Difference between revisions of "Memory analysis"

From ForensicsWiki
Jump to: navigation, search
(Volatility Labs)
Line 30: Line 30:
 
* [http://volatility-labs.blogspot.ch/2012/09/movp-22-malware-in-your-windows.html MoVP 2.2 Malware In Your Windows]
 
* [http://volatility-labs.blogspot.ch/2012/09/movp-22-malware-in-your-windows.html MoVP 2.2 Malware In Your Windows]
 
* [http://volatility-labs.blogspot.ch/2012/09/movp-23-event-logs-and-service-sids.html MoVP 2.3 Event Logs and Service SIDs]
 
* [http://volatility-labs.blogspot.ch/2012/09/movp-23-event-logs-and-service-sids.html MoVP 2.3 Event Logs and Service SIDs]
 +
* [http://volatility-labs.blogspot.ch/2012/09/movp-24-analyzing-jynx-rootkit-and.html MoVP 2.4 Analyzing the Jynx rootkit and LD_PRELOAD]
  
 
[[Category:Memory Analysis]]
 
[[Category:Memory Analysis]]

Revision as of 13:40, 20 September 2012

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:

OS-Independent Analysis

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, Virtuoso, that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.

Encryption Keys

Various types of encryption keys can be extracted during memory analysis.

See Also

External Links

Volatility Labs