Lecture 16 - CS4920: Automated Document and Media Exploitation (Fall 2008)

Naval Postgraduate School
Fall 2008

CS4920: Automated Document and Media Exploitation

Mon Nov 24, 2008

Memory Analysis

Seminar 15 << Seminar 16 >> Seminar 17

Today's outline:

What's up?

USB stuff
iRedact
Sector Discrimination
NIST test hard drives
tskmount
Timeline viewer
bulk_extractor:
- Unzip
- carving
Disk images

Today's Class:

Slides on Memory Analysis
Mapped file paper.
- Why is this useful? Caching.
Volatility
Volatile Systems Papers

Readings

Forensic Memory Analysis: Files mapped in memory, Ruud van Baar, DFRWS 2008, [slides]
The impact of Microsoft Windows pool allocation strategies on memory forensics, Andreas Schuster, DFRWS 2008 [slides]

Optional Readings

Forensic Memory Analysis: From Stack and Code to Execution History, Ali Reza Arasteh and Mourad Debbabi, DFRWS 2007
BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software, Bradley Schatz, DFRWS 2007
The VAD Tree: A Process-Eye View of Physical Memory, Brendan F Dolan-Gavitt, DFRWS 2007
Forensic Analysis of the Windows Registry in Memory, Brendan Dolan-Gavitt, DFRWS 2008 [slides]
Searching for Processes and Threads in Microsoft Windows Memory Dumps, Andreas Schuster, Deutsche Telekom AG, Germany, DFRWS 2006

Hot Links

http://volatility.tumblr.com/
http://www.cert.org/archive/pdf/08tn017.pdf