Currently I'm working on my final-year project for university, and I'm making a tool that can read Windows 7 x64 + SP1 memory dumps, from which it produces a list of processes and DLLs per process; I'm just implementing sockets per process at the moment.
My question is a simple one: what information do you expect such a tool to provide? Additionally, here is a link to the information my tool currently gathers. Is there any other information that is not there that you'd expect to see?
http//
I believe the EnCase EnScript "Memory Forensic Toolkit" Version 1.42 does much of this already - although it would be interesting to have a different tool & approach.
http//
Personally, I would like to have a tool that helps me extract the data being used by a process and export it in a form that I could easily open and examine. I've had a good amount of success exporting spreadsheets from process VAD dumps as well as extracting password hashes, but exporting web pages and cloud-based documents (e.g. Google Docs & Microsoft Office Online) has been a bit messy. A tool that extracts the metadata (e.g. Google Docs revision data) as well would be nice too. Again, I've had success carving it out, but it's always nice to have a tool that makes it easier.
So that is my wish - a tool that does a nice job locating and extracting the data being used by a process. Oh yeah, and maybe a tool that extracts the registry files from a memory dump - if anyone knows how to do this with Volatility (e.g. using hivescan, hivelist, etc.) I'd love to know how.
EDIT - just found the registry extraction info http//
I expect it to work just like Volatility.
https://
Actually, when you read the EnScript code, it mentions that it is essentially Volatility re-written for EnCase.
Interestingly, I've found that Volatility will occasionally work when the EnScript won't on some memory dumps.
Ideally I'd like to add support to auto-export registry hives, but to be honest I've not looked at that yet, so thanks for mentioning it. As for auto-dumping process working memory/VAD etc., I've been looking into that and hoping to have support for it finished soon.
Thanks for your replies.
EDIT - just found the registry extraction info: http://www.slideshare.net/mooyix/sans-forensics-2009-memory-forensics-and-registry-analysis
Thanks for posting that. It's just what I needed. I've been trying to do this for the last week.