Difference between pages "Memory analysis" and "Talk:Carver 2.0 Planning Page"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Encryption Keys)
 
(Consolidation: new section)
 
Line 1: Line 1:
'''Memory Analysis''' is the science of using a [[Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:
+
License: have we even discussed a license yet?  Who chose it?  I'm not terribly opposed to a 3-clause BSD, but...? - [[User:RB|RB]] 00:39, 30 October 2008 (UTC)
  
* [[Windows Memory Analysis]]
+
[[User:Joachim Metz|Joachim]] I prefer the LPGL it's restricts the usage of the code somewhat more. When its integrated in other (closed source) tooling which is published, they must publish that the tool uses this code.
* [[Linux Memory Analysis]]
+
  
== OS-Independent Analysis ==
+
:: LGPL?
 +
:: [[User:.FUF|.FUF]] 19:40, 31 October 2008 (UTC)
 +
:: [[User:Joachim Metz|Joachim]] GNU Library or "Lesser" General Public License (LGPL) (http://www.opensource.org/licenses/alphabetical)
 +
:::: ''Joachim I prefer the LPGL'' :) [[User:.FUF|.FUF]] 19:51, 31 October 2008 (UTC)
 +
:::::: [[User:Joachim Metz|Joachim]] To quote Homer Simpson "Doh!"
 +
:: Agreed.  I sit on the fence between BSD and GPL: the business half of me agrees that open licensing should place as few restrictions or qualifications as possible, whereas the idealist/OSS side wants to ensure the project's freedom.  The LGPL is a more reasonable balance, encouraging widespread use but ensuring modifications' freedom. [[User:RB|RB]] 16:59, 1 November 2008 (UTC)
  
At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, [http://www.cc.gatech.edu/~brendan/Virtuoso_Oakland.pdf Virtuoso], that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.
+
== Consolidation ==
  
== Encryption Keys ==
+
We've got a '''lot''' of good ideas here, but in interest of not stepping on anyone's toes, it's getting rather disjointed and hard to read. Is anyone willing to (or allow me to) try to consolidate them into some sort of coherency?  I'd like at least one of the admins ([[User:.FUF|FUF]] or [[User:Simsong|Simsong]] to concur before anyone moves forward.  I know the wiki way is to just let it grow, but even watching each addition I'm starting to have trouble visualizing where we are.
 
+
Various types of encryption keys can be extracted during memory analysis.
+
* [[AESKeyFinder]] extracts 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] and private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/].
+
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py], which is a [[List of Volatility Plugins|plugin for the Volatility framework]], scans a memory image for [[TrueCrypt]] passphrases
+
 
+
== See Also ==
+
 
+
* [[Memory Imaging]]
+
* [[:Tools:Memory Imaging|Memory Imaging Tools]]
+
* [[:Tools:Memory Analysis|Memory Analysis Tools]]
+
 
+
[[Category:Memory Analysis]]
+

Revision as of 12:48, 1 November 2008

License: have we even discussed a license yet? Who chose it? I'm not terribly opposed to a 3-clause BSD, but...? - RB 00:39, 30 October 2008 (UTC)

Joachim I prefer the LPGL it's restricts the usage of the code somewhat more. When its integrated in other (closed source) tooling which is published, they must publish that the tool uses this code.

LGPL?
.FUF 19:40, 31 October 2008 (UTC)
Joachim GNU Library or "Lesser" General Public License (LGPL) (http://www.opensource.org/licenses/alphabetical)
Joachim I prefer the LPGL :) .FUF 19:51, 31 October 2008 (UTC)
Joachim To quote Homer Simpson "Doh!"
Agreed. I sit on the fence between BSD and GPL: the business half of me agrees that open licensing should place as few restrictions or qualifications as possible, whereas the idealist/OSS side wants to ensure the project's freedom. The LGPL is a more reasonable balance, encouraging widespread use but ensuring modifications' freedom. RB 16:59, 1 November 2008 (UTC)

Consolidation

We've got a lot of good ideas here, but in interest of not stepping on anyone's toes, it's getting rather disjointed and hard to read. Is anyone willing to (or allow me to) try to consolidate them into some sort of coherency? I'd like at least one of the admins (FUF or Simsong to concur before anyone moves forward. I know the wiki way is to just let it grow, but even watching each addition I'm starting to have trouble visualizing where we are.