Difference between pages "Encryption" and "Windows Memory Analysis"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(Added sample memory images)
 
Line 1: Line 1:
'''Encryption''' is a means to obfuscate data an entity wishes to protect to the point it will take a third party considerable time to access (decrypt) it. The methods of encryption vary from substitution ciphers to more modern methods such as digital ciphers which use an algorithm to obfuscate the data. Once the data is encrypted it is then referred to as cipher text.
+
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
  
== Also see ==
+
== Sample Memory Images ==
  
* [[Application Specific Encryption]]
+
Getting started with memory analysis can be difficult without some known images to practice with.
* [[Full Disk Encryption]]
+
* [[Operating System Password Encryption]]
+
  
[[Category:Encryption]]
+
* The 2005 [[Digital Forensic Research Workshop]] [http://www.dfrws.org/2005/challenge/ Memory Analysis Challenge] published two Windows 2000 Service Pack 1 memory images with some [[malware]] installed.
 +
 
 +
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
 +
 
 +
== History ==
 +
 
 +
During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during incident response. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.
 +
 
 +
In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]] produced [[kntlist]].

Revision as of 12:34, 26 February 2007

Analysis of physical memory from Windows systems can yield significant information about the target operating system. This field is still very new, but holds great promise.

Sample Memory Images

Getting started with memory analysis can be difficult without some known images to practice with.

History

During the 1990s, it became a best practice to capture a memory image during incident response. At the time, the only way to analyze such memory images was using strings. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.

In the summer 2005 the Digital Forensic Research Workshop published a Memory Analysis Challenge. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by Chris Betz, introduced a tool called memparser. The second, by George Garner and Robert-Jan Mora produced kntlist.