Monday, September 12, 2005

Memory analysis

I mentioned this in an earlier post about using dd for memory dumping and analyzing the dump with strings, and how Harlan Carvey was blogging about using the MS Debugging Tools. How far do you think I got with the debugging tools? Yep, practically nowhere. The tools weren't intuitive, I'm not a programmer, and you have to have the machine preconfigured to make the kind of dump that the debugging tools can read. LAME!

So, where am I going with this? The Digital Forensic Research Workshop (DFRWS) held their conference in August, where they put on a forensic challenge based on memory analysis. Two entries received top showing on their website, and each contained custom-programmed tools to parse memory. The real question is whether they will be releasing these tools. Kntlist looks like it might be a commercial tool written by George M. Garner, but the more interesting tool (or possibly the easier one) is memparser, which rips through a memory dump and pulls out process lists and detailed info about individual processes. Check out the DFRWS site and look for the memory challenge results.

