ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between revisions of "Memory analysis"

From ForensicsWiki
Jump to: navigation, search
(Volatility Labs)
Line 30: Line 30:
* [ MoVP 2.2 Malware In Your Windows]
* [ MoVP 2.2 Malware In Your Windows]
* [ MoVP 2.3 Event Logs and Service SIDs]
* [ MoVP 2.3 Event Logs and Service SIDs]
* [ MoVP 2.4 Analyzing the Jynx rootkit and LD_PRELOAD]
[[Category:Memory Analysis]]
[[Category:Memory Analysis]]

Revision as of 18:40, 20 September 2012

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:

OS-Independent Analysis

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, Virtuoso, that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.

Encryption Keys

Various types of encryption keys can be extracted during memory analysis.

See Also

External Links

Volatility Labs