KEMBAR78
Introduction to memory forensics | ODP
Marco Alamanni, profile picture
Uploaded byMarco Alamanni
ODP, PPTX1,249 views

Introduction to memory forensics

This document discusses memory forensics, focusing on acquiring and analyzing system memory using tools like the volatility framework. It covers concepts such as virtual memory management, paging, and the importance of memory forensics in investigating intrusions or malware infections. Additionally, it explains how virtual memory maps logical addresses to physical memory and addresses page replacement mechanisms.

Download as ODP, PPTX
Digital forensics with Kali Linux Marco Alamanni Section 6 Memory forensics www.packtpub.com
In this Section, we are going to take a look at… • Introduction to virtual memory. • Acquiring a RAM image. • Analyzing a memory image with the Volatility framework.
Course Name Author Name Video 6.1 Introduction to memory forensics
In this Video, we are going to take a look at… ● Virtual memory management and paging. • Introduction to memory forensics.
Introduction to memory forensics ● Memory forensics is the process of acquiring and analyzing the main memory of a system. ● Very important in the live response process, investigating an intrusion or a malware infection. Allows to collect and examine volatile artifacts that in some cases exist only in memory.
Introduction to virtual memory ● Virtual memory overcomes the limits of physical memory and maps logical to physical memory addresses. ● Virtual memory is divided into chunks called pages. ● The page table mantains the mapping between pages and the relative physical page frames.
Introduction to virtual memory ● Pages are swapped to disk when physical memory lacks according to a page replacement algorithm. ● A page fault is generated when a process refers a logical address of a swapped page. ● The memory manager reads the page from disk and loads it to memory.
Introduction to virtual memory ● Windows page file is %SYSTEMDRIVE%pagefile.sys while Unix and Linux use the swap partition. ● The hibernation file stores the contents of RAM before the OS goes to hibernation state. ● On Windows is located at %SYSTEMDRIVEhiberfil.sys while Linux generally uses the swap partition.
Next Video Memory acquisition
Next Video Memory acquisition

More Related Content

PPTX
Windows Forensics
byPrince Boonlia
 
PPT
Live Forensics
byCTIN
 
PDF
Windows 8.x Forensics 1.0
byBrent Muir
 
PPT
Vista Forensics
byCTIN
 
PDF
Forensics of a Windows System
byConferencias FIST
 
PPTX
Open Source Forensics
byCTIN
 
PDF
Windows logging cheat sheet
byMichael Gough
 
PPT
Mac Forensics
byCTIN
 
Windows Forensics
byPrince Boonlia
 
Live Forensics
byCTIN
 
Windows 8.x Forensics 1.0
byBrent Muir
 
Vista Forensics
byCTIN
 
Forensics of a Windows System
byConferencias FIST
 
Open Source Forensics
byCTIN
 
Windows logging cheat sheet
byMichael Gough
 
Mac Forensics
byCTIN
 

Viewers also liked

PDF
2010 2013 sandro suffert memory forensics introdutory work shop - public
bySandro Suffert
 
PPTX
Mounting virtual hard drives
byCTIN
 
PDF
Netcat cheat sheet
byYoussoufou YABRE
 
PPT
Unit B Windows 7
byChaffey College
 
ODP
File carving tools
byMarco Alamanni
 
PPT
File system
byHarleen Johal
 
PPT
Translating Geek To Attorneys It Security
byCTIN
 
PPTX
Social Media Forensics for Investigators
byCase IQ
 
PDF
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
byMark Matienzo
 
PDF
Sleuth kit by echavarro - HABEMUSHACKING
byEduardo Chavarro
 
PPT
Anti-Forensics: Real world identification, analysis and prevention
bySeccuris Inc.
 
PPTX
Msra 2011 windows7 forensics-troyla
byCTIN
 
PPT
Raidprep
byCTIN
 
PDF
NTFS Forensics
bynullowaspmumbai
 
PDF
NTFS file system
byRavi Yasas
 
PDF
Using and Developing with Open Source Digital Forensics Software in Digital A...
byMark Matienzo
 
PPTX
Windows 8 Forensics & Anti Forensics
byMike Spaulding
 
PPTX
WinFE: The (Almost) Perfect Triage Tool
byBrent Muir
 
PPTX
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
byBasis Technology
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
bySandro Suffert
 
Mounting virtual hard drives
byCTIN
 
Netcat cheat sheet
byYoussoufou YABRE
 
Unit B Windows 7
byChaffey College
 
File carving tools
byMarco Alamanni
 
File system
byHarleen Johal
 
Translating Geek To Attorneys It Security
byCTIN
 
Social Media Forensics for Investigators
byCase IQ
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
byMark Matienzo
 
Sleuth kit by echavarro - HABEMUSHACKING
byEduardo Chavarro
 
Anti-Forensics: Real world identification, analysis and prevention
bySeccuris Inc.
 
