Difference between revisions of "Memory analysis"

From ForensicsWiki
Line 9: Line 9:
 
Various types of encryption keys can be extracted during memory analysis.
 
Various types of encryption keys can be extracted during memory analysis.
 
You can use [[AESKeyFinder]] to extract 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] to extract all private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/]. [http://jessekornblum.com/research/volatility-plugins/cryptoscan.py cryptoscan.py] (plugin for the Volatility memory analysis framework) scans a memory image for [[TrueCrypt]] passphrases.
 
You can use [[AESKeyFinder]] to extract 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] to extract all private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/]. [http://jessekornblum.com/research/volatility-plugins/cryptoscan.py cryptoscan.py] (plugin for the Volatility memory analysis framework) scans a memory image for [[TrueCrypt]] passphrases.
 
== Browser Email Memory Tool ==
 
[http://www.jeffbryner.com/code/pdgmail pdgmail] is a python script to extract gmail artifacts from memory images. Made for images extracted with pdd, but works with any memory image.
 
  
 
== See Also ==  
 
== See Also ==  
  
 
* [[Tools:Memory Imaging]]
 
* [[Tools:Memory Imaging]]
 +
* [[Tools:Memory Analysis]]
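
Review bot: in the "Browser Email Memory Tool" section, the heading is generic while its single entry, pdgmail, is described only as extracting gmail artifacts; a heading that names what is recovered would sit better beside the page's "Encryption Keys" section. The second sentence, "Made for images extracted with pdd, but works with any memory image.", has no subject, so consider "It was made for images extracted with pdd, but works with any memory image." Also capitalize "Python" and "Gmail", and link pdd, since every other tool named in this hunk is linked.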

Revision as of 13:23, 3 December 2008

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, we have broken it into subpages:

Encryption Keys

Various types of encryption keys can be extracted during memory analysis. You can use AESKeyFinder to extract 128-bit and 256-bit AES keys and RSAKeyFinder to extract all private and public RSA keys from a memory dump [1]. cryptoscan.py (plugin for the Volatility memory analysis framework) scans a memory image for TrueCrypt passphrases.

See Also