Difference between pages "User:RPD001" and "Memory analysis"

Revision as of 16:00, 14 January 2014

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:

• Windows Memory Analysis
• Linux Memory Analysis

OS-Independent Analysis

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, Virtuoso, that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.

Encryption Keys

Various types of encryption keys can be extracted during memory analysis.

• AESKeyFinder extracts 128-bit and 256-bit AES keys and RSAKeyFinder and private and public RSA keys from a memory dump [1].
• cryptoscan.py, which is a plugin for the Volatility framework, scans a memory image for TrueCrypt passphrases

See Also

• Memory Imaging
• Memory Imaging Tools
• Memory Analysis Tools

External Links

• Discovering ephemeral evidence with Live RAM analysis by Oleg Afonin and Yuri Gubanov, 2013
• RAM is Key - Extracting Disk Encryption Keys From Volatile Memory, by Brian Kaplan, May 2007
• Memory Forensics With Volatility (Technology Preview), by Michael Cohen, October 2012
• An Evaluation Platform for Forensic Memory Acquisition Software by Stefan Voemel and Johannes Stuettgen, DFRWS 2013

Computer architecture

• Wikipedia: 64-bit computing
• 64-Bit Programming Models: Why LP64?, The Open Group, 1997

Volatility Labs

• MoVP 1.1 Logon Sessions, Processes, and Images
• MoVP 1.2 Window Stations and Clipboard Malware
• MoVP 1.3 Desktops, Heaps, and Ransomware
• MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes
• MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs
• MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection
• MoVP 2.2 Malware In Your Windows
• MoVP 2.3 Event Logs and Service SIDs
• MoVP 2.4 Analyzing the Jynx rootkit and LD_PRELOAD
• MoVP 2.5: Investigating In-Memory Network Data with Volatility
• MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem
• HowTo: Scan for Internet Cache/History and URLs
• MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes
• MoVP 3.3 Analyzing USER Handles and the Win32k.sys Gahti
• MoVP 3.4: Recovering tagCLIPDATA: What's In Your Clipboard?
• MoVP 3.5: Analyzing the 2008 DFRWS Challenge with Volatility
• MoVP 4.1 Detecting Malware with GDI Timers and Callbacks
• MoVP 4.2 Taking Screenshots from Memory Dumps
• MoVP 4.3 Recovering Master Boot Records (MBRs) from Memory
• MoVP 4.4 Cache Rules Everything Around Me(mory)
• OMFW 2012: Malware In the Windows GUI Subsystem
• OMFW 2012: Reconstructing the MBR and MFT from Memory
• Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit
• Solving the GrrCon Network Forensics Challenge with Volatility
• OMFW 2012: Analyzing Linux Kernel Rootkits with Volatility
• OMFW 2012: Datalore: Android Memory Analysis
• MoVP for Volatility 2.2 and OMFW 2012 Wrap-Up
• Reverse Engineering Poison Ivy's Injected Code Fragments
• OMFW 2012: The Analysis of Process Token Privileges
• OMFW 2012: Mining the PFN Database for Malware Artifacts
• TrueCrypt Master Key Extraction And Volume Identification

Volatility Videos

• Set Up to More Memory Forensics!, October 2011
• Using Volatility: Suspicious Process (1/2)
• Using Volatility: Suspicious Process (2/2)

WinDBG

• Getting Started with WinDBG - Part 1, by Brad Antoniewicz, December 17, 2013
• Getting Started with WinDBG - Part 2, by Brad Antoniewicz, December 24, 2013
• Getting Started with WinDBG - Part 3, by Brad Antoniewicz, December 31, 2013