Difference between pages "Windows Memory Analysis" and "Windows Forensic Toolchest"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(substantial revisions)
 
(Initial Stub)
 
Line 1: Line 1:
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
+
{{Expand}}
  
== Sample Memory Images ==
+
== External Links ==
  
Getting started with memory analysis can be difficult without some known images to practice with.
+
[http://www.foolmoon.net/security/wft/ Official website]
 
+
* The 2005 [[Digital Forensic Research Workshop]] [http://www.dfrws.org/2005/challenge/ Memory Analysis Challenge] published two Windows 2000 Service Pack 1 memory images with some [[malware]] installed.
+
 
+
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
+
 
+
== See Also ==
+
* [[Pagefile.sys]]
+
* [http://msdn.microsoft.com/en-us/library/aa366778%28VS.85%29.aspx Memory Limits for Windows Releases], Microsoft MSDN.
+
 
+
== History ==
+
 
+
During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during [[Incident Response|incident response]]. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.
+
 
+
In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]] produced [[KnTList]].
+
 
+
At the [[Blackhat (conference)|Blackhat Federal]] conference in March 2007, [[AAron Walters]] and [[Nick Petroni]] released a suite called [[volatools]]. Although it only worked on [[Windows XP]] Service Pack 2 images, it was able to produce a number of useful data. [[volatools]] was updated and re-released as [[Volatility]] in August 2007, and is now maintained and distributed by [https://www.volatilesystems.com/ Volatile Systems].
+
 
+
==Bibliography==
+
== Memory Analysis Bibliography ==
+
===Windows Memory Analysis===
+
 
+
* [http://citp.princeton.edu/memory/ Lest We Remember: Cold Boot Attacks on Encryption Keys] ([http://citp.princeton.edu.nyud.net/pub/coldboot.pdf PDF]), Usenix Security 2008 (Best student paper)
+
* [http://blogs.technet.com/markrussinovich/archive/2008/07/21/3092070.aspx Pushing the Limits of Windows: Physical Memory], Mark Russinovich, Technet Blogs, July 21, 2008
+
* [http://www.dfrws.org/2008/proceedings/p58-schuster.pdf The impact of Microsoft Windows pool allocation strategies on memory forensics], Andreas Schuster, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p58-schuster_pres.pdf [slides]]
+
* [http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf Finding Digital Evidence In Physical Memory], Mariusz Burdach, Black Hat Federal, 2008
+
 
+
 
+
 
+
* [http://www.dfrws.org/2007/proceedings/p114-arasteh.pdf Forensic Memory Analysis: From Stack and Code to Execution History], Ali Reza Arasteh and Mourad Debbabi, DFRWS 2007
+
* [http://www.dfrws.org/2007/proceedings/p126-schatz.pdf BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software], Bradley Schatz, DFRWS 2007
+
* [http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf The VAD Tree: A Process-Eye View of Physical Memory], Brendan F Dolan-Gavitt, DFRWS 2007
+
 
+
* [http://www.dfrws.org/2006/proceedings/2-Schuster.pdf Searching for Processes and Threads in Microsoft Windows Memory Dumps], Andreas Schuster, Deutsche Telekom AG, Germany, DFRWS 2006
+
* [http://www.dfrws.org/2008/proceedings/p52-vanBaar.pdf Forensic Memory Analysis: Files mapped in memory], Ruud van Baar, DFRWS 2008, [http://www.dfrws.org/2008/proceedings/p52-vanBaar_pres.pdf [slides]]
+
* [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
+
 
+
 
+
[[Category:Bibliographies]]
+
 
+
== External Links ==
+
; Jesse Kornblum Memory Analysis discussion on Cyberspeak
+
: http://cyberspeak.libsyn.com/index.php?post_id=98104
+
; Memory Analysis Bibliography
+
: http://www.4tphi.net/fatkit/#links
+

Revision as of 22:25, 28 February 2007

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

External Links

Official website