« March 2006 | Main | May 2006 »

Library

Data Lifetime

I was quite surprised to actually see parts of the main memory survive a reboot for the first time. Well, Farmer and Venema were not the first to describe this. Here are two more interesting papers on that topic.

Memory analysis

Reconstructing a Binary (2)

If you followed through the first part of this tutorial, you might wonder if there shouldn't be a simpler way to extract the binary. Of course there is one.

Memory analysis

New Tools

Over the weekend Harlan Carvey released two tools for analyzing full memory dumps of computers running Microsoft Windows 2000.

Lab

TULP2G version 1.3.0.3

The Netherlands Forensic Institute has just released a new version of TULP2G. This program acquires and analyzes data from mobile phones.

Memory analysis

Persistence Through the Boot Process

In their book Forensic Discovery, Dan Farmer and Wietse Venema discuss the persistence of information in main memory. However, I hadn't seen traces of a process surviving a reboot until I analyzed the images of the DFRWS Memory Analysis Challenge.

Memory analysis

Reconstructing a Binary (1)

It is possible to reconstruct the program binary of a process from a memory dump. This enables you to scan the binary for viruses even if it has been deleted from disk. This article outlines the process.
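
The central step in rebuilding a binary from memory is undoing what the loader did: in memory, sections sit at their SectionAlignment virtual addresses; on disk they sit at their FileAlignment raw offsets. The following is an added example, not code from this article or from the tools it describes. It assumes the process's image has already been extracted as one contiguous buffer in virtual-address order (the topic of the "Reconstructing the Process Memory" post), scans that buffer for MZ/PE headers, and writes the sections back to their on-disk offsets. The sample image is constructed inline as a minimal PE32 with two sections; real images additionally need pages that were paged out (and are therefore absent from the dump) accounted for, and import tables patched by the loader will differ from the original file.

```python
import struct

# Constructed sample: a minimal PE32 image laid out as the loader would map it
# (headers in the first page, sections at SectionAlignment boundaries).
SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200
PE_OFFSET = 0x80          # e_lfanew: offset of the "PE\0\0" signature
SAMPLE_TEXT = b"\x55\x8b\xec\x90\xc3"      # push ebp; mov ebp,esp; nop; ret
SAMPLE_DATA = b"hello from memory\x00"


def build_sample_image():
    """Return a constructed in-memory PE32 image (0x3000 bytes, two sections)."""
    # name, VirtualAddress, SizeOfRawData, PointerToRawData, content
    sections = [(b".text", 0x1000, 0x200, 0x200, SAMPLE_TEXT),
                (b".data", 0x2000, 0x200, 0x400, SAMPLE_DATA)]
    dos = bytearray(PE_OFFSET)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, PE_OFFSET)
    # COFF header: Machine, NumberOfSections, stamp, symtab ptr, nsyms, opt size, flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    struct.pack_into("<I", opt, 32, SECTION_ALIGN)
    struct.pack_into("<I", opt, 36, FILE_ALIGN)
    struct.pack_into("<I", opt, 56, 0x3000)        # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)         # SizeOfHeaders
    sect_hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(content), va,
                    raw_size, raw_off, 0, 0, 0, 0, 0x60000020)
        for name, va, raw_size, raw_off, content in sections)
    headers = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sect_hdrs
    image = bytearray(0x3000)
    image[:len(headers)] = headers
    for _, va, _, _, content in sections:
        image[va:va + len(content)] = content     # loader places sections at VA
    return bytes(image)


def find_pe_images(buf):
    """Offsets in buf where an MZ header's e_lfanew points at a PE signature."""
    hits = []
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and buf[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def rebuild_file_from_image(buf, base=0):
    """Rebuild the on-disk file from the image mapped at buf[base:].

    Copies the headers verbatim, then moves every section from its
    VirtualAddress (memory layout) to its PointerToRawData (file layout).
    Returns (file_bytes, [(name, virtual_address, raw_offset, raw_size), ...]).
    """
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    pe = base + e_lfanew
    if buf[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at offset 0x%x" % pe)
    num_sections = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24
    size_of_headers = struct.unpack_from("<I", buf, opt + 60)[0]
    sect = opt + opt_size
    out = bytearray(buf[base:base + size_of_headers])
    layout = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", buf, sect + i * 40)
        chunk = buf[base + va:base + va + raw_size]   # truncated if dump ends early
        end = raw_off + raw_size
        if len(out) < end:
            out.extend(b"\x00" * (end - len(out)))
        out[raw_off:raw_off + len(chunk)] = chunk
        layout.append((name.rstrip(b"\x00").decode(), va, raw_off, raw_size))
    return bytes(out), layout


if __name__ == "__main__":
    # Constructed "process memory": zero pages around the mapped image.
    mem = b"\x00" * 0x5000 + build_sample_image() + b"\x00" * 0x1000
    for off in find_pe_images(mem):
        data, layout = rebuild_file_from_image(mem, off)
        print("image at 0x%x -> %d-byte file" % (off, len(data)))
        for name, va, raw_off, raw_size in layout:
            print("  %-6s VA 0x%04x -> file 0x%04x (%d bytes)" % (name, va, raw_off, raw_size))
```

The rebuilt file can then be handed to an antivirus scanner or a disassembler even though the original was deleted from disk. Because SizeOfRawData, not VirtualSize, is copied, the result keeps the padding the original file had, which matters when comparing hashes against a known-good copy.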

Memory analysis

Reconstructing the Process Memory

For certain examinations it might be helpful to extract the memory of a single process from the full dump. If the dump was obtained with "dd", reconstructing the process' memory is quite simple.
