Explain any two memory analysis tools in detail.

Subject: Digital Forensics

Topic: System Investigation

Difficulty: High

1 Answer

1) Autopsy

Autopsy is a GUI-based open source digital forensic program to analyze hard drives and smartphones effectively. Autopsy is used by thousands of users worldwide to investigate what actually happened in the computer.

It’s widely used by corporate examiners and the military to investigate, and some of its features are:

• Email analysis

• File type detection

• Media playback

• Registry analysis

• Photo recovery from memory cards

• Extract geolocation and camera information from JPEG files

• Extract web activity from browsers

• Show system events in a graphical interface

• Timeline analysis

• Extract data from Android – SMS, call logs, contacts, etc.

• Extensive reporting, generating output in HTML and XLS file formats.

Memory forensics tools are used to acquire and/or analyze a computer's volatile memory (RAM). They are often used in incident response situations to preserve evidence in memory that would be lost when a system is shut down, and to quickly detect stealthy malware by directly examining the operating system and other running software in memory.

2) MoonSols Windows Memory Toolkit

It supports memory acquisition from 32-bit and 64-bit versions of Windows XP, 2003, 2008, Vista, 2008 R2, 7, and 8. Version 1.4 of the software is free. At the time of this writing, the most recent version is 2.0, which is available in Consultant, Enterprise, and Enterprise Plus licensing schemes. Here are a few of the features of the

• It supports hashing with MD5, SHA-1, and SHA-256.

• It includes a server component so you can transmit memory dumps across the network, with optional RC4 encryption and/or LZNT1 compression.

• It can map memory in three different ways, including the well-known use of \Device\PhysicalMemory.

• It can convert full memory dumps to Microsoft crash dumps, which you can then analyze using one of the Microsoft debuggers.

• It can convert hibernation files and crash dumps into raw memory dumps.

• DumpIt.exe combines win32dd.exe and win64dd.exe to provide memory dumps in a single click. You can still control options via the command line if you desire.
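The answer above describes two things a memory forensics workflow does: record hashes (MD5, SHA-1, SHA-256) of an acquired dump so its integrity can be verified later, and examine the raw image for evidence of what was running. The script below is an added illustration of both steps, written for this page; it is not code from Autopsy or from the MoonSols toolkit. It builds a small constructed stand-in for a raw RAM dump (deterministic filler bytes with a few planted ASCII artifacts, which is an assumption for the demo), records the digests the way an acquisition tool would, checks a copy against that record, then carves printable strings from the image and flags simple indicators (URLs, executable paths, the Run registry key), the same first-pass triage an examiner does with a strings-style scan before loading the dump into a full analysis tool.

```python
import hashlib
import random
import re

# Constructed artifacts planted in the sample image (assumption for the demo):
# the kind of command lines, file paths and URLs that sit in process memory.
PLANTED_ARTIFACTS = [
    b"C:\\Windows\\System32\\svchost.exe -k netsvcs",
    b"http://example.test/update.bin",
    b"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]


def build_sample_image(size=8192, seed=7):
    """Return a constructed raw-memory-style image: pseudo-random filler with
    NUL-terminated artifacts placed at fixed offsets. Not a real acquisition."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(size))
    offset = 512
    for artifact in PLANTED_ARTIFACTS:
        image[offset:offset + len(artifact) + 1] = artifact + b"\x00"
        offset += 1024
    return bytes(image)


def hash_image(image):
    """Compute the three digests an acquisition tool records alongside a dump."""
    return {name: hashlib.new(name, image).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def verify_image(image, recorded):
    """True only if every digest in the acquisition record matches this copy,
    i.e. the dump has not been altered since it was taken."""
    actual = hash_image(image)
    return all(actual[name] == digest for name, digest in recorded.items())


def extract_strings(image, min_len=8):
    """Carve runs of printable ASCII of at least min_len bytes (strings-style)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


# Simple triage patterns an examiner would look for in carved strings.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "executable_path": re.compile(r"[A-Za-z]:\\[^\s\"']+\.exe", re.IGNORECASE),
    "run_key": re.compile(
        r"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.IGNORECASE),
}


def find_indicators(strings):
    """Return (kind, matched_text) pairs for every string hitting a pattern."""
    hits = []
    for s in strings:
        for kind, pattern in INDICATOR_PATTERNS.items():
            match = pattern.search(s)
            if match:
                hits.append((kind, match.group()))
    return hits


if __name__ == "__main__":
    image = build_sample_image()
    record = hash_image(image)          # what the acquisition log would contain
    print("acquisition record:", record)
    print("copy verified:", verify_image(image, record))
    tampered = image[:-1] + bytes([image[-1] ^ 0xFF])
    print("tampered copy verified:", verify_image(tampered, record))
    for kind, text in find_indicators(extract_strings(image)):
        print(f"{kind:16s} {text}")
```

The hash record is computed once, at acquisition time, and every later copy of the dump is checked against it before analysis; a single flipped byte, as in the tampered copy above, fails verification. The string carving is deliberately crude (no decoding of process structures), which is why a real investigation follows it with a structure-aware tool, but it is enough to show why a dump preserves evidence that would vanish on shutdown.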
