Current analysis methods for images of RAM are limited in that they are designed to analyze a single memory image at a time. When attempting to analyze malware, it is a common technique to spin up a clean VM, infect it with that malware and then acquire a snapshot of...
Introduction In this blog post, we will be presenting new functionality that will be incorporated into the next major Volatility release after version 2.3. This functionality allows for deep analysis of application internals on the Android operating system. All Android applications, such as those downloaded from Google Play, are powered...
We’ve just gotten back from RSA Security in San Francisco. The talk went great as it seemed there were a few hundred people in the room. The jist of the presentation was that registry forensics can be useful for more than just standard forensics investigations. Co-Founder, Dr. Lodovico Marziale, went...
Although not yet nearly as widespread as the Windows platform, Mac OS X-based machines are quickly gaining market share, and are now commonly seen in real-world investigations. While some research exists for analysis on this platform, almost none exists for deep parsing of the Spotlight index, which is used by...
Dalvik is the process Virtual Machine used by Android that powers all non-native applications used on Android devices. Through Dalvik memory analysis, a wealth of insight can be gained into the workings of a running application, including all instantiated objects (classes) and the variables, methods, and other per-instance class information....
Full Text Android Memory Capture and Applications for Security and Privacy, University of New Orleans 2011 Abstract The Android operating system is quickly becoming the most popular platform for mobile devices. As Android’s use increases, so does the need for both forensic and privacy tools designed for the platform. This...
Full Text Acquisition and Analysis of Volatile Memory from Android Devices, Digital Investigation Journal, 2012 Abstract The Android operating system for mobile phones, which is still relatively new, is rapidly gaining market share, with dozens of smartphones and tablets either released or set to be released. In this paper, we...
Full Text Advanced Techniques for Improving the Efficacy of Digital Forensics Investigations, University of New Orleans 2009 Abstract Digital forensics is the science concerned with discovering, preserving, and analyzing evidence on digital devices. The intent is to be able to determine what events have taken place, when they occurred, who...
Full Text MMR: A Platform for Large-Scale Forensic Computing, IFIP 2009 Abstract The timely processing of large-scale digital forensic targets demands the empoyment of large-scale distributed resources, as well as the flexibility to customize the processing performed on the target. We presentMMR– a new, open implementation of the MapReduce processing...
Full Text Dynamic Recreation of Kernel Data Structures for Live Forensics, DFRWS 2010 Abstract The role of live forensics in digital forensic investigations has become vital due to the importance of volatile data such as encryption keys, network activity, currently running processes, in memory only malware, and other key pieces...