The upcoming issue of Digital Investigation (Vol. 3, Issue 4) will contain an interesting article by Nick L. Petroni, AAron Walters, Timothy Fraser and William A. Arbaugh about their memory analysis tool FATKit. A preprint is available free of charge at the FATKit website.

FATKit (the name stands for Forensic Analysis Toolkit) is a framework for building memory analysis applications. The modular toolkit gives the examiner a layered view of volatile data: from the raw physical memory dump, through the virtual address space, up to the data structures of the operating system's kernel.

FATKit is driven by profiles of the operating system under examination, i.e. descriptions of the kernel's data structures, their field offsets and sizes. Such profiles exist for certain versions of Microsoft Windows and Linux. The framework is also capable of generating profiles from C source files. This powerful feature is obviously a big time-saver: according to the paper, the sources of the Linux 2.4.32 kernel span about 530,000 lines of code, from which FATKit extracts 1,100 data structures, described in about 11,000 lines.
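To make the two ideas above concrete (the layered view from the previous paragraph and the source-derived profile from this one), here is a small added example in Python. It is my own illustration, not FATKit's code: a profile generator that reads C struct declarations and computes field offsets, a two-layer address space (raw dump plus a page map that stands in for the real page tables), and a reader that overlays a profiled structure on a virtual address and walks a circular task list. The target is assumed to be 32-bit little-endian with 4 KiB pages; the `task_struct` declaration, the page map and the three-page memory image are constructed for the example and only loosely modelled on Linux 2.4.

```python
import re
import struct

PAGE_SIZE = 4096  # assumption: 4 KiB pages, 32-bit little-endian target

# Size and struct-module code for each supported C base type (ILP32 assumption).
BASE_TYPES = {
    "char": ("b", 1), "unsigned char": ("B", 1),
    "short": ("h", 2), "unsigned short": ("H", 2),
    "int": ("i", 4), "unsigned int": ("I", 4),
    "long": ("i", 4), "unsigned long": ("I", 4),
}
POINTER_CODE, POINTER_SIZE = "I", 4

STRUCT_RE = re.compile(r"struct\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
FIELD_RE = re.compile(r"^\s*([\w ]+?)\s*(\*?)\s*(\w+)\s*(?:\[(\d+)\])?\s*;", re.M)


def build_profile(source):
    """Derive {struct: {"size": n, "fields": {name: (offset, fmt)}}} from C source.

    Uses natural alignment. Bitfields, unions and nested structs by value are
    deliberately out of scope; a real generator works from the compiler's view."""
    source = re.sub(r"/\*.*?\*/|//[^\n]*", "", source, flags=re.S)  # strip comments
    profile = {}
    for sname, body in STRUCT_RE.findall(source):
        offset, fields, max_align = 0, {}, 1
        for ftype, star, fname, count in FIELD_RE.findall(body):
            if star:                       # any pointer, whatever it points to
                code, size = POINTER_CODE, POINTER_SIZE
            elif ftype in BASE_TYPES:
                code, size = BASE_TYPES[ftype]
            else:
                raise ValueError(f"unsupported type {ftype!r} in struct {sname}")
            offset = (offset + size - 1) // size * size      # align to element size
            n = int(count) if count else 1
            fmt = f"{n}s" if (count and code in "bB") else f"{n}{code}"  # char[] -> bytes
            fields[fname] = (offset, fmt)
            offset += n * size
            max_align = max(max_align, size)
        profile[sname] = {"size": (offset + max_align - 1) // max_align * max_align,
                          "fields": fields}
    return profile


class PhysicalAddressSpace:
    """Layer 1: the raw physical memory dump."""
    def __init__(self, image):
        self.image = image

    def read(self, paddr, length):
        if paddr + length > len(self.image):
            raise ValueError(f"read past end of image at {paddr:#x}")
        return self.image[paddr:paddr + length]


class VirtualAddressSpace:
    """Layer 2: virtual addresses translated through a page map.

    page_map (virtual page number -> physical page number) stands in for the
    page-table walk a real tool performs. Reads are split at page boundaries,
    since adjacent virtual pages are rarely adjacent in the dump."""
    def __init__(self, phys, page_map):
        self.phys, self.page_map = phys, page_map

    def read(self, vaddr, length):
        out = bytearray()
        while length:
            vpn, off = divmod(vaddr, PAGE_SIZE)
            if vpn not in self.page_map:
                raise ValueError(f"virtual page {vpn:#x} not mapped (paged out or invalid)")
            chunk = min(length, PAGE_SIZE - off)
            out += self.phys.read(self.page_map[vpn] * PAGE_SIZE + off, chunk)
            vaddr, length = vaddr + chunk, length - chunk
        return bytes(out)


def read_struct(space, profile, sname, vaddr):
    """Layer 3: overlay a profiled kernel structure on the virtual address space."""
    layout = profile[sname]
    raw = space.read(vaddr, layout["size"])
    result = {}
    for fname, (offset, fmt) in layout["fields"].items():
        value = struct.unpack_from("<" + fmt, raw, offset)
        result[fname] = value[0] if len(value) == 1 else value
    return result


def walk_task_list(space, profile, head, limit=1000):
    """Follow next_task around the circular list; the seen-set and limit guard
    against corrupted pointers that would otherwise loop forever."""
    tasks, seen, addr = [], set(), head
    while addr not in seen and len(tasks) < limit:
        seen.add(addr)
        task = read_struct(space, profile, "task_struct", addr)
        tasks.append(task)
        addr = task["next_task"]
    return tasks


# Constructed sample input: a cut-down task_struct and a fake 3-page dump.
KERNEL_SOURCE = """
struct task_struct {           /* constructed, loosely modelled on Linux 2.4 */
    unsigned long state;
    unsigned long flags;
    int pid;
    struct task_struct *next_task;
    char comm[16];
};
"""
TASK_A, TASK_B = 0xC0000FF0, 0xC0001100   # task A straddles a page boundary


def build_image():
    """Physical dump where virtual page 0xC0000 lives in physical page 2 and
    virtual page 0xC0001 in physical page 0, so task A is split across the dump."""
    pack = lambda st, fl, pid, nxt, comm: struct.pack("<IIiI16s", st, fl, pid, nxt, comm)
    image = bytearray(3 * PAGE_SIZE)
    blob_a = pack(0, 0x40, 1, TASK_B, b"init")
    image[2 * PAGE_SIZE + 0xFF0:3 * PAGE_SIZE] = blob_a[:16]
    image[0:16] = blob_a[16:]
    image[0x100:0x120] = pack(1, 0, 1234, TASK_A, b"sshd")
    return bytes(image), {0xC0000: 2, 0xC0001: 0}


def demo():
    profile = build_profile(KERNEL_SOURCE)
    image, page_map = build_image()
    space = VirtualAddressSpace(PhysicalAddressSpace(image), page_map)
    return [(t["pid"], t["comm"].rstrip(b"\0").decode())
            for t in walk_task_list(space, profile, TASK_A)]


if __name__ == "__main__":
    for pid, comm in demo():
        print(pid, comm)
```

The point of splitting task A across two physical pages is the one that bites most home-grown parsers: a structure that is contiguous in the kernel's virtual address space is not contiguous in the dump, so every read has to go through the translation layer. Swapping in a real profile (as FATKit generates from the kernel sources) or a real page-table walker changes only the first and second layer; the structure reader and the list walk stay the same.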

I don't know if a similar function already exists for closed-source operating systems like Microsoft Windows. Even without access to the sources one could still pull lots of structure definitions from debug symbols (also known as Program Databases, PDB).

In my opinion FATKit has the potential to boost the development of sophisticated and user-friendly memory analysis tools. Let's hope it'll become publicly available soon.

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.