Windows Registry Forensics - Beginners Guide
Chapter 1 - Introduction to Tools
Before the high-level discussion of the tools used in Windows registry forensics, I would like to explain what we are going to do and what we want to achieve.
In this book we are going to analyse memory in two ways, i.e. live memory forensics and dumped memory forensics.
We'll use two tools in this chapter for experimental purposes.
Memory forensics is becoming a very essential and valuable task in digital forensics as well as in incident response.
When a system is infected and compromised by attacks or viruses, an investigator needs to perform analysis and a forensic investigation on it.
In this book I am going to demonstrate memory forensics using dumped memory.
First, I would like to explain what exactly memory is and what it contains.
Memory contains a lot of interesting and confidential information about users and the system. We need memory forensics for malware analysis, criminal cases, intrusion analysis, etc.
All activities performed by an attacker, such as any malicious or harmful program, can be analysed through memory forensics. These activities are collected in the form of logs or data. Sometimes such data is also encrypted, and we need to perform logical analysis on it.
Let's begin our demonstration with the tools -
1.1 DumpIt - DumpIt is a free memory dumping tool for Windows by MoonSols that can dump all the memory in just one click. DumpIt is a very powerful and useful tool for dumping the memory of a Windows machine. DumpIt is a fusion of two tools, Win32 and Win64, combined into one executable.
Image 1 - DumpIt Memory Dumper
Note - If you have any problem with installation or usage,
I recommend watching this video tutorial on how to use DumpIt: http://www.YouTube.com/watch?v=SEs4ZAolED0
1.2 Volatility Framework - The Volatility Framework integrates a large set of digital forensics tools (as plugins) within it.
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artefacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artefacts from volatile memory samples and to provide a platform for further work in this exciting area of research.
Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, and Seven. Whether your memory dump is in raw format, a Microsoft crash dump, a hibernation file, or a virtual machine snapshot, Volatility is well suited to work with it. It also now supports Linux memory dumps in raw or LiME format and includes 35+ plugins for analysing 32- and 64-bit Linux kernels from 2.6.11 - 3.5.x and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake. It supports 38 versions of Mac OSX memory dumps from 10.5 to 10.8.3 Mountain Lion, both 32- and 64-bit. Android phones with ARM processors are also supported. Support for Windows 8, 8.1, Server 2012, 2012 R2, and OSX 10.9 (Mavericks) is either already in svn or just around the corner, so stay tuned for the next release! Some advanced features of the Volatility Framework are that it provides tools for malware analysis and Android memory analysis.
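The two tools above do different jobs: DumpIt acquires a flat raw image of physical memory, and Volatility extracts artefacts from such an image without depending on the investigated system. The following added example is my own code, not from this book, DumpIt or Volatility; it shows the byte-level idea behind that extraction on a constructed raw image. It hashes the image so the evidence can be checked for integrity after acquisition, carves printable ASCII and UTF-16LE strings (Windows keeps most of its strings as UTF-16LE, which an ASCII-only strings pass misses), and finds candidate in-memory PE images from the MZ/PE signature pair. The sample image, the planted path and URL, and all function names are constructed for the demo and assume nothing about a particular Windows version.

```python
"""Byte-level artefact carving on a raw memory image.

Added example, not code from the book, DumpIt or Volatility. It assumes a
flat raw image (the format DumpIt writes) and parses no OS structures, so it
works the same way on any Windows version; the sample image, its planted path
and URL, and the function names are constructed for this demo.
"""
import hashlib
import re
import struct


def sha256_of_image(image: bytes) -> str:
    """Hash the acquired image. Record this value at acquisition time and
    re-check it before and after analysis so any change to the evidence
    (a truncated copy, an edited file) is detectable."""
    return hashlib.sha256(image).hexdigest()


def carve_strings(image: bytes, min_len: int = 8):
    """Return (offset, encoding, text) for printable runs of at least min_len.

    Both ASCII and UTF-16LE runs are carved: Windows keeps most user-visible
    strings (paths, window titles, typed URLs) as UTF-16LE, which a plain
    ASCII `strings` pass would miss entirely."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def carve_pe_headers(image: bytes):
    """Offsets of candidate PE images (executables, DLLs, drivers) in memory.

    A PE starts with 'MZ' and stores the offset of its 'PE\\0\\0' signature in
    the e_lfanew field at +0x3c. Requiring both signatures discards the many
    'MZ' byte pairs that occur by chance in a large image."""
    hits = []
    pos = image.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(image):
            e_lfanew = struct.unpack_from("<I", image, pos + 0x3c)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and image[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = image.find(b"MZ", pos + 1)
    return hits


def build_sample_image() -> bytes:
    """Constructed 4 KiB 'dump': non-printable filler with planted artefacts."""
    img = bytearray((0x80 + (i * 37) % 0x80) for i in range(4096))
    # A UTF-16LE path such as Explorer or a process command line would hold.
    path = "C:\\Users\\analyst\\Downloads\\invoice.exe".encode("utf-16le")
    img[512:512 + len(path)] = path
    # An ASCII URL as a network library might keep it.
    url = b"http://updates.example.com/check"
    img[1024:1024 + len(url)] = url
    # A decoy 'MZ' with no PE signature behind it: must not be reported.
    img[1536:1538] = b"MZ"
    # A minimal in-memory PE header: MZ, e_lfanew = 0x80, 'PE\0\0' at +0x80.
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3c, 0x80)
    img[2048:2048 + 0x40] = dos
    img[2048 + 0x80:2048 + 0x84] = b"PE\0\0"
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print("sha256:", sha256_of_image(sample))
    for off, enc, text in carve_strings(sample):
        print(f"0x{off:06x} {enc:9} {text}")
    print("PE candidates:", [hex(o) for o in carve_pe_headers(sample)])
```

On a real DumpIt image you would read the file with `open(path, "rb").read()` (or memory-map it for multi-gigabyte dumps) and pass it to the same functions; the value of the hash taken right after acquisition is what you compare against before trusting any later result. Signature carving like this is what makes Volatility's scanning plugins independent of the target system, although Volatility goes much further by parsing the kernel's own structures around those signatures.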