Difference between pages "Websites" and "Memory analysis"

From ForensicsWiki
(Difference between pages)
(Digital Forensics: added one site and placed in alphabetical order)
 
 
Line 1: Line 1:
'''Websites''' about [[digital forensics]] and related topics.
+
'''Memory Analysis''' is the science of using a [[Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:
  
= Digital Forensics =
+
* [[Windows Memory Analysis]]
 +
* [[Linux Memory Analysis]]
  
* [http://www.lnx4n6.be/ Belgian Computer Forensic Website] - Linux oriented.
+
== OS-Independent Analysis ==
* [http://digitalforensics.ch/ Bruce Nikkel's Computer Forensics Homepage]
+
* [http://certified-computer-examiner.com/ Certfied Computer Examiner Website] - Open certification process for digital forensics.
+
* [http://www.multimediaforensics.com/ Digital Forensics Discussion Forum] - A forum for the discussion of computer and digital forensics examinations, certified and non-certified investigators welcome
+
* [[Cyberspeak podcast]] - Computer forensics, network security, and computer crime podcast.
+
* [http://www.iacis.info/ International Association of Computer Investigative Specialists] - Volunteer non-profit corporation composed of law enforcement professionals.
+
* [http://www.dfrws.org/ Official Website for Digital Forensic Research Workshop] - Open forum for research in digital forensic issues, hosting annual meeting and annual forensics challenge.
+
* [http://128.175.24.251/forensics/default.htm University of Delaware] Computer Forensics Lab Resource Site.
+
  
= Non-Digital Forensics =
+
At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, [http://www.cc.gatech.edu/~brendan/Virtuoso_Oakland.pdf Virtuoso], that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.
  
* [http://fingerprint.nist.gov/ NIST Image Group] - Many reports, including the [[NIST]] report on [[AFIS]] [[fingerprint]] testing.
+
== Encryption Keys ==
 +
 
 +
Various types of encryption keys can be extracted during memory analysis.
 +
* [[AESKeyFinder]] extracts 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] and private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/].
 +
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py], which is a [[List of Volatility Plugins|plugin for the Volatility framework]], scans a memory image for [[TrueCrypt]] passphrases
 +
 
 +
== See Also ==
 +
 
 +
* [[Memory Imaging]]
 +
* [[:Tools:Memory Imaging|Memory Imaging Tools]]
 +
* [[:Tools:Memory Analysis|Memory Analysis Tools]]
 +
 
 +
== External Links ==
 +
=== Volatility Labs ===
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-11-logon-sessions-processes-and.html MoVP 1.1 Logon Sessions, Processes, and Images]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-12-window-stations-and-clipboard.html MoVP 1.2 Window Stations and Clipboard Malware]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-13-desktops-heaps-and-ransomware.html MoVP 1.3 Desktops, Heaps, and Ransomware]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-14-average-coder-rootkit-bash.html MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-22-malware-in-your-windows.html MoVP 2.2 Malware In Your Windows]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-23-event-logs-and-service-sids.html MoVP 2.3 Event Logs and Service SIDs]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-24-analyzing-jynx-rootkit-and.html MoVP 2.4 Analyzing the Jynx rootkit and LD_PRELOAD]
 +
 
 +
[[Category:Memory Analysis]]
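
Review bot: the added intro line misspells "divided" as "divded" ("it has been divded into the following pages"). Under "Encryption Keys", the AESKeyFinder bullet reads "and [[RSAKeyFinder]] and private and public [[RSA]] keys", which does not parse; it would read correctly as two clauses, for example "[[AESKeyFinder]] extracts 128-bit and 256-bit [[AES]] keys, and [[RSAKeyFinder]] extracts private and public [[RSA]] keys from a memory dump". The cryptoscan.py bullet is also missing the terminal period that the bullet above it has, and "etc" in the Virtuoso paragraph should be "etc.".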

Revision as of 14:40, 20 September 2012

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divided into the following pages:

OS-Independent Analysis

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, Virtuoso, that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc.) and then automatically generate Volatility plugins that replicated this analysis.

Encryption Keys

Various types of encryption keys can be extracted during memory analysis.

See Also

External Links

Volatility Labs