Windows Registry Forensics - Beginner's Guide
Session 1 - Introduction to Tools
Before starting the discussion about the tools used in Windows registry forensics, I would like to explain what we are going to do and what we need to do.
In this book we are going to analyse memory in two ways, i.e. live memory forensics and dumped memory forensics.
We'll use two tools in this book for experimental purposes.
Memory forensics is becoming a very important and useful task in digital forensics as well as in incident response.
When a system is infected or compromised by attacks or viruses, the investigator needs to perform analysis and a forensic examination of the particular system.
In this book I am going to demonstrate forensic analysis using dumped memory forensics.
Firstly I would like to explain what memory actually is and what it contains.
Memory contains a lot of important as well as confidential information about users and the system. We need memory forensics to deal with live malware, criminal cases, intrusion investigation etc.
All activities performed by an attacker during some malicious or harmful activity can be analysed by memory forensics. Generally these activities are stored in the form of logs or data. Sometimes such things are also encrypted, so we need to perform the analysis on the basis of the nature of the data.
Let's start our demonstration with the tools -
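The paragraph above says memory holds user and system artefacts "in the form of logs or data". The simplest way to see that is to carve printable strings out of a raw image and triage them. The script below is an added example for this guide (not code from the original text, DumpIt or Volatility); the "memory image" it scans is constructed inline so it runs offline. It scans for both ASCII and UTF-16LE runs, because Windows stores most paths, registry keys and user data as wide strings that an ASCII-only scan would miss.

```python
"""Carve ASCII and UTF-16LE strings from a raw memory image and triage them.

Added example for this guide. The image is constructed below; on a real
case you would read the dump file in chunks and feed those to carve_strings.
"""
import re
from typing import List, Tuple

MIN_LEN = 6  # shorter runs are mostly noise in a real dump

# Registry hive prefixes worth pulling out first on a registry-focused case
_REG_PREFIXES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "\\REGISTRY\\")


def carve_strings(image: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every candidate string, sorted by offset.

    ASCII: runs of printable bytes (space..~).
    UTF-16LE: printable byte followed by NUL, repeated; this is how Windows keeps
    most "wide" strings, so an ASCII-only scan would report them as 1-char junk.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found, key=lambda hit: hit[0])


def classify(text: str) -> str:
    """Rough triage label so an analyst can look at the interesting classes first."""
    if text.upper().startswith(_REG_PREFIXES):
        return "registry"
    if re.match(r"^[A-Za-z]:\\", text):
        return "path"
    if re.match(r"^(https?|ftp)://", text, re.IGNORECASE):
        return "url"
    return "other"


def triage(image: bytes) -> List[Tuple[int, str, str, str]]:
    """Carve and label: (offset, encoding, class, text)."""
    return [(off, enc, classify(txt), txt) for off, enc, txt in carve_strings(image)]


def build_sample_image() -> bytes:
    """Constructed stand-in for a few hundred bytes of a memory dump.

    The filler contains a lone 'A' and a lone 'A\\x00' so the scanner has
    something to reject; the three embedded strings are what an analyst would
    expect to recover (a URL in ASCII, a file path and a registry key as wide
    strings). All values are made up for the example.
    """
    filler = bytes([0x00, 0xFF, 0x41, 0x00, 0x90, 0x13]) * 8  # 48 bytes of noise
    return (
        filler
        + b"http://example.invalid/update"
        + filler
        + "C:\\Users\\alice\\Documents\\report.docx".encode("utf-16le")
        + filler
        + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
        + filler
    )


if __name__ == "__main__":
    for off, enc, kind, txt in triage(build_sample_image()):
        print(f"0x{off:08x} {enc:8s} {kind:8s} {txt}")
```

Run it on a real dump by replacing `build_sample_image()` with the file's bytes; on a multi-gigabyte image you would want to stream it in overlapping chunks rather than read it whole, but the regexes and the triage logic stay the same.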
1.1 DumpIt - DumpIt is a free memory dumping tool for Windows by MoonSols that can dump all the memory in just one click. DumpIt is a very small and handy tool for memory dumping on the Windows platform. DumpIt is a combination of two tools, Win32 and Win64, combined into a single executable.
Image 1 - DumpIt Memory Dumper
Note - If you are having any problem with installation and usage, I recommend watching this video tutorial on how to use DumpIt: http://www.youtube.com/watch?v=SEs4ZAolED0
1.2 Volatility Framework - The Volatility framework integrates most digital forensics tools within itself.
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artefacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artefacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, and Seven. Whether your memory dump is in raw format, a Microsoft crash dump, hibernation file, or virtual machine snapshot, Volatility is able to work with it. We also now support Linux memory dumps in raw or LiME format and include 35+ plugins for analysing 32- and 64-bit Linux kernels from 2.6.11 - 3.5.x and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake. We support 38 versions of Mac OSX memory dumps from 10.5 to 10.8.3 Mountain Lion, both 32- and 64-bit. Android phones with ARM processors are also supported. Support for Windows 8, 8.1, Server 2012, 2012 R2, and OSX 10.9 (Mavericks) is either already in svn or just around the corner, so stay tuned for our next release! Another useful feature of the Volatility Framework is that it provides tools for live malware analysis and Android memory analysis.