introduction to memory forensics
TRANSCRIPT
![Page 1: Introduction to memory forensics](https://reader038.vdocument.in/reader038/viewer/2022100419/5a64e3877f8b9a735d8b4d5d/html5/thumbnails/1.jpg)
Digital forensics with Kali Linux
Marco Alamanni
Section 6
Memory forensics
www.packtpub.com
In this Section, we are going to take a look at…
• Introduction to virtual memory.
• Acquiring a RAM image.
• Analyzing a memory image with the Volatility framework.
Digital forensics with Kali Linux
Marco Alamanni
Video 6.1
Introduction to memory forensics
In this Video, we are going to take a look at…
● Virtual memory management and paging.
● Introduction to memory forensics.
Introduction to memory forensics
● Memory forensics is the process of acquiring and analyzing the main memory (RAM) of a system.
● It is very important in the live response process, when investigating an intrusion or a malware infection.
● It allows the analyst to collect and examine volatile artifacts (running processes, open network connections, unpacked or injected code) that in some cases exist only in memory and leave no trace on disk.
Introduction to virtual memory
● Virtual memory overcomes the limits of physical memory: each process sees its own address space, and the memory manager maps the virtual (logical) addresses it uses to physical memory addresses.
● Virtual memory is divided into fixed-size chunks called pages (4 KiB on x86).
● The page table maintains the mapping between virtual pages and the corresponding physical page frames.
Introduction to virtual memory
● When physical memory runs short, pages are swapped out to disk; which pages are evicted is decided by a page replacement algorithm.
● A page fault is generated when a process references a virtual address belonging to a page that has been swapped out.
● The memory manager then reads the page back from disk, loads it into a physical frame and updates the page table. For the analyst this means that part of a process's memory may be in the page file rather than in the RAM image.
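The two slides above describe the mechanism a memory forensics tool such as Volatility relies on when it rebuilds a process's address space from a RAM image: the page tables themselves are in the dump, so a virtual address can be resolved by walking them, and an entry whose Present bit is clear is exactly a page that lives in the page file (or was never mapped) rather than in RAM. The following is an added example, written for these notes and not code from the course or from Volatility, that walks the four-level x86-64 page tables of a small constructed image; the table layout, the `SECRET-IN-RAM` data and the 2 MiB page are made up for the demonstration.

```python
import struct

# Constructed example: a walk of x86-64 four-level page tables over a raw
# physical-memory image. Illustration code for these notes, not part of the
# Volatility framework or of the course material.

PAGE_SIZE = 4096
ENTRY_SIZE = 8                       # page-table entries are 64-bit
PRESENT = 1 << 0                     # P bit: page/table is in physical memory
PAGE_SIZE_BIT = 1 << 7               # PS bit: 1 GiB page (PDPT) or 2 MiB page (PD)
FRAME_MASK = 0x000FFFFFFFFFF000      # bits 51:12 of an entry hold the frame address


class PageFault(Exception):
    """The walk hit an entry whose Present bit is clear: the page was never
    mapped or has been swapped out to the page file / swap partition."""


def make_vaddr(pml4_i, pdpt_i, pd_i, pt_i, offset):
    """Assemble a 48-bit virtual address from its four table indexes and page offset."""
    return (pml4_i << 39) | (pdpt_i << 30) | (pd_i << 21) | (pt_i << 12) | offset


def _entry(mem, table_base, index):
    """Read one 8-byte little-endian entry from a page table inside the image."""
    return struct.unpack_from("<Q", mem, table_base + index * ENTRY_SIZE)[0]


def translate(mem, cr3, vaddr):
    """Translate `vaddr` to a physical address using the tables rooted at `cr3`
    (the per-process Directory Table Base). Raises PageFault if not present."""
    pml4e = _entry(mem, cr3 & FRAME_MASK, (vaddr >> 39) & 0x1FF)
    if not pml4e & PRESENT:
        raise PageFault(f"PML4E not present for {vaddr:#x}")
    pdpte = _entry(mem, pml4e & FRAME_MASK, (vaddr >> 30) & 0x1FF)
    if not pdpte & PRESENT:
        raise PageFault(f"PDPTE not present for {vaddr:#x}")
    if pdpte & PAGE_SIZE_BIT:                      # 1 GiB page: bits 29:0 are the offset
        return (pdpte & 0x000FFFFFC0000000) | (vaddr & 0x3FFFFFFF)
    pde = _entry(mem, pdpte & FRAME_MASK, (vaddr >> 21) & 0x1FF)
    if not pde & PRESENT:
        raise PageFault(f"PDE not present for {vaddr:#x}")
    if pde & PAGE_SIZE_BIT:                        # 2 MiB page: bits 20:0 are the offset
        return (pde & 0x000FFFFFFFE00000) | (vaddr & 0x1FFFFF)
    pte = _entry(mem, pde & FRAME_MASK, (vaddr >> 12) & 0x1FF)
    if not pte & PRESENT:
        raise PageFault(f"PTE not present for {vaddr:#x}")
    return (pte & FRAME_MASK) | (vaddr & 0xFFF)   # 4 KiB page: bits 11:0 are the offset


def is_mapped(mem, cr3, vaddr):
    """True if the address currently resolves to a physical frame in the image."""
    try:
        translate(mem, cr3, vaddr)
        return True
    except PageFault:
        return False


def read_virtual(mem, cr3, vaddr, length):
    """Read `length` bytes from a process's virtual address space, translating
    one 4 KiB-aligned piece at a time so that reads may span page boundaries."""
    out = bytearray()
    while length > 0:
        paddr = translate(mem, cr3, vaddr)
        chunk = min(length, PAGE_SIZE - (vaddr & 0xFFF))
        out += mem[paddr:paddr + chunk]
        vaddr += chunk
        length -= chunk
    return bytes(out)


def build_sample_image():
    """Constructed 64 KiB 'physical memory' image (not a real dump) holding one
    page-table hierarchy: PML4 @0x1000, PDPT @0x2000, PD @0x3000, PT @0x4000,
    a 4 KiB data frame @0x5000, and a 2 MiB page at frame 0 (covers 0x0-0x1FFFFF)."""
    mem = bytearray(0x10000)
    cr3 = 0x1000

    def put(table, index, value):
        struct.pack_into("<Q", mem, table + index * ENTRY_SIZE, value)

    put(0x1000, 1, 0x2000 | PRESENT)                 # PML4[1] -> PDPT
    put(0x2000, 2, 0x3000 | PRESENT)                 # PDPT[2] -> PD
    put(0x3000, 3, 0x4000 | PRESENT)                 # PD[3]   -> PT
    put(0x4000, 4, 0x5000 | PRESENT)                 # PT[4]   -> frame 0x5000
    put(0x4000, 5, 0x7000)                           # PT[5]: P bit clear = swapped out
    put(0x3000, 6, 0x0 | PRESENT | PAGE_SIZE_BIT)    # PD[6]: 2 MiB page at frame 0
    mem[0x5000:0x5010] = b"SECRET-IN-RAM!!\x00"
    mem[0x6000:0x6008] = b"BIGPAGE\x00"
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_sample_image()
    va = make_vaddr(1, 2, 3, 4, 0)
    print(f"{va:#x} -> {translate(mem, cr3, va):#x}", read_virtual(mem, cr3, va, 15))
    big = make_vaddr(1, 2, 6, 6, 0)   # inside the 2 MiB page, resolves to physical 0x6000
    print(f"{big:#x} -> {translate(mem, cr3, big):#x}", read_virtual(mem, cr3, big, 7))
    print("swapped page mapped?", is_mapped(mem, cr3, make_vaddr(1, 2, 3, 5, 0)))
```

The only inputs a tool needs for this walk are the raw image and the process's page-table root (CR3, which on Windows is the DirectoryTableBase field of the EPROCESS structure); everything else is read from the dump. A PageFault on a user-mode address is the normal outcome for a page that was swapped out, which is why a page file acquired together with RAM can recover data that the RAM image alone cannot.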
Introduction to virtual memory
● The Windows page file is %SYSTEMDRIVE%\pagefile.sys, while Unix and Linux use a swap partition (or a swap file).
● The hibernation file stores the contents of RAM before the OS enters the hibernation state.
● On Windows it is located at %SYSTEMDRIVE%\hiberfil.sys (stored in compressed form, so it has to be converted before it can be analyzed like a RAM image), while Linux generally writes the hibernation image to the swap partition.
Next Video
Memory acquisition