Windows memory forensics
Abstract
Keywords
References
[CANVAS] Immunity, CANVAS. http://www.immunitysec.com/products-canvas.shtml
[IMPACT] Core Security, CORE IMPACT. http://www.coresecurity.com/products/coreimpact/index.php
[Syscall Proxying] Core Security, “Syscall Proxying”. http://www.coresecurity.com/files/files/11/SyscallProxying.pdf
[Meterpreter] Metasploit, “Meterpreter”. http://www.metasploit.com/projects/Framework/docs/meterpreter.pdf
[rootkit] “Ultimate way to hide rootkit”, rootkit.com. https://www.rootkit.com/newsread.php?newsid=648
[Raynal] Fred Raynal, “Malicious cryptography”, SecurityFocus. Part one: http://www.securityfocus.com/infocus/1865 Part two: http://www.securityfocus.com/infocus/1866
[Filiol] Éric Filiol, “Strong Cryptography Armoured Computer Viruses Forbidding Code Analysis: the Bradley virus”, Proceedings of the 14th EICAR Conference, 2005. http://papers.weburb.dk/archive/00000136/01/eicar05final.pdf
[Malicious Cryptography] Cryptovirology. http://www.cryptovirology.com/
[Schuster] Andreas Schuster, Computer Forensics Blog. http://computer.forensikblog.de/en/
Harlan Carvey, Windows Incident Response (blog). http://windowsir.blogspot.com/
Mariusz Burdach, forensic.seccure.net. http://forensic.seccure.net/
[Garner] George M. Garner Jr., Forensic Acquisition Utilities. http://users.erols.com/gmgarner/forensics/
[Dump Analysis] Dmitry Vostokov, Dump Analysis. http://www.dumpanalysis.org/
Alexandre Garaud (blog). http://c4rtman.blogspot.com/
[Pentium] Intel, Intel® 64 and IA-32 Architectures Software Developer’s Manuals. http://www.intel.com/products/processor/manuals/index.htm
[Debugging Tools] Microsoft, Debugging Tools for Windows. http://www.microsoft.com/whdc/devtools/debugging/default.mspx
[PhysicalMemory] Microsoft TechNet, “\Device\PhysicalMemory object”. http://technet2.microsoft.com/WindowsServer/en/library/e0f862a3-cf16-4a48-bea5-f2004d12ce351033.mspx?mfr=true
[DMP] Andreas Schuster, “DMP File Structure”, 2006. http://computer.forensikblog.de/en/2006/03/dmp_file_structure.html
[CrashOnCtrlScroll] Microsoft KB 244139, “Windows feature lets you generate a memory dump file by using the keyboard”. http://support.microsoft.com/kb/244139
[Q254649] Microsoft KB 254649, “Overview of memory dump file options for Windows Server 2003, Windows XP, and Windows 2000”. http://support.microsoft.com/kb/254649
[Q237740] Microsoft KB 237740, “How to overcome the 4,095 MB paging file size limit in Windows”. http://support.microsoft.com/kb/237740
[Q886429] Microsoft KB 886429, “What to consider when you configure a new location for memory dump files in Windows Server 2003”. http://support.microsoft.com/kb/886429
[IOMMU] Wikipedia, “IOMMU”. http://en.wikipedia.org/wiki/IOMMU
[Market] IDC, “Virtualization Services Market to Reach $11.7 Billion by 2011, According to IDC”. http://www.idc.com/getdoc.jsp?containerId=prUS20778407
[SMSS] Wikipedia, “Session Manager Subsystem”. http://en.wikipedia.org/wiki/Session_Manager_Subsystem
[Windows Internals] Mark E. Russinovich and David A. Solomon, Microsoft Windows Internals, 4th edn., Microsoft Press. http://www.microsoft.com/mspress/books/6710.aspx
[Upper Memory Area] Arne Vidstrom, “Memory dumping over FireWire - UMA issues”, 2006. http://ntsecurity.nu/onmymind/2006/2006-09-02.html
[DFRWS] DFRWS 2005 Forensic Challenge. http://www.dfrws.org/2005/challenge/index.html
[Securitech] Challenge Securitech 2005, challenge 16. http://www.challenge-securitech.com/archives/2005/displaylevel.php?level=21
[Library Injection] skape and Jarkko Turkulainen, “Remote Library Injection”. http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf
