  
• Advanced Buffer Overflow Techniques, BlackHat 2000 USA/Asia, (Hoglund)
  
• A *REAL* NT Rootkit, patching the NT Kernel, 1999, Phrack magazine, (Phrack Magazine article)
  

• Watch: Physical RAM Acquisition and Analysis (watch now)
• Watch: Runtime Analysis of Optix Pro Trojan (watch now)
• Watch: Short demonstration of Responder Field Edition (watch now)

Inspector

• Watch: Behavioral set collection and layering
• Watch: Tracing data buffers (powerful)
• Watch: Sniffing decrypted packets (useful)
• Watch: Dynamic reconstruction of data structures
• Watch: Dynamic reconstruction of C++ classes
• Watch: Dynamic discovery of WoW player XYZ coordinate (fun with 3rd party ArtMoney)
• Watch: Phase Space Analysis in 3D