Difference between pages "Memory analysis" and "Talk:Carver 2.0 Planning Page"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Encryption Keys)
 
 
Line 1: Line 1:
'''Memory Analysis''' is the science of using a [[Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:
+
License: have we even discussed a license yet?  Who chose it?  I'm not terribly opposed to a 3-clause BSD, but...? - [[User:RB|RB]] 00:39, 30 October 2008 (UTC)
  
* [[Windows Memory Analysis]]
+
[[User:Joachim Metz|Joachim]] I prefer the LPGL it's restricts the usage of the code somewhat more. When its integrated in other (closed source) tooling which is published, they must publish that the tool uses this code.
* [[Linux Memory Analysis]]
+
  
== OS-Independent Analysis ==
+
:: LGPL?
 
+
:: [[User:.FUF|.FUF]] 19:40, 31 October 2008 (UTC)
At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, [http://www.cc.gatech.edu/~brendan/Virtuoso_Oakland.pdf Virtuoso], that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.
+
:: [[User:Joachim Metz|Joachim]] GNU Library or "Lesser" General Public License (LGPL) (http://www.opensource.org/licenses/alphabetical)
 
+
:::: ''Joachim I prefer the LPGL'' :) [[User:.FUF|.FUF]] 19:51, 31 October 2008 (UTC)
== Encryption Keys ==
+
:::::: [[User:Joachim Metz|Joachim]] To quote Homer Simpson "Doh!"
 
+
Various types of encryption keys can be extracted during memory analysis.
+
You can use [[AESKeyFinder]] to extract 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] to extract all private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/].
+
 
+
[http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py] ([[List of Volatility Plugins|plugin for the Volatility memory analysis framework]]) scans a memory image for [[TrueCrypt]] passphrases.
+
 
+
== See Also ==
+
 
+
* [[Memory Imaging]]
+
* [[:Tools:Memory Imaging|Memory Imaging Tools]]
+
* [[:Tools:Memory Analysis|Memory Analysis Tools]]
+
 
+
[[Category:Memory Analysis]]
+

Revision as of 14:53, 31 October 2008

License: have we even discussed a license yet? Who chose it? I'm not terribly opposed to a 3-clause BSD, but...? - RB 00:39, 30 October 2008 (UTC)

Joachim I prefer the LPGL it's restricts the usage of the code somewhat more. When its integrated in other (closed source) tooling which is published, they must publish that the tool uses this code.

LGPL?
.FUF 19:40, 31 October 2008 (UTC)
Joachim GNU Library or "Lesser" General Public License (LGPL) (http://www.opensource.org/licenses/alphabetical)
Joachim I prefer the LPGL :) .FUF 19:51, 31 October 2008 (UTC)
Joachim To quote Homer Simpson "Doh!"