Abstract : The analysis of computer memory is becoming increasingly important in digital forensic investigations. Volatile memory analysis can provide valuable indicators on what to search for on a hard drive, help recover passwords to encrypted hard drives and possibly refute defense claims that criminal activity was the result of a malware infection. Historically, digital forensic investigators have performed live response by executing multiple utilities. However, using a single tool to capture and analyze computer memory is more efficient and has less impact on the system state (potential evidence). This paper describes CMAT, a self-contained tool that extracts forensic information from a memory dump and presents it in a format that is suitable for further analysis. A comparison of the results obtained with utilities that are commonly employed in live response demonstrates that CMAT provides similar information and identifies malware that is missed by the utilities.
Kam-Pui Chow; Sujeet Shenoi. 6th IFIP WG 11.9 International Conference on Digital Forensics (DF), Jan 2010, Hong Kong, China. Springer, IFIP Advances in Information and Communication Technology, AICT-337, pp.195-204, 2010, Advances in Digital Forensics VI. 〈10.1007/978-3-642-15506-2_14〉
https://hal.inria.fr/hal-01060619
Contributeur : Hal Ifip
<>
Soumis le : mardi 28 novembre 2017 - 12:41:04
Dernière modification le : vendredi 29 décembre 2017 - 01:10:30
James Okolica, Gilbert Peterson. A Compiled Memory Analysis Tool. Kam-Pui Chow; Sujeet Shenoi. 6th IFIP WG 11.9 International Conference on Digital Forensics (DF), Jan 2010, Hong Kong, China. Springer, IFIP Advances in Information and Communication Technology, AICT-337, pp.195-204, 2010, Advances in Digital Forensics VI. 〈10.1007/978-3-642-15506-2_14〉. 〈hal-01060619〉
