Memory analysis

Microsoft Kernel Memory Space Analyzer

Microsoft has just released version 8.1 of its Kernel Memory Space Analyzer to the public. This program provides a lot of help when analyzing Windows memory dumps in DMP format.

Two files are available for download: a software package and a PowerPoint presentation providing some documentation.

The presentation describes all the somewhat unusual steps needed to install the analyzer. First the debugger has to be installed. Then the analyzer archive is unpacked into a directory of its own. Finally, some files and subdirectories have to be copied into the debugger's directory.

The analyzer comes in two versions. kadbg.exe runs in text mode and is therefore best suited to being called from batch scripts. If you're running the analyzer for the first time, I recommend kanalyze.exe. This wizard will guide you through the process. First you'll have to select the dump file to be analyzed. Unfortunately, dumps of systems running Windows Vista and Longhorn are not (yet) supported.
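Before handing a dump to the analyzer (and waiting for the analysis to run), it helps to know what is inside the file. The following is an added example, not code from the original post or from Microsoft's tool: it reads the first 0x40 bytes of a DMP file and reports bitness, OS build, CPU count and bugcheck code. The field offsets are assumed from the DUMP_HEADER32/DUMP_HEADER64 layout published in the DDK headers, and the sample header used for checking is constructed inline.

```python
import struct

# Field offsets in the kernel dump header, from the DUMP_HEADER32 / DUMP_HEADER64
# layout in the DDK (assumed here; the analyzer's own parser is not public).
_FIELDS = {
    b"DUMP": {"MinorVersion": 0xC, "MachineImageType": 0x20,
              "NumberProcessors": 0x24, "BugCheckCode": 0x28},
    b"DU64": {"MinorVersion": 0xC, "MachineImageType": 0x30,
              "NumberProcessors": 0x34, "BugCheckCode": 0x38},
}
# Build numbers stored in MinorVersion, mapped to the release they belong to.
_KNOWN_BUILDS = {2195: "Windows 2000", 2600: "Windows XP",
                 3790: "Windows Server 2003", 6000: "Windows Vista"}

def parse_dump_header(data: bytes) -> dict:
    """Return bitness, OS build, machine type, CPU count and bugcheck code."""
    if len(data) < 0x40 or data[:4] != b"PAGE":
        raise ValueError("missing PAGE signature: not a Windows kernel crash dump")
    valid = data[4:8]
    if valid not in _FIELDS:
        raise ValueError(f"unknown dump flavour {valid!r}")
    off = _FIELDS[valid]
    u32 = lambda o: struct.unpack_from("<I", data, o)[0]
    return {"bitness": 64 if valid == b"DU64" else 32,
            "build": u32(off["MinorVersion"]),
            "machine": u32(off["MachineImageType"]),
            "cpus": u32(off["NumberProcessors"]),
            "bugcheck": u32(off["BugCheckCode"])}

def describe_build(build: int) -> str:
    return _KNOWN_BUILDS.get(build, f"unknown build {build}")

def make_header(valid: bytes, build: int, machine: int, cpus: int, bugcheck: int) -> bytes:
    """Constructed sample header for this example; not taken from a real dump."""
    off = _FIELDS[valid]
    buf = bytearray(0x40)
    buf[0:4], buf[4:8] = b"PAGE", valid
    struct.pack_into("<I", buf, 0x8, 0xF)  # MajorVersion: 0xF marks a free build
    for name, value in (("MinorVersion", build), ("MachineImageType", machine),
                        ("NumberProcessors", cpus), ("BugCheckCode", bugcheck)):
        struct.pack_into("<I", buf, off[name], value)
    return bytes(buf)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        info = parse_dump_header(f.read(0x40))
    print(f"{info['bitness']}-bit dump, {describe_build(info['build'])}, "
          f"{info['cpus']} CPU(s), bugcheck 0x{info['bugcheck']:X}")
```

Run it as `python dumpinfo.py memory.dmp`; a build of 6000 tells you up front that the analyzer will not accept the file.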

If you've worked with the debugger before then there's most likely a local symbol store located somewhere on your hard disk. Please press the "Symbol/Image..." button and point the analyzer to the proper directories. This will prevent the analyzer from downloading the symbols again and hence save you a lot of time and disk space.

Press "Next" to start the analysis. Depending on CPU speed, available memory and the size of the dump file, this may take anywhere from a few minutes to half an hour. Add some extra time if the analyzer has to fetch debug symbols from Microsoft's symbol server. At any time, "Show Details" will tell you the current state of the analysis.

As soon as the automated analysis job ends, the analyzer offers to let you browse the results or switch to its console. Of course, the results can also be saved to a "backing store file" for later review.

Microsoft's Kernel Memory Space Analyzer provides a clean overview over a memory dump's contents.

The detailed analysis provides a clean overview of the kernel memory. It lists all the kernel's objects, categorized by class. Please keep in mind that the analyzer aims at a developer's needs, not those of a forensic examiner. So it's unlikely that the analyzer will point you to any evidence of a terminated process or a closed file. However, in my opinion it is still useful and a convenient way to explore a new memory dump.

Comments

Mr. Andreas Schuster
Ptfinder is a great program!!! About two weeks ago I created a Front End to Ptfinder. I call it PtfinderFE. The program is a little large because I had to write it in Visual Basic (the only programming language I know well). Basically it creates a BAT file. The BAT file runs and eventually moves the PTFINDER output files (.dot, .jpg and .txt) into the directory that you have your .dmp file in.

With your permission I'd like to post this program (for free) on the web (in a couple of weeks on a new URL). I can also make a Front End in German.

Your program has already changed the way we collect forensic evidence at my work. Thank you.

Richard McQuown
