Difference between pages "Category:Live CD" and "Memory analysis"

From ForensicsWiki
(Difference between pages)
 
 
Line 1: Line 1:
<div style="margin-top:0.5em; border:2px solid #ff0000; padding:0.5em 0.5em 0.5em 0.5em; background-color:#dddddd; align:center;">
+
'''Memory Analysis''' is the science of using a [[Tools:Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, we have broken it into subpages:
'''Note:''' We're trying to use the same [[tool template]] for all devices. Please use this if possible.
+
</div>
+
  
==See Also==
+
* [[Windows Memory Analysis]]
* [[:Category:VMWare Appliances]]
+
* [[Linux Memory Analysis]]
  
[[Category:Tools]]
+
== Encryption Keys ==
 +
 
 +
Various types of encryption keys can be extracted during memory analysis.
 +
You can use [[AESKeyFinder]] to extract 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] to extract all private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/]. [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py] ([[List of Volatility Plugins|plugin for the Volatility memory analysis framework]]) scans a memory image for [[TrueCrypt]] passphrases.
 +
 
 +
== See Also ==
 +
 
 +
* [[Tools:Memory Imaging]]
 +
* [[Tools:Memory Analysis]]
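Review bot: In the added Encryption Keys paragraph, the bare external link [http://citp.princeton.edu/memory/code/] after "from a memory dump" carries no label, so it renders as an anonymous "[1]" in the revision text. Give it link text that names what it points to, as the cryptoscan.py link in the following sentence already does.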

Revision as of 13:04, 24 January 2009

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, we have broken it into subpages:

Encryption Keys

Various types of encryption keys can be extracted during memory analysis. You can use AESKeyFinder to extract 128-bit and 256-bit AES keys and RSAKeyFinder to extract all private and public RSA keys from a memory dump [1]. cryptoscan.py (plugin for the Volatility memory analysis framework) scans a memory image for TrueCrypt passphrases.

See Also