SANS Digital Forensics and Incident Response Blog: Category - Memory Analysis

Live Memory Forensic Analysis

As memory forensics has become better understood and more widely accomplished, tools have proliferated. More importantly, the capabilities of the tools have greatly improved. Traditionally, memory analysis has been the sole domain of Windows internals experts, but recent tools now make analysis feasible for the rank and file forensic examiner. Better interfaces, documentation, and built-in … Continue reading Live Memory Forensic Analysis


Digital Forensics Case Leads: Pwn2Own 2011 underway

Last week I was in Boston teaching SANS FOR 408: Computer Forensic Essentials, now renamed to Windows Forensics In-Depth. Thank you to all those in my class, it was fun. Huge thanks to my facilitator, Mike. I mention the course here, because I had a mix of students from experienced veterans to those brand new … Continue reading Digital Forensics Case Leads: Pwn2Own 2011 underway


Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 2)

In Part 1 of this post, I showed you how to acquire the contents of physical RAM of a Mac OS X computer using ATC-NY's Mac Memory Reader, and did some simple analysis using strings and grep searches. Today I'll provide a few more examples of what evidence can be found in a Mac OS X memory dump and how to extract it using file carving techniques. Continue reading Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 2)


Extracting Event Logs or Other Memory Mapped Files from Memory Dumps

Since Windows Event Logs are actually mapped into the memory space of the services.exe process, it's relatively simple, now that appropriate analysis tools such as Memoryze/Auditviewer from Mandiant, or Volatility from Volatile Systems are available, to extract them from a memory dump for analysis. This can come in quite handy if the data from the HD is unavailable for some reason.

You can do this in either Volatility or in Auditviewer. I'll cover the Volatility method to start. (If you need to get and install Volatility from scratch, I recommend Jamie

...


Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 1)

A simple how-to on capturing contents of physical RAM on Mac OS computer using Mac Memory Reader. I will demonstrate how incident responders can do a simple analysis on the resulting binary file using strings, a hex-editor and foremost. Continue reading Mac OS Forensics How-To: Simple RAM Acquisition and Analysis with Mac Memory Reader (Part 1)