|
|
| Line 1: |
Line 1: |
| − | Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
| + | {{Expand}} |
| | | | |
| − | == Sample Memory Images ==
| + | The '''Incident Response Collection Report''' is a script based incident response tool by [[John McLeod]]. |
| | | | |
| − | Getting started with memory analysis can be difficult without some known images to practice with.
| + | The latest release was version 2.3 and was intended to work with [[Helix]] version 1.8. |
| − | | + | |
| − | * The 2005 [[Digital Forensic Research Workshop]] [http://www.dfrws.org/2005/challenge/ Memory Analysis Challenge] published two Windows 2000 Service Pack 1 memory images with some [[malware]] installed.
| + | |
| − | | + | |
| − | * The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
| + | |
| | | | |
| | == See Also == | | == See Also == |
| − | * [[Pagefile.sys]]
| |
| | | | |
| − | == History ==
| + | * [[FRED]] |
| | | | |
| − | During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during [[Incident Response|incident response]]. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.
| + | == External Links == |
| | | | |
| − | In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]] produced [[KnTList]].
| + | * [http://tools.phantombyte.com/ Official website] |
| − | | + | |
| − | At the [[Blackhat (conference)|Blackhat Federal]] conference in March 2007, [[AAron Walters]] and [[Nick Petroni]] released a suite called [[volatools]]. Although it only worked on [[Windows XP]] Service Pack 2 images, it was able to produce a number of useful data. [[volatools]] was updated and re-released as [[Volatility]] in August 2007, and is now maintained and distributed by [https://www.volatilesystems.com/ Volatile Systems].
| + | |
| − | | + | |
| − | == External Links ==
| + | |
| − | ; Jesse Kornblum Memory Analysis discussion on Cyberspeak
| + | |
| − | : http://cyberspeak.libsyn.com/index.php?post_id=98104
| + | |
| − | ; Memory Analysis Bibliography
| + | |
| − | : http://www.4tphi.net/fatkit/#links
| + | |
Revision as of 06:38, 2 March 2007
|
|
Please help to improve this article by expanding it.
Further information might be found on the discussion page.
|
The Incident Response Collection Report is a script based incident response tool by John McLeod.
The latest release was version 2.3 and was intended to work with Helix version 1.8.
See Also
External Links
