Skip to Main content Skip to Navigation
Conference papers

A Compiled Memory Analysis Tool

Abstract : The analysis of computer memory is becoming increasingly important in digital forensic investigations. Volatile memory analysis can provide valuable indicators on what to search for on a hard drive, help recover passwords to encrypted hard drives and possibly refute defense claims that criminal activity was the result of a malware infection. Historically, digital forensic investigators have performed live response by executing multiple utilities. However, using a single tool to capture and analyze computer memory is more efficient and has less impact on the system state (potential evidence). This paper describes CMAT, a self-contained tool that extracts forensic information from a memory dump and presents it in a format that is suitable for further analysis. A comparison of the results obtained with utilities that are commonly employed in live response demonstrates that CMAT provides similar information and identifies malware that is missed by the utilities.
Document type :
Conference papers
Complete list of metadata

Cited literature [18 references]  Display  Hide  Download

https://hal.inria.fr/hal-01060619
Contributor : Hal Ifip <>
Submitted on : Tuesday, November 28, 2017 - 12:41:04 PM
Last modification on : Thursday, March 5, 2020 - 4:46:43 PM

File

OkolicaP10.pdf
Files produced by the author(s)

Licence


Distributed under a Creative Commons Attribution 4.0 International License

Identifiers

Citation

James Okolica, Gilbert Peterson. A Compiled Memory Analysis Tool. 6th IFIP WG 11.9 International Conference on Digital Forensics (DF), Jan 2010, Hong Kong, China. pp.195-204, ⟨10.1007/978-3-642-15506-2_14⟩. ⟨hal-01060619⟩

Share

Metrics

Record views

193

Files downloads

221