Difference between pages "Memory analysis" and "Windows Memory Analysis"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
m (Updated to include info on Volatility)
 
Line 1: Line 1:
'''Memory Analysis''' is the science of using a [[Tools:Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, we have broken it into subpages:
+
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
  
* [[Windows Memory Analysis]]
+
== Sample Memory Images ==
* [[Linux Memory Analysis]]
+
  
== Encryption Keys ==
+
Getting started with memory analysis can be difficult without some known images to practice with.
  
Various types of encryption keys can be extracted during memory analysis.
+
* The 2005 [[Digital Forensic Research Workshop]] [http://www.dfrws.org/2005/challenge/ Memory Analysis Challenge] published two Windows 2000 Service Pack 1 memory images with some [[malware]] installed.
You can use [[AESKeyFinder]] to extract 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] to extract all private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/]. [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py] ([[List of Volatility Plugins|plugin for the Volatility memory analysis framework]]) scans a memory image for [[TrueCrypt]] passphrases.
+
  
== See Also ==
+
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
  
* [[Tools:Memory Imaging]]
+
== See Also ==
* [[Tools:Memory Analysis]]
+
* [[Pagefile.sys]]
 +
 
 +
== History ==
 +
 
 +
During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during [[Incident Response|incident response]]. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.
 +
 
 +
In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]] produced [[kntlist]].
 +
 
 +
At the [[Blackhat (conference)|Blackhat Federal]] conference in March 2007, [[AAron Walters]] and [[Nick Petroni]] released a suite called [[volatools]]. Although it only worked on [[Windows XP]] Service Pack 2 images, it was able to produce a number of useful data. [[volatools]] was updated and re-released as [[Volatility]] in August 2007, and is now maintained and distributed by [https://www.volatilesystems.com/ Volatile Systems].
 +
 
 +
== External Links ==
 +
; Jesse Kornblum Memory Analysis discussion on Cyberspeak
 +
: http://cyberspeak.libsyn.com/index.php?post_id=98104
 +
; Memory Analysis Bibliography
 +
: http://www.4tphi.net/fatkit/#links

Revision as of 10:39, 30 June 2008

Analysis of physical memory from Windows systems can yield significant information about the target operating system. This field is still very new, but holds great promise.

Sample Memory Images

Getting started with memory analysis can be difficult without some known images to practice with.

See Also

History

During the 1990s, it became a best practice to capture a memory image during incident response. At the time, the only way to analyze such memory images was using strings. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.

In the summer 2005 the Digital Forensic Research Workshop published a Memory Analysis Challenge. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by Chris Betz, introduced a tool called memparser. The second, by George Garner and Robert-Jan Mora produced kntlist.

At the Blackhat Federal conference in March 2007, AAron Walters and Nick Petroni released a suite called volatools. Although it only worked on Windows XP Service Pack 2 images, it was able to produce a number of useful data. volatools was updated and re-released as Volatility in August 2007, and is now maintained and distributed by Volatile Systems.

External Links

Jesse Kornblum Memory Analysis discussion on Cyberspeak
http://cyberspeak.libsyn.com/index.php?post_id=98104
Memory Analysis Bibliography
http://www.4tphi.net/fatkit/#links