Live Memory Acquisition for Windows Operating Systems, Naja Davis


8/9/2019 Live Memory Acquisition for Windows Operating Systems, Naja Davis

Live Memory Acquisition for Windows Operating Systems: Tools and Techniques for Analysis

Cover Page and Abstract

The live acquisition of volatile memory (RAM) is an area in digital forensics that has not garnered much attention until most recently. The importance of the contents of physical memory has always taken a back seat to what is considered more important: the contents of physical media. However, a great deal of information can be acquired from RAM analysis which is unavailable during most typical forensic acquisition and analysis. This paper will take a look at the different tools available to the forensic examiner for memory acquisition and how to analyze the resulting data.

Naja Davis
Eastern Michigan University
IA 328

Table of Contents

Cover Page and Abstract
I. Introduction
II. Scope
III. Tools for live memory acquisition
    Hardware-based solutions
        Tribble
        Firewire
    Software-based solutions
        Limitations of software-based acquisition
        DD (data dumper)
        Nigilant32
        ProDiscover IR
        KntDD
        Microsoft Crash Dump
IV. Memory Analysis
    Basics: What does an investigator need to know?
    Tools
V. Acquisition
    Suggested Procedures for Live Acquisition
VI. Test Case, Step by Step
VII. Conclusion
Appendix A
References

I. Introduction

Until recently, the acquisition of volatile memory (RAM) has been practiced mainly by those involved in live incident response and largely ignored by those in the field. Memory acquisition from a live system requires specialized hardware or software; not all forensic utilities can access the \\.\PhysicalMemory object in Windows. The analysis of the resulting image file also requires specialized scripts and knowledge to be able to interpret the data. These two factors make memory acquisition and analysis more difficult than traditional forensic hard drive examinations; it requires a greater amount of care than the common method of pulling the power and preserving the crime scene.

However, with the advent of Microsoft Vista and BitLocker (Microsoft's answer to full disk encryption) and the increasing sophistication of malware, rootkits, and other viruses, live memory analysis has become even more important to the field of computer forensics. Important data such as passwords, IP addresses, what processes were running, and other data that might not be stored on the hard drive can be retrieved from a memory dump or image. Malware and rootkits often leave traces in resident memory that cannot be found by analyzing a hard drive image.

The Digital Forensic Research Workshop (DFRWS) [1] issued a memory analysis challenge in the summer of 2005 to encourage research and tool development in live memory acquisition. This challenge produced two winners, Chris Betz and the team of George M. Garner, Jr. and Robert-Jan Mora, who developed tools to complete the challenge. Memparser [2], Chris Betz's winning entry, reconstructs process lists and extracts information from process memory. Garner and Mora developed kntlist, which enables an examiner to dump the physical memory from Windows and extract information from the resulting file. These two works have spurred interest in the field of live memory acquisition and the issues surrounding it.

II. Scope

All tools and procedures in this document apply only to the Windows family of operating systems, including Windows 2000, XP, Vista, and Server 2003.

III. Tools for live memory acquisition

Hardware-based solutions

Tribble

The Tribble [3] was introduced in February 2004 in the Digital Investigation Journal by Brian Carrier and Joe Grand, of Grand Idea Studio, Inc. The Tribble is a hardware expansion card which can be used to retrieve the contents of physical memory. It is a PCI expansion card designed to be installed on a server before the event, with a switch that is enabled when the investigator wants to capture data.

This method of acquisition has its strengths and limitations. As a hardware device, the Tribble can access physical memory without introducing any software onto the target system, minimizing the impact on the data being retrieved. However, it must be installed prior to the incident, making it somewhat inconvenient for on-the-fly acquisition. It is also still a proof-of-concept device and not widely available.

Firewire

The second hardware solution available for live memory acquisition is through the use of a Firewire device. Firewire devices use direct memory access (DMA), without having to go through the CPU. The memory mapping is performed in hardware without going through the host operating system, which allows not only for high-speed transfers but also bypasses the problem with some versions of Windows that do not allow memory to be accessed from User mode.

Adam Boileau [4] developed software using Python to extract physical memory from a system on Linux. This tool can be used on Windows systems as well, by tricking Windows into giving the user DMA by masquerading as an iPod. This method is more convenient than the aforementioned Tribble device, as most systems today have Firewire ports available (usually built right into the motherboard). The current problem with this method is an issue with the Upper Memory Area (UMA) which causes some systems to suffer crashes during the acquisition process [5].

Software-based solutions

Limitations of software-based acquisition

With the release of Service Pack 2 for Windows XP, the \\.\PhysicalMemory object is no longer accessible from user mode. This is also true for Windows Vista and Windows Server 2003 (Service Pack 1): it can only be accessed via kernel mode drivers. As such, some utilities which may have worked in the past will no longer work on these versions of Windows. They may still apply to earlier or unpatched versions, however.

One issue that the forensic investigator needs to remain mindful of during live memory acquisition with software-based tools is the potential change to data during the acquisition process. Due to the volatile nature of RAM, introducing any new software onto the system may change the data which currently resides in memory. The memory introduced to the system will displace the data that previously occupied that space. The image acquired may also present a smeared picture of the data, since the system is live and pages are changing as the acquisition progresses. This is certainly not ideal for forensically sound acquisition and subsequent analysis and must be given due consideration, particularly when evidentiary rules and standards apply.

DD (data dumper)

DD, better known as the data dumper tool from UNIX, is probably familiar to most forensic investigators as a tool for creating forensic images of hard drives and is included in many open source forensic utilities such as Helix (http://www.e-fense.com/helix/). The DD format is also supported by most major forensic applications. Forensic Acquisition Utilities (FAU) [6] uses a modified version of the data dumper tool which is capable of accessing the \\.\PhysicalMemory object in Windows. Unfortunately FAU will only work on versions earlier than Windows XP Service Pack 2, Windows Vista, or Server 2003 Service Pack 1, as it accesses the PhysicalMemory object from user mode. (Note: The most recent version of FAU does not include a version of DD that works for memory acquisition; previous versions are still viable, however.) Also, not all versions of DD will allow access to the \\.\PhysicalMemory object.

Nigilant32

Nigilant32 [7] is a tool developed by Agile Risk Management that allows an investigator to preview a hard disk, image memory, and take a snapshot of currently running processes and open ports on the target system. Nigilant32 has a small footprint, using less than 1MB in memory when loaded, supporting Agile's claim of minimal impact during acquisition. The program is currently in beta; however, it is free to download and use off of their website.

ProDiscover IR

Technology Pathways' forensic acquisition tool, ProDiscover [8], is an incident response tool that allows investigation of a live system anywhere on the network. The investigation can include imaging of physical media or memory; however, use of this tool requires a server applet to be installed on the target system prior to acquisition via removable storage media such as a USB drive or CD. This requirement makes this particular tool not as desirable a choice for field acquisition and perhaps better suited to a corporate network environment. (Note: This tool is restricted by the kernel mode driver requirement for accessing \\.\PhysicalMemory in certain versions of Windows.)

KntDD

KntDD is a memory acquisition tool developed by George Garner (also responsible for the Forensic Acquisition Toolkit) as a part of KntTools [9]. Garner developed KntTools in response to the restriction of accessing \\.\PhysicalMemory from User mode, and it supports Windows 2000 through Vista. Images can be acquired to a local removable drive or across the network. It also allows the investigator to convert a raw image to Microsoft crash dump format, so the data can be analyzed using the Microsoft Debugging Tools. This tool is only available to law enforcement or security professionals.

Microsoft Crash Dump

Analyzing crash dumps is another way to obtain information on the contents of RAM. Unlike other software methods of memory acquisition, the image obtained by a crash dump is an unaltered copy of the contents of a system's memory at the time the crash occurred. There is no introduction of software to the system that will alter the contents of memory. The drawback to this method is that crash dumps only occur when there is a problem with the system. There is a method to induce a crash dump; however, it requires an entry in the registry along with a reboot before it is usable [10], rendering it ineffective for field acquisition.

Despite this shortcoming, it is still important for an investigator to be familiar with crash dumps as they can provide valuable information about a system. Not all versions of Windows generate full crash dumps, and some may generate smaller sized dumps. These files can be analyzed with the Windows Debugging Tools [11] and can give the investigator a means to practice and become familiar with memory analysis.

IV. Memory Analysis

Basics: What does an investigator need to know?

The EProcess structure is what represents a process on a Windows system. It includes information on the different attributes of the process along with pointers to other attributes and data structures which are related to it. However, the EProcess block structure varies between operating systems, including between different versions of Windows. Typically, the offsets vary from version to version. It is important to make note of the version of Windows that the memory image or dump is taken from, as this will affect what tools you may be able to use to extract information. This can be done manually; however, it requires a bit more in-depth knowledge of Windows memory management than this paper covers. Harlan Carvey has written a Perl script [12], osid.pl, which will identify the operating system of an image.

The EProcess block contains the process environment block (PEB), which is very valuable to a forensic investigator in that it includes pointers to the loader data, such as modules used by the process. This is particularly useful in malware or rootkit analysis, but can also help present a clearer picture as to what exactly was going on in the system at the time in question.

The PEB also shows us where the image of the executable lies, the DLL paths, and the command line used to launch the process.

One issue that investigators need to be aware of when examining an image of memory is that most likely it is not a complete picture. Windows memory management uses virtual addressing, which assigns pointers to the true location of the physical data. According to Jesse Kornblum in his "Using every part of the buffalo in Windows memory analysis" [13], most memory analysis tools use a naive form of translation where pages with invalid pointers are ignored. Memory pages which have been swapped out due to paging will not show up in a memory dump, although they are on the system in the pagefile. All the tools tested in this paper do not (as far as this author is aware) include the pagefile. There are tools in development to address this issue, although none are publicly available (yet).
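The translation step described above, as an added example that is not part of the paper or of any tool it names: a 32-bit non-PAE x86 page-table walk (page directory, then page table, then the 4 KB page) run over a constructed physical-memory image. The image layout, the Directory Table Base value and the page contents are all made up for the demo; PAE and x64 use deeper paging structures and are not covered. A virtual page whose entry has the present bit clear resolves to nothing, which is the pagefile gap the paragraph describes.

```python
"""
Added example (not from the paper): minimal x86 32-bit non-PAE virtual-to-
physical translation over a constructed memory image. Shows that a page whose
page-table entry is not present (paged out) cannot be read from the dump.
"""
import struct

PAGE_SIZE = 0x1000
FLAG_PRESENT = 0x1        # bit 0 (P) of a PDE/PTE: mapping is valid in RAM
FLAG_LARGE_PAGE = 0x80    # bit 7 (PS) of a PDE: maps a 4 MB page directly


class PhysicalImage:
    """A raw memory dump plus the Directory Table Base (CR3) of one process."""

    def __init__(self, data: bytes, dtb: int) -> None:
        self.data = data
        self.dtb = dtb

    def read_u32(self, paddr: int) -> int:
        if paddr < 0 or paddr + 4 > len(self.data):
            raise ValueError(f"physical address {paddr:#x} outside the image")
        return struct.unpack_from("<I", self.data, paddr)[0]

    def vtop(self, vaddr: int):
        """Walk page directory -> page table; return a physical address or None."""
        pde_index = (vaddr >> 22) & 0x3FF
        pte_index = (vaddr >> 12) & 0x3FF
        pde = self.read_u32(self.dtb + pde_index * 4)
        if not pde & FLAG_PRESENT:
            return None                       # no page table for this 4 MB region
        if pde & FLAG_LARGE_PAGE:
            return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
        pte = self.read_u32((pde & 0xFFFFF000) + pte_index * 4)
        if not pte & FLAG_PRESENT:
            return None                       # paged out: lives in pagefile.sys, not in the dump
        return (pte & 0xFFFFF000) | (vaddr & 0xFFF)

    def read_virtual(self, vaddr: int, length: int):
        """Read a virtual range page by page.

        Returns (data, missing_pages). Unresolvable pages are zero-filled and
        their virtual page addresses listed; a naive tool silently drops them.
        """
        out = bytearray()
        missing = []
        cur, end = vaddr, vaddr + length
        while cur < end:
            chunk = min(end - cur, PAGE_SIZE - (cur & 0xFFF))
            paddr = self.vtop(cur)
            if paddr is None:
                missing.append(cur & ~0xFFF)
                out += b"\x00" * chunk
            else:
                out += self.data[paddr:paddr + chunk]
            cur += chunk
        return bytes(out), missing


def build_sample_image() -> PhysicalImage:
    """Construct a 32 KB 'physical memory' with one page directory and one page table."""
    mem = bytearray(8 * PAGE_SIZE)
    dtb, page_table, data_page = 0x1000, 0x2000, 0x3000    # constructed locations
    # PDE 1 covers virtual 0x00400000-0x007FFFFF and points at the page table.
    struct.pack_into("<I", mem, dtb + 1 * 4, page_table | FLAG_PRESENT)
    # PDE 2 maps virtual 0x00800000-0x00BFFFFF as one large page at physical 0.
    struct.pack_into("<I", mem, dtb + 2 * 4, 0x00000000 | FLAG_LARGE_PAGE | FLAG_PRESENT)
    # PTE 0: virtual 0x00400000 is resident at physical 0x3000.
    struct.pack_into("<I", mem, page_table + 0 * 4, data_page | FLAG_PRESENT)
    # PTE 1: virtual 0x00401000 has been paged out (present bit clear).
    struct.pack_into("<I", mem, page_table + 1 * 4, 0x00000000)
    mem[data_page:data_page + 12] = b"notepad.exe\x00"     # constructed page content
    mem[0x5000:0x5004] = b"PAGE"                            # reachable via the large page
    return PhysicalImage(bytes(mem), dtb)


if __name__ == "__main__":
    img = build_sample_image()
    data, missing = img.read_virtual(0x00400FF8, 16)
    print(data, [hex(p) for p in missing])   # second half is zero-filled, page 0x401000 missing
```

The `missing` list is the information a naive translator throws away; an examiner who records it knows which part of a carved buffer came from the dump and which part is a gap, instead of trusting zero-filled bytes as evidence.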

Tools

Due to the diligence of the computer forensics community, there are quite a few tools available to the investigator with which to analyze memory dumps. Some technical knowledge or familiarity with command line interaction is recommended, as many of the available tools are scripts which must be executed from a command prompt. There are only a few tools which have a GUI interface.

The following is a list of tools which can be used to extract process and other information from memory dumps (links to download locations are included in Appendix A of this document):

Tool: Lsproc.pl
    Operating System: Windows 2k
    What it does: Locates processes
    Requirements: Perl (http://www.perl.org)

Tool: Lspd.pl
    Operating System: Windows 2k
    What it does: Lists details of processes
    Requirements: Perl (http://www.perl.org)

Tool: Osid.pl
    Operating System: Any Windows
    What it does: Identifies OS of memory image
    Requirements: Perl (http://www.perl.org)

Tool: PoolFinder (part of PoolTools)
    Operating System: Windows 2k, XP
    What it does: Finds allocations of OS kernel in memory dump and pagefile
    Requirements: Perl (http://www.perl.org)

Tool: PoolGrep (part of PoolTools)
    Operating System: Windows 2k, XP
    What it does: Finds strings in pool allocations
    Requirements: Perl (http://www.perl.org)

Tool: PoolDump (part of PoolTools)
    Operating System: Windows 2k, XP
    What it does: Hex dump of all allocations for a selected class
    Requirements: Perl (http://www.perl.org)

Tool: PTFinder
    Operating System: Windows 2k, XP
    What it does: Includes all scripts in PoolTools as well as osid.pl, but has a GUI. Produces graphical output of processes and threads.
    Requirements: Perl (http://www.perl.org); Graphviz (http://www.graphviz.org/) and ZGRViewer (http://zvtm.sourceforge.net/zgrviewer.html) to view the generated graphic file.

Tool: FTimes
    Operating System: Windows NT, XP, 2K
    What it does: Comprehensive toolkit with various memory analysis functions.
    Requirements: If running in a Windows environment, you will need Visual Studio in order to compile and run the code. Requires advanced user knowledge.

Tool: Volatility
    Operating System: Windows NT, XP, 2K
    What it does: Comprehensive toolkit with various memory analysis functions.
    Requirements: Needs Python to run. This can be accomplished in the Windows environment by installing Cygwin (http://www.cygwin.com/).

The above tools mainly deal with process information, which is where the bulk of memory forensic analysis has been focused. Other data can be extracted from a memory image as well, such as usernames, passwords, and email addresses. A good string search utility, such as find.exe or strings.exe, is essential. Forensic tools such as AccessData's Forensic Toolkit [14] can be used to data carve to retrieve documents, graphic files, or web pages. One important note about data carved from memory images is to keep in mind that the data was retrieved under volatile conditions. As such, files retrieved from memory may be degraded due to the data not being static. This is illustrated by the following picture, carved from a test memory image:

[Figure: picture carved from a test memory image, showing degradation]

V. Acquisition

Due to the volatile nature of live forensics, an investigator needs to develop a standard set of procedures. This is important not only to ensure that the investigator knows exactly what to do when arriving on the scene, but also so there are no unexpected consequences since the system is live: unintentionally changing data on the target system could invalidate the acquired evidence and also cause it to be inadmissible in a court of law. Before attempting a live acquisition, an investigator should test their toolset(s) extensively, under varying conditions (VMware [15] is excellent for this).

Suggested Procedures for Live Acquisition:

1. Document all steps. This is not only important for evidentiary reasons, but also for the investigator's own reference.

2. Is the system locked? If so, that will change the acquisition process. If you cannot obtain a password for access, then live acquisition may not be possible. Currently, no software utilities can image \\.\PhysicalMemory without full access.

3. Do not close any windows or close any documents/programs; leave them running. By closing a window or program you may be terminating a process, which will affect what is occurring on the system at that time.

4. Limit the acquisition process to as few steps as possible when it comes to interacting with the target system; fewer steps = less impact on the system.

5. Use tools that have as small a footprint as possible. Nigilant32 (this author's recommended choice) uses less than 1MB of memory; Helix uses 17MB.

VI. Test Case, Step-by-Step

Test system: VMware, Windows XP Professional Service Pack 2
Intel Dual Core Processor 2.6 MHz
512MB RAM
Tool used for image acquisition: Nigilant32

Desktop before live acquisition:

[Screenshot: desktop before live acquisition]

AOL Instant Messenger can be seen running.

1. For this acquisition I chose to use a USB thumb drive for storing the image. Investigators should remember to wipe media thoroughly before each acquisition, so remnants of data from previous images are not a factor in analysis.

After inserting your CD with the Nigilant software on it, browse to My Computer and explore the drive (if it doesn't already open due to AutoRun). Run the Nigilant32 executable and go to Tools > Snapshot Computer. This option will enumerate the currently running processes, users, and open ports and allow the investigator to save this data to a plain text file. Save the text file to your thumb drive, naming it appropriately. You can also enumerate processes via other scripts after image acquisition, if you wish to validate this output.

Note: You can put the Nigilant executable on the thumb drive and run it from there; however, be mindful if your data will be used as evidence. It may be best to burn it to a CD with your other memory acquisition tools, so there is no question as to the integrity of your image.

2. After saving the text file, browse to Tools > Image Physical Memory. A prompt will appear; click on Start.

[Screenshot: Image Physical Memory prompt]

You will be prompted to choose a location and name for your image.

[Screenshot: choosing a location and name for the image]

Acquiring physical memory takes a bit of time, as with normal data acquisition. A progress indicator will appear to let you know how far along you are:

[Screenshot: acquisition progress indicator]

3. After the image is complete, close the Nigilant software. Unfortunately, Nigilant does not have an ability to hash the image file after acquisition; the investigator will have to do this before beginning analysis.

4. Before beginning analysis, the investigator should make another copy of the memory image to work on; never work on the original media! Since this isn't like a hard drive acquisition, there is no original physical media; the image we just made is the original. For evidentiary purposes, it is a good practice to hash the original media (the thumb drive) and the memory image and make a working copy of the memory image before proceeding with analysis.
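Steps 3 and 4 as an added example, not code from the paper or from Nigilant32: hash the acquired image, make a working copy, prove the copy matches bit for bit, write-protect the original, and append a chain-of-custody record. The file names, the log format and the image bytes are constructed for the demo; the hashing is the standard streaming approach so a multi-gigabyte image does not have to fit in memory.

```python
"""
Added example (not from the paper): hash an acquired memory image, make and
verify a working copy, guard the original, and log the event. Paths, the log
layout and the image contents are constructed for the demo.
"""
import datetime
import hashlib
import json
import os
import shutil
import tempfile

CHUNK_SIZE = 1024 * 1024          # read large images in 1 MB pieces
ALGORITHMS = ("md5", "sha256")    # MD5 for comparison with older tools, SHA-256 as the real check


def hash_file(path: str) -> dict:
    """Return {algorithm: hexdigest}, streaming so a multi-GB image never sits in RAM."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path: str, expected: dict) -> bool:
    """True only if every recorded digest still matches the file on disk."""
    return hash_file(path) == expected


def make_working_copy(original: str, working: str, custody_log: str) -> dict:
    """Copy the original image, prove the copy matches, and log the event."""
    original_hashes = hash_file(original)
    shutil.copyfile(original, working)
    if not verify_image(working, original_hashes):
        os.remove(working)
        raise RuntimeError("working copy does not match the original image")
    os.chmod(original, 0o444)     # the image IS the original evidence: make it read-only
    record = {
        "timestamp_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "original": original,
        "working_copy": working,
        "size_bytes": os.path.getsize(original),
        **original_hashes,
        "verified": True,
    }
    with open(custody_log, "a", encoding="utf-8") as log:   # constructed JSON-lines log
        log.write(json.dumps(record) + "\n")
    return record


def demo() -> dict:
    """Run the workflow on a constructed stand-in for memory.dd, then show tamper detection."""
    workdir = tempfile.mkdtemp(prefix="memacq_")
    original = os.path.join(workdir, "memory.dd")
    with open(original, "wb") as f:
        f.write(b"\x00" * CHUNK_SIZE + b"constructed image tail")   # spans two read chunks
    record = make_working_copy(original,
                               os.path.join(workdir, "memory_working.dd"),
                               os.path.join(workdir, "custody.log"))
    # Simulate an accidental write to the working copy; the recorded digests catch it.
    with open(record["working_copy"], "r+b") as f:
        f.write(b"\xff")
    expected = {name: record[name] for name in ALGORITHMS}
    record["tamper_detected"] = not verify_image(record["working_copy"], expected)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hash the thumb drive (the physical carrier) the same way with `hash_file` on its block device, and re-run `verify_image` against the logged digests whenever the image changes hands.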

5. As discussed earlier, memory analysis differs from hard drive analysis in that even slight changes in operating system version (Windows 2k vs. Windows XP) will determine which tools will be the most effective. Nigilant32 has done a lot of the work for us already, by providing us with a snapshot of the OS version, running processes, users, and open network ports:

[Screenshot: Nigilant32 snapshot output]

An investigator could verify output by running another analysis tool and enumerating the processes. I will demonstrate this here by using PTFinder:

[Screenshot: PTFinder options dialog]

PTFinder is a GUI interface for Andreas Schuster's PoolTools. Once you've chosen your dump file and options, it will generate a text file and a graphic file of the running processes. We are only interested in the text file at this time. After clicking Execute you will be prompted to run a batch file; click Yes.

A DOS prompt will open up:

[Screenshot: PTFinder batch file running in a DOS prompt]

When the analysis is complete, PTFinder will close on its own.

The resulting text file looks like this:

[Screenshot: PTFinder text output]

The output from PTFinder is not as clean as what you will see from Nigilant, but provides more than enough information to compare running processes. Note: PTFinder will not provide network information or users, only process information.
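The comparison step 5 calls for, as an added example that is not part of the paper: parse the live snapshot and the list carved from the image into PID-to-name maps and report every discrepancy. Both text blocks are constructed samples in a simplified layout; they are not the real output formats of Nigilant32 or PTFinder, so the two line patterns are assumptions you would adapt to the actual files.

```python
"""
Added example (not from the paper): cross-check a live process snapshot
against a process list carved from the memory image. The sample texts and
their line layouts are constructed, not real Nigilant32 or PTFinder output.
"""
import re

LIVE_SNAPSHOT = """\
Running processes (constructed sample, not real Nigilant32 output)
PID    Name
4      System
568    smss.exe
1124   explorer.exe
1500   aim.exe
"""

CARVED_LIST = """\
# constructed sample, not real PTFinder output
No.  PID   PPID  Offset(P)   Name
1    4     0     0x01b0f020  System
2    568   4     0x01c2a3a0  smss.exe
3    1124  1084  0x01d44da0  explorer.exe
4    1500  1124  0x01e01668  aim.exe
5    1888  1124  0x01e55020  updater.exe
"""

# Assumed line layouts for the two constructed formats above.
LIVE_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")
CARVED_LINE = re.compile(r"^\s*\d+\s+(\d+)\s+\d+\s+0x[0-9a-fA-F]+\s+(\S+)\s*$")


def parse_process_lines(text: str, pattern: re.Pattern) -> dict:
    """Map PID -> image name, skipping header and comment lines that don't match."""
    procs = {}
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def cross_check(live: dict, carved: dict) -> dict:
    """Compare the two views; anything not in both deserves a closer look."""
    return {
        "only_in_live": {pid: live[pid] for pid in live.keys() - carved.keys()},
        "only_in_carved": {pid: carved[pid] for pid in carved.keys() - live.keys()},
        "name_mismatch": {pid: (live[pid], carved[pid])
                          for pid in live.keys() & carved.keys()
                          if live[pid].lower() != carved[pid].lower()},
    }


def run_demo() -> dict:
    live = parse_process_lines(LIVE_SNAPSHOT, LIVE_LINE)
    carved = parse_process_lines(CARVED_LIST, CARVED_LINE)
    return cross_check(live, carved)


if __name__ == "__main__":
    for category, entries in run_demo().items():
        print(f"{category}: {entries or 'none'}")
```

A process that appears in the carved list but not in the live snapshot is either one that had already exited (pool scanning also finds process blocks that are no longer linked) or one that was hidden from the live enumeration; either way it is the discrepancy the investigator records and follows up on rather than a result to discard.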

6. Now that we have process information, we can proceed with analyzing the image file with other tools. In this case, we will use Forensic Toolkit:

[Screenshot: Forensic Toolkit analyzing the memory image]

After analyzing the image the investigator can examine carved data and perform string searches as with a normal image file.

VII. Conclusion

While there are many tools available for live memory acquisition and analysis, it is still a relatively new endeavor in the area of digital forensics; many of the tools and techniques developed thus far are still in the growing phase and require refinement. Today's computer forensic investigator, in order to be successful, will need to be well informed and be intimately familiar with the internal workings of Windows memory management in order to acquire a complete picture of memory from an evidentiary standpoint. Thankfully there have been many forensic investigators, such as Harlan Carvey, Andreas Schuster, and Mariusz Burdach, who have started along the path and created a foundation for others to build upon. As the tools become better and the procedures more sound, examiners will have a new weapon in their arsenal to utilize during forensic investigations.

Appendix A

Lsproc.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
Lspd.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
Osid.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
PoolTools (PoolFinder, PoolGrep, PoolDump): http://computer.forensikblog.de/en/2007/11/pooltools_1_3_0.html
PTFinder: http://computer.forensikblog.de/en/2006/03/ptfinder_0_2_00.html
FTimes: http://ftimes.sourceforge.net/FTimes/
Volatility: https://www.volatilesystems.com/VolatileWeb/volatility.gsp
References

1. Digital Forensics Research Workshop, DFRWS, http://www.dfrws.org/. [Accessed March 15, 2008]
2. C. Betz, Memparser, http://sourceforge.net/projects/memparser. [Accessed March 15, 2008]
3. B. D. Carrier and J. Grand, "A Hardware-Based Memory Acquisition Procedure for Digital Investigations," Journal of Digital Investigations, March 2004.
4. A. Boileau, Firewire and DMA, March 2008, http://www.storm.net.nz/projects/16. [Accessed March 16, 2008]
5. A. Vidstrom, Memory dumping over Firewire: UMA Issues, http://www.ntsecurity.nu/onmymind/2006/2006-09-02.html. [Accessed March 16, 2008]
6. G. Garner, Forensic Acquisition Utilities, November 2007, http://gmgsystemsinc.com/fau/. [Accessed March 20, 2008]
7. Agile Risk Management, Nigilant32, http://www.agilerm.net/publications_4.html. [Accessed March 20, 2008]
8. Technology Pathways, ProDiscover IR, http://www.techpathways.com/ProDiscoverIR.htm. [Accessed March 20, 2008]
9. GMG Systems, Inc., KntTools with KntList, http://www.gmgsystemsinc.com/knttools/. [Accessed March 20, 2008]
10. Microsoft, Inc., Windows feature lets you generate memory dump file by using the keyboard, December 2007, http://support.microsoft.com/kb/244139. [Accessed March 21, 2008]
11. Microsoft, Inc., Debugging Tools for Windows Overview, http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx. [Accessed March 21, 2008]
12. J. Kornblum, "Using every part of the buffalo in Windows memory analysis," Digital Investigation, vol. 4, issue 1, pp. 24-29, March 2007.
13. H. Carvey, Windows Forensic Analysis, Burlington, MA: Syngress Publishing, 2007.
14. AccessData, Forensic Toolkit 2.0, http://www.accessdata.com/Products/ftk2test.aspx. [Accessed March 22, 2008]
15. VMware, VMware Server, http://www.vmware.com/products/server/. [Accessed April 8, 2008]