%0 Conference Proceedings
%T A Compiled Memory Analysis Tool
%+ Air Force Institute of Technology
%A Okolica, James
%A Peterson, Gilbert
%< peer-reviewed
%( IFIP Advances in Information and Communication Technology
%B 6th IFIP WG 11.9 International Conference on Digital Forensics (DF)
%C Hong Kong, China
%Y Kam-Pui Chow; Sujeet Shenoi
%I Springer
%3 Advances in Digital Forensics VI
%V AICT-337
%P 195-204
%8 2010-01-04
%D 2010
%R 10.1007/978-3-642-15506-2_14
%K Live response
%K memory analysis
%K rootkit detection
%Z Computer Science [cs]/Digital Libraries [cs.DL]
%Z Conference papers
%X The analysis of computer memory is becoming increasingly important in digital forensic investigations. Volatile memory analysis can provide valuable indicators on what to search for on a hard drive, help recover passwords to encrypted hard drives and possibly refute defense claims that criminal activity was the result of a malware infection. Historically, digital forensic investigators have performed live response by executing multiple utilities. However, using a single tool to capture and analyze computer memory is more efficient and has less impact on the system state (potential evidence). This paper describes CMAT, a self-contained tool that extracts forensic information from a memory dump and presents it in a format that is suitable for further analysis. A comparison of the results obtained with utilities that are commonly employed in live response demonstrates that CMAT provides similar information and identifies malware that is missed by the utilities.
%G English
%2 https://inria.hal.science/hal-01060619/document
%2 https://inria.hal.science/hal-01060619/file/OkolicaP10.pdf
%L hal-01060619
%U https://inria.hal.science/hal-01060619
%~ IFIP-LNCS
%~ IFIP
%~ IFIP-AICT
%~ IFIP-AICT-337
%~ IFIP-TC
%~ IFIP-WG
%~ IFIP-TC11
%~ IFIP-DF
%~ IFIP-WG11-9