Abstract
As has been discussed throughout this book, computer memory is a valuable source of evidence that should not be overlooked during a forensic examination. However, the traditional tools used for forensic examination are not built to handle memory dumps well. As the previous chapter showed, the structure of memory is vastly different from the structure of a secondary storage device. Further, memory is allocated differently across operating system versions. For that reason, a forensic examiner needs a memory analysis tool capable of interpreting memory dumps from different operating system versions. One such tool is Volatility, which is introduced and described in this chapter in a practical manner. Conveniently, Volatility is open source and free to use. Another tool introduced in this chapter is Redline, a graphical tool designed for malware analysis in memory dumps.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Kävrestad, J., Birath, M., Clarke, N. (2024). Memory Analysis Tools. In: Fundamentals of Digital Forensics. Texts in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-031-53649-6_19
DOI: https://doi.org/10.1007/978-3-031-53649-6_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-53648-9
Online ISBN: 978-3-031-53649-6
eBook Packages: Computer Science (R0)