OS X forensic acquisition: a basic workflow

OS X is, in effect, a *nix based system.
Therefore the forensic image acquisition processes are very similar to those used on Linux systems.
Today I’d like to share my personal acquisition workflow for Apple Mac systems, suitable for OSX before 10.11 (El Capitan) or any OSX version with SIP disabled.


Forensic analysis of Windows 10 compressed memory using Volatility

Memory analysis on Windows 10 is quite different from previous Windows versions: a new feature, called Memory Compression, makes it necessary to use a forensic tool able to read compressed memory pages.


Some thoughts about Windows Memory Management

Malware analysis and digital forensic analysis are processes that often require the analyst to look into system memory.
In this regard, a good analyst must have at least a basic knowledge of Windows Memory Management.


Volatility tips: how to extract text typed in a notepad window from a Windows memory dump

In a comment on my article Volatility, my own cheatsheet (Part 3): Process Memory, Fabrizio asked me:

[…] from a memory dump on a win7 system, I found out that notepad was running, can I view its contents?
