PTK DFLabs

RAM Dump Analysis

Memory dump analysis is done through the Volatility framework (https://www.volatilesystems.com).

At the moment the latest version of the framework that is supported is 1.3, and memory dumps taken from Windows XP SP2 and SP3 systems are supported.

It is possible to perform a string search both in ASCII and UNICODE format.

Just like all other evidence, the results can be added to the PTK bookmarks.

The RAM Dump Analysis section consists of:

  • Date and time
  • Running processes
  • Open network sockets
  • Open network connections
  • DLLs loaded for each process
  • Open files for each process
  • Open registry handles for each process
  • A process's addressable memory
  • OS kernel modules
  • Mapping physical offsets to virtual addresses (string to process)
  • Virtual Address Descriptor information
  • Scanning examples: processes, threads, sockets, connections, modules
  • Extracting executables from memory samples
  • Transparent support for a variety of sample formats (i.e. crash dump, hibernation file, DD)
  • Automated conversion between formats

RAM DUMP ANALYSIS – PROCESS LIST

RAM DUMP ANALYSIS – KEYWORDS SEARCH

PTK also allows string searches over a RAM dump.

Keyword searches can be launched in the following formats:

  • ASCII
  • UNICODE


Regular expression searches are also possible in this section.

All results can be inserted in the investigator’s personal bookmarks.

Live search over the RAM contents is implemented with srch_strings + grep.
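As an added illustration (not PTK's or Volatility's own code), the Python below mirrors what the srch_strings + grep pipeline does: it walks a constructed memory image, pulls out ASCII and UTF-16LE (the "UNICODE" format above) strings together with their physical offsets, and filters them with a regular expression. The offsets it reports are the input a later string-to-process mapping step needs; the sample image and the min_len cutoff are assumptions for the example.

```python
import re

# Constructed sample "memory image": filler bytes around one ASCII string
# and one UTF-16LE string (the encoding Windows uses for most text).
SAMPLE_DUMP = (
    b"\x00\x10\xff\x7f"                                 # filler, not printable
    + b"C:\\Windows\\System32\\svchost.exe\x00"         # ASCII string at offset 4
    + b"\x90\x90\x00\x00"                               # filler
    + "https://example.com/login".encode("utf-16-le")  # UTF-16LE string at offset 40
    + b"\x00\x00\xab\xcd"                               # filler
    + b"MZ\x90\x00"                                     # two printable bytes: too short
)


def iter_strings(data, min_len=4):
    """Return (physical_offset, encoding, text) tuples, the way GNU strings
    (srch_strings in The Sleuth Kit) reports them with `-t d` for ASCII and
    `-t d -e l` for 16-bit little-endian text."""
    patterns = (
        # runs of printable ASCII
        ("ascii", re.compile(rb"[\x20-\x7e]{%d,}" % min_len)),
        # printable ASCII where every character is followed by a NUL byte
        ("utf-16le", re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)),
    )
    found = []
    for encoding, pattern in patterns:
        for match in pattern.finditer(data):
            found.append((match.start(), encoding, match.group().decode(encoding)))
    # report in physical-offset order, as one scan over the image would
    return sorted(found)


def search_dump(data, regex, flags=0, min_len=4):
    """The grep stage: keep only strings whose decoded text matches `regex`."""
    needle = re.compile(regex, flags)
    return [hit for hit in iter_strings(data, min_len) if needle.search(hit[2])]


if __name__ == "__main__":
    # keyword search for anything that looks like an executable or .com host
    for offset, encoding, text in search_dump(SAMPLE_DUMP, r"\.(exe|com)\b", re.I):
        print(f"{offset:>10d}  {encoding:<8s}  {text}")
```

A hit's offset is the byte position in the image; on a real dump that number is what the "mapping physical offsets to virtual addresses" step uses to attribute the string to a process.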
