Difference between revisions of "Windows Memory Analysis"

From ForensicsWiki
Jump to: navigation, search
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
 
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
 +
 +
== Data types ==
 +
Data types typical to the WINAPI are documented by Microsoft in MS-DTYP [http://msdn.microsoft.com/en-us/library/cc230273.aspx].
  
 
== Sample Memory Images ==
 
== Sample Memory Images ==
Line 10: Line 13:
  
 
* The [[CFReDS Project]] has created some [http://www.cfreds.nist.gov/mem/memory-images.rar downloadable memory images].
 
* The [[CFReDS Project]] has created some [http://www.cfreds.nist.gov/mem/memory-images.rar downloadable memory images].
 +
 +
* A number of RAM images can be downloaded from http://forensic.belkasoft.com/bfs/en/download.asp. Images include ones with Gmail emails, Skype activity, Paltalk chats, browser URLs etc.
  
 
== See Also ==
 
== See Also ==
Line 26: Line 31:
  
 
==Bibliography==
 
==Bibliography==
 +
; 2012
 +
* [http://events.ccc.de/congress/2012/Fahrplan/events/5301.en.html Defeating Windows memory forensics], by Luka Milkovic, 29C3: 29th Chaos Communication Congress
 
; 2011
 
; 2011
 
* [http://prezi.com/goocmfeuiqdf/tracking-stuxnets-footprint-through-memory/ Tracking Stuxnet's Footprint Through Memory], Michael Ligh, Open Memory Forensics Workshop
 
* [http://prezi.com/goocmfeuiqdf/tracking-stuxnets-footprint-through-memory/ Tracking Stuxnet's Footprint Through Memory], Michael Ligh, Open Memory Forensics Workshop
Line 57: Line 64:
 
; Memory Analysis Bibliography
 
; Memory Analysis Bibliography
 
: http://www.4tphi.net/fatkit/#links
 
: http://www.4tphi.net/fatkit/#links
 +
 +
* [http://msdn.microsoft.com/en-us/library/cc230273.aspx MSDN: MS-DTYP]
  
 
[[Category:Bibliographies]]
 
[[Category:Bibliographies]]
 
[[Category:Memory Analysis]]
 
[[Category:Memory Analysis]]

Latest revision as of 04:53, 23 August 2014

Analysis of physical memory from Windows systems can yield significant information about the target operating system. This field is still very new, but holds great promise.

Data types

Data types typical to the WINAPI are documented by Microsoft in MS-DTYP [1].

Sample Memory Images

Getting started with memory analysis can be difficult without some known images to practice with.

See Also

History

During the 1990s, it became a best practice to capture a memory image during incident response. At the time, the only way to analyze such memory images was using strings. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.

In the summer 2005 the Digital Forensic Research Workshop published a Memory Analysis Challenge. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by Chris Betz, introduced a tool called memparser. The second, by George Garner and Robert-Jan Mora produced KnTList.

At the Blackhat Federal conference in March 2007, AAron Walters and Nick Petroni released a suite called volatools. Although it only worked on Windows XP Service Pack 2 images, it was able to produce a number of useful data. volatools was updated and re-released as Volatility in August 2007, and is now maintained and distributed by Volatile Systems.

Bibliography

2012
2011
2010
2009
2008
2007
2006

External Links

Jesse Kornblum Memory Analysis discussion on Cyberspeak
http://cyberspeak.libsyn.com/index.php?post_id=98104
Memory Analysis Bibliography
http://www.4tphi.net/fatkit/#links