MoVP II – 2.3 – Creating Timelines with Volatility
by Jamie Levy | May 23, 2013 | forensics, grrcon, malware, movp, timelines, windows
A common computer forensic investigative methodology is creating timelines. Timelines help establish events that took place on the machine prior to investigation. There are various artifacts in Windows memory that can be used to construct a timeline....
MoVP II – 2.2 – Unloaded Windows Kernel Modules
by Volatility | May 22, 2013 | forensics, kernel, malware, movp, volatility, windows
Sometimes knowing which kernel modules recently unloaded can be as valuable as knowing which ones loaded. Windows keeps a record of drivers that unload for debugging purposes – in particular to help analyze failures in the attempt to call unloaded code. If...
MoVP II – 2.1 – RSA Private Keys and Certificates
by Volatility | May 21, 2013 | malware, movp, volatility, windows
Those of you who downloaded the Volatility Cheat Sheet v2.3 may have noticed a plugin named dumpcerts, which is a relatively new addition to the plugin scene for Windows. It's based on the work by Tobias Klein called Extracting RSA private keys and certificates from...
MOVP II – 1.5 – ARM Address Space (Volatility and Android / Mobile)
by Volatility | May 20, 2013 | android, linux, movp
In order to support Android, Volatility now includes an ARM address space. This is the first new hardware architecture supported by Volatility since the inclusion of Intel support in the earliest of releases. The creation of the address space was based upon the ARM...