Difference between pages "Fiwalk" and "Tools:Memory Analysis"

Revision as of 15:43, 9 June 2012

The following tools can be used to conduct memory analysis.

Memory Analysis Frameworks

Volatility Framework - A complete framework for analyzing Windows XP Service Pack 2 memory images.
WindowsSCOPE Pro, Ultimate - Comprehensive toolkit for the capture and analysis of Windows physical and virtual memory targeting cyber analysis, forensics/incident response, and education. Software and hardware based acquisition with CaptureGUARD PCIe and ExpressCard.
WindowsSCOPE Live live fetch and analysis of Windows computers on a network from Android smartphones and tablets.
Second Look from Raytheon Pikewerks Corporation - provides Linux memory forensics, including acquisition and analysis.

Browser Email Memory Tool

pdgmail is a python script to extract gmail artifacts from memory images. Made for images extracted with pdd, but works with any memory image.

Instant Messenger Memory Tool

Belkasoft Evidence Center is a tool by Belkasoft which allows for retrieving various Instant Messenger artifacts from an attached memory image.

@@ Line 1: / Line 1: @@
-fiwalk is a batch forensics analysis program written in C that uses SleuthKit. The program can output in XML or ARFF formats.
+The following tools can be used to conduct memory analysis.
-==XML Example==
+== Memory Analysis Frameworks ==
-<pre>
+* [[Volatility Framework]] - A complete framework for analyzing Windows XP Service Pack 2 memory images.
-<?xml version='1.0' encoding='ISO-8859-1'?>
+* [http://www.windowsscope.com WindowsSCOPE Pro, Ultimate] - Comprehensive toolkit for the capture and analysis of Windows physical and virtual memory targeting cyber analysis, forensics/incident response, and education. Software and hardware based acquisition with [http://www.windowsscope.com/index.php?option=com_virtuemart&Itemid=34    CaptureGUARD PCIe and ExpressCard].
-<fiwalk xmloutputversion='0.2'>
+* [http://www.windowsscope.com WindowsSCOPE Live] live fetch and analysis of Windows computers on a network from Android smartphones and tablets.
-  <metadata
+* [http://secondlookforensics.com/ Second Look] from [http://www.pikewerks.com Raytheon Pikewerks Corporation] - provides Linux memory forensics, including acquisition and analysis.
-  xmlns='http://example.org/myapp/'
-  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
-  xmlns:dc='http://purl.org/dc/elements/1.1/'>
-    <dc:type>Disk Image</dc:type>
-  </metadata>
-  <creator>
-    <program>fiwalk</program>
-    <version>0.5.7</version>
-    <os>Darwin</os>
-    <library name="tsk" version="3.0.1"></library>
-    <library name="afflib" version="3.5.2"></library>
-    <command_line>fiwalk -x /dev/disk2</command_line>
-  </creator>
-  <source>
-    <imagefile>/dev/disk2</imagefile>
-  </source>
-<!-- fs start: 512 -->
-  <volume offset='512'>
-    <Partition_Offset>512</Partition_Offset>
-    <block_size>512</block_size>
-    <ftype>2</ftype>
-    <ftype_str>fat12</ftype_str>
-    <block_count>5062</block_count>
-    <first_block>0</first_block>
-    <last_block>5061</last_block>
-    <fileobject>
-      <filename>README.txt</filename>
-      <id>2</id>
-      <filesize>43</filesize>
-      <partition>1</partition>
-      <alloc>1</alloc>
-      <used>1</used>
-      <inode>6</inode>
-      <type>1</type>
-      <mode>511</mode>
-      <nlink>1</nlink>
-      <uid>0</uid>
-      <gid>0</gid>
-      <mtime>1258916904</mtime>
-      <atime>1258876800</atime>
-      <crtime>1258916900</crtime>
-      <byte_runs>
-       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
-      </byte_runs>
-      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
-      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
-    </fileobject>
-  </volume>
-<!-- end of volume -->
-<!-- clock: 0 -->
-  <runstats>
-    <user_seconds>0</user_seconds>
-    <system_seconds>0</system_seconds>
-    <maxrss>1814528</maxrss>
-    <reclaims>546</reclaims>
-    <faults>1</faults>
-    <swaps>0</swaps>
-    <inputs>56</inputs>
-    <outputs>0</outputs>
-    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
-  </runstats>
-</fiwalk>
-</pre>
-==Availability==
+== Browser Email Memory Tool ==
-fiwalk can be downloaded from http://afflib.org/fiwalk
+* [http://www.jeffbryner.com/code/pdgmail pdgmail] is a python script to extract gmail artifacts from memory images. Made for images extracted with pdd, but works with any memory image.
-==See Also==
+== Instant Messenger Memory Tool ==
-* [[fileobject]]
+* [http://belkasoft.com Belkasoft Evidence Center] is a tool by [[Belkasoft]] which allows for retrieving various Instant Messenger artifacts from an attached memory image.
-* [http://domex.nps.edu/deep/Fiwalk.html fiwalk on the DEEP website]
-[[Category:Digital Forensics XML]]

Difference between pages "Fiwalk" and "Tools:Memory Analysis"

Revision as of 15:43, 9 June 2012

Memory Analysis Frameworks

Browser Email Memory Tool

Instant Messenger Memory Tool

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation:

About forensicswiki.org:

Toolbox