Category "Memory analysis"

Timers and Times

Microsoft Windows timer objects provide a means to execute code at a certain time or at a periodic interval. By analyzing timers, we can make some assumptions about a system's future behaviour.

Recent Advances in Memory Forensics

My slides from the ZISC Workshop 2010 on Digital Forensics and Security are now available. The speaker notes, unfortunately, are not. I hope my presentation on Recent Advances in Memory Forensics will be interesting anyway.

ZISC Workshop on Digital Forensics 2010

I'm excited to announce that I will speak at the ZISC 2010 Workshop on Digital Forensics and Security. I will report on the latest advancements in forensic memory analysis on Linux, Mac OS X and Microsoft Windows. The workshop will be held on September 13, 2010 at armasuisse in Berne, Switzerland.

Cross-view Analysis with Volatility

A cross-view analysis compares sets of objects that were enumerated at different API layers or using different techniques. Differences justify a closer examination, though they do not inevitably indicate malicious activity. The Volatility memory analysis framework has provided different enumeration methods, like list-walking and scanning, for quite a while. Comparing these lists, however, can be tedious at times. But it's easy to copy and paste some code into a new plugin and let the computer do all the hard work for you.

Memory Analysis with FTK 3

Four years ago, at the DFRWS 2005, the first tools to analyze Windows memory images were presented in public. These ideas and methods now gradually make it into commercial off-the-shelf forensic products. The latest tool that provides Windows memory analysis capabilities is AccessData's Forensic Toolkit 3.

More PTFinders

Csaba Barta has developed PTFinders for Windows Server 2003 SP2, Windows Server 2008 SP1 and the public beta version of Windows 7. Don't miss the other parts of his website.

Update of objtypescan plugin

My objtypescan plugin for Volatility crashed when it was unable to determine an object's virtual address in kernel space. This is fixed from version 0.4 on. Thanks to Vte. Javier Garcia Mayen for reporting the bug and providing me with extensive test data!

Reading Passwords from the Keyboard Buffer


The PC's BIOS, among many other functions, also provides a simple routine to read data in from the keyboard. Information about the keys pressed is stored in a ring buffer that provides space for about 16 characters. As Jonathan Brossard has shown in a paper presented at DEFCON 16, the buffer's contents may remain available for a while after they have been read by the BIOS. Chances are that BIOS or disk encryption software passwords can be recovered.

Searching for Mutants

I feel somewhat sorry for posting such a creepy title in spring. But don't worry, "mutant" is just how a mutex is called in the Windows kernel. A mutex helps to serialize access to a resource. Some applications employ a mutex to ensure that only a single instance is running. And that way, a mutex may lead us directly into the dark realms of some malware. Scary, isn't it?

Symbolic Link Objects

The concept of symbolic links is widely implemented in file systems. But there is also a symbolic link object for kernel objects. Generally, a symbolic link will make an object accessible under a different and probably much shorter name. But symbolic link objects also provide some forensic value.


This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.