Msra 2011 windows7 forensics-troyla
byCTIN
 
Raidprep
byCTIN
 
NTFS Forensics
bynullowaspmumbai
 
NTFS file system
byRavi Yasas
 
Using and Developing with Open Source Digital Forensics Software in Digital A...
byMark Matienzo
 
Windows 8 Forensics & Anti Forensics
byMike Spaulding
 
WinFE: The (Almost) Perfect Triage Tool
byBrent Muir
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
byBasis Technology
 

Similar to Introduction to memory forensics

PPTX
Memory Forensics
byAnshul Tayal
 
PPTX
Memory forensics.pptx
by9905234521
 
PDF
One-Byte Modification for Breaking Memory Forensic Analysis
byTakahiro Haruyama
 
PDF
Mem forensic
byChong-Kuan Chen
 
PPTX
Investigating Malware using Memory Forensics
byCysinfo Cyber Security Community
 
PPTX
Memory Forensic - Investigating Memory Artefact
bySatria Ady Pradana
 
PPTX
Memory Forensic: Investigating Memory Artefact
bySatria Ady Pradana
 
PDF
(120513) #fitalk an introduction to linux memory forensics
byINSIGHT FORENSIC
 
PDF
(120513) #fitalk an introduction to linux memory forensics
byINSIGHT FORENSIC
 
PDF
Introduction to Memory Analysis
byEmil Tan
 
PPT
Virtual memory ppts
bymanpreetgrewal
 
PDF
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
byJoe Sylve
 
PPT
Mac Memory Analysis with Volatility
byAndrew Case
 
PPTX
(Workshop) Memory Forensic - Investigating Memory Artefact
bySatria Ady Pradana
 
PPTX
Memory Forensic: Investigating Memory Artefact (Workshop)
bySatria Ady Pradana
 
PPT
NOV11 virtual memory.ppt
byAshokRachapalli1
 
ODP
Brief introduction to digital forensics
byMarco Alamanni
 
PPT
Chapter 09 - Virtual Memory.ppt
byMonirJihad1
 
PPT
virtual memory.ppt
bysuryansh85
 
PDF
Workshop - Linux Memory Analysis with Volatility
byAndrew Case
 
Memory Forensics
byAnshul Tayal
 
Memory forensics.pptx
by9905234521
 
One-Byte Modification for Breaking Memory Forensic Analysis
byTakahiro Haruyama
 
Mem forensic
byChong-Kuan Chen
 
Investigating Malware using Memory Forensics
byCysinfo Cyber Security Community
 
Memory Forensic - Investigating Memory Artefact
bySatria Ady Pradana
 
Memory Forensic: Investigating Memory Artefact
bySatria Ady Pradana
 
(120513) #fitalk an introduction to linux memory forensics
byINSIGHT FORENSIC
 
(120513) #fitalk an introduction to linux memory forensics
byINSIGHT FORENSIC
 
Introduction to Memory Analysis
byEmil Tan
 
Virtual memory ppts
bymanpreetgrewal
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
byJoe Sylve
 
Mac Memory Analysis with Volatility
byAndrew Case
 
(Workshop) Memory Forensic - Investigating Memory Artefact
bySatria Ady Pradana
 
Memory Forensic: Investigating Memory Artefact (Workshop)
bySatria Ady Pradana
 
NOV11 virtual memory.ppt
byAshokRachapalli1
 
Brief introduction to digital forensics
byMarco Alamanni
 
Chapter 09 - Virtual Memory.ppt
byMonirJihad1
 
virtual memory.ppt
bysuryansh85
 
Workshop - Linux Memory Analysis with Volatility
byAndrew Case
 

Recently uploaded

PDF
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
PDF
Privacy-first in-browser Generative AI web apps: offline-ready, future-proof,...
byMaxim Salnikov
 
PPTX
Integrated Billing, Accounting & Inventory Solution for MSMEs
byMoving Cloud
 
PPTX
AI-Powered Intelligent Agents for Fraud Detection
byleolucus1995
 
PPT
Evolution of the Major Programming Languages
bymjmansoori54
 
PDF
Best Tableau Alternatives for Data Analytics and Reporting.pdf
byVarsha Nayak
 
