Have you ever wondered exactly how Windows is assigning physical memory, how much file data is cached in RAM, or how much RAM is used by the kernel and device drivers? RAMMap makes answering those questions easy. RAMMap is an advanced physical memory usage analysis utility for Windows Vista and higher. It presents usage information …
Category: Memory Forensics
Permanent link to this article: https://www.darknessgate.com/2016/09/28/rammap-v1-5/
Evolve
Web interface for the Volatility Memory Forensics Framework (https://github.com/volatilityfoundation/volatility). Works with any Volatility module that provides a SQLite render method (some don’t). Automatically detects plugins: if Volatility sees the plugin, so will eVOLve. All results are stored in a single SQLite DB kept beside the RAM dump. The web interface is fully AJAX, using jQuery & …
Permanent link to this article: https://www.darknessgate.com/2016/09/16/evolve/
The Forensic Analysis Toolkit (FATKit)
The Forensic Analysis Toolkit (FATKit) is a new cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. The framework is intended for researchers, law enforcement professionals, and forensics analysts who are interested in extracting and interpreting relevant information in the wake of a crime or incident. FATKit was developed in response to …
Permanent link to this article: https://www.darknessgate.com/2016/09/15/the-forensic-analysis-toolkit-fatkit/
Memoryze
Mandiant’s Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis. Main Features: image the full range of system memory (not reliant on API calls). image a process’ entire address space …
Permanent link to this article: https://www.darknessgate.com/2014/11/18/memoryze/
Volatility Interface & Extensions
This project aims to develop software that extends the use and simplifies the handling of the Volatility Framework. Objectives of VOLIX: simplify the handling of Volatility; provide more intuitive GUI handling; reduce complex command sequences to a single click; improve usability; increase analysis speed (no tedious typing of commands); make comparison and correlation of results easier; offer assistance and examples; provide new functions, such as automated search for malware and analysis of the findings with VirusTotal; detection of hidden …
Permanent link to this article: https://www.darknessgate.com/2014/11/11/volatility-interface-extensions/
The Volatility Framework: Volatile memory artifact extraction utility framework
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated, yet offer unprecedented visibility into the runtime state of the system. The framework …
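Both eVOLve (plugin output kept in a SQLite database beside the dump) and Volatility (artifact extraction that does not rely on the analysed system) rest on the same idea: carve kernel objects out of a raw image by signature, then store what you find. The block below is an added example written for this listing; it is not code from the Volatility Framework, eVOLve, or any other project on this page. It implements a minimal pool-tag scanner in the spirit of Volatility's psscan over a constructed byte string standing in for a memory image, assumes the 32-bit (x86) _POOL_HEADER layout (PreviousSize:9, PoolIndex:7, BlockSize:9, PoolType:7, then the 4-byte tag), and writes hits into an in-memory SQLite table. All function and table names are hypothetical.

```python
"""Pool-tag carving over a raw memory image, with results stored in SQLite.

Added example (not Volatility or eVOLve code). Illustrates the signature
scanning behind Volatility's *scan plugins: find the 4-byte pool tag that
precedes a kernel object, decode the _POOL_HEADER around it and report the
allocation without trusting the OS's own process list.
Assumptions: x86 _POOL_HEADER layout; raw image where file offset == physical
address; a PoolType of 0 marks a free block (skipped here; psscan itself can
keep them to recover terminated processes).
"""
import sqlite3
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

POOL_HEADER_SIZE = 8   # x86 _POOL_HEADER: two 16-bit words + 4-byte tag
BLOCK_UNIT = 8         # BlockSize / PreviousSize are in 8-byte units on x86
# Windows sets the top bit of the last tag byte on "protected" allocations,
# so a process scanner must look for both spellings of the EPROCESS tag.
PROC_TAGS = (b"Proc", b"Pro\xe3")


@dataclass
class PoolHit:
    offset: int          # file offset of the _POOL_HEADER
    tag: bytes
    block_size: int      # bytes, header included
    previous_size: int   # bytes
    pool_type: int       # raw 7-bit PoolType; 0 == free block
    pool_index: int


def parse_pool_header(image: bytes, offset: int) -> PoolHit:
    """Decode an x86 _POOL_HEADER at `offset` (assumed layout, see module doc)."""
    w0, w1 = struct.unpack_from("<HH", image, offset)
    return PoolHit(
        offset=offset,
        tag=image[offset + 4:offset + 8],
        block_size=(w1 & 0x1FF) * BLOCK_UNIT,
        previous_size=(w0 & 0x1FF) * BLOCK_UNIT,
        pool_type=w1 >> 9,
        pool_index=w0 >> 9,
    )


def scan_pool_tags(image: bytes, tags=PROC_TAGS) -> Iterator[PoolHit]:
    """Yield every plausible allocation whose pool tag matches one of `tags`."""
    for tag in tags:
        pos = image.find(tag)
        while pos != -1:
            hdr = pos - 4
            # Pool headers are 8-byte aligned; a tag string found elsewhere
            # (e.g. inside another object's payload) fails this check.
            if hdr >= 0 and hdr % BLOCK_UNIT == 0:
                hit = parse_pool_header(image, hdr)
                # Sanity checks of the kind a scanner uses to cut false
                # positives: allocated (non-free) block that fits in the image.
                if (hit.pool_type != 0 and hit.block_size >= POOL_HEADER_SIZE
                        and hdr + hit.block_size <= len(image)):
                    yield hit
            pos = image.find(tag, pos + 1)


def make_pool_block(tag: bytes, payload: bytes, prev_size: int = 0,
                    pool_type: int = 2) -> bytes:
    """Build one constructed pool allocation: header + payload padded to 8."""
    body = payload + b"\0" * (-len(payload) % BLOCK_UNIT)
    total = POOL_HEADER_SIZE + len(body)
    w0 = prev_size // BLOCK_UNIT           # PoolIndex left at 0
    w1 = (total // BLOCK_UNIT) | (pool_type << 9)
    return struct.pack("<HH", w0, w1) + tag + body


def store_hits(hits: List[PoolHit], db_path: str = ":memory:") -> sqlite3.Connection:
    """Persist hits the way eVOLve keeps plugin output: one table per result set."""
    con = sqlite3.connect(db_path)
    con.execute("""CREATE TABLE IF NOT EXISTS poolscan(
        offset INTEGER PRIMARY KEY, tag TEXT, block_size INTEGER,
        previous_size INTEGER, pool_type INTEGER, pool_index INTEGER)""")
    con.executemany("INSERT OR REPLACE INTO poolscan VALUES (?,?,?,?,?,?)",
                    [(h.offset, h.tag.decode("latin-1"), h.block_size,
                      h.previous_size, h.pool_type, h.pool_index) for h in hits])
    con.commit()
    return con


# Constructed "memory image": a live process block at offset 16, a freed one
# (PoolType 0) at 56, a File block whose payload merely contains "Proc" at 72,
# and a protected-tag process block at 104. Not a real dump.
SAMPLE_IMAGE = (
    b"\0" * 16
    + make_pool_block(b"Proc", b"EPROCESS-1" + b"\0" * 22)
    + make_pool_block(b"Proc", b"freed", pool_type=0)
    + make_pool_block(b"File", b"not a process" + b"Proc")
    + make_pool_block(b"Pro\xe3", b"EPROCESS-2" + b"\0" * 6)
    + b"\0" * 8
)


def run_scan(image: bytes = SAMPLE_IMAGE) -> List[Tuple[int, str, int]]:
    """Scan, store, and return (offset, tag, block_size) rows ordered by offset."""
    con = store_hits(list(scan_pool_tags(image)))
    return con.execute(
        "SELECT offset, tag, block_size FROM poolscan ORDER BY offset").fetchall()


if __name__ == "__main__":
    for off, tag, size in run_scan():
        print(f"0x{off:08x} tag={tag!r} size={size} bytes")
```

Only the two allocated process blocks survive: the freed block is rejected by its PoolType, and the "Proc" bytes inside the File object's payload sit at an unaligned offset, which is exactly the kind of false positive the alignment and header checks exist to filter. Against a real dump you would additionally validate the object body (for example that the EPROCESS DTB is page-aligned) before trusting a hit.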
Permanent link to this article: https://www.darknessgate.com/2014/03/12/the-volatility-framework-volatile-memory-artifact-extraction-utility-framework/
Forensic Toolkit® (FTK®)
FTK is a court-accepted digital investigations platform that is built for speed, analytics and enterprise-class scalability. Known for its intuitive interface, email analysis, customizable data views and stability, FTK lays the framework for seamless expansion, so your computer forensics solution can grow with your organization’s needs. In addition AccessData offers new expansion modules delivering an …
Permanent link to this article: https://www.darknessgate.com/2014/03/03/forensic-toolkit-ftk-commercial-app/
KnTTools Basic
The KnTTools Basic Edition includes KnTDD. KnTDD is a next generation tool for the acquisition of physical memory evidence from select Microsoft Windows operating systems. Main Features: Acquisition of physical memory (main computer memory) evidence from systems running select Microsoft Windows operating systems, including Windows Vista. Acquisition to a removable USB or firewire drive based …
Permanent link to this article: https://www.darknessgate.com/2012/09/15/knttools-basic/
volafox
volafox, a.k.a. ‘Memory Analyzer for Mac OS X’, is developed on Python 2.x. System environment: Lang: Python 2.x; Arch: Intel x86/IA-32e; OS: Snow Leopard (10.6), Lion (10.7), Mountain Lion (10.8) – r83. Requirements: kernel symbol list overlay data; memory image in linear file format (FireWire or VMware memory image), or flattened Mac Memory Reader format produced with flatten.py (32-bit, 64-bit). Information: kernel …
Permanent link to this article: https://www.darknessgate.com/2012/09/15/volafox/
Compile Memory Analysis Tool (CMAT)
The Compile Memory Analysis Tool (CMAT) is a self-contained memory analysis tool that analyzes Windows OS memory (either from a dump or via XenAccess in a Xen VM) and extracts information about the operating system and the running processes. Download Compile Memory Analysis Tool (CMAT)
Permanent link to this article: https://www.darknessgate.com/2012/09/15/compile-memory-analysis-tool-cmat/