Hi all, I'm currently doing a project on RAM analysis in which I took a dd image of my RAM using Helix and then analyzed it with EnCase. With EnCase I've found some of the basic information such as Internet history, email addresses and some files that I created and deleted.
Aside from EnCase I've also used something called PTFinder, which is a Perl script. With this I was able to find the system processes at the time of capture.
However I've got to the stage where I don't know what else to look for. I've heard that other information can be pulled from physical memory such as user sessions, usernames and passwords, network connections, etc., but I don't know where to look and I'm not sure whether this type of info can be pulled from EnCase.
Basically I'm just curious: can EnCase retrieve this type of information? Are there other tools better suited for RAM analysis? And do you know of any blogs, websites, books, etc. that might help?
Any sort of feedback would be much appreciated as I seem to have hit a wall!
Thanks guys
Treebeard
Well, if your system is XP, Volatility would be a great resource… if not, you could use Mandiant's Memoryze tool.
I've heard that other information can be pulled from physical memory such as user sessions, usernames and passwords, network connections, etc., but I don't know where to look and I'm not sure whether this type of info can be pulled from EnCase.
This is basically a question of knowing about kernel data structures and where they can be located. I rather doubt that there is any official documentation (if there is, it can probably be found in MSDN), but I'm sure there is information to be found in MSDN and the SDK/DDK distributions, which only needs to be found and puzzled together, probably with lots of help from kernel debuggers and disassemblers.
Debug versions of Windows (part of the MSDN CD distribution) are also a useful source of information. (I see there's a listing of Vista kernel structures at nirsoft.net, for instance. Not sure if there's anything of immediate value there, though.)
Hibernation files are also a useful resource to complement RAM dumps.
Supporting tools and a very good knowledge of kernel architecture are probably basic requirements for this area of computer forensics.
As far as I know, there's no built-in support in EnCase for this type of analysis – it probably needs to be done by custom EnScripts.
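An added Python illustration (mine, not from this thread, PTFinder or Volatility) of the two ways process objects are recovered from a dump: carving by the _DISPATCHER_HEADER signature that PTFinder keys on, versus walking the ActiveProcessLinks list. It runs over a constructed, identity-mapped image and uses the 32-bit XP SP2/SP3 _EPROCESS offsets as I recall them from Volatility's XP profile, which are assumptions to verify against your own build's symbols; the process that carving finds but the list walk misses is the kind of discrepancy worth flagging.

```python
import struct

# 32-bit XP SP2/SP3 _EPROCESS offsets as in Volatility's XP profile (assumed; verify against your symbols)
OFF_TYPE, OFF_SIZE, OFF_PID, OFF_LINKS, OFF_NAME, EPROC_LEN = 0x00, 0x02, 0x84, 0x88, 0x174, 0x25C
PROC_TYPE, PROC_SIZE = 0x03, 0x1B  # _DISPATCHER_HEADER Type/Size of a process object

def make_eprocess(pid, name, flink, blink):
    """Constructed _EPROCESS blob carrying only the fields the scanner checks."""
    buf = bytearray(EPROC_LEN)
    buf[OFF_TYPE], buf[OFF_SIZE] = PROC_TYPE, PROC_SIZE
    struct.pack_into("<I", buf, OFF_PID, pid)
    struct.pack_into("<II", buf, OFF_LINKS, flink, blink)  # LIST_ENTRY {Flink, Blink}
    buf[OFF_NAME:OFF_NAME + 16] = name.encode()[:15].ljust(16, b"\x00")
    return bytes(buf)

def build_image():
    """Constructed 4 KiB 'dump', identity-mapped; System <-> smss.exe linked, hidden.exe unlinked."""
    a, b, c = 0x100, 0x400, 0x700
    img = bytearray(0x1000)
    img[a:a + EPROC_LEN] = make_eprocess(4, "System", b + OFF_LINKS, b + OFF_LINKS)
    img[b:b + EPROC_LEN] = make_eprocess(368, "smss.exe", a + OFF_LINKS, a + OFF_LINKS)
    img[c:c + EPROC_LEN] = make_eprocess(1337, "hidden.exe", 0, 0)
    return bytes(img), a

def scan_processes(img):
    """PTFinder-style carving: test every 8-byte-aligned offset for a plausible process header."""
    hits = []
    for off in range(0, len(img) - EPROC_LEN, 8):
        if img[off + OFF_TYPE] != PROC_TYPE or img[off + OFF_SIZE] != PROC_SIZE: continue
        pid = struct.unpack_from("<I", img, off + OFF_PID)[0]
        name = img[off + OFF_NAME:off + OFF_NAME + 16].split(b"\x00", 1)[0]
        # sanity checks on pid/name cut false positives from random bytes
        if pid == 0 or not name or not all(32 <= ch < 127 for ch in name): continue
        hits.append((off, pid, name.decode()))
    return hits

def walk_active_list(img, head_off, limit=256):
    pids, off = [], head_off  # pslist-style walk of ActiveProcessLinks from a known _EPROCESS
    for _ in range(limit):
        pids.append(struct.unpack_from("<I", img, off + OFF_PID)[0])
        flink = struct.unpack_from("<I", img, off + OFF_LINKS)[0]
        off = flink - OFF_LINKS  # Flink points at the next LIST_ENTRY, not at the object base
        if flink == 0 or off == head_off:
            break
    return pids

def hidden_processes(img, head_off):
    listed = set(walk_active_list(img, head_off))  # carved but not listed: unlinked or exited
    return [(pid, name) for _, pid, name in scan_processes(img) if pid not in listed]
```

On a real dump the list head comes from PsActiveProcessHead or the System process, and virtual addresses must be translated through the page tables rather than used as file offsets.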
Yeah, the OS I'm using is XP; I'll check out those resources and see what I can find. Thanks for the help!