Difference between pages "Memory analysis" and "Tsk-cp"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(See Also)
 
 
Line 1: Line 1:
'''Memory Analysis''' is the science of using a [[Tools:Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, we have broken it into subpages:
+
Tsk-cp is a set of [[LibCarvPath]] aware versions of [[Sleuthkit]] tools, that are for use together with the
 +
normal versions of the other sleuthkit tools in the process of doing [[zero storage carving]].
  
* [[Windows Memory Analysis]]
+
The tools are:
* [[Linux Memory Analysis]]
+
  
== OS-Independent Analysis ==
+
* mmls-cp : A CarvPath based version of mmls for listing a partitioned carvpath disk images as a list of partition carvpaths.
 +
* dls-cp : A CarvPath based version of dls for listing all continuous unallocated fragments of a carvpath partition holding a filesystem as a list of unallocated block carvpaths.
 +
* icat-cp : A CarvPath based version of icat that instead of copying out the data of an inode within a carvpath partition holding a filesystem as the carvpath of the file and the carvpath of the [[file slack]].
  
At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, [http://www.cc.gatech.edu/~brendan/Virtuoso_Oakland.pdf Virtuoso], that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.
+
The carvpaths output by dls-cp can be used as the input of a CarvPath aware carving tool.
  
== Encryption Keys ==
+
== See Also ==
 
+
* [Open Computer Forensics Architecture]
Various types of encryption keys can be extracted during memory analysis.
+
You can use [[AESKeyFinder]] to extract 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] to extract all private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/]. [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py] ([[List of Volatility Plugins|plugin for the Volatility memory analysis framework]]) scans a memory image for [[TrueCrypt]] passphrases.
+
 
+
== See Also ==  
+
 
+
* [[Memory Imaging]]
+
* [[:Tools:Memory Imaging|Memory Imaging Tools]]
+
* [[:Tools:Memory Analysis|Memory Analysis Tools]]
+
 
+
[[Category:Memory Analysis]]
+

Revision as of 00:30, 11 August 2012

Tsk-cp is a set of LibCarvPath aware versions of Sleuthkit tools, that are for use together with the normal versions of the other sleuthkit tools in the process of doing zero storage carving.

The tools are:

  • mmls-cp : A CarvPath based version of mmls for listing a partitioned carvpath disk images as a list of partition carvpaths.
  • dls-cp : A CarvPath based version of dls for listing all continuous unallocated fragments of a carvpath partition holding a filesystem as a list of unallocated block carvpaths.
  • icat-cp : A CarvPath based version of icat that instead of copying out the data of an inode within a carvpath partition holding a filesystem as the carvpath of the file and the carvpath of the file slack.

The carvpaths output by dls-cp can be used as the input of a CarvPath aware carving tool.

See Also

  • [Open Computer Forensics Architecture]