OS X is, in effect, a *nix-based system. Therefore the forensic image acquisition process is very similar to the one used on Linux systems.
Today I’d like to share my personal acquisition workflow for Apple Mac systems, suitable for OS X before 10.11 (El Capitan) or any OS X version with SIP disabled.
Continue reading “OS X forensic acquisition: a basic workflow”
Memory analysis on Windows 10 is quite different from previous Windows versions: a new feature, called Memory Compression, requires a forensic tool able to read compressed memory pages.
Continue reading “Forensic analysis of Windows 10 compressed memory using Volatility”
Malware analysis and digital forensic analysis are processes that often require the analyst to look into system memory. In this regard, a good analyst must have at least a basic knowledge of Windows Memory Management.
Continue reading “Some thoughts about Windows Memory Management”
In a comment on my article Volatility, my own cheatsheet (Part 3): Process Memory, Fabrizio asked me:
[…] from a memory dump on a win7 system, I found out that notepad was running, can I view its contents?
Continue reading “Volatility tips: how to extract text typed in a notepad window from a Windows memory dump”