
Live Memory Acquisition for Windows Operating Systems:
Tools and Techniques for Analysis

The live acquisition of volatile memory (RAM) is an area in digital forensics that has not garnered much attention until most recently. The importance of the contents of physical memory has always taken a back seat to what is considered more important: the contents of physical media. However, a great deal of information can be acquired from RAM analysis which is unavailable during most typical forensic acquisition and analysis. This paper will take a look at the different tools available to the forensic examiner for memory acquisition and how to analyze the resulting data.

Naja Davis
Eastern Michigan University
IA 328

Cover Page and Abstract

Table of Contents

Cover Page and Abstract
I. Introduction
II. Scope
III. Tools for live memory acquisition
    Hardware based solutions
        Tribble
        Firewire
    Software based solutions
        Limitations of software based acquisition
        DD (data dumper)
        Nigilant32
        ProDiscover IR
        KntDD
        Microsoft Crash Dump
IV. Memory Analysis
    Basics: What does an investigator need to know?
    Tools
V. Acquisition
    Suggested Procedures for Live Acquisition
VI. Test Case, Step by Step
VII. Conclusion
Appendix A
References

I. Introduction

Until recently, the acquisition of volatile memory (RAM) has been practiced mainly by those involved in live incident response and largely ignored by the rest of the field. Memory acquisition from a live system requires specialized hardware or software; not all forensic utilities can access the \\.\PhysicalMemory object in Windows. The analysis of the resulting image file also requires specialized scripts and knowledge to be able to interpret the data. These two factors make memory acquisition and analysis more difficult than traditional forensic hard drive examinations; it requires a greater amount of care than the common method of pulling the power and preserving the crime scene.

However, with the advent of Microsoft Vista and BitLocker (Microsoft's answer to full disk encryption) and the increasing sophistication of malware, rootkits, and other viruses, live memory analysis has become even more important to the field of computer forensics. Important data such as passwords, IP addresses, what processes were running, and other data that might not be stored on the hard drive can be retrieved from a memory dump or image. Malware and rootkits often leave traces in resident memory that cannot be found by analyzing a hard drive image.

The Digital Forensic Research Workshop (DFRWS) [1] issued a memory analysis challenge in the summer of 2005 to encourage research and tool development in live memory acquisition. This challenge produced two winners, Chris Betz and the team of George M. Garner, Jr. and Robert-Jan Mora, who developed tools to complete the challenge. Memparser [2], Chris Betz's winning entry, reconstructs process lists and extracts information from process memory. Garner and Mora developed kntlist, which enables an examiner to dump the physical memory from Windows and extract information from the resulting file. These two works have spurred interest in the field of live memory acquisition and the issues surrounding it.

II. Scope

All tools and procedures in this document apply only to the Windows family of operating systems, including Windows 2000, XP, Vista, and Server 2003.

III. Tools for live memory acquisition

Hardware based solutions

Tribble

The Tribble [3] was introduced in February 2004 in the Digital Investigation journal by Brian Carrier and Joe Grand, of Grand Idea Studio, Inc. The Tribble is a hardware expansion card which can be used to retrieve the contents of physical memory. It is a PCI expansion card designed to be installed on a server before the event, with a switch that is enabled when the investigator wants to capture data.

This method of acquisition has its strengths and limitations. As a hardware device, the Tribble can access physical memory without introducing any software onto the target system, minimizing the impact on the data being retrieved. However, it must be installed prior to the incident, making it somewhat inconvenient for on-the-fly acquisition. It is also still a proof-of-concept device and not widely available.

Firewire

The second hardware solution available for live memory acquisition is through the use of a Firewire device. Firewire devices use direct memory access (DMA), without having to go through the CPU. The memory mapping is performed in hardware without going through the host operating system, which allows not only for high-speed transfers but also bypasses the problem with some versions of Windows that do not allow memory to be accessed from user mode.

Adam Boileau [4] developed Python software, run from a Linux system, to extract physical memory from a target over Firewire. This tool can be used against Windows systems as well, by tricking Windows into granting the attached device DMA by masquerading as an iPod. This method is more convenient than the aforementioned Tribble device, as most systems today have Firewire ports available (usually built right into the motherboard). The current problem with this method is an issue with the Upper Memory Area (UMA) which causes some systems to suffer crashes during the acquisition process [5].

Software based solutions

Limitations of software based acquisition

With the release of Service Pack 2 for Windows XP, the \\.\PhysicalMemory object is no longer accessible from user mode. This is also true for Windows Vista and Windows Server 2003 (Service Pack 1): it can only be accessed via kernel mode drivers. As such, some utilities which may have worked in the past will no longer work on these versions of Windows. They may still apply to earlier or unpatched versions, however.

One issue that the forensic investigator needs to remain mindful of during live memory acquisition with software based tools is the potential change to data during the acquisition process. Due to the volatile nature of RAM, introducing any new software onto the system may change the data which currently resides in memory. The memory introduced to the system will displace the data that previously occupied that space. The image acquired may also present a smeared picture of the data, since the system is live and pages are changing as the acquisition progresses. This is certainly not ideal for forensically sound acquisition and subsequent analysis and must be given due consideration, particularly when evidentiary rules and standards apply.

DD (data dumper)

DD, better known as the data dumper tool from UNIX, is probably familiar to most forensic investigators as a tool for creating forensic images of hard drives and is included in many open source forensic utilities such as Helix (http://www.efense.com/helix/). The DD format is also supported by most major forensic applications. Forensic Acquisition Utilities (FAU) [6] uses a modified version of the data dumper tool which is capable of accessing the \\.\PhysicalMemory object in Windows. Unfortunately, FAU will only work on versions earlier than Windows XP Service Pack 2, Windows Vista, or Server 2003 Service Pack 1, as it accesses \\.\PhysicalMemory from user mode. (Note: the most recent version of FAU does not include a version of DD that works for memory acquisition; previous versions are still viable, however.) Also, not all versions of DD will allow access to the \\.\PhysicalMemory object.

Nigilant32

Nigilant32 [7] is a tool developed by Agile Risk Management that allows an investigator to preview a hard disk, image memory, and take a snapshot of currently running processes and open ports on the target system. Nigilant32 has a small footprint, using less than 1 MB in memory when loaded, supporting Agile's claim of minimal impact during acquisition. The program is currently in beta; however, it is free to download and use from their website.

ProDiscover IR

Technology Pathways' forensic acquisition tool, ProDiscover [8], is an incident response tool that allows investigation of a live system anywhere on the network. The investigation can include imaging of physical media or memory; however, use of this tool requires a server applet to be installed on the target system prior to acquisition, via removable storage media such as a USB drive or CD. This requirement makes this particular tool not as desirable a choice for field acquisition and perhaps better suited to a corporate network environment. (Note: this tool is restricted by the kernel mode driver requirement for accessing \\.\PhysicalMemory in certain versions of Windows.)

KntDD

KntDD is a memory acquisition tool developed by George Garner (also responsible for the Forensic Acquisition Utilities) as a part of KntTools [9]. Garner developed KntTools in response to the restriction on accessing \\.\PhysicalMemory from user mode; it supports Windows 2000 through Vista. Images can be acquired to a local removable drive or across the network. It also allows the investigator to convert a raw image to Microsoft crash dump format, so the data can be analyzed using the Microsoft Debugging Tools. This tool is only available to law enforcement or security professionals.

Microsoft Crash Dump

Analyzing crash dumps is another way to obtain information on the contents of RAM. Unlike other software methods of memory acquisition, the image obtained by a crash dump is an unaltered copy of the contents of a system's memory at the time the crash occurred. There is no introduction of software to the system that will alter the contents of memory. The drawback to this method is that crash dumps only occur when there is a problem with the system. There is a method to induce a crash dump from the keyboard; however, it requires an entry in the registry along with a reboot before it is usable [10], rendering it ineffective for field acquisition.

Despite this shortcoming, it is still important for an investigator to be familiar with crash dumps as they can provide valuable information about a system. Not all versions of Windows generate full (complete) crash dumps by default; many are configured to write the smaller kernel or small memory dumps instead. These files can be analyzed with the Windows Debugging Tools [11] and can give the investigator a means to practice and become familiar with memory analysis.

IV. Memory Analysis

Basics: What does an investigator need to know?

The EProcess structure is what represents a process on a Windows system. It includes information on the different attributes of the process along with pointers to other attributes and data structures which are related to it. However, the EProcess block structure varies between operating systems, including between different versions of Windows. Typically, the offsets vary from version to version. It is important to make note of the version of Windows that the memory image or dump is taken from, as this will affect what tools you may be able to use to extract information. This can be done manually; however, it requires a bit more in-depth knowledge of Windows memory management than this paper covers. Harlan Carvey has written a Perl script [13], osid.pl, which will identify the operating system of an image.

The EProcess block contains a pointer to the process environment block (PEB), which is very valuable to a forensic investigator in that it includes pointers to the loader data, such as modules used by the process. This is particularly useful in malware or rootkit analysis, but can also help present a clearer picture as to what exactly was going on in the system at the time in question. The PEB also shows us where the image of the executable lies, the DLL paths, and the command line used to launch the process.
One issue that investigators need to be aware of when examining an image of memory is that most likely it is not a complete picture. Windows memory management uses virtual addressing: page tables map each process's virtual addresses to the true location of the physical data. According to Jesse Kornblum in his "Using every part of the buffalo in Windows memory analysis" [12], most memory analysis tools use a naive form of translation where pages whose page table entries are marked invalid are ignored, even though some of those pages are still resident in the dump. Memory pages which have been swapped out due to paging will not show up in a memory dump, although they are on the system in the pagefile. All the tools tested in this paper do not (as far as this author is aware) include the pagefile. There are tools in development to address this issue, although none are publicly available (yet).
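To make Kornblum's point concrete, here is an added example (my code, not the paper's or any cited tool's) of a 32-bit non-PAE address translator that honours transition pages. The constructed image, the Valid/PageSize bits of the x86 PDE/PTE and the Windows software bits for Prototype (bit 10) and Transition (bit 11) are as assumed in the comments; the directory table base is a parameter rather than a fixed value. The pagefile is still not consulted, matching the limitation the paragraph describes: a page that is invalid and not in transition is reported as unavailable.

```python
"""Translate x86 (32-bit, non-PAE) virtual addresses in a raw memory image.

Added example, not code from the paper or from any tool it cites. A naive
translator stops at the PTE Valid bit. Windows keeps "transition" pages
(removed from a working set but not yet reused) with Valid=0, Transition=1,
Prototype=0, and their page frame number is still good, so the data is still
in the dump. The kernel DTB on Windows XP is commonly 0x39000, but that is an
assumption to verify per image, which is why it is a parameter here.
"""
import struct

PAGE_SIZE = 0x1000
PTE_VALID = 1 << 0
PDE_LARGE = 1 << 7          # 4 MB page (PSE)
PTE_PROTOTYPE = 1 << 10     # Windows software bit (MMPTE_PROTOTYPE)
PTE_TRANSITION = 1 << 11    # Windows software bit (MMPTE_TRANSITION)


class Image:
    """Thin wrapper over the raw bytes of a physical memory dump."""

    def __init__(self, data):
        self.data = data

    def read(self, pa, n):
        if pa < 0 or pa + n > len(self.data):
            return None
        return self.data[pa:pa + n]

    def read_u32(self, pa):
        raw = self.read(pa, 4)
        return None if raw is None else struct.unpack("<I", raw)[0]


def pte_usable(entry):
    """True if the PTE's PFN field points at a frame that is still in RAM."""
    if entry & PTE_VALID:
        return True
    return bool(entry & PTE_TRANSITION) and not (entry & PTE_PROTOTYPE)


def translate(img, dtb, va, strict=False):
    """Return the physical address for `va`, or None if unmapped / paged out.

    strict=True reproduces the naive behaviour: only Valid=1 entries count.
    """
    pde = img.read_u32(dtb + ((va >> 22) & 0x3FF) * 4)
    if pde is None or not (pde & PTE_VALID):
        return None
    if pde & PDE_LARGE:                           # 4 MB page, no page table
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = img.read_u32((pde & 0xFFFFF000) + ((va >> 12) & 0x3FF) * 4)
    if pte is None:
        return None
    ok = bool(pte & PTE_VALID) if strict else pte_usable(pte)
    if not ok:
        return None
    return (pte & 0xFFFFF000) | (va & 0xFFF)


def read_virtual(img, dtb, va, n, strict=False):
    """Read n bytes at a virtual address, page by page; None on any hole."""
    out = bytearray()
    while n:
        pa = translate(img, dtb, va, strict)
        if pa is None:
            return None
        chunk = min(n, PAGE_SIZE - (va & 0xFFF))
        data = img.read(pa, chunk)
        if data is None:
            return None
        out += data
        va += chunk
        n -= chunk
    return bytes(out)


def sample_image():
    """Constructed 16 KB image: page directory at 0x0000, one page table at
    0x1000, data pages at 0x2000 and 0x3000. Returns (Image, dtb)."""
    img = bytearray(4 * PAGE_SIZE)
    dtb, pt = 0x0000, 0x1000
    struct.pack_into("<I", img, dtb + 0 * 4, pt | PTE_VALID)                  # PDE[0] -> page table
    struct.pack_into("<I", img, dtb + 1 * 4, 0x00400000 | PDE_LARGE | PTE_VALID)  # PDE[1] 4 MB page
    struct.pack_into("<I", img, pt + 1 * 4, 0x2000 | PTE_VALID)               # VA 0x1000: valid
    struct.pack_into("<I", img, pt + 2 * 4, 0x3000 | PTE_TRANSITION)          # VA 0x2000: transition
    struct.pack_into("<I", img, pt + 3 * 4, PTE_PROTOTYPE)                    # VA 0x3000: prototype
    struct.pack_into("<I", img, pt + 4 * 4, 0)                                # VA 0x4000: unmapped
    img[0x2000:0x2004] = b"LIVE"
    img[0x3000:0x3004] = b"TRAN"
    return Image(bytes(img)), dtb
```

With `strict=True` the transition page at virtual 0x2000 is lost, exactly the gap Kornblum describes; with the default it reads back `b"TRAN"`. What neither mode can recover is the page behind the prototype entry or the unmapped slot, which is where a pagefile-aware tool would have to step in.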

Tools

Due to the diligence of the computer forensics community, there are quite a few tools available to the investigator with which to analyze memory dumps. Some technical knowledge or familiarity with command line interaction is recommended, as many of the available tools are scripts which must be executed from a command prompt. There are only a few tools which have a GUI interface.

The following is a list of tools which can be used to extract process and other information from memory dumps (links to download locations are included in Appendix A of this document):

Tool | Operating System | What it does | Requirements
Lsproc.pl | Windows 2000 | Locates processes | Perl (http://www.perl.org)
Lspd.pl | Windows 2000 | Lists details of processes | Perl (http://www.perl.org)
Osid.pl | Any Windows | Identifies OS of memory image | Perl (http://www.perl.org)
PoolFinder (part of PoolTools) | Windows 2000, XP | Finds allocations of OS kernel in memory dump and pagefile | Perl (http://www.perl.org)
PoolGrep (part of PoolTools) | Windows 2000, XP | Finds strings in pool allocations | Perl (http://www.perl.org)
PoolDump (part of PoolTools) | Windows 2000, XP | Hex dump of all allocations for a selected class | Perl (http://www.perl.org)
PTFinder | Windows 2000, XP | Includes all scripts in PoolTools as well as osid.pl, but has a GUI. Produces graphical output of processes and threads. | Perl (http://www.perl.org); Graphviz (http://www.graphviz.org/) and ZGRViewer (http://zvtm.sourceforge.net/zgrviewer.html) to view the generated graphic file
FTimes | Windows NT, 2000, XP | Comprehensive toolkit with various memory analysis functions | If running in a Windows environment, you will need Visual Studio in order to compile and run the code. Requires advanced user knowledge.
Volatility | Windows NT, 2000, XP | Comprehensive toolkit with various memory analysis functions | Needs Python to run. This can be accomplished in the Windows environment by installing Cygwin (http://www.cygwin.com/)

The above tools mainly deal with process information, which is where the bulk of memory forensic analysis has been focused. Other data can be extracted from a memory image as well, such as usernames, passwords, and email addresses. A good string search utility, such as find.exe or strings.exe, is essential. Forensic tools such as AccessData's Forensic Toolkit [14] can be used to data carve to retrieve documents, graphic files, or web pages. One important note about data carved from memory images is to keep in mind that the data was retrieved under volatile conditions. As such, files retrieved from memory may be degraded due to the data not being static. This is illustrated by the following picture, carved from a test memory image:

[Figure: degraded graphic carved from a test memory image; not reproduced here]
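As an added example (my code, not the paper's, and not strings.exe, find.exe or FTK), the following Python performs the string search the paragraph calls essential, with a twist a Windows examiner needs: a second pass for UTF-16LE, since user names, window titles and command lines in a Windows dump are mostly wide strings that an ASCII-only strings run never sees. The sample buffer and the credential keyword list are constructed for the demonstration.

```python
"""Pull ASCII and UTF-16LE strings out of a raw memory image and flag
email addresses and credential-looking lines.

Added example, not code from the paper or from strings.exe/find.exe/FTK.
The sample buffer and KEYWORDS are constructed for the demonstration.
"""
import re

MIN_LEN = 6
# Printable 7-bit ASCII runs.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE: a printable ASCII code unit followed by a zero byte, repeated.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
KEYWORDS = ("password", "passwd", "pwd=", "login")


def extract_strings(image):
    """Return a sorted list of (offset, encoding, text) for every run."""
    hits = []
    for m in ASCII_RE.finditer(image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_RE.finditer(image):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    hits.sort()
    return hits


def find_emails(strings):
    """Unique email addresses across all extracted strings."""
    found = set()
    for _, _, text in strings:
        found.update(EMAIL_RE.findall(text))
    return sorted(found)


def find_credentials(strings, keywords=KEYWORDS):
    """Strings that mention a credential keyword, in image order."""
    return [(off, enc, text) for off, enc, text in strings
            if any(k in text.lower() for k in keywords)]


def sample_image():
    """Constructed 4 KB buffer mimicking fragments a live dump might hold:
    an e-mail header, a wide-string password prompt, an HTTP request and a
    profile path, plus a short run that must not count as a string."""
    buf = bytearray(4096)
    fragments = [
        (0x010, b"From: alice@example.com\r\n"),
        (0x100, "Password: hunter2".encode("utf-16-le")),
        (0x200, b"GET /login.php?user=bob&pwd=s3cret HTTP/1.1"),
        (0x300, "C:\\Documents and Settings\\bob".encode("utf-16-le")),
        (0x400, b"\x01\x02abc\x03"),
    ]
    for off, data in fragments:
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    strings = extract_strings(sample_image())
    for off, enc, text in strings:
        print(f"0x{off:06x} {enc:8s} {text}")
    print("emails:", find_emails(strings))
    print("credentials:", [t for _, _, t in find_credentials(strings)])
```

On a real image, feed `extract_strings()` the dump in large chunks and carry the chunk offset forward; the UTF-16LE pass is the one that surfaces the "Password:" prompt above, which the ASCII pass alone would miss entirely.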

V. Acquisition

Due to the volatile nature of live forensics, an investigator needs to develop a standard set of procedures. This is important not only to ensure that the investigator knows exactly what to do when arriving on the scene, but also so there are no unexpected consequences; since the system is live, unintentionally changing data on the target system could invalidate the acquired evidence and also cause it to be inadmissible in a court of law. Before attempting a live acquisition, an investigator should test their toolset(s) extensively, under varying conditions (VMware [15] is excellent for this).

Suggested Procedures for Live Acquisition:

1. Document all steps. This is not only important for evidentiary reasons, but also for the investigator's own reference.
2. Is the system locked? If so, that will change the acquisition process. If you cannot obtain a password for access, then live acquisition may not be possible. Currently, no software utilities can image \\.\PhysicalMemory without full access.
3. Do not close any windows or close any documents/programs; leave them running. By closing a window or program you may be terminating a process, which will affect what is occurring on the system at that time.
4. Limit the acquisition process to as few steps as possible when it comes to interacting with the target system; fewer steps = less impact on the system.
5. Use tools that have as small a footprint as possible. Nigilant32 (this author's recommended choice) uses less than 1 MB of memory; Helix uses 17 MB.

VI. Test Case, Step by Step

Test system:
VMware, Windows XP Professional Service Pack 2
Intel Dual Core Processor, 2.6 GHz
512 MB RAM
Tool used for image acquisition: Nigilant32

Desktop before live acquisition (screenshot not reproduced here): AOL Instant Messenger can be seen running.

1. For this acquisition I chose to use a USB thumb drive for storing the image. Investigators should remember to wipe media thoroughly before each acquisition, so remnants of data from previous images are not a factor in analysis.

After inserting your CD with the Nigilant software on it, browse to My Computer and explore the drive (if it doesn't already open due to AutoRun). Run the Nigilant32 executable and go to Tools > Snapshot Computer. This option will enumerate the currently running processes, users, and open ports and allow the investigator to save this data to a plain text file. Save the text file to your thumb drive, naming it appropriately. You can also enumerate processes via other scripts after image acquisition, if you wish to validate this output.

Note: You can put the Nigilant executable on the thumb drive and run it from there; however, be mindful if your data will be used as evidence. It may be best to burn it to a CD with your other memory acquisition tools, so there is no question as to the integrity of your image.

2. After saving the text file, browse to Tools > Image Physical Memory. A prompt will appear; click on Start.

You will be prompted to choose a location and name for your image.

Acquiring physical memory takes a bit of time, as with normal data acquisition. A progress indicator will appear to let you know how far along you are.

3. After the image is complete, close the Nigilant software. Unfortunately, Nigilant does not have an ability to hash the image file after acquisition; the investigator will have to do this before beginning analysis.

4. Before beginning analysis, the investigator should make another copy of the memory image to work on; never work on the original media! Since this isn't like a hard drive acquisition, there is no original physical media; the image we just made is the original. For evidentiary purposes, it is a good practice to hash the original media (the thumb drive) and the memory image and make a working copy of the memory image before proceeding with analysis.
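Since Nigilant32 does not hash its output, here is an added example (my code, not part of the paper or of Nigilant32) of the hash, record, copy and verify step from points 3 and 4 above. The sidecar file name and its line format are my choices, and the "image" is constructed random data in a temporary directory so the demonstration runs anywhere; on a real case the functions are pointed at the image on the thumb drive and the working directory on the analysis machine.

```python
"""Hash a freshly acquired memory image, record the digests beside it, make a
working copy and prove the copy matches before any analysis touches it.

Added example, not code from the paper or from Nigilant32. The sidecar format
('<alg>  <hex>  <size>  <name>' per line) is an assumption of this example.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20   # 1 MiB reads keep memory flat on multi-GB images


def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hexdigest}, all digests computed in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_sidecar(image_path, digests):
    """Write '<image>.hashes' next to the image and return its path."""
    sidecar = image_path + ".hashes"
    size = os.path.getsize(image_path)
    with open(sidecar, "w") as fh:
        for name, hexd in sorted(digests.items()):
            fh.write(f"{name}  {hexd}  {size}  {os.path.basename(image_path)}\n")
    return sidecar


def read_sidecar(sidecar):
    """Parse the sidecar back into {algorithm: hexdigest}."""
    digests = {}
    with open(sidecar) as fh:
        for line in fh:
            parts = line.split()
            if len(parts) >= 2:
                digests[parts[0]] = parts[1]
    return digests


def make_working_copy(image_path, dest_dir):
    """Hash the original, record it, copy it, and re-hash the copy.

    Returns (copy_path, verified). Analysis should only start when
    verified is True; the original stays untouched from here on.
    """
    sidecar = write_sidecar(image_path, hash_file(image_path))
    copy_path = os.path.join(dest_dir, os.path.basename(image_path))
    shutil.copyfile(image_path, copy_path)
    verified = hash_file(copy_path) == read_sidecar(sidecar)
    return copy_path, verified


def demo():
    """Constructed run: a 3 MiB random 'image' in a temp dir. Returns
    (copy verified, tampered copy still verifies) -> expected (True, False)."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "memdump.img")
        with open(img, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 123))
        work = os.path.join(tmp, "work")
        os.mkdir(work)
        copy_path, ok = make_working_copy(img, work)
        # Flip one byte in the working copy: the recorded hashes must now fail.
        with open(copy_path, "r+b") as fh:
            fh.seek(4096)
            original_byte = fh.read(1)[0]
            fh.seek(4096)
            fh.write(bytes([original_byte ^ 0xFF]))
        tampered_ok = hash_file(copy_path) == read_sidecar(img + ".hashes")
        return ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Two digests are recorded on purpose: either alone is enough to catch a copy error, but recording both (and the byte count) costs nothing on a single pass and gives whoever reviews the evidence later two independent values to reproduce.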

5. As discussed earlier, memory analysis differs from hard drive analysis in that even slight changes in operating system version (Windows 2000 vs. Windows XP) will determine which tools will be the most effective. Nigilant32 has done a lot of the work for us already, by providing us with a snapshot of the OS version, running processes, users, and open network ports.

An investigator could verify output by running another analysis tool and enumerating the processes. I will demonstrate this here by using PTFinder.

PTFinder is a GUI interface for Andreas Schuster's PoolTools. Once you've chosen your dump file and options, it will generate a text file and a graphic file of the running processes. We are only interested in the text file at this time. After clicking Execute you will be prompted to run a batch file; click Yes.

A DOS prompt will open up. When the analysis is complete, PTFinder will close on its own.

The resulting text file lists the processes found in the image. The output from PTFinder is not as clean as what you will see from Nigilant, but provides more than enough information to compare running processes. Note: PTFinder will not provide network information or users, only process information.

6. Now that we have process information, we can proceed with analyzing the image file with other tools. In this case, we will use Forensic Toolkit.

After analyzing the image, the investigator can examine carved data and perform string searches as with a normal image file.

VII. Conclusion

While there are many tools available for live memory acquisition and analysis, it is still a relatively new endeavor in the area of digital forensics; many of the tools and techniques developed thus far are still in the growing phase and require refinement. Today's computer forensic investigator, in order to be successful, will need to be well informed and intimately familiar with the internal workings of Windows memory management in order to acquire a complete picture of memory from an evidentiary standpoint. Thankfully there have been many forensic investigators, such as Harlan Carvey, Andreas Schuster, and Mariusz Burdach, who have started along the path and created a foundation for others to build upon. As the tools become better and the procedures more sound, examiners will have a new weapon in their arsenal to utilize during forensic investigations.

Appendix A

Lsproc.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
Lspd.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
Osid.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
PoolTools (PoolFinder, PoolGrep, PoolDump): http://computer.forensikblog.de/en/2007/11/pooltools_1_3_0.html
PTFinder: http://computer.forensikblog.de/en/2006/03/ptfinder_0_2_00.html
FTimes: http://ftimes.sourceforge.net/FTimes/
Volatility: https://www.volatilesystems.com/VolatileWeb/volatility.gsp

References

1. Digital Forensics Research Workshop, DFRWS, http://www.dfrws.org/. [Accessed March 15, 2008]
2. C. Betz, Memparser, http://sourceforge.net/projects/memparser. [Accessed March 15, 2008]
3. B. D. Carrier and J. Grand, "A Hardware-Based Memory Acquisition Procedure for Digital Investigations," Digital Investigation, March 2004.
4. A. Boileau, Firewire and DMA, March 2008, http://www.storm.net.nz/projects/16. [Accessed March 16, 2008]
5. A. Vidstrom, Memory dumping over Firewire: UMA Issues, http://www.ntsecurity.nu/onmymind/2006/20060902.html. [Accessed March 16, 2008]
6. G. Garner, Forensic Acquisition Utilities, November 2007, http://gmgsystemsinc.com/fau/. [Accessed March 20, 2008]
7. Agile Risk Management, Nigilant32, http://www.agilerm.net/publications_4.html. [Accessed March 20, 2008]
8. Technology Pathways, ProDiscover IR, http://www.techpathways.com/ProDiscoverIR.htm. [Accessed March 20, 2008]
9. GMG Systems, Inc., KntTools with KntList, http://www.gmgsystemsinc.com/knttools/. [Accessed March 20, 2008]
10. Microsoft, Inc., "Windows feature lets you generate a memory dump file by using the keyboard," December 2007, http://support.microsoft.com/kb/244139. [Accessed March 21, 2008]
11. Microsoft, Inc., Debugging Tools for Windows Overview, http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx. [Accessed March 21, 2008]
12. J. Kornblum, "Using every part of the buffalo in Windows memory analysis," Digital Investigation, vol. 4, issue 1, pp. 24-29, March 2007.
13. H. Carvey, Windows Forensic Analysis, Burlington, MA: Syngress Publishing, 2007.
14. AccessData, Forensic Toolkit 2.0, http://www.accessdata.com/Products/ftk2test.aspx. [Accessed March 22, 2008]
15. VMware, VMware Server, http://www.vmware.com/products/server/. [Accessed April 8, 2008]