PDF
VADY GenAI – Enterprise AI Solutions with Complete Data Control and Smart Dec...
byNewFangledVision
 
PPTX
Financial Literacy for Software Developers
byBalanathanVirupasan
 
PPTX
Safe Confined Space Entry Monitoring_ Singapore Experts.pptx
byprasadexiga0
 
PDF
Safe Confined Space Entry Monitoring_ Singapore Experts.pdf
byprasadexiga0
 
PDF
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 
PDF
Practical Performance Tuning for Serverless Java on AWS- InfoQ Dev Summit
byVadym Kazulkin
 
PDF
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
DOCX
What Is the Best BI Software Other Than Tableau.docx
byVarsha Nayak
 
PPT
preliminaries, concepts of programming languages
bymjmansoori54
 
PDF
Metrics, logs, traces, and mayhem_ introducing an observability adventure gam...
byImma Valls Bernaus
 
PDF
Scraping Amazon Prime Watchlist Data for Viewing Patterns.pdf
byyashpatric
 
PDF
How QuickHR Helps SMEs Control Expense Claims
byParker adam
 
PDF
The Rise of AI Agents: Powering the Next Industrial Era
byMaxim Salnikov
 
PDF
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
Privacy-first in-browser Generative AI web apps: offline-ready, future-proof,...
byMaxim Salnikov
 
Integrated Billing, Accounting & Inventory Solution for MSMEs
byMoving Cloud
 
AI-Powered Intelligent Agents for Fraud Detection
byleolucus1995
 
Evolution of the Major Programming Languages
bymjmansoori54
 
Best Tableau Alternatives for Data Analytics and Reporting.pdf
byVarsha Nayak
 
VADY GenAI – Enterprise AI Solutions with Complete Data Control and Smart Dec...
byNewFangledVision
 
Financial Literacy for Software Developers
byBalanathanVirupasan
 
Safe Confined Space Entry Monitoring_ Singapore Experts.pptx
byprasadexiga0
 
Safe Confined Space Entry Monitoring_ Singapore Experts.pdf
byprasadexiga0
 
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 
Practical Performance Tuning for Serverless Java on AWS- InfoQ Dev Summit
byVadym Kazulkin
 
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
What Is the Best BI Software Other Than Tableau.docx
byVarsha Nayak
 
preliminaries, concepts of programming languages
bymjmansoori54
 
Metrics, logs, traces, and mayhem_ introducing an observability adventure gam...
byImma Valls Bernaus
 
Scraping Amazon Prime Watchlist Data for Viewing Patterns.pdf
byyashpatric
 
How QuickHR Helps SMEs Control Expense Claims
byParker adam
 
The Rise of AI Agents: Powering the Next Industrial Era
byMaxim Salnikov
 
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 

Introduction to memory forensics

  • 1.
    Digital forensics withKali Linux Marco Alamanni Section 6 Memory forensics www.packtpub.com
  • 2.
    In this Section,we are going to take a look at… • Introduction to virtual memory. • Acquiring a RAM image. • Analyzing a memory image with the Volatility framework.
  • 3.
    Course Name Author Name Video6.1 Introduction to memory forensics
  • 4.
    In this Video,we are going to take a look at… ● Virtual memory management and paging. • Introduction to memory forensics.
  • 5.
    Introduction to memoryforensics ● Memory forensics is the process of acquiring and analyzing the main memory of a system. ● Very important in the live response process, investigating an intrusion or a malware infection. Allows to collect and examine volatile artifacts that in some cases exist only in memory.
  • 6.
    Introduction to virtualmemory ● Virtual memory overcomes the limits of physical memory and maps logical to physical memory addresses. ● Virtual memory is divided into chunks called pages. ● The page table mantains the mapping between pages and the relative physical page frames.
  • 7.
    Introduction to virtualmemory ● Pages are swapped to disk when physical memory lacks according to a page replacement algorithm. ● A page fault is generated when a process refers a logical address of a swapped page. ● The memory manager reads the page from disk and loads it to memory.
  • 8.
    Introduction to virtualmemory ● Windows page file is %SYSTEMDRIVE%pagefile.sys while Unix and Linux use the swap partition. ● The hibernation file stores the contents of RAM before the OS goes to hibernation state. ● On Windows is located at %SYSTEMDRIVEhiberfil.sys while Linux generally uses the swap partition.
  • 9.
  • 10.