Hello,
Im currently looking for a few helpful people who would be able to test my memory analysis tool for windows 7/XP x64bit and give some feedback, if there is any kinda souls who would be willing to do this.
Additionally before anyone asks, the tool is python based and the .py files for it will be provided.Although i'm aware now there are tool for this e.g. FTK 3.2 for example when i started the project this wasn't the case and volatility didn't support 64bit not along win7 when i started.
Features of the tool
Detects Windows 7/SP1 and Windows XP 64bit memory images
list of all processes
list of Dlls per process
output is generated as a XML allows for dumping a process from memory.
Requirements
Python 2.7
Tested on Windows 7 32bit & 64bit, Ubuntu 10.10 32bit & 64bit
Link
Project http//
Test image http//
Please note although i've tested it best i can with 4 different systems, im not 100% sure i've caught all bugs, if i haven't please let me know as such information is also useful to me.
–
If you do fill out the feedback form, can you send it to 08022151 [at] glam.ac.uk. otherwise please make a post here.
Regards
A final slightly stressed final year uni student.
I can help you out with this, i have a win7 x64 box that i can try this on when i get back home at the end of the week.
Thank Muirner, sorry for my own delayed reply my router went bang not shortly after posting this thread. ive decided to put a link in the above post so anyone else who is kind enough to review it, if they could fill out the feedback form that be great.
Are you aware of the Volatility project?
I am aware of Volatility project but as of starting my project back in 2010 and even to presetn, Volatility dose not support 64bit. which is what my project is based upon.
Indeed,
I guess my point was, have you considered contributing to the Volatility project )
Aaron from Volatility asked me that as well, but sadly when i started the project i didn't know enough about Python so decided to make a tool from scratch plus allowed me to learn about virtual to physical memory address translation for both 32bit and 64bit within windows.
Good work, I can test this for you but I am not in work again for another week. If thats ok?
Are you a university student, if so it is nice to see someone producing something other than a Facebook chatlog parser!
Thank CaptainF, that would be a great help.
And in reference to your question yes I'm a university student, I've been studying computer forensics this is last piece of work before my exam.
I've been hoping more be able to test my tool and provide feedback but its been hard to find people, id though here be a good place to look for testing but unfortunately ive only been lucky enough to get yours and another offer.
Hopfully a few more will be willing to test it, as all i require is them to fill out the feedback form and send it to me, ive even provided a copy of win64dd in it to make aquiring a memory dump and testing just require them to own a copy of windows XP 64bit or Windows 7 SP0 or SP1. but here is fingers crossed for more help )
I spotted you were a Uni student after I read the thread title for a second time, sorry for the stupid question!