Difference between revisions of "Memory analysis"

From ForensicsWiki
Jump to: navigation, search
(OS-Independent Analysis)
(See Also)
Line 15: Line 15:
== See Also ==  
== See Also ==  
* [[Tools:Memory Imaging]]
* [[Memory Imaging]]
* [[Tools:Memory Analysis]]
* [[:Tools:Memory Imaging|Memory Imaging Tools]]
* [[:Tools:Memory Analysis|Memory Analysis Tools]]
[[Category:Memory Analysis]]
[[Category:Memory Analysis]]

Revision as of 11:04, 27 July 2012

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, we have broken it into subpages:

OS-Independent Analysis

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, Virtuoso, that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.

Encryption Keys

Various types of encryption keys can be extracted during memory analysis. You can use AESKeyFinder to extract 128-bit and 256-bit AES keys and RSAKeyFinder to extract all private and public RSA keys from a memory dump [1]. cryptoscan.py (plugin for the Volatility memory analysis framework) scans a memory image for TrueCrypt passphrases.

See Also