Live Memory Acquisition for Windows Operating Systems:
Tools and Techniques for Analysis
The live acquisition of volatile memory (RAM) is an area in digital forensics that has not garnered much attention until most recently. The importance of the contents of physical memory has always taken a back seat to what is considered more important: the contents of physical media. However, a great deal of information can be acquired from RAM analysis which is unavailable during most typical forensic acquisition and analysis. This paper will take a look at the different tools available to the forensic examiner for memory acquisition and how to analyze the resulting data.

Naja Davis
Eastern Michigan University
IA 328
Cover Page and Abstract
Table of Contents
Cover Page and Abstract
I. Introduction
II. Scope
III. Tools for live memory acquisition
    Hardware based solutions
        Tribble
        Firewire
    Software based solutions
        Limitations of software based acquisition
        DD (data dumper)
        Nigilant32
        ProDiscover IR
        KntDD
        Microsoft Crash Dump
IV. Memory Analysis
    Basics: What does an investigator need to know?
    Tools
V. Acquisition
    Suggested Procedures for Live Acquisition
VI. Test Case, Step by Step
VII. Conclusion
Appendix A
References
I. Introduction
Until recently, the acquisition of volatile memory (RAM) has been practiced mainly by those involved in live incident response and largely ignored by those in the field. Memory acquisition from a live system requires specialized hardware or software, since not all forensic utilities can access the \\.\PhysicalMemory object in Windows. The analysis of the resulting image file also requires specialized scripts and knowledge to be able to interpret the data. These two factors make memory acquisition and analysis more difficult than traditional forensic hard drive examinations; it requires a greater amount of care than the common method of pulling the power and preserving the crime scene.

However, with the advent of Microsoft Vista and BitLocker (Microsoft's answer to full disk encryption) and the increasing sophistication of malware, rootkits, and other viruses, live memory analysis has become even more important to the field of computer forensics. Important data such as passwords, IP addresses, what processes were running, and other data that might not be stored on the hard drive can be retrieved from a memory dump or image. Malware and rootkits often leave traces in resident memory that cannot be found by analyzing a hard drive image.

The Digital Forensic Research Workshop (DFRWS) [1] issued a memory analysis challenge in the summer of 2005 to encourage research and tool development in live memory acquisition. This challenge produced two winners, Chris Betz and the team of George M. Garner, Jr. and Robert-Jan Mora, who developed tools to complete the challenge. Memparser [2], Chris Betz's winning entry, reconstructs process lists and extracts information from process memory. Garner and Mora developed kntlist, which enables an examiner to dump the physical memory from Windows and extract information from the resulting file. These two works have spurred interest in the field of live memory acquisition and the issues surrounding it.
II. Scope
All tools and procedures in this document apply only to the Windows family of operating systems, including Windows 2000, XP, Vista, and Server 2003.
III. Tools for live memory acquisition
Hardware based solutions
Tribble
The Tribble [3] was introduced in February 2004 in the Digital Investigation Journal by Brian Carrier and Joe Grand, of Grand Idea Studio, Inc. The Tribble is a hardware expansion card which can be used to retrieve the contents of physical memory. It is a PCI expansion card designed to be installed on a server before the event, with a switch that is enabled when the investigator wants to capture data.

This method of acquisition has its strengths and limitations. As a hardware device, the Tribble can access physical memory without introducing any software onto the target system, minimizing the impact on the data being retrieved. However, it must be installed prior to the incident, making it somewhat inconvenient for on-the-fly acquisition. It is also still a proof-of-concept device and not widely available.
Firewire
The second hardware solution available for live memory acquisition is through the use of a Firewire device. Firewire devices use direct memory access (DMA), without having to go through the CPU. The memory mapping is performed in hardware without going through the host operating system, which allows not only for high-speed transfers but also bypasses the problem with some versions of Windows that do not allow memory to be accessed from user mode.

Adam Boileau [4] developed software using Python to extract physical memory from a system on Linux. This tool can be used on Windows systems as well, by tricking Windows into giving the user DMA by masquerading as an iPod. This method is more convenient than the aforementioned Tribble device, as most systems today have Firewire ports available (usually built right into the motherboard). The current problem with this method is an issue with the Upper Memory Area (UMA) which causes some systems to suffer crashes during the acquisition process [5].
Software based solutions
Limitations of software based acquisition
With the release of Service Pack 2 for Windows XP, the \\.\PhysicalMemory object is no longer accessible from user mode. This is also true for Windows Vista and Windows Server 2003 (Service Pack 1): it can only be accessed via kernel-mode drivers. As such, some utilities which may have worked in the past will no longer work on these versions of Windows. They may still apply to earlier or unpatched versions, however.

One issue that the forensic investigator needs to remain mindful of during live memory acquisition with software-based tools is the potential change to data during the acquisition process. Due to the volatile nature of RAM, introducing any new software onto the system may change the data which currently resides in memory. The memory introduced to the system will displace the data that previously occupied that space. The image acquired may also present a smeared picture of the data, since the system is live and pages are changing as the acquisition progresses. This is certainly not ideal for forensically sound acquisition and subsequent analysis and must be given due consideration, particularly when evidentiary rules and standards apply.
DD (data dumper)
DD, better known as the data dumper tool from UNIX, is probably familiar to most forensic investigators as a tool for creating forensic images of hard drives and is included in many open source forensic utilities such as Helix (http://www.efense.com/helix/). The DD format is also supported by most major forensic applications. Forensic Acquisition Utilities (FAU) [6] uses a modified version of the data dumper tool which is capable of accessing the \\.\PhysicalMemory object in Windows. Unfortunately, FAU will only work on versions earlier than Windows XP Service Pack 2, Windows Vista, or Server 2003 Service Pack 1, as it accesses the PhysicalMemory object from user mode. (Note: the most recent version of FAU does not include a version of DD that works for memory acquisition; previous versions are still viable, however.) Also, not all versions of DD will allow access to the \\.\PhysicalMemory object.
Nigilant32
Nigilant32 [7] is a tool developed by Agile Risk Management that allows an investigator to preview a hard disk, image memory, and take a snapshot of currently running processes and open ports on the target system. Nigilant32 has a small footprint, using less than 1 MB in memory when loaded, supporting Agile's claim of minimal impact during acquisition. The program is currently in beta; however, it is free to download and use from their website.
ProDiscover IR
Technology Pathways' forensic acquisition tool, ProDiscover [8], is an incident response tool that allows investigation of a live system anywhere on the network. The investigation can include imaging of physical media or memory; however, use of this tool requires a server applet to be installed on the target system prior to acquisition, via removable storage media such as a USB drive or CD. This requirement makes this particular tool a less desirable choice for field acquisition and perhaps better suited to a corporate network environment. (Note: this tool is restricted by the kernel-mode driver requirement for accessing \\.\PhysicalMemory in certain versions of Windows.)
KntDD
KntDD is a memory acquisition tool developed by George Garner (also responsible for the Forensic Acquisition Toolkit) as a part of KntTools [9]. Garner developed KntTools in response to the restriction on accessing \\.\PhysicalMemory from user mode, and it supports Windows 2000 through Vista. Images can be acquired to a local removable drive or across the network. It also allows the investigator to convert a raw image to Microsoft crash dump format, so the data can be analyzed using the Microsoft Debugging Tools. This tool is only available to law enforcement or security professionals.
Microsoft Crash Dump
Analyzing crash dumps is another way to obtain information on the contents of RAM. Unlike other software methods of memory acquisition, the image obtained by a crash dump is an unaltered copy of the contents of a system's memory at the time the crash occurred. There is no introduction of software to the system that will alter the contents of memory. The drawback to this method is that crash dumps only occur when there is a problem with the system. There is a method to induce a crash dump; however, it requires an entry in the registry along with a reboot before it is usable [10], rendering it ineffective for field acquisition.

Despite this shortcoming, it is still important for an investigator to be familiar with crash dumps, as they can provide valuable information about a system. Not all versions of Windows generate full crash dumps; some generate smaller-sized dumps. These files can be analyzed with the Windows Debugging Tools [11] and can give the investigator a means to practice and become familiar with memory analysis.
IV. Memory Analysis
Basics: What does an investigator need to know?
The EProcess structure is what represents a process on a Windows system. It includes information on the different attributes of the process along with pointers to other attributes and data structures which are related to it. However, the EProcess block structure varies between operating systems, including between different versions of Windows. Typically, the offsets vary from version to version. It is important to make note of the version of Windows that the memory image or dump is taken from, as this will affect what tools you may be able to use to extract information. This can be done manually; however, it requires a bit more in-depth knowledge of Windows memory management than this paper covers. Harlan Carvey has written a Perl script [12], osid.pl, which will identify the operating system of an image.

The EProcess block contains the process environment block (PEB), which is very valuable to a forensic investigator in that it includes pointers to the loader data, such as modules used by the process. This is particularly useful in malware or rootkit analysis, but can also help present a clearer picture as to what exactly was going on in the system at the time in question. The PEB also shows us where the image of the executable lies, the DLL paths, and the command line used to launch the process.
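The following is an added example (not code from the paper, nor from PTFinder or PoolTools) of the signature scan those tools perform: it locates EProcess blocks in a raw image by their dispatcher-header bytes and reads the PID, parent PID and image name from each. The offsets are assumed for Windows XP SP2 (x86) and the image it scans is constructed inside the code; on any other Windows version the offsets, and therefore the results, differ, which is exactly why the OS of the image must be identified first.

```python
"""Signature scan for _EPROCESS blocks in a raw physical-memory image.

Every _EPROCESS starts with a _KPROCESS whose DISPATCHER_HEADER carries a
fixed Type and Size, so an image can be scanned for that pattern without
walking kernel lists. Offsets below are ASSUMED for Windows XP SP2 (x86);
other Windows versions use different offsets.
"""
import struct

# ASSUMED Windows XP SP2 x86 _EPROCESS layout (byte offsets from block start).
DISPATCHER_TYPE = 0x03   # Type byte of the _KPROCESS dispatcher header
DISPATCHER_SIZE = 0x1b   # Size of _KPROCESS in DWORDs (0x6c bytes)
OFF_EXIT_TIME = 0x78     # non-zero once the process has terminated
OFF_PID = 0x84
OFF_PPID = 0x14c
OFF_IMAGE_NAME = 0x174   # 16-byte, NUL-padded ImageFileName
EPROCESS_LEN = 0x260
PAGE_SIZE = 0x1000


def image_name(img, off):
    raw = img[off + OFF_IMAGE_NAME:off + OFF_IMAGE_NAME + 16]
    return raw.split(b"\x00", 1)[0]


def is_eprocess_candidate(img, off):
    """Header signature plus a printable image name rejects most false hits."""
    if off + EPROCESS_LEN > len(img):
        return False
    if img[off] != DISPATCHER_TYPE or img[off + 2] != DISPATCHER_SIZE:
        return False
    name = image_name(img, off)
    return bool(name) and all(0x20 <= c < 0x7f for c in name)


def parse_eprocess(img, off):
    pid, = struct.unpack_from("<I", img, off + OFF_PID)
    ppid, = struct.unpack_from("<I", img, off + OFF_PPID)
    exit_time, = struct.unpack_from("<Q", img, off + OFF_EXIT_TIME)
    return {"offset": off, "pid": pid, "ppid": ppid,
            "name": image_name(img, off).decode("ascii"),
            "exited": exit_time != 0}


def scan_image(img, step=8):
    """Pool allocations are 8-byte aligned, so only 8-aligned offsets are tried."""
    return [parse_eprocess(img, off)
            for off in range(0, len(img) - EPROCESS_LEN + 1, step)
            if is_eprocess_candidate(img, off)]


def make_fake_eprocess(pid, ppid, name, exited=False):
    """CONSTRUCTED block carrying only the fields the scanner reads."""
    blk = bytearray(EPROCESS_LEN)
    blk[0], blk[2] = DISPATCHER_TYPE, DISPATCHER_SIZE
    struct.pack_into("<Q", blk, OFF_EXIT_TIME, 1 if exited else 0)
    struct.pack_into("<I", blk, OFF_PID, pid)
    struct.pack_into("<I", blk, OFF_PPID, ppid)
    blk[OFF_IMAGE_NAME:OFF_IMAGE_NAME + 16] = name.encode("ascii").ljust(16, b"\x00")
    return bytes(blk)


def build_test_image():
    """CONSTRUCTED image: three processes (one terminated) and one decoy header."""
    img = bytearray(PAGE_SIZE)                                  # zero page
    img += make_fake_eprocess(4, 0, "System")
    img += b"\x03\x00\x1b" + b"\xff" * (EPROCESS_LEN - 3)       # signature, garbage name
    img += make_fake_eprocess(1234, 4, "aim.exe")
    img += make_fake_eprocess(999, 4, "gone.exe", exited=True)
    return bytes(img)


if __name__ == "__main__":
    for p in scan_image(build_test_image()):
        print(f"0x{p['offset']:08x} pid={p['pid']:<5} ppid={p['ppid']:<5} "
              f"{p['name']}{' (exited)' if p['exited'] else ''}")
```

The decoy block shows why a header match alone is not enough: real scanners add further sanity checks (list pointers, thread counts) on top of the printable-name test used here.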
One issue that investigators need to be aware of when examining an image of memory is that most likely it is not a complete picture. Windows memory management uses virtual addressing, which assigns pointers to the true location of the physical data. According to Jesse Kornblum in his "Using every part of the buffalo in Windows memory analysis" [13], most memory analysis tools use a naive form of translation where pages with invalid pointers are ignored. Memory pages which have been swapped out due to paging will not show up in a memory dump, although they are on the system in the page file. None of the tools tested in this paper (as far as this author is aware) include the page file. There are tools in development to address this issue, although none are publicly available (yet).
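As an added example (not from the paper or any tool it names) of why a dump is not a complete picture, the following walks x86 (non-PAE) page tables in a constructed image. It goes beyond the page in one respect: besides the naive translation described above, it can also resolve transition PTEs, which Kornblum's paper shows still name a physical frame present in the dump, while pagefile-backed pages remain unresolved. The PTE bit positions are assumed from the x86 Windows layout.

```python
"""Virtual-to-physical translation over a raw x86 (non-PAE) image.

A naive translator returns nothing for any PTE whose Valid bit is clear.
Transition PTEs (page moved to the standby/modified list) still hold the
physical frame, so their data is in the dump; pagefile-backed PTEs point at
data the dump never contained. Bit positions are ASSUMED from the documented
Windows x86 PTE layout; the image below is constructed for the demonstration.
"""
import struct

PAGE = 0x1000
PTE_VALID = 1 << 0        # hardware Valid/Present bit
PDE_LARGE = 1 << 7        # 4 MB page (PSE) in a page-directory entry
PTE_PROTOTYPE = 1 << 10   # software PTE: shared/prototype page
PTE_TRANSITION = 1 << 11  # software PTE: frame still resident, not mapped


def _u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def translate(img, dtb, vaddr, use_transition=False):
    """Return the physical address for vaddr, or None if it cannot be resolved."""
    pde = _u32(img, dtb + ((vaddr >> 22) & 0x3ff) * 4)
    if not pde & PTE_VALID:
        return None
    if pde & PDE_LARGE:
        return (pde & 0xffc00000) | (vaddr & 0x3fffff)
    pte = _u32(img, (pde & 0xfffff000) + ((vaddr >> 12) & 0x3ff) * 4)
    if pte & PTE_VALID:
        return (pte & 0xfffff000) | (vaddr & 0xfff)
    # Invalid PTE: the naive translation used by most tools stops here.
    if use_transition and pte & PTE_TRANSITION and not pte & PTE_PROTOTYPE:
        return (pte & 0xfffff000) | (vaddr & 0xfff)
    return None  # paged out to the pagefile, or prototype: not in this image


def read_virtual(img, dtb, vaddr, length, use_transition=False):
    """Read length bytes across page boundaries; None if any page is missing."""
    out = bytearray()
    while length:
        chunk = min(length, PAGE - (vaddr & 0xfff))
        phys = translate(img, dtb, vaddr, use_transition)
        if phys is None:
            return None
        out += img[phys:phys + chunk]
        vaddr, length = vaddr + chunk, length - chunk
    return bytes(out)


def build_test_image():
    """CONSTRUCTED 8-page image: PD in page 0, PT in page 1, data in pages 2-3."""
    img = bytearray(8 * PAGE)
    dtb = 0
    struct.pack_into("<I", img, dtb, 1 * PAGE | PTE_VALID)            # PDE 0 -> PT
    pt = 1 * PAGE
    struct.pack_into("<I", img, pt + 0, 2 * PAGE | PTE_VALID)          # VA 0x0000: resident
    struct.pack_into("<I", img, pt + 4, 3 * PAGE | PTE_TRANSITION)     # VA 0x1000: transition
    struct.pack_into("<I", img, pt + 8, 0x00005000)                    # VA 0x2000: in pagefile
    img[2 * PAGE:2 * PAGE + 8] = b"resident"
    img[3 * PAGE:3 * PAGE + 10] = b"transition"
    return bytes(img), dtb
```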
Tools
Due to the diligence of the computer forensics community, there are quite a few tools available to the investigator with which to analyze memory dumps. Some technical knowledge or familiarity with command line interaction is recommended, as many of the available tools are scripts which must be executed from a command prompt. There are only a few tools which have a GUI interface.

The following is a list of tools which can be used to extract process and other information from memory dumps (links to download locations are included in Appendix A of this document):
Tool: Lsproc.pl
    Operating system: Windows 2k
    What it does: Locates processes.
    Requirements: Perl (http://www.perl.org)

Tool: Lspd.pl
    Operating system: Windows 2k
    What it does: Lists details of processes.
    Requirements: Perl (http://www.perl.org)

Tool: Osid.pl
    Operating system: Any
    What it does: Identifies OS of Windows memory image.
    Requirements: Perl (http://www.perl.org)

Tool: PoolFinder (part of PoolTools)
    Operating system: Windows 2k, XP
    What it does: Finds allocations of OS kernel in memory dump and page file.
    Requirements: Perl (http://www.perl.org)

Tool: PoolGrep (part of PoolTools)
    Operating system: Windows 2k, XP
    What it does: Finds strings in pool allocations.
    Requirements: Perl (http://www.perl.org)

Tool: PoolDump (part of PoolTools)
    Operating system: Windows 2k, XP
    What it does: Hex dump of all allocations for a selected class.
    Requirements: Perl (http://www.perl.org)

Tool: PTFinder
    Operating system: Windows 2k, XP
    What it does: Includes all scripts in PoolTools as well as osid.pl, but has a GUI. Produces graphical output of processes and threads.
    Requirements: Perl (http://www.perl.org); Graphviz (http://www.graphviz.org/) and ZGRViewer (http://zvtm.sourceforge.net/zgrviewer.html) to view the generated graphic file.

Tool: FTimes
    Operating system: Windows NT, XP, 2K
    What it does: Comprehensive toolkit with various memory analysis functions.
    Requirements: If running in a Windows environment, you will need Visual Studio in order to compile and run the code. Requires advanced user knowledge.

Tool: Volatility
    Operating system: Windows NT, XP, 2K
    What it does: Comprehensive toolkit with various memory analysis functions.
    Requirements: Needs Python to run. This can be accomplished in the Windows environment by installing Cygwin (http://www.cygwin.com/).
The above tools mainly deal with process information, which is where the bulk of memory forensic analysis has been focused. Other data can be extracted from a memory image as well, such as usernames, passwords, and email addresses. A good string search utility, such as find.exe or strings.exe, is essential. Forensic tools such as AccessData's Forensic Toolkit [14] can be used to data carve to retrieve documents, graphic files, or web pages. One important note about data carved from memory images is to keep in mind that the data was retrieved under volatile conditions. As such, files retrieved from memory may be degraded due to the data not being static. This is illustrated by the following picture, carved from a test memory image:
V. Acquisition
Due to the volatile nature of live forensics, an investigator needs to develop a standard set of procedures. This is important not only to ensure that the investigator knows exactly what to do when arriving on the scene, but also so there are no unexpected consequences: since the system is live, unintentionally changing data on the target system could invalidate the acquired evidence and also cause it to be inadmissible in a court of law. Before attempting a live acquisition, an investigator should test their toolset(s) extensively, under varying conditions (VMware [15] is excellent for this).
Suggested Procedures for Live Acquisition:
1. Document all steps. This is not only important for evidentiary reasons, but also for the investigator's own reference.
2. Is the system locked? If so, that will change the acquisition process. If you cannot obtain a password for access, then live acquisition may not be possible. Currently, no software utilities can image \\.\PhysicalMemory without full access.
3. Do not close any windows or close any documents/programs; leave them running. By closing a window or program you may be terminating a process, which will affect what is occurring on the system at that time.
4. Limit the acquisition process to as few steps as possible when it comes to interacting with the target system: fewer steps = less impact on the system.
5. Use tools that have as small a footprint as possible. Nigilant32 (this author's recommended choice) uses less than 1 MB of memory; Helix uses 17 MB.
VI. Test Case, Step by Step
Test system:
VMware, Windows XP Professional Service Pack 2
Intel Dual Core Processor 2.6 MHz
512 MB RAM
Tool used for image acquisition: Nigilant32

Desktop before live acquisition:
AOL Instant Messenger can be seen running.
1. For this acquisition I chose to use a USB thumb drive for storing the image. Investigators should remember to wipe media thoroughly before each acquisition, so remnants of data from previous images are not a factor in analysis.
After inserting your CD with the Nigilant software on it, browse to My Computer and explore the drive (if it doesn't already open due to AutoRun). Run the Nigilant32 executable and go to Tools > Snapshot Computer. This option will enumerate the currently running processes, users, and open ports and allow the investigator to save this data to a plain text file. Save the text file to your thumb drive, naming it appropriately. You can also enumerate processes via other scripts after image acquisition, if you wish to validate this output.
Note: You can put the Nigilant executable on the thumb drive and run it from there; however, be mindful if your data will be used as evidence. It may be best to burn it to a CD with your other memory acquisition tools, so there is no question as to the integrity of your image.
2. After saving the text file, browse to Tools > Image Physical Memory. A prompt will appear; click on Start.
You will be prompted to choose a location and name for your image.
Acquiring physical memory takes a bit of time, as with normal data acquisition. A progress indicator will appear to let you know how far along you are:
3. After the image is complete, close the Nigilant software. Unfortunately, Nigilant does not have an ability to hash the image file after acquisition; the investigator will have to do this before beginning analysis.
4. Before beginning analysis, the investigator should make another copy of the memory image to work on; never work on the original media! Since this isn't like a hard drive acquisition, there is no original physical media: the image we just made is the original. For evidentiary purposes, it is a good practice to hash the original media (the thumb drive) and the memory image and make a working copy of the memory image before proceeding with analysis.
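The following is an added example (not the author's or Nigilant32's code) that automates steps 3 and 4 above and the "document all steps" rule from Section V: hash the image, make the working copy, verify it, and log every action with a timestamp. The paths are assumptions, and demo() builds a throwaway stand-in image in a temporary directory.

```python
"""Hash, copy and verify a memory image before analysis, logging each step.

Nigilant32 does not hash the image it writes, and the image is itself the
original evidence, so the investigator hashes it, works only on a verified
copy, and records both. Paths are ASSUMED; demo() builds a throwaway image.
"""
import datetime
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def log_step(log_path, message):
    """Step 1 of the suggested procedures: document everything, with a timestamp."""
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(f"{stamp} {message}\n")


def preserve_image(original, workdir, log_path):
    """Hash the original, make a working copy, verify it; return (hash, copy path)."""
    os.makedirs(workdir, exist_ok=True)
    orig_hash = sha256_file(original)
    log_step(log_path, f"original {original} sha256={orig_hash}")
    copy = os.path.join(workdir, os.path.basename(original))
    shutil.copy2(original, copy)
    copy_hash = sha256_file(copy)
    log_step(log_path, f"working copy {copy} sha256={copy_hash} "
                       f"match={copy_hash == orig_hash}")
    if copy_hash != orig_hash:
        raise RuntimeError("working copy does not match the original image")
    return orig_hash, copy


def verify_image(path, expected_hash):
    """Re-check the original before each session; False means it has changed."""
    return sha256_file(path) == expected_hash


def demo():
    """CONSTRUCTED run in a temp directory; returns values a test can check."""
    root = tempfile.mkdtemp()
    original = os.path.join(root, "memdump.img")
    with open(original, "wb") as f:
        f.write(b"abc")                           # stand-in for a real image
    log_path = os.path.join(root, "acquisition.log")
    digest, copy = preserve_image(original, os.path.join(root, "work"), log_path)
    intact = verify_image(original, digest)
    with open(copy, "ab") as f:                   # an analysis tool alters the copy
        f.write(b"!")
    copy_changed = not verify_image(copy, digest)
    with open(log_path, encoding="utf-8") as f:
        log_lines = f.read().count("\n")
    shutil.rmtree(root)
    return digest, intact, copy_changed, log_lines


if __name__ == "__main__":
    print(demo())
```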
5. As discussed earlier, memory analysis differs from hard drive analysis in that even slight changes in operating system version (Windows 2k vs. Windows XP) will determine which tools will be the most effective. Nigilant32 has done a lot of the work for us already, by providing us with a snapshot of the OS version, running processes, users, and open network ports:
An investigator could verify output by running another analysis tool and enumerating the processes. I will demonstrate this here by using PTFinder:
PTFinder is a GUI interface for Andreas Schuster's PoolTools. Once you've chosen your dump file and options, it will generate a text file and a graphic file of the running processes. We are only interested in the text file at this time. After clicking Execute you will be prompted to run a batch file; click Yes.
A DOS prompt will open up:
When the analysis is complete, PTFinder will close on its own.
The resulting text file looks like this:
The output from PTFinder is not as clean as what you will see from Nigilant, but provides more than enough information to compare running processes. Note: PTFinder will not provide network information or users, only process information.
6. Now that we have process information, we can proceed with analyzing the image file with other tools. In this case, we will use Forensic Toolkit:
After analyzing the image the investigator can examine carved data and perform string searches as with a normal image file.
VII. Conclusion
While there are many tools available for live memory acquisition and analysis, it is still a relatively new endeavor in the area of digital forensics; many of the tools and techniques developed thus far are still in the growing phase and require refinement. Today's computer forensic investigator, in order to be successful, will need to be well informed and be intimately familiar with the internal workings of Windows memory management in order to acquire a complete picture of memory from an evidentiary standpoint. Thankfully there have been many forensic investigators, such as Harlan Carvey, Andreas Schuster, and Mariusz Burdach, who have started along the path and created a foundation for others to build upon. As the tools become better and the procedures more sound, examiners will have a new weapon in their arsenal to utilize during forensic investigations.
Appendix A
Lsproc.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
Lspd.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
Osid.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
PoolTools (PoolFinder, PoolGrep, PoolDump): http://computer.forensikblog.de/en/2007/11/pooltools_1_3_0.html
PTFinder: http://computer.forensikblog.de/en/2006/03/ptfinder_0_2_00.html
FTimes: http://ftimes.sourceforge.net/FTimes/
Volatility: https://www.volatilesystems.com/VolatileWeb/volatility.gsp
References
1. Digital Forensics Research Workshop, DFRWS, http://www.dfrws.org/. [Accessed March 15, 2008]
2. C. Betz, Memparser, http://sourceforge.net/projects/memparser. [Accessed March 15, 2008]
3. B. D. Carrier and J. Grand, "A Hardware-Based Memory Acquisition Procedure for Digital Investigations," Journal of Digital Investigations, March 2004.
4. A. Boileau, Firewire and DMA, March 2008, http://www.storm.net.nz/projects/16. [Accessed March 16, 2008]
5. A. Vidstrom, Memory dumping over Firewire: UMA Issues, http://www.ntsecurity.nu/onmymind/2006/20060902.html. [Accessed March 16, 2008]
6. G. Garner, Forensic Acquisition Utilities, November 2007, http://gmgsystemsinc.com/fau/. [Accessed March 20, 2008]
7. Agile Risk Management, Nigilant32, http://www.agilerm.net/publications_4.html. [Accessed March 20, 2008]
8. Technology Pathways, ProDiscover IR, http://www.techpathways.com/ProDiscoverIR.htm. [Accessed March 20, 2008]
9. GMG Systems, Inc., KntTools with KntList, http://www.gmgsystemsinc.com/knttools/. [Accessed March 20, 2008]
10. Microsoft, Inc., Windows feature lets you generate memory dump file by using the keyboard, December 2007, http://support.microsoft.com/kb/244139. [Accessed March 21, 2008]
11. Microsoft, Inc., Debugging Tools for Windows Overview, http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx. [Accessed March 21, 2008]
12. J. Kornblum, "Using every part of the buffalo in Windows memory analysis," Digital Investigation, vol. 4, issue 1, pp. 24-29, March 2007.
13. H. Carvey, Windows Forensic Analysis, Burlington, MA: Syngress Publishing, 2007.
14. AccessData, Forensic Toolkit 2.0, http://www.accessdata.com/Products/ftk2test.aspx. [Accessed March 22, 2008]
15. VMware, VMware Server, http://www.vmware.com/products/server/. [Accessed April 8, 2008]