Difference between pages "Vendors" and "Windows Memory Analysis"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Hardware Vendors)
 
m (External Links: Added link to AAron's memory analysis bibliography)
 
Line 1: Line 1:
= Software Vendors =
+
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
  
; [[AccessData]] - [[Forensic Toolkit]] ([[FTK]])
+
== Sample Memory Images ==
: http://www.accessdata.com/products/
+
  
; [[ASR Data]] - [[SMART]]
+
Getting started with memory analysis can be difficult without some known images to practice with.  
: http://www.asrdata.com/SMART/
+
  
; [[BlackBag Technologies]]
+
* The 2005 [[Digital Forensic Research Workshop]] [http://www.dfrws.org/2005/challenge/ Memory Analysis Challenge] published two Windows 2000 Service Pack 1 memory images with some [[malware]] installed.
: http://www.blackbagtech.com/software.html
+
  
; [[Computer Forensic Analysis]]
+
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
: http://www.porcupine.org/forensics/
+
  
; [[Computer Cop Forensic Examiner]]
+
== See Also ==
: http://www.computercop.com/examiner.html
+
* [[Pagefile.sys]]
  
; [[CPR Tools]]
+
== History ==
: http://www.cprtools.net
+
: Data Recovery, Data Security and Development Tools
+
  
; [[Forensic and Security Services, Inc.]] - [[Rainbow Tables]]
+
During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during [[Incident Response|incident response]]. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.  
: http://www.For-Sec.com
+
; Hub/MO/VO VAR for
+
  
: AccessData
+
In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]] produced [[kntlist]].
: Paraben
+
: Wetstone
+
: DiskJockey forensic
+
: Objectif Securite - Rainbow Tables for - LM and NT hashes and MS Office documents
+
  
; [[Guidance Software]] - [[EnCase]]
+
At the [[Blackhat (conference)|Blackhat Federal]] conference in March 2007, [[AAron Walters]] and [[Nick Petroni]] released a suite called [[volatools]]. Although it only worked on [[Windows XP]] Service Pack 2 images, it was able to produce a number of useful data.
: http://www.guidancesoftware.com/products/index.asp
+
  
; [[MaresWare Software]]
+
== External Links ==
: http://www.maresware.com/maresware/software.htm
+
; Jesse Kornblum Memory Analysis discussion on Cyberspeak
 
+
: http://cyberspeak.libsyn.com/index.php?post_id=98104
; [[NTI - Forensics International]] Division of Armor Forensics
+
; Memory Analysis Bibliography
: http://www.forensics-intl.com/tools.html
+
: http://www.4tphi.net/fatkit/#links
 
+
; [[Nuix Pty Ltd]] - [[FBI]]
+
: http://www.nuix.com.au
+
 
+
; [[Paraben Forensics]]
+
: http://www.paraben-forensics.com/
+
 
+
; [[PyFlag]]
+
: http://pyflag.sourceforge.net/
+
 
+
; Steganography Analysis and Research Center / Backbone Security
+
: General Product Information http://www.sarc-wv.com/products.aspx
+
: Backbone Security http://www.backbonesecurity.com
+
: Steganography Application Fingerprint Database (SAFDB) http://www.sarc-wv.com/safdb.aspx
+
: Steganography Analyzer Artifact Scanner (StegAlyzerAS) http://www.sarc-wv.com/stegalyzeras.aspx
+
: Steganography Analyzer Signature Scanner (StegAlyzerSS) http://www.sarc-wv.com/stegalyzerss.aspx
+
 
+
; [[Tech Assist, Inc.]]
+
: http://www.toolsthatwork.com/
+
 
+
; [[Technology Pathways]] - [[Pro Discover]]
+
: http://www.techpathways.com/
+
 
+
; [[Wetstone Technologies]]
+
:http://www.wetstonetech.com/page/page/3004314.htm
+
 
+
; [[X-Ways Software]]
+
: http://www.x-ways.net/
+
 
+
= Hardware Vendors =
+
; [[BlackBag Technologies]]
+
: http://www.blackbagtech.com/hardware.html
+
: [[Write Blockers]]
+
 
+
; [[CPR Tools]]
+
: [[Media Research and Data Recovery]]
+
: http://www.cprtools.net
+
: [[Adapters]], [[Imaging Hardware]], [[Field Kits]], [[Data Recovery tools]]
+
 
+
; [[Digital Intelligence]]
+
: http://www.digitalintelligence.com/forensichardware.php
+
: [[Write Blockers]], [[forensic field kit]]s, etc.
+
 
