Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

I am currently writing a thesis about digital forensics which includes a chapter

ID: 660666 • Letter: I

Question

I am currently writing a thesis about digital forensics which includes a chapter about memory forensics. Besides the tools and the methods of acquiring various data with them, I am kind of desperate to find information about how these tools (eg Volatility) are actually working in theory. For example, how they identify offsets, processes, connections, differences in memory depending on the OS by looking at the raw dump or any other way.

How do memory analysis tools work? What method do they use? I can't seem to find much information about this.

Explanation / Answer

A lot of analysis tools look for known data structures (i.e., patterns) in memory that indicate a particular type of information.

For instance, malloc'd memory has header (and sometimes trailer) data that point forward and backward in memory to adjacent memory. Free'd memory pointers can jump around in memory if they aren't consolidated/coalesced.

Windows C++ applications have the notion of classes and a "this" pointer, which points to a class. The structure of C++ classes is known, so when one of these pointers is found a lot of information about the class can be derived. If it is a known class/data-type then it can be parsed relatively easily.

File's open in memory can be discovered by their "file signatures" (usually the first 3 or so bytes of the file). If those are found, some quick analysis can be done to determine if it's actually a legitimate file of that type or if it was dumb luck that those bytes occurred.

So, in general, many memory analysis tools look for known patterns in memory and/or hook into key datastructures within the kernel and then parse memory from there. Once you find code areas, you can "disassemble" them and find references (pointers) to other regions of memory. And following those you can find other data structures.

I hope that helps some.

Related Questions

I am currently reviewing the potentials of cloud computing regarding energy effi
Question #649002
I am currently sitting on step 1 of a project for digital electronics class and
Question #1834198
I am currently sitting on step 1 of a project for digital electronics class and
Question #1923275
I am currently studding OpengGL with OpenGL Supebible 5th edition. I\'ve found i
Question #655567
I am currently studying Simple Harmonicmotion I have a take home assigment that
Question #1738160
I am currently studying experimental analytical assays such as: 1. deletion anal
Question #3165705
I am currently studying kinetics and i missed these two questions on a test: 1.
Question #812789
I am currently taking a watson analytics online course and I got the following q
Question #3885713

Navigate

Previous
I am currently writing a project in C#, the only header file we could include is
Next
I am currently writing an essay and one part is a discussion about the effects o

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.