MoVP II – 2.2 – Unloaded Windows Kernel Modules
by Volatility | May 22, 2013 | forensics, kernel, malware, movp, volatility, windows
Sometimes knowing which kernel modules recently unloaded can be as valuable as knowing which ones loaded. Windows keeps a record of drivers that unload for debugging purposes – in particular, to help analyze failures in the attempt to call unloaded code. If...

MoVP II – 2.1 – RSA Private Keys and Certificates
by Volatility | May 21, 2013 | malware, movp, volatility, windows
Those of you who downloaded the Volatility Cheat Sheet v2.3 may have noticed a plugin named dumpcerts, which is a relatively new addition to the plugin scene for Windows. It's based on the work by Tobias Klein called Extracting RSA private keys and certificates from...

MOVP II – 1.5 – ARM Address Space (Volatility and Android / Mobile)
by Volatility | May 20, 2013 | android, linux, movp
In order to support Android, Volatility now includes an ARM address space. This is the first new hardware architecture supported by Volatility since the inclusion of Intel support in the earliest releases. The creation of the address space was based upon the ARM...

MoVP II – 1.4 – New HPAK Address Space
by Volatility | May 17, 2013 | forensics, movp, volatility
Volatility can analyze memory dumps in the “HPAK” archive format, which is proprietary to the Fast Dump (FDPro.exe) acquisition utility. As we said in a previous MoVP post, if you’re not the person acquiring memory, there’s no telling what tool...

MoVP II – 1.3 – VMware Snapshot and Saved State Analysis
by Volatility | May 16, 2013 | movp, vmware, volatility
VMware is arguably the most popular virtualization software used in production and research. However, there are various versions of VMware (Workstation, Fusion, ESX Server, etc.) and not all of them write raw memory dumps with .vmem extensions for guest VMs....
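The dumpcerts plugin from the MoVP II – 2.1 entry above, like Tobias Klein's original tool, locates keys and certificates in memory by their DER headers rather than by any process structure. The following is an added example of that signature-scan approach in Python; it is not the plugin's own code or Klein's. Both objects open with an ASN.1 SEQUENCE carrying a two-byte long-form length (30 82 LL LL); a PKCS#1 RSAPrivateKey (and a PKCS#8 wrapper) continues with INTEGER 0, an X.509 Certificate with the nested tbsCertificate SEQUENCE. A raw pattern match alone throws many false positives, so each hit is walked as DER and kept only if its TLVs exactly fill the advertised length. The sample image, the key-shaped integers and the certificate skeleton inside it are constructed here and are not real key material.

```python
"""
Signature scan for DER-encoded RSA private keys and X.509 certificates in a raw
memory image. Added example, not Volatility's dumpcerts code. The sample image
built below is constructed; its "key" and "certificate" are structural fakes.
"""
import re
import struct

# DER header patterns. The 0x82 length form means only objects of 256..65535
# bytes are matched, which covers RSA keys and certificates of realistic size.
SIGNATURES = (
    ("rsa_private_key", re.compile(rb"\x30\x82(?P<len>..)\x02\x01\x00", re.DOTALL)),
    ("x509_certificate", re.compile(rb"\x30\x82(?P<len>..)\x30\x82", re.DOTALL)),
)


def der_parse_len(data, off):
    """Decode a DER length at data[off]; return (length, offset of the value)."""
    first = data[off]
    if first < 0x80:
        return first, off + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or off + 1 + nbytes > len(data):
        raise ValueError("bad DER length")
    return int.from_bytes(data[off + 1:off + 1 + nbytes], "big"), off + 1 + nbytes


def der_well_formed(data, start=0, end=None):
    """True if data[start:end] is an exact run of DER TLVs (constructed nodes recursed)."""
    end = len(data) if end is None else end
    off = start
    while off < end:
        tag = data[off]
        if tag == 0x00:          # end-of-contents octet is BER only, never valid DER
            return False
        try:
            length, body = der_parse_len(data, off + 1)
        except (ValueError, IndexError):
            return False
        if body + length > end:
            return False
        if tag & 0x20 and not der_well_formed(data, body, body + length):
            return False
        off = body + length
    return off == end


def scan_image(image):
    """Return signature hits that also parse as complete DER objects, sorted by offset."""
    hits = []
    for kind, sig in SIGNATURES:
        for m in sig.finditer(image):
            start = m.start()
            total = 4 + struct.unpack(">H", m.group("len"))[0]   # header + body
            blob = image[start:start + total]
            # Drop hits whose length runs off the image or whose body is not DER.
            if len(blob) != total or not der_well_formed(blob):
                continue
            hits.append({"type": kind, "offset": start, "size": total, "der": blob})
    return sorted(hits, key=lambda h: h["offset"])


# --- DER encoders, used only to build the constructed sample below ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:            # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return der_tlv(0x02, raw)

def der_seq(*children):
    return der_tlv(0x30, b"".join(children))


def build_sample_image():
    """Constructed stand-in for a memory image: slack, a fake key, a decoy, a cert skeleton."""
    n = (1 << 1023) | 0x1234567             # 1024-bit value shaped like a modulus; not a real key
    fake_key = der_seq(der_int(0), der_int(n), der_int(65537), der_int(n >> 3),
                       der_int((1 << 511) | 3), der_int((1 << 511) | 5),
                       der_int(7), der_int(9), der_int(11))
    fake_cert = der_seq(
        der_seq(der_int(1), der_tlv(0x04, b"\xAA" * 300)),                 # tbsCertificate skeleton
        der_seq(der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        der_tlv(0x03, b"\x00" + b"\xBB" * 128))                            # signature BIT STRING
    # Key-shaped header whose advertised body is not DER: a signature match the
    # well-formedness check must reject.
    decoy = b"\x30\x82\x00\x10\x02\x01\x00" + b"\x00" * 9
    return (b"\x00" * 64 + fake_key + b"MZ\x90\x00" * 16 + decoy
            + b"\xCC" * 32 + fake_cert + b"\xFF" * 16)


if __name__ == "__main__":
    for hit in scan_image(build_sample_image()):
        print(f"{hit['type']:17s} offset=0x{hit['offset']:x} size={hit['size']} "
              f"header={hit['der'][:8].hex()}")
```

Replace `build_sample_image()` with the bytes of a real dump (or a page-aligned window over one) to use it in practice, and write each hit's `der` field to a file for `openssl rsa -inform DER -check` or `openssl x509 -inform DER -noout -text`, which is the real validation step: the DER walk proves only that the bytes are a consistent ASN.1 tree, not that the integers form a working key. Two caveats of the signature approach carry over from the original technique: objects under 256 bytes use a shorter length form and are never matched, and a key that is only ever held in memory in a wrapped or encrypted encoding will not present the plain INTEGER 0 header.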