Difference between pages "Memory Imaging" and "Programming"

From Forensics Wiki

Revision as of 15:14, 14 January 2014

= Programming =

{{expand}}

Although this is a wiki largely about digital forensics, understanding how code comes to be and the challenges involved in writing it is good practice: it helps in understanding how an attacker was able to compromise an organization's computer systems, and why the software you are analyzing behaves the way it does.

== External Links ==

=== C Programming ===
* [http://blog.llvm.org/2011/05/what-every-c-programmer-should-know.html What Every C Programmer Should Know About Undefined Behavior #1/3], by Chris Lattner, May 13, 2011
* [http://blog.llvm.org/2011/05/what-every-c-programmer-should-know_14.html What Every C Programmer Should Know About Undefined Behavior #2/3], by Chris Lattner, May 14, 2011
* [http://blog.llvm.org/2011/05/what-every-c-programmer-should-know_21.html What Every C Programmer Should Know About Undefined Behavior #3/3], by Chris Lattner, May 21, 2011

[[Category:Programming]]

= Memory Imaging =

{{expand}}

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O.

The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]]. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.

== Methods ==

=== Reading from the Physical Memory Object ===
In [[Windows]] the Physical Memory Object, \\Device\PhysicalMemory, can be used to access physical memory. Since Windows 2003 SP1 user-mode access to this device object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. A kernel-mode process is still allowed to read from this device object.

=== MmMapIoSpace ===
The MmMapIoSpace function (or routine) is a kernel-mode function that maps a physical address range into non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx].

== Also see ==
[[:Tools:Memory_Imaging|Memory Imaging Tools]]

== External Links ==
* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf Anti-forensic resilient memory acquisition], by [[Johannes Stuettgen]] and [[Michael Cohen]], DFRWS 2013
* [http://takahiroharuyama.github.io/blog/2014/01/07/64bit-big-size-ram-acquisition-problem/ 64bit Big Sized RAM Image Acquisition Problem], by [[Takahiro haruyama]], January 7, 2014
* [http://brimorlabs.blogspot.com/2014/01/all-memory-dumping-tools-are-not-same.html All memory dumping tools are not the same], by [[Brian Moran]], January 14, 2014

[[Category:Memory Analysis]]
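The page-at-a-time mapping loop behind the MmMapIoSpace method, combined with the inaccessible ranges (memory-mapped I/O) that the Memory Imaging introduction mentions, as an added example that is not code from the Forensics Wiki page or from any tool it links to. It is a user-mode C model: the MmMapIoSpace/MmUnmapIoSpace calls appear only in comments, and the physical memory contents, the run table and the helper names (fill_phys, map_page, acquire_image) are constructed assumptions.

```c
/* Added example, not code from the Forensics Wiki page: a user-mode model of
 * the page-at-a-time loop a memory acquisition driver runs.  A real Windows
 * driver maps each page with MmMapIoSpace() and releases it with
 * MmUnmapIoSpace(); here a constructed array stands in for physical memory.
 * Ranges not in the run table (e.g. memory-mapped I/O) are never read and are
 * zero-filled, so image offset == physical address as a raw image needs. */
#include <stdint.h>
#include <string.h>
#define PAGE_BYTES 4096u
#define PHYS_BYTES (8 * PAGE_BYTES)  /* 8 constructed "physical" pages */
struct run { uint64_t start; uint64_t length; };  /* one accessible range */
static uint8_t phys[PHYS_BYTES];   /* constructed physical memory */
static const struct run runs[] = { /* pages 0-2 and 5-7 are RAM, 3-4 are MMIO */
    { 0 * PAGE_BYTES, 3 * PAGE_BYTES },
    { 5 * PAGE_BYTES, 3 * PAGE_BYTES },
};
/* Fill constructed page n with byte n + 1 so padding (0) and RAM differ. */
void fill_phys(void)
{
    for (unsigned n = 0; n < PHYS_BYTES / PAGE_BYTES; n++)
        memset(&phys[n * PAGE_BYTES], (int)(n + 1), PAGE_BYTES);
}

/* Stand-in for MmMapIoSpace(): a pointer to one page, NULL if out of range. */
static const uint8_t *map_page(uint64_t phys_addr)
{
    return phys_addr + PAGE_BYTES <= PHYS_BYTES ? &phys[phys_addr] : NULL;
}

/* Copy every accessible page into image (image_size bytes, whole pages) and
 * zero-fill everything else.  Returns pages copied, or -1 on bad input. */
long acquire_image(uint8_t *image, size_t image_size,
                   const struct run *table, size_t nruns)
{
    long copied = 0;
    if (!image || !table || image_size % PAGE_BYTES) return -1;
    memset(image, 0, image_size);                   /* padding for gaps */
    for (size_t i = 0; i < nruns; i++) {
        uint64_t end = table[i].start + table[i].length;
        for (uint64_t a = table[i].start; a < end; a += PAGE_BYTES) {
            if (a + PAGE_BYTES > image_size) break; /* image shorter than run */
            const uint8_t *p = map_page(a);         /* MmMapIoSpace(pa, PAGE_BYTES, MmNonCached) */
            if (!p) continue;                       /* unmappable page stays zero */
            memcpy(image + a, p, PAGE_BYTES);       /* one page at a time */
            copied++;                               /* MmUnmapIoSpace(p, PAGE_BYTES) */
        }
    }
    return copied;
}
```

The MMIO pages 3 and 4 are never touched by map_page, which is the property a real driver relies on: reading a device's registers can have side effects, so an acquisition tool only maps ranges the firmware or OS reports as RAM.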
