introduction to memory forensics
TRANSCRIPT
Digital forensics with Kali Linux
Marco Alamanni
Section 6
Memory forensics
www.packtpub.com
In this Section, we are going to take a look at…
• Introduction to virtual memory.
• Acquiring a RAM image.
• Analyzing a memory image with the Volat i l i ty framework.
Course Name
Author Name
Video 6.1
Introduction to memory forensics
In this Video, we are going to take a look at…
● Virtual memory management and paging.
• Introduction to memory forensics.
Introduction to memory forensics
● Memory forensics is the process of acquiring and analyzing the main memory of a system.
● Very important in the live response process, investigating an intrusion or a malware infection.
Allows to collect and examine volatile artifacts that in some cases exist only in memory.
Introduction to virtual memory
● Virtual memory overcomes the limits of physical memory and maps logical to physical memory addresses.
● Virtual memory is divided into chunks called pages.
● The page table mantains the mapping between pages and the relative physical page frames.
Introduction to virtual memory
● Pages are swapped to disk when physical memory lacks according to a page replacement algorithm.
● A page fault is generated when a process refers a logical address of a swapped page.
● The memory manager reads the page from disk and loads it to memory.
Introduction to virtual memory
● Windows page file is %SYSTEMDRIVE%\pagefi le.sys while Unix and Linux use the swap partition.
● The hibernation file stores the contents of RAM before the OS goes to hibernation state.
● On Windows is located at %SYSTEMDRIVE\hiber f i l .sys while Linux generally uses the swap partition.
Next Video
Memory acquisition
Next Video
Memory acquisition