Difference between revisions of "Tools:Memory Analysis"

From ForensicsWiki
(Added Reloc, a tool to be used with any memory dumper to find/manage and support converting a relocated memory image (typical of PEs) back into an original state (to match the disk file before the loader altered it).)
 
Latest revision as of 02:24, 28 November 2015

The following tools can be used to conduct memory analysis.

== Memory Analysis Frameworks ==

* [[Volatility Framework]] - A complete framework for analyzing Windows, Linux and Mac OS X memory images.

* [http://www.windowsscope.com WindowsSCOPE Pro, Ultimate] - Comprehensive toolkit for the capture and analysis of Windows physical and virtual memory, aimed at cyber analysis, forensics/incident response, and education. Supports software-based acquisition as well as hardware-based acquisition with the [http://www.windowsscope.com/index.php?option=com_virtuemart&Itemid=34 CaptureGUARD PCIe and ExpressCard] cards.

* [http://www.windowsscope.com WindowsSCOPE Live] - Live acquisition and analysis of Windows computers on a network, driven from Android smartphones and tablets.

== Browser Email Memory Tool ==

* pdgmail is a Python script that extracts Gmail artifacts from memory images. It was written for images captured with pdd, but works with any memory image.

== Instant Messenger Memory Tool ==

* [http://belkasoft.com Belkasoft Evidence Center] is a tool by [[Belkasoft]] that retrieves various Instant Messenger artifacts from a loaded memory image.

== Platform Independent Tools ==

Tools that should keep working regardless of future incremental OS and hardware updates, because they rely on structures defined by the hardware or by file formats rather than on version-specific OS profiles.

* [https://github.com/ShaneK2/inVtero.net inVtero.net] - Open-source hypervisor, process and kernel detection for Windows, FreeBSD, OpenBSD and NetBSD. inVtero.net works by interpreting low-level, hardware-defined constructs (the processor's paging structures), which change little over time. See the GitHub page for details.

* [http://www.techipick.com/forensics-memdump-extractor Forensics MemDump Extractor] - A tool by Gem George that carves files of any type out of a memory dump based on their file signatures. For example, given the signature of a JPEG file, it extracts every JPEG found in the dump. Because the pages of a file are not necessarily contiguous in physical memory, signature carving can return a truncated copy or only the leading fragment of a file.
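
Signature-based carving of the kind Forensics MemDump Extractor performs, as an added example written for this page (it is not the tool's own code). Python is used because most memory-forensics tooling on this page is Python. The carver treats the dump as a flat byte string and identifies files purely by header and footer bytes, with no filesystem or OS knowledge; the signature table, the sample dump, the maximum-length window and every function name are constructions of the example, and the sample dump is not a real memory image.

```python
import hashlib

# (name, header, footer, max_len): constructed signature table for the
# example. A footer search is capped at max_len bytes after the header.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 4 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 16 * 1024 * 1024),
]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve(dump, signatures=SIGNATURES):
    """Scan a raw dump for each signature and return a list of
    (type, offset, data, truncated) tuples sorted by offset. 'truncated'
    means no footer was found inside the window, so the carve was cut at
    the window end (dump end or max_len) and is known to be incomplete:
    the file's remaining pages were not contiguous or not in the dump."""
    results = []
    for name, header, footer, max_len in signatures:
        pos = 0
        while True:
            start = dump.find(header, pos)
            if start < 0:
                break
            window_end = min(len(dump), start + max_len)
            end = dump.find(footer, start + len(header), window_end)
            if end < 0:
                data, truncated = dump[start:window_end], True
            else:
                data, truncated = dump[start:end + len(footer)], False
            results.append((name, start, data, truncated))
            pos = start + len(data)  # resume scanning after this carve
    results.sort(key=lambda r: r[1])
    return results


def carve_report(dump, signatures=SIGNATURES):
    """Hash every carve so the results can be matched against known files."""
    return [
        {"type": n, "offset": off, "size": len(d),
         "sha256": sha256_hex(d), "truncated": t}
        for n, off, d, t in carve(dump, signatures)
    ]


def build_sample_dump():
    """Constructed stand-in for a physical-memory image (not a real dump):
    zero padding, a JPEG-shaped blob, a PNG-shaped blob, junk bytes, and a
    JPEG whose tail pages never made it into the image (no footer)."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 64 + b"IEND\xae\x42\x60\x82"
    torn_jpg = b"\xff\xd8\xff\xe1" + b"T" * 40
    dump = b"\x00" * 4096 + jpg + b"\x00" * 512 + png + b"\x90" * 1000 + torn_jpg
    return dump, jpg, png


if __name__ == "__main__":
    sample, _, _ = build_sample_dump()
    for entry in carve_report(sample):
        print(entry)
```

Two limits of naive header/footer carving are worth keeping in mind when reading the report: a JPEG with an embedded EXIF thumbnail contains an inner FFD9, so the carve stops at the thumbnail's end rather than the real one, and a three-byte header such as FFD8FF will also match inside random data, so carves should be validated (parsed, or at least hashed and compared) before being treated as evidence.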

== Analysis support libraries/tools ==

Additional tools and libraries meant to be used in combination with existing frameworks or tools.

* [https://github.com/ShaneK2/Reloc Reloc] - Queries a hosted server that holds over 200,000 fragments of PE relocation data, which can be used to transform executables extracted from memory back into their original, on-disk state by undoing the loader's base relocations. An exact recovery of the original file can then be rebuilt from a dump and its secure hash (SHA-256, etc.) compared against the known-good file, to check that the code in memory carries no backdoor or other malicious patch. The comparison only covers what was recovered: pages that were paged out at acquisition time are absent from the dump, and loader writes outside the relocation data (the import address table, for example) have to be accounted for separately.
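
Undoing base relocations, the transformation that Reloc's relocation fragments make possible, as an added example written for this page (it is not Reloc's code and does not talk to its server). The example assumes the image was dumped in its memory layout, so an RVA is a buffer offset; that the .reloc data is supplied separately (constructed here, fetched from the server in Reloc's case); and that the preferred and actual load bases are known. The sample image, the mixed DIR64/HIGHLOW fixups and all function names are assumptions of the example.

```python
import hashlib
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute pointer
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute pointer


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_reloc_blocks(reloc):
    """Yield (rva, type) for every fixup described by raw .reloc data.
    Each IMAGE_BASE_RELOCATION block is: DWORD page RVA, DWORD SizeOfBlock
    (header included), then WORD entries with the type in the high 4 bits
    and the offset within the page in the low 12 bits."""
    off = 0
    while off + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, off)
        if size < 8 or off + size > len(reloc):
            raise ValueError("malformed relocation block")
        for i in range((size - 8) // 2):
            (entry,) = struct.unpack_from("<H", reloc, off + 8 + 2 * i)
            typ, page_off = entry >> 12, entry & 0xFFF
            if typ != IMAGE_REL_BASED_ABSOLUTE:
                yield page_rva + page_off, typ
        off += size


def apply_delta(image, reloc, delta):
    """Add delta to every relocated pointer of a memory-layout image. The
    loader effectively does this with actual - preferred; passing the
    negated delta reverses it."""
    buf = bytearray(image)
    for rva, typ in parse_reloc_blocks(reloc):
        if typ == IMAGE_REL_BASED_HIGHLOW:
            (v,) = struct.unpack_from("<I", buf, rva)
            struct.pack_into("<I", buf, rva, (v + delta) & 0xFFFFFFFF)
        elif typ == IMAGE_REL_BASED_DIR64:
            (v,) = struct.unpack_from("<Q", buf, rva)
            struct.pack_into("<Q", buf, rva, (v + delta) & 0xFFFFFFFFFFFFFFFF)
        else:
            raise ValueError(f"unsupported relocation type {typ}")
    return bytes(buf)


def unrelocate(image, reloc, actual_base, preferred_base):
    """Reverse the fixups the loader applied when mapping at actual_base."""
    return apply_delta(image, reloc, preferred_base - actual_base)


def matches_known_good(image, reloc, actual_base, preferred_base, expected_sha256):
    """True if the un-relocated image hashes to the known-good on-disk value;
    any in-memory patch to a byte inside the image makes this False."""
    restored = unrelocate(image, reloc, actual_base, preferred_base)
    return sha256_hex(restored) == expected_sha256


def build_sample():
    """Constructed image, not a real PE: two 0x1000-byte pages holding three
    absolute pointers (two DIR64, one HIGHLOW, mixed only to exercise both
    paths) and the .reloc blocks that describe them."""
    preferred, actual = 0x140000000, 0x7FF6A0000000
    img = bytearray(0x2000)
    struct.pack_into("<Q", img, 0x10, preferred + 0x1200)
    struct.pack_into("<Q", img, 0x1008, preferred + 0x30)
    struct.pack_into("<I", img, 0x1100, (preferred + 0x1000) & 0xFFFFFFFF)
    reloc = struct.pack("<IIHH", 0x0000, 12,
                        (IMAGE_REL_BASED_DIR64 << 12) | 0x010, IMAGE_REL_BASED_ABSOLUTE)
    reloc += struct.pack("<IIHH", 0x1000, 12,
                         (IMAGE_REL_BASED_DIR64 << 12) | 0x008,
                         (IMAGE_REL_BASED_HIGHLOW << 12) | 0x100)
    return bytes(img), reloc, preferred, actual


if __name__ == "__main__":
    original, reloc, preferred, actual = build_sample()
    loaded = apply_delta(original, reloc, actual - preferred)  # what the loader did
    print("on-disk hash:", sha256_hex(original))
    print("dump restores to on-disk file:",
          matches_known_good(loaded, reloc, actual, preferred, sha256_hex(original)))
```

A hash mismatch after un-relocation points at a modification, but locating it still means diffing the restored image against the known-good file; and because only bytes present in the dump are compared, a clean match says nothing about pages that were paged out when the image was acquired.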