2006
DOI: 10.1016/j.diin.2006.10.001
FATKit: A framework for the extraction and analysis of digital forensic data from volatile system memory

Cited by 101 publications (40 citation statements)
References 6 publications

“…The paper also describes a compelling attack that modifies cached registry and proposes a method to detect such attacks by examining memory. Petroni et al [161] propose the FATKit, an extendable framework for extraction and analysis of volatile system memory. Harms [94] investigates system restore points in Windows XP and Arasteh and Debbabi [8] use the process logic to model extracted properties of memory stack and verify against model generated from program assembly code.…”
Section: Digital Timestamps and Time-lining (citation type: mentioning, confidence 99%)
“…Prior work identifies data structures in memory by traversing pointers starting from program (kernel) global variables and following the points-to relationships to reach instances of the data structure. KOP [5], MAS [16], FATKIT [1] and VOLATILITY [3] all use such technique. While SIGPATH also leverages this approach the substantial difference is that these works require access to the target's source code or its data structure definitions in symbol files.…”
Section: Related Work (citation type: mentioning, confidence 99%)
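The citation above describes the technique FATKit, Volatility, KOP and MAS share: start at a known kernel global, follow the points-to chain, and reconstruct each structure instance it reaches. The following is an added example written for this page, not code from FATKit, Volatility or any of the cited papers. It builds a constructed 32-bit "memory image" with an invented process structure layout and an invented global list head (standing in for something like PsActiveProcessHead), walks the list from that global with bounds and cycle checks, and then contrasts the result with a signature scan that needs no pointer path. The structure, offsets, addresses and process names are all assumptions made up for the demonstration.

```python
import struct

PTR = 4                            # toy 32-bit image: pointers are 4 bytes
BASE = 0x80000000                  # virtual address of byte 0 of the image (assumed)
SIZE = 0x200                       # image length in bytes
PROC_SIZE = 32                     # size of the invented process structure
OFF_PID, OFF_NAME, OFF_FLINK = 0, 4, 20   # invented field offsets inside the structure
NAME_LEN = 16
HEAD_VA = BASE + 0x10              # invented kernel global holding the list head


def _w32(img, va, value):
    """Write a little-endian u32 at virtual address va."""
    struct.pack_into("<I", img, va - BASE, value)


def _r32(img, va):
    """Read a u32 at va, refusing pointers that leave the image."""
    if not BASE <= va <= BASE + SIZE - PTR:
        raise ValueError("pointer 0x%x leaves the image" % va)
    return struct.unpack_from("<I", img, va - BASE)[0]


def _name_at(img, base):
    raw = bytes(img[base + OFF_NAME - BASE: base + OFF_NAME - BASE + NAME_LEN])
    return raw.split(b"\0", 1)[0]


def build_image():
    """Constructed image: three processes on the active list, one unlinked.

    The (flink, blink) list entry is embedded at OFF_FLINK inside each structure,
    so list pointers address the entry, not the structure base (as on Windows).
    """
    img = bytearray(SIZE)
    linked = [(4, b"System", BASE + 0x40),
              (312, b"lsass.exe", BASE + 0x80),
              (1250, b"explorer.exe", BASE + 0xC0)]
    unlinked = (6666, b"rootkit.exe", BASE + 0x100)   # present in memory, not on the list
    entries = [HEAD_VA] + [va + OFF_FLINK for _, _, va in linked]
    for i, ent in enumerate(entries):                  # circular doubly linked list
        _w32(img, ent, entries[(i + 1) % len(entries)])           # flink
        _w32(img, ent + PTR, entries[(i - 1) % len(entries)])     # blink
    for pid, name, va in linked + [unlinked]:
        _w32(img, va + OFF_PID, pid)
        img[va + OFF_NAME - BASE: va + OFF_NAME - BASE + len(name)] = name
    # the unlinked structure's entry points at itself, as after a DKOM-style unlink
    _w32(img, unlinked[2] + OFF_FLINK, unlinked[2] + OFF_FLINK)
    _w32(img, unlinked[2] + OFF_FLINK + PTR, unlinked[2] + OFF_FLINK)
    return img


def walk_process_list(img, max_entries=1024):
    """Points-to traversal from the global head; returns [(pid, name, base_va)]."""
    found, seen = [], set()
    entry = _r32(img, HEAD_VA)                         # head.flink
    while entry != HEAD_VA:
        if entry in seen or len(found) >= max_entries:
            raise ValueError("list corrupted or cyclic at 0x%x" % entry)
        seen.add(entry)
        base = entry - OFF_FLINK                       # entry -> containing structure
        found.append((_r32(img, base + OFF_PID), _name_at(img, base).decode(), base))
        entry = _r32(img, entry)                       # follow flink
    return found


def scan_for_processes(img):
    """Carve candidate structures by a structural signature (invented, deliberately weak)."""
    found = []
    for off in range(0, SIZE - PROC_SIZE + 1, 0x10):
        base = BASE + off
        pid = _r32(img, base + OFF_PID)
        name = _name_at(img, base)
        flink = _r32(img, base + OFF_FLINK)
        blink = _r32(img, base + OFF_FLINK + PTR)
        if (0 < pid < 65536 and name and all(32 <= c < 127 for c in name)
                and BASE <= flink < BASE + SIZE and BASE <= blink < BASE + SIZE):
            found.append((pid, name.decode(), base))
    return found


def hidden_processes(img):
    """Cross-view: structures the scan finds that the pointer walk never reaches."""
    linked = set(walk_process_list(img))
    return [p for p in scan_for_processes(img) if p not in linked]


if __name__ == "__main__":
    image = build_image()
    for pid, name, va in walk_process_list(image):
        print("linked  %5d %-14s @0x%x" % (pid, name, va))
    for pid, name, va in hidden_processes(image):
        print("hidden  %5d %-14s @0x%x" % (pid, name, va))
```

The walk is the traversal the citation describes and depends on knowing the global's address and the structure layout, which is exactly the symbol-file or source dependency the statement points out; the scan is the signature-based alternative and is what surfaces the unlinked structure. Real images need a virtual-to-physical translation step before the reads, and the cycle and bounds checks matter because a corrupted or hostile list is the normal case in forensics, not the exception.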
“…These data structures store private, often sensitive, data of interest such as running processes in an OS, unit and resource information in online games, and credentials and contact information in Instant Messengers (IM). Such capability is crucial for memory forensics [1][2][3][4], rootkit detection [5][6][7], game hacking [8], reverse engineering [9][10][11], and virtual machine introspection (VMI) [12].…”
Section: Introduction (citation type: mentioning, confidence 99%)
“…Recent work [4] has considered digital forensics as a primary VMI application area, and there has also been associated work in tools that construct forensically relevant information from memory images [5,6].…”
Section: Research Questions (citation type: mentioning, confidence 99%)