Difference between pages "Blogs" and "Windows Memory Analysis"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
 
(Added sample memory images)
 
Line 1: Line 1:
[[Computer forensics]] related '''blogs''', '''fora''' and '''tweets'''.
+
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
  
= Blogs =
+
== Sample Memory Images ==
  
== English ==
+
Getting started with memory analysis can be difficult without some known images to practice with.
  
* [http://www.appleexaminer.com/ The Apple Examiner]
+
* The 2005 [[Digital Forensic Research Workshop]] [http://www.dfrws.org/2005/challenge/ Memory Analysis Challenge] published two Windows 2000 Service Pack 1 memory images with some [[malware]] installed.
* [http://computer.forensikblog.de/en/ Computer Forensics Blog], by [[Andreas Schuster]]
+
* [http://www.niiconsulting.com/checkmate/ Checkmate - e-zine on Digital Forensics and Incident Response]
+
* [http://www.infosecinstitute.com/blog/ethical_hacking_computer_forensics.html Jack Koziol - Ethical Hacking and Computer Forensics]
+
* [http://windowsir.blogspot.com/ Windows Incident Response Blog], by [[Harlan Carvey]]
+
* [http://geschonneck.com/ Computer Forensics Blog], by [[Alexander Geschonneck]]
+
* [http://forensicblog.org/ Computer Forensics Blog], by [[Michael Murr]]
+
* [http://forenshick.blogspot.com/ Forensic news, Technology, TV, and more], by [[Jordan Farr]]
+
* [http://unixsadm.blogspot.com/ UNIX, OpenVMS and Windows System Administration, Digital Forensics, High Performance Computing, Clustering and Distributed Systems], by [[Criveti Mihai]]
+
* [http://intrusions.blogspot.com/ Various Authors - Intrusions and Malware Analysis]
+
* [http://chicago-ediscovery.com/education/computer-forensics-glossary/ Computer Forensic Glossary Blog, HOWTOs and other resources], by [[Andrew Hoog]]
+
* [http://secureartisan.wordpress.com/ Digital Forensics with a Focus on EnCase], by [[Paul Bobby]]
+
* [http://www.crimemuseum.org/blog/ National Museum of Crime and Punishment-CSI/Forensics Blog]
+
* [http://forensicsfromthesausagefactory.blogspot.com/ Forensics from the sausage factory]
+
* [http://integriography.wordpress.com Computer Forensics Blog], by [[David Kovar]]
+
* [http://jessekornblum.livejournal.com/ A Geek Raised by Wolves], by [[Jesse Kornblum]]
+
* [http://computer-forensics.sans.org/blog SANS Computer Forensics and Incident Response Blog by SANS Institute]
+
* [http://www.digitalforensicsource.com Digital Forensic Source]
+
* [http://dfsforensics.blogspot.com/ Digital Forensics Solutions]
+
* [http://forensicaliente.blogspot.com/ Forensicaliente]
+
* [http://www.ericjhuber.com/ A Fistful of Dongles]
+
* [http://gleeda.blogspot.com/ JL's stuff]
+
* [http://4n6k.blogspot.com/ 4n6k]
+
  
== Dutch ==
+
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
  
* [http://stam.blogs.com/8bits/ 8 bits], by [[Mark Stam]] (also contain English articles otherwise use [http://translate.google.com/translate?u=http%3A%2F%2Fstam.blogs.com%2F8bits%2Fforensisch%2Findex.html&langpair=nl%7Cen&hl=en&ie=UTF-8 Google translation])
+
== History ==  
  
== French ==
+
During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during incident response. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.
  
* [http://forensics-dev.blogspot.com Forensics-dev] ([http://translate.google.com/translate?u=http%3A%2F%2Fforensics-dev.blogspot.com%2F&langpair=fr%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
+
In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]] produced [[kntlist]].
 
+
== German ==
+
 
+
* [http://computer.forensikblog.de/ Computer Forensik Blog Gesamtausgabe], by [[Andreas Schuster]] ([http://computer.forensikblog.de/en/ English version])
+
* [http://computer-forensik.org computer-forensik.org], by [[Alexander Geschonneck]] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.computer-forensik.org&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
+
* [http://henrikbecker.blogspot.com Digitale Beweisführung], by [[Henrik Becker]] ([http://translate.google.com/translate?u=http%3A%2F%2Fhenrikbecker.blogspot.com&langpair=de%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
+
 
+
== Spanish ==
+
 
+
* [http://www.forensic-es.org/blog forensic-es.org] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.forensic-es.org%2Fblog&langpair=es%7Cen&hl=en&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
+
* [http://www.inforenses.com InForenseS], by [[Javier Pages]] ([http://translate.google.com/translate?u=http%3A%2F%2Fwww.inforenses.com&langpair=es%7Cen&hl=es&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools Google translation])
+
* [http://windowstips.wordpress.com El diario de Juanito]
+
* [http://conexioninversa.blogspot.com Conexión inversa]
+
 
+
== Russian ==
+
 
+
* Group-IB: [http://notheft.ru/blogs/group-ib blog at notheft.ru], [http://www.securitylab.ru/blog/company/group-ib/ blog at securitylab.ru]
+
 
+
= Related blogs =
+
 
+
* [http://www.c64allstars.de C64Allstars Blog]
+
* [http://www.emergentchaos.com/ Emergent Chaos], by [[Adam Shostack]]
+
* [http://jeffjonas.typepad.com/ Inventor of NORA discusses privacy and all things digital], by [[Jeff Jonas]]
+
* [http://www.cs.uno.edu/~golden/weblog Digital Forensics, Coffee, Benevolent Hacking], by [[Golden G. Richard III]]
+
 
+
= Fora =
+
* [http://forensicfocus.com/ Forensic Focus]
+
 
+
[[Category:Further information]]
+
 
+
= Tweets =
+
* [http://twitter.com/#!/search/%23DFIR?q=%23DFIR #DFIR]
+
* [http://twitter.com/#!/search/%23forensics #forensics]
+

Revision as of 12:34, 26 February 2007

Analysis of physical memory from Windows systems can yield significant information about the target operating system. This field is still very new, but holds great promise.

Sample Memory Images

Getting started with memory analysis can be difficult without some known images to practice with.

History

During the 1990s, it became a best practice to capture a memory image during incident response. At the time, the only way to analyze such memory images was using strings. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.

In the summer 2005 the Digital Forensic Research Workshop published a Memory Analysis Challenge. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by Chris Betz, introduced a tool called memparser. The second, by George Garner and Robert-Jan Mora produced kntlist.