Volatility, maintained by Volatile Systems, is the most powerful tool in the presented set. You can simply visit its web page and find plenty of useful information, documentation and a list of capabilities. What is more, there is an excellent statement there:
"The Volatility Framework demonstrates our commitment to and belief in the importance of open source digital investigation tools. Volatile Systems is committed to the belief that the technical procedures used to extract digital evidence should be open to peer analysis and review. We also believe this is in the best interest of the digital investigation community, as it helps increase the communal knowledge about systems we are forced to investigate. Similarly, we do not believe the availability of these tools should be restricted and therefore encourage people to modify, extend, and make derivative works, as permitted by the GPL."

On the other hand, we have a product from Mandiant - Memoryze. This is memory forensic software "that helps incident responders find evil in live memory." The list of features can be found here.
One more tool must be mentioned: PTFinder. Volatility and PTFinder are very often compared with each other. What is more, each of the listed tools uses a different technology and approach, so it is advisable to know all of them and check how they work on specific cases - how they differ (or complement each other) and what metadata each tool can recover.
More information about PTFinder can be found on this page. In the future - hopefully - I will present some conclusions on how to use these tools on a specific memory dump. I would like to make some kind of comparison, just to learn the strengths, weaknesses and capabilities of the mentioned frameworks.