Category: Memory Imaging

LiME (formerly DMD)

LiME (formerly DMD) is a Loadable Kernel Module (LKM) which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network.
- Full Android memory acquisition
- Acquisition over network interface
- Minimal process footprint
…

Permanent link to this article: http://www.darknessgate.com/2016/09/17/lime-formerly-dmd/

Evolve

Web interface for the Volatility Memory Forensics Framework https://github.com/volatilityfoundation/volatility
- Works with any Volatility module that provides a SQLite render method (some don’t)
- Automatically detects plugins – if Volatility sees the plugin, so will eVOLve
- All results stored in a single SQLite db stored beside the RAM dump
- Web interface is fully AJAX using jQuery & …

Permanent link to this article: http://www.darknessgate.com/2016/09/16/evolve/

The Forensic Analysis Toolkit (FATKit)

The Forensic Analysis Toolkit (FATKit) is a new cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. The framework is intended for researchers, law enforcement professionals, and forensics analysts who are interested in extracting and interpreting relevant information in the wake of a crime or incident. FATKit was developed in response to …

Permanent link to this article: http://www.darknessgate.com/2016/09/15/the-forensic-analysis-toolkit-fatkit/

Magnet RAM Capture

Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory. Magnet RAM Capture has a small memory footprint, meaning investigators can run the tool while minimizing the data that is overwritten in …

Permanent link to this article: http://www.darknessgate.com/2015/02/12/magnet-ram-capture/

WinDD – Disk Dump for Windows

WinDD – Disk Dump for Windows! Windows XP version of Unix ‘dd’ command. Safe, effort-free backup for FAT, FAT32, NTFS, ext2, ext3 partitions. http://sourceforge.net/projects/windd/

Permanent link to this article: http://www.darknessgate.com/2014/11/23/windd-disk-dump-windows/

Memoryze

Mandiant’s Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis. Main Features:
- image the full range of system memory (not reliant on API calls).
- image a process’ entire address space …

Permanent link to this article: http://www.darknessgate.com/2014/11/18/memoryze/

Volatility Interface & Extensions

This project aims to develop software that extends the use and simplifies the handling of the Volatility Framework. Objectives of VOLIX:
- Simplify the handling of Volatility
- Provide a more intuitive GUI handling
- Reduce complex command sequences to a single click
- Improve usability
- Increase analysis speed (no tedious typing of commands)
- Make comparison and correlation of results easier
- Offer assistance / examples
- Provide new functions
- Automated search for malware and analysis of the findings by VirusTotal
- Detection of hidden …

Permanent link to this article: http://www.darknessgate.com/2014/11/11/volatility-interface-extensions/

MDD

MDD is a physical memory acquisition tool for imaging Windows based computers created by the innovative minds at ManTech International Corporation. MDD is capable of acquiring memory images from Win2000, XP, Vista and Windows Server. Download MDD

Permanent link to this article: http://www.darknessgate.com/2014/11/10/mdd/

AfterLife

AfterLife permits the collection of physical memory contents from a system after a warm or cold reboot. The tool is an extension of the msramdump utility by Wesley McGrew that adds forensic features and some functionality. In addition to providing a self-contained memory acquisition environment on a USB drive or a CD/USB combination, AfterLife is also …

Permanent link to this article: http://www.darknessgate.com/2014/10/19/afterlife/

The Volatility Framework: Volatile memory artifact extraction utility framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework …

Permanent link to this article: http://www.darknessgate.com/2014/03/12/the-volatility-framework-volatile-memory-artifact-extraction-utility-framework/

Forensic Toolkit® (FTK®)

FTK is a court-accepted digital investigations platform that is built for speed, analytics and enterprise-class scalability. Known for its intuitive interface, email analysis, customizable data views and stability, FTK lays the framework for seamless expansion, so your computer forensics solution can grow with your organization’s needs. In addition AccessData offers new expansion modules delivering an …

Permanent link to this article: http://www.darknessgate.com/2014/03/03/forensic-toolkit-ftk-commercial-app/