Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis

August 2008 • Technical Note

Cal Waits, Joseph A. Akinyele, Richard Nolan, Larry Rogers

The authors compare various approaches and tools used to capture and analyze evidence from computer memory.

Publisher:

Software Engineering Institute

CMU/SEI Report Number

CMU/SEI-2008-TN-017

DOI (Digital Object Identifier):

10.1184/R1/6572696.v1

Subjects

Abstract

People responsible for computer security incident response and digital forensic examination need to continually update their skills, tools, and knowledge to keep pace with changing technology. No longer able to simply unplug a computer and evaluate it later, examiners must know how to capture an image of the running memory and perform volatile memory analysis using various tools, such as PsList, ListDLLs, Handle, Netstat, FPort, Userdump, Strings, and PSLoggedOn. This paper presents a live response scenario and compares various approaches and tools used to capture and analyze evidence from computer memory.

Download PDF

Cite This Report

SEI

Waits, Cal; Akinyele, Joseph; Nolan, Richard; & Rogers, Lawrence. Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis. CMU/SEI-2008-TN-017. Software Engineering Institute, Carnegie Mellon University. 2008. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=8605

IEEE

Waits. Cal, Akinyele. Joseph, Nolan. Richard, and Rogers. Lawrence, "Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Note CMU/SEI-2008-TN-017, 2008. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=8605

APA

Waits, Cal., Akinyele, Joseph., Nolan, Richard., & Rogers, Lawrence. (2008). Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis (CMU/SEI-2008-TN-017). Retrieved March 27, 2023, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=8605

CHI

Cal Waits, Joseph Akinyele, Richard Nolan, & Lawrence Rogers. Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis (CMU/SEI-2008-TN-017). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2008. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=8605

MLA

Waits, Cal., Akinyele, Joseph., Nolan, Richard., & Rogers, Lawrence. 2008. Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis (Technical Report CMU/SEI-2008-TN-017). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=8605

BibTex

@techreport{WaitsComputerForensics2008,
title={Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis},
author={Cal Waits and Joseph Akinyele and Richard Nolan and Lawrence Rogers},
year={2008},
number={CMU/SEI-2008-TN-017},
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
url={http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=8605} }

Ask a question about this Technical Note

Software Engineering Institute