search menu icon-carat-right cmu-wordmark

Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis

August 2008 Technical Note
Cal Waits, Joseph A. Akinyele, Richard Nolan, Larry Rogers

In this 2008 report, the authors compare various approaches and tools used to capture and analyze evidence from computer memory.

Publisher:

Software Engineering Institute

CMU/SEI Report Number

CMU/SEI-2008-TN-017

Abstract

People responsible for computer security incident response and digital forensic examination need to continually update their skills, tools, and knowledge to keep pace with changing technology. No longer able to simply unplug a computer and evaluate it later, examiners must know how to capture an image of the running memory and perform volatile memory analysis using various tools, such as PsList, ListDLLs, Handle, Netstat, FPort, Userdump, Strings, and PSLoggedOn. This paper presents a live response scenario and compares various approaches and tools used to capture and analyze evidence from computer memory.