A Compiled Memory Analysis Tool
Document Type
Conference Proceeding
Publication Date
1-1-2010
Abstract
The analysis of computer memory is becoming increasingly important in digital forensic investigations. Volatile memory analysis can provide valuable indicators of what to search for on a hard drive, help recover passwords to encrypted hard drives and possibly refute defense claims that criminal activity was the result of a malware infection. Historically, digital forensic investigators have performed live response by executing multiple utilities. However, using a single tool to capture and analyze computer memory is more efficient and has less impact on the system state (potential evidence). This paper describes CMAT, a self-contained tool that extracts forensic information from a memory dump and presents it in a format that is suitable for further analysis. A comparison of the results obtained with utilities that are commonly employed in live response demonstrates that CMAT provides similar information and identifies malware that is missed by the utilities. Abstract © Springer
DOI
10.1007/978-3-642-15506-2_14
Source Publication
IFIP Advances in Information and Communication Technology, vol. 337
Recommended Citation
Okolica, J., & Peterson, G. (2010). A Compiled Memory Analysis Tool. In K. P. Chow & S. Shenoi (Eds.), Advances in Digital Forensics VI. DigitalForensics 2010 (IFIP vol. 337, pp. 195–204). Berlin: Springer. https://doi.org/10.1007/978-3-642-15506-2_14
Comments
The "Link to Full Text" on this page loads the PDF of the chapter, furnished through the Springer Nature SharedIt content-sharing initiative. The publisher retains permissions to re-use and distribute this chapter in IFIP vol. 337.
© International Federation for Information Processing 2010