Difference between revisions of "Memory analysis"

From Forensics Wiki
Jump to: navigation, search
(Volatility Labs)
Line 31: Line 31:
 
* [http://volatility-labs.blogspot.ch/2012/09/movp-23-event-logs-and-service-sids.html MoVP 2.3 Event Logs and Service SIDs]
 
* [http://volatility-labs.blogspot.ch/2012/09/movp-23-event-logs-and-service-sids.html MoVP 2.3 Event Logs and Service SIDs]
 
* [http://volatility-labs.blogspot.ch/2012/09/movp-24-analyzing-jynx-rootkit-and.html MoVP 2.4 Analyzing the Jynx rootkit and LD_PRELOAD]
 
* [http://volatility-labs.blogspot.ch/2012/09/movp-24-analyzing-jynx-rootkit-and.html MoVP 2.4 Analyzing the Jynx rootkit and LD_PRELOAD]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-25-investigating-in-memory-network.html MoVP 2.5: Investigating In-Memory Network Data with Volatility]
  
 
[[Category:Memory Analysis]]
 
[[Category:Memory Analysis]]

Revision as of 14:08, 21 September 2012

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:

Contents

OS-Independent Analysis

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, Virtuoso, that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.

Encryption Keys

Various types of encryption keys can be extracted during memory analysis.

See Also

External Links

Volatility Labs