+
; [[Forensic and Security Services, Inc.]] - [[Field kits, write blockers]]
+
: http://www.For-Sec.com
+
; Hub/MO/VO VAR for
+
 
+
: AccessData
+
: Paraben
+
: Wetstone
+
: DiskJockey forensic
+
 
+
; [[Forensic-Computers]]
+
: http://www.forensic-computers.com/
+
: Various systems, [[Write Blockers]], [[forensic field kit]]s, etc.
+
 
+
; [[ForensicPC]]
+
: http://www.forensicpc.com/
+
: Various [[Write Blockers]], [[forensic field kit]]s, forensics software, etc.
+
 
+
; [[MyKey Tech]]
+
: http://www.mykeytech.com/
+
: [[Write Blockers]]
+
 
+
; [[Paraben Forensics]]
+
: http://www.paraben-forensics.com/catalog/index.php?cPath=26
+
: [[Write Blockers]], [[forensic field kit]]s, etc.
+
 
+
; [[Technology Pathways]]
+
: http://www.techpathways.com/
+
: [[Write Blockers]]
+
 
+
; [[Wiebetech]]
+
: http://wiebetech.com/
+
: Various [[Write Blockers]], [[forensic field kit]]s, etc.
+
 
+
= Training =
+
 
+
== Open for everyone ==
+
 
+
* [http://www.cprtools.net/training.php CPR Tools Training (Basic and Advanced Data Recovery)]
+
* [http://www.accessdata.com/training/ AccessData Training]
+
* [http://www.forensics-intl.com/training.html Armor Forensics (NTI - Forensics International)]
+
* [http://www.asrdata.com/training/ ASR Data Training]
+
* [http://www.blackbagtech.com/training.html BlackBag Tech Training]
+
* [http://www.cce-bootcamp.com/ Certified Computer Examiner BootCamp]
+
* [http://www.for-sec.com/p38.htm For-Sec Vendor classes, Cellphone/PDA seizure, and CFR 26 rules classes]
+
* [http://www.cftco.com/ Computer Forensics Training Center On-Line]
+
* [http://www.e-fense.com/training.html e-fense Inc]
+
* [http://www.nuix.com.au/screencasts.html FBI Screencast Training]
+
* [http://www.guidancesoftware.com/training/index.asp Guidance Software (EnCase) Training]
+
* [http://www.infosecinstitute.com/courses/security_training_courses.html InfoSec Institute]
+
* [http://www.crazytrain.com/training.html Linux Data Forensics Training]
+
* [http://www.maresware.com/maresware/training/maresware.htm Maresware Training]
+
* [http://www.paraben-training.com/ Paraben Forensics Training]
+
* [http://www.sarc-wv.com/training.aspx Steganography Analysis and Research Center / Backbone Security]
+
* [http://www.techpathways.com/DesktopDefault.aspx?tabindex=5&tabid=9 Technology Pathways Pro Discover Training]
+
* [http://www.vigilar.com/training.html Vigilar]
+
* [http://www.wetstonetech.com/page/page/3004314.htm Wetstone Technologies]
+
 
+
== Law enforcement only ==
+
 
+
* [http://www.fletc.gov/cfi/fy06tibsched.htm Federal Law Enforcement Training Center]
+
* [http://www.cops.org/ IACIS Computer Training/Certification]
+
* [http://nw3c.org/ocr/courses_desc.cfm National White Collar Crime Center]
+
* [http://www.search.org/programs/hightech/courses.asp Search.Org]
+

Revision as of 10:12, 30 June 2008

Analysis of physical memory from Windows systems can yield significant information about the target operating system. This field is still very new, but holds great promise.

Sample Memory Images

Getting started with memory analysis can be difficult without some known images to practice with.

See Also

History

During the 1990s, it became a best practice to capture a memory image during incident response. At the time, the only way to analyze such memory images was using strings. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.

In the summer 2005 the Digital Forensic Research Workshop published a Memory Analysis Challenge. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by Chris Betz, introduced a tool called memparser. The second, by George Garner and Robert-Jan Mora produced kntlist.

At the Blackhat Federal conference in March 2007, AAron Walters and Nick Petroni released a suite called volatools. Although it only worked on Windows XP Service Pack 2 images, it was able to produce a number of useful data.

External Links

Jesse Kornblum Memory Analysis discussion on Cyberspeak
http://cyberspeak.libsyn.com/index.php?post_id=98104
Memory Analysis Bibliography
http://www.4tphi.net/fatkit/#links