Skip to Main content Skip to Navigation
Conference papers

A Compiled Memory Analysis Tool

Abstract : The analysis of computer memory is becoming increasingly important in digital forensic investigations. Volatile memory analysis can provide valuable indicators on what to search for on a hard drive, help recover passwords to encrypted hard drives and possibly refute defense claims that criminal activity was the result of a malware infection. Historically, digital forensic investigators have performed live response by executing multiple utilities. However, using a single tool to capture and analyze computer memory is more efficient and has less impact on the system state (potential evidence). This paper describes CMAT, a self-contained tool that extracts forensic information from a memory dump and presents it in a format that is suitable for further analysis. A comparison of the results obtained with utilities that are commonly employed in live response demonstrates that CMAT provides similar information and identifies malware that is missed by the utilities.
Document type :
Conference papers
Complete list of metadata

Cited literature [18 references]  Display  Hide  Download
Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Tuesday, November 28, 2017 - 12:41:04 PM
Last modification on : Thursday, March 5, 2020 - 4:46:43 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



James Okolica, Gilbert Peterson. A Compiled Memory Analysis Tool. 6th IFIP WG 11.9 International Conference on Digital Forensics (DF), Jan 2010, Hong Kong, China. pp.195-204, ⟨10.1007/978-3-642-15506-2_14⟩. ⟨hal-01060619⟩



Record views


Files downloads