Difference between revisions of "Memory analysis"

From ForensicsWiki
Jump to: navigation, search
(External Links)
 
(18 intermediate revisions by 2 users not shown)
Line 1: Line 1:
'''Memory Analysis''' is the science of using a [[Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:
+
'''Memory Analysis''' is the science of using a [[Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divided into the following pages:
  
* [[Windows Memory Analysis]]
 
 
* [[Linux Memory Analysis]]
 
* [[Linux Memory Analysis]]
 +
* [[Mac OS X Memory Analysis]]
 +
* [[Windows Memory Analysis]]
  
 
== OS-Independent Analysis ==
 
== OS-Independent Analysis ==
Line 21: Line 22:
  
 
== External Links ==
 
== External Links ==
 +
* [http://wiki.yobi.be/wiki/RAM_analysis YobiWiki: RAM analysis]
 
* [http://cryptome.org/0003/RAMisKey.pdf RAM is Key - Extracting Disk Encryption Keys From Volatile Memory], by [[Brian Kaplan]], May 2007
 
* [http://cryptome.org/0003/RAMisKey.pdf RAM is Key - Extracting Disk Encryption Keys From Volatile Memory], by [[Brian Kaplan]], May 2007
 +
* [https://docs.google.com/presentation/d/1KsZGF6cQ-N8ngABFGCZf8pTQQ5CZ19VoAHq5cO5ZPdE/edit Memory Forensics With Volatility (Technology Preview)], by [[Michael Cohen]], October 2012
 +
* [http://scudette.blogspot.com/2012/11/finding-kernel-debugger-block.html Finding the Kernel Debugger Block], by [[Michael Cohen]], November 18, 2012
 +
* [http://belkasoft.com/download/info/Live_RAM_Analysis_in_Digital_Forensics.pdf Discovering ephemeral evidence with Live RAM analysis] by Oleg Afonin and Yuri Gubanov, 2013
 +
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-11.pdf An Evaluation Platform for Forensic Memory Acquisition Software] by Stefan Voemel and Johannes Stuettgen, DFRWS 2013
 +
* [http://rekall-forensic.blogspot.com/2014/02/do-we-need-kernel-debugging-block.html Do we need the Kernel Debugging Block?], by [[Michael Cohen]], February 21, 2014
 +
 +
=== Anti-forensics ===
 +
* [https://www.blackhat.com/presentations/bh-dc-07/Walters/Paper/bh-dc-07-Walters-WP.pdf Integrating Volatile Memory Forensics into the Digital Investigation Process], by [[AAron Walter]], [[Nick Petroni]], Blackhat 2007
 +
* [http://blog.handlerdiaries.com/?p=363 Forensic Analysis of Anti-Forensic Activities], by [[Jack Crook]], January 29, 2014
 +
* [http://volatility-labs.blogspot.com/2014/02/add-next-big-threat-to-memory.html ADD: The Next Big Threat To Memory Forensics....Or Not], by [[Michael Hale Ligh]], February 3, 2014
 +
* [http://scudette.blogspot.com/2014/02/anti-forensics-and-memory-analysis.html Anti-forensics and memory analysis], by [[Michael Cohen]], February 7, 2014
 +
* [http://takahiroharuyama.github.io/blog/2014/04/21/memory-forensics-still-aborted/ Memory Forensics: Still Aborted], by Takahiro Haruyama, April 21, 2014
 +
 +
=== Computer architecture ===
 +
* [http://en.wikipedia.org/wiki/64-bit_computing Wikipedia: 64-bit computing]
 +
* [http://www.unix.org/version2/whatsnew/lp64_wp.html 64-Bit Programming Models: Why LP64?], The Open Group, 1997
  
 
=== [http://volatility-labs.blogspot.com/ Volatility Labs] ===
 
=== [http://volatility-labs.blogspot.com/ Volatility Labs] ===
Line 47: Line 65:
 
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-and-mft.html OMFW 2012: Reconstructing the MBR and MFT from Memory]
 
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-and-mft.html OMFW 2012: Reconstructing the MBR and MFT from Memory]
 
* [http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit]
 