[Tribble] Brian D. Carrier and Joe Grand, “A Hardware-Based Memory Acquisition Procedure for Digital Investigations”, Digital Investigation, 2004. http://www.digital-evidence.org/papers/tribble-preprint.pdf
[iPod] Maximillian Dornseif, “Firewire - all your memory are belong to us”, CanSecWest 2005. http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf
[Rutkowska] Joanna Rutkowska, “Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools (Part I: AMD case)”, Black Hat DC 2007. http://invisiblethings.org/papers/cheating-hardware-memory-acquisition-updated.ppt
[Piegdon] [Pimenidis] David Piegdon and Lexi Pimenidis, “Targeting Physically Addressable Memory”. http://david.piegdon.de/papers/SEAT1394-svn-r432-paper.pdf
[Adam Boileau] Adam Boileau, “Hit by a Bus: Physical Access Attacks with Firewire”, Ruxcon 2006. http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf
[Subverting Vista Kernel] Joanna Rutkowska, “Subverting Vista Kernel For Fun And Profit”, Black Hat USA 2006. http://invisiblethings.org/papers/joanna%20rutkowska%20-%20subverting%20vista%20kernel.ppt
[SMM] Loïc Duflot, “Security Issues Related to Pentium System Management Mode”, CanSecWest 2006. http://cansecwest.com/slides06/csw06-duflot.ppt
[Shadow Walker] Sherri Sparks and Jamie Butler, “Shadow Walker: Raising the Bar for Rootkit Detection”, Black Hat Japan 2005. http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-sparks-butler.pdf
[BodySnatcher] Bradley Schatz, “BodySnatcher: Towards reliable volatile memory acquisition by software”, DFRWS 2007. https://www.dfrws.org/2007/proceedings/p126-schatz.pdf
[DFRWS 2006] Andreas Schuster, “Searching for processes and threads in Microsoft Windows memory dumps”, DFRWS 2006. http://dfrws.org/2006/proceedings/2-Schuster.pdf
[Komoku] Komoku. http://www.komoku.com/
[PicoComputing] Pico Computing. http://www.picocomputing.com/
[Lexfo] Lexfo. http://www.lexfo.fr/
[LiveKD] Sysinternals, LiveKd. http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx
[PTFinder] Andreas Schuster, PTFinder 0.3.0. http://computer.forensikblog.de/en/2006/09/ptfinder_0_3_00.html
[Volatools] Komoku, Volatools Basic. http://www.komoku.com/forensics/basic.html
[SystemDump] Dmitry Vostokov, “New SystemDump tool”, 2006. http://citrite.org/blogs/dmitryv/2006/09/12/new-systemdump-tool/
[FATKit] FATKit: The Forensic Analysis ToolKit. http://www.4tphi.net/fatkit/
[MemParser] Chris Betz, MemParser. http://sourceforge.net/projects/memparser
[pmodump.pl] Joe Stewart, pmodump.pl and the Truman Project, SecureWorks. http://www.secureworks.com/research/tools/truman.html
[EnCase] Guidance Software, EnCase Forensics. http://www.guidancesoftware.com/products/ef_index.asp
[Sleuth Kit] Brian Carrier, The Sleuth Kit & Autopsy: Digital Investigation Tools for Linux and other Unixes. http://www.sleuthkit.org/
[Disk Explorer] Runtime Software, Disk Explorer. http://www.runtime.org/
[Forensic Toolkit] AccessData, Forensic Toolkit (FTK). http://www.accessdata.com/catalog/partdetail.aspx?partno=11000
[X-Ways Forensics] X-Ways Software Technology, X-Ways Forensics. http://www.x-ways.net/forensics/index-m.html
[iLook] iLook Investigator. http://www.ilook-forensics.org/
[WOLF] Robert Hensing, Windows OnLine Forensics (WOLF), 2005. http://blogs.technet.com/robert_hensing/archive/2005/01/17/354471.aspx
[KnTTools] George M. Garner Jr., KnTTools. http://users.erols.com/gmgarner/KnTTools/
[VMWare] VMware. http://www.vmware.com/
[Virtual PC] Microsoft Virtual PC. http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx