Forensics

Publish date: August 16, 2005
Tags: security windows

Not directly related to coding, but a very interesting topic on its own, is Computer Forensics and Incident Response. To relate this to coding: the field is so new that there is a huge need for good, solid, reliable, smart tools to analyze and extract information from systems. I mean, even the most basic information, like the memory map of a running Windows system, is still unknown territory!

dd is a Linux tool (also available on Windows) that copies raw bytes to a file, be it memory, a drive, whatever; it is used to image disks, analyze memory, or (yep) do forensic analysis. So if you dd a Windows machine's memory, how do you extract meaningful information out of it? How is it organized, which region belongs to the kernel and which to the applications? Process memory is part RAM, part swap, so an image of physical memory only holds the pages that were resident at that moment and whatever was paged out is sitting in pagefile.sys; how do you deal with that? If you take a crash dump of a Windows machine you can analyze it with MS's debugging tools, but dd's raw output is not something those debuggers read, so we need tools for this :p
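As an added example (not code from the original post), here is the kind of first-pass triage you can still do on a raw dd image before anyone has mapped out its layout: carve printable strings, both ASCII and UTF-16LE (Windows keeps most of its strings as UTF-16, which a plain `strings` run misses), and scan for a fixed byte signature at page-aligned offsets, here the `MZ` of a PE header. The sample image, its offsets and the planted strings are constructed in the script; they are not from a real Windows dump. `scan_file` mmaps a real image so nothing has to be read whole into RAM.

```python
"""Raw memory image triage: string carving and signature scanning.

Added example, not from the original post. Works on any bytes-like
object (bytes, bytearray, mmap), so a multi-GB dd image can be mmap'd
and scanned in place.
"""
import mmap
import re
from typing import List, Tuple

MIN_LEN = 6      # shortest string worth reporting
PAGE = 4096      # x86 page size; PE headers in memory sit on a page boundary

# Run of at least MIN_LEN printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Same characters as UTF-16LE: every printable byte followed by a NUL.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

Hit = Tuple[int, str, str]   # (offset in image, encoding, decoded text)


def carve_strings(buf) -> List[Hit]:
    """Return every ASCII and UTF-16LE string in `buf`, sorted by offset."""
    hits: List[Hit] = []
    for m in ASCII_RE.finditer(buf):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(buf):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    hits.sort()
    return hits


def find_signature(buf, sig: bytes, align: int = 1) -> List[int]:
    """Offsets of every occurrence of `sig` whose offset is a multiple of
    `align`. align=PAGE keeps page-aligned hits (e.g. real PE headers) and
    drops stray matches inside unrelated data."""
    out: List[int] = []
    pos = buf.find(sig)
    while pos != -1:
        if pos % align == 0:
            out.append(pos)
        pos = buf.find(sig, pos + 1)
    return out


def scan_file(path: str, sig: bytes = b"MZ") -> Tuple[List[Hit], List[int]]:
    """Scan an on-disk image (e.g. dd output) without reading it into RAM."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_strings(mm), find_signature(mm, sig, align=PAGE)


def build_sample_image() -> bytes:
    """Constructed three-page image with planted items. Offsets and
    contents are invented for the demo; this is not a Windows dump."""
    img = bytearray(3 * PAGE)                      # zero filler breaks runs
    img[0x100:0x100 + 12] = b"explorer.exe"        # ASCII string at 0x100
    wide = "C:\\Windows\\System32\\cmd.exe".encode("utf-16le")
    img[0x1020:0x1020 + len(wide)] = wide          # UTF-16LE string at 0x1020
    img[0x2000:0x2002] = b"MZ"                     # page-aligned PE-style header
    img[0x2345:0x2347] = b"MZ"                     # stray MZ in the middle of a page
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for off, enc, text in carve_strings(image):
        print(f"{off:#010x} {enc:8} {text}")
    aligned = find_signature(image, b"MZ", align=PAGE)
    print("page-aligned MZ at", [hex(o) for o in aligned])
```

Swap `b"MZ"` for whatever fixed tag you are hunting, and keep `align=PAGE` only when the structure you expect is page-aligned; for arbitrary pool allocations leave it at 1. Nothing here answers the question of what is kernel and what is process memory, and a physical image still lacks whatever was paged out, but it gives you offsets to start pulling on.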

Windows Incident Response Blog