* [http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit]
* [http://volatility-labs.blogspot.ca/2012/10/solving-grrcon-network-forensics.html Solving the GrrCon Network Forensics Challenge with Volatility]
+
* [http://volatility-labs.blogspot.com/2012/10/solving-grrcon-network-forensics.html Solving the GrrCon Network Forensics Challenge with Volatility]
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-analyzing-linux-kernel.html OMFW 2012: Analyzing Linux Kernel Rootkits with Volatility]
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-analyzing-linux-kernel.html OMFW 2012: Analyzing Linux Kernel Rootkits with Volatility]
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-datalore-android-memory.html OMFW 2012: Datalore: Android Memory Analysis]
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-datalore-android-memory.html OMFW 2012: Datalore: Android Memory Analysis]
* [http://volatility-labs.blogspot.ca/2012/10/movp-for-volatility-22-and-omfw-2012.html MoVP for Volatility 2.2 and OMFW 2012 Wrap-Up]
+
* [http://volatility-labs.blogspot.com/2012/10/movp-for-volatility-22-and-omfw-2012.html MoVP for Volatility 2.2 and OMFW 2012 Wrap-Up]
* [http://volatility-labs.blogspot.ca/2012/10/reverse-engineering-poison-ivys.html Reverse Engineering Poison Ivy's Injected Code Fragments]
+
* [http://volatility-labs.blogspot.com/2012/10/reverse-engineering-poison-ivys.html Reverse Engineering Poison Ivy's Injected Code Fragments]
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-analysis-of-process-token.html OMFW 2012: The Analysis of Process Token Privileges]
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-analysis-of-process-token.html OMFW 2012: The Analysis of Process Token Privileges]
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-mining-pfn-database-for.html OMFW 2012: Mining the PFN Database for Malware Artifacts]
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-mining-pfn-database-for.html OMFW 2012: Mining the PFN Database for Malware Artifacts]
 +
* [http://volatility-labs.blogspot.com/2014/01/truecrypt-master-key-extraction-and.html TrueCrypt Master Key Extraction And Volume Identification], by [[Michael Hale Ligh]], January 14, 2014
  
 
=== Volatility Videos ===
 
=== Volatility Videos ===
 
* [http://sketchymoose.blogspot.com/2011/10/set-up-to-more-memory-forensics.html Set Up to More Memory Forensics!], October 2011
 
* [http://sketchymoose.blogspot.com/2011/10/set-up-to-more-memory-forensics.html Set Up to More Memory Forensics!], October 2011
 
* [http://www.youtube.com/watch?v=8HsZLge0wWc Using Volatility: Suspicious Process (1/2)]
 
* [http://www.youtube.com/watch?v=8HsZLge0wWc Using Volatility: Suspicious Process (1/2)]
* [http://www.youtube.com/watch?v=XTZPNk-Esok Using Volatility: Suspicious Process (Part 2/2)]
+
* [http://www.youtube.com/watch?v=XTZPNk-Esok Using Volatility: Suspicious Process (2/2)]
 +
 
 +
=== WinDBG ===
 +
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html Getting Started with WinDBG - Part 1], by [[Brad Antoniewicz]], December 17, 2013
 +
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-2.html Getting Started with WinDBG - Part 2], by [[Brad Antoniewicz]], December 24, 2013
 +
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-3.html Getting Started with WinDBG - Part 3], by [[Brad Antoniewicz]], December 31, 2013
 +
* [http://www.msuiche.net/2014/01/12/extengcpp-part-1/ Developing WinDbg ExtEngCpp Extension in C++ – Introduction – Part 1], by [[Matt Suiche]], January 12, 2014
 +
* [http://www.msuiche.net/2014/01/15/developing-windbg-extengcpp-extension-in-c-com-interface/ Developing WinDbg ExtEngCpp Extension in C++ – COM Interface – Part 2], by [[Matt Suiche]], January 15, 2014
 +
* [http://www.msuiche.net/2014/01/20/developing-windbg-extengcpp-extension-in-c-memory-debugger-markup-language-dml-part-3/ Developing WinDbg ExtEngCpp Extension in C++ – Memory & Debugger Markup Language (DML) – Part 3], by [[Matt Suiche]], January 20, 2014
  
 
[[Category:Memory Analysis]]
 
[[Category:Memory Analysis]]

Latest revision as of 01:10, 8 July 2014

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divided into the following pages:

OS-Independent Analysis

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, Virtuoso, that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.

Encryption Keys

Various types of encryption keys can be extracted during memory analysis.

See Also

External Links

Anti-forensics

Computer architecture

Volatility Labs

Volatility Videos

WinDBG