SANS Digital Forensics and Incident Response Blog: Category - Memory Analysis

Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 2)

In Part 1 of this post, I showed you how to acquire the contents of physical RAM from a Mac OS X computer using ATC-NY's Mac Memory Reader, and did some simple analysis using strings and grep searches. Today I'll provide a few more examples of what evidence can be found in a Mac OS X memory dump and how to extract it using file carving techniques.


Extracting Event Logs or Other Memory Mapped Files from Memory Dumps

Since Windows Event Logs are mapped into the memory space of the services.exe process (which hosts the Event Log service on Windows XP and 2003), it's relatively simple, now that analysis tools such as Memoryze/Audit Viewer from Mandiant or Volatility from Volatile Systems are available, to extract them from a memory dump for analysis. This comes in quite handy if the data on the hard disk is unavailable, for example because the drive could not be imaged or the on-disk log has been cleared.

You can do this in either Volatility or Audit Viewer. I'll cover the Volatility method first. (If you need to get and install Volatility from scratch, I recommend Jamie

...
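The carving idea runs through both the Mac Memory Reader Part 2 post above (pulling artifacts out of a raw RAM image with file carving) and this one (Event Log records that live in memory). As an added example, and not code from either post, from Volatility or from Memoryze, the Python below carves classic NT-format (.evt) Event Log records out of a raw memory image by their "LfLe" signature and validates each candidate against the EVENTLOGRECORD layout before parsing it. The memory image, record numbers, source names, event IDs and insertion strings are all constructed inline for illustration.

```python
import struct
from datetime import datetime, timezone

# Fixed 56-byte EVENTLOGRECORD header of the classic NT/2000/XP/2003 .evt format:
# Length, Reserved ("LfLe"), RecordNumber, TimeGenerated, TimeWritten, EventID,
# EventType, NumStrings, EventCategory, ReservedFlags, ClosingRecordNumber,
# StringOffset, UserSidLength, UserSidOffset, DataLength, DataOffset.
# After the header come SourceName and ComputerName (NUL-terminated UTF-16LE),
# the SID, the insertion strings, binary data, padding and a trailing copy of Length.
HEADER = struct.Struct("<IIIIIIHHHHIIIIII")
EVT_MAGIC = b"LfLe"                 # the Reserved field, 0x654C664C little-endian
EVT_MAGIC_VALUE = 0x654C664C


def read_wstr(buf, off, limit):
    """Read a NUL-terminated UTF-16LE string; return (text, offset past the terminator)."""
    end = off
    while end + 1 < limit and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(dump, start, max_record):
    """Parse one record whose Length field sits at `start`; None if it fails validation."""
    if start < 0 or start + HEADER.size > len(dump):
        return None
    (length, magic, recnum, t_gen, _t_wri, event_id, ev_type, num_strings,
     _cat, _flags, _closing, str_off, _sid_len, _sid_off, _data_len,
     _data_off) = HEADER.unpack_from(dump, start)
    if magic != EVT_MAGIC_VALUE or length < HEADER.size + 4 or length > max_record:
        return None
    end = start + length
    # The record ends with a second copy of Length. A candidate whose tail is
    # missing (paged out, or sitting on a non-adjacent physical page) fails this
    # check and is skipped instead of being parsed into garbage.
    if end > len(dump) or struct.unpack_from("<I", dump, end - 4)[0] != length:
        return None
    source, nxt = read_wstr(dump, start + HEADER.size, end - 4)
    computer, _ = read_wstr(dump, nxt, end - 4)
    strings, off = [], start + str_off
    for _ in range(num_strings):
        if off >= end - 4:
            break
        s, off = read_wstr(dump, off, end - 4)
        strings.append(s)
    return {
        "offset": start,
        "record_number": recnum,
        # Event Viewer shows only the low 16 bits; the high bits carry severity/facility.
        "event_id": event_id & 0xFFFF,
        "event_type": ev_type,
        "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc).isoformat(),
        "source": source,
        "computer": computer,
        "strings": strings,
    }


def carve_evt_records(dump, max_record=0x10000):
    """Return every validated EVENTLOGRECORD found in a raw memory image."""
    records = []
    pos = dump.find(EVT_MAGIC)
    while pos != -1:
        rec = parse_record(dump, pos - 4, max_record)   # Length precedes the magic
        if rec is not None:
            records.append(rec)
        pos = dump.find(EVT_MAGIC, pos + 4)
    return records


def build_record(recnum, event_id, source, computer, strings, ts=0x4C000000):
    """Constructed test record in .evt layout (synthetic data, not a real log)."""
    names = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in (source, computer))
    ins = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    str_off = HEADER.size + len(names)
    data_off = str_off + len(ins)
    length = HEADER.size + len(names) + len(ins) + 4
    pad = (-length) % 8                      # real records are 8-byte aligned
    length += pad
    hdr = HEADER.pack(length, EVT_MAGIC_VALUE, recnum, ts, ts, event_id, 4,
                      len(strings), 0, 0, 0, str_off, 0, 0, 0, data_off)
    return hdr + names + ins + b"\x00" * pad + struct.pack("<I", length)


# Constructed "memory image": two intact records, one truncated record whose tail
# was never captured, a stray "LfLe" inside unrelated data, and filler bytes.
SAMPLE_DUMP = (
    b"\xCC" * 37
    + build_record(101, 528, "Security", "WKS01", ["jdoe", "WKS01", "2"])
    + b"\x00" * 11
    + b"xxLfLe--"
    + build_record(103, 592, "Security", "WKS01", ["cmd.exe"])[:64]
    + b"\x00" * 16
    + build_record(102, 7036, "Service Control Manager", "WKS01",
                   ["Windows Update", "running"])
    + b"\xFF" * 9
)

if __name__ == "__main__":
    for r in carve_evt_records(SAMPLE_DUMP):
        print(f"{r['offset']:#010x} #{r['record_number']} {r['time_generated']} "
              f"{r['source']} id={r['event_id']} {r['strings']}")
```

Two caveats for real images. First, this is the NT-era .evt layout; Vista and later write .evtx, a binary-XML format with a different signature and structure. Second, carving a physical memory image only recovers records whose bytes are contiguous in the capture, which is why the trailing-Length check drops candidates that straddle non-adjacent pages; a tool that reconstructs the services.exe virtual address space first, as Volatility does, sees those records intact.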


Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 1)

A simple how-to on capturing the contents of physical RAM on a Mac OS X computer using Mac Memory Reader. I will demonstrate how incident responders can do a simple analysis of the resulting binary file using strings, a hex editor and foremost.


Digital Forensics Case Leads: Capturing Mac Memory, the Shifting Threat Landscape, Forensics Tool Updates, and Zero Day: A Novel

This week's edition of Case Leads features new and updated forensics tools, a report on changes in attack patterns, a novel from what may seem like an unlikely source and thoughts on timestamp manipulations. The ability to create a memory image on OS X has been lacking until now. A recently released report suggests that …


A Quick Look at Volatility 1.4 RC1 - What's New?

Volatility is a popular framework for memory forensics. The upcoming 1.4 release introduces a number of changes, including support for Windows 7 and enhanced plugins for malware analysis.