Time
4 hours 15 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:01
Hello and welcome back.
00:03
In the last video, we were analyzing the data dumper, dd, and its functionality.
00:08
You need to know those concepts for this video, so feel free to pause this one and go back to the previous one to see what dd is.
00:15
In this video we're going to analyze how to obtain physical memory in a forensic manner.
00:21
Preservation of volatile data is one of the most challenging tasks in computer forensics. This means dumping the RAM content of a running computer in a forensically sound manner.
00:32
In the Microsoft Windows environment, dd provides a convenient way to copy the memory into a file. There's only one flaw:
00:40
it won't work on Windows Server 2003 Service Pack 1 or later.
00:45
The dumper, dd, relies on a core dump function, which creates a special image structure in a keyword=value format. Therefore the output file is readable in many tools and applications, like the Windows kernel debugger.
01:03
We need to analyze the pros and cons of this process of forensic RAM dumping with dd.
01:08
The advantages: first, there is no need to install software like kernel-mode drivers on the system under examination.
01:17
Second, the created memory dump usually fits onto a USB memory stick.
01:22
A simple raw format is maintained: file offset equals the address in physical memory.
01:29
Executing the program does not require rebooting the system or any disruption of the service.
01:34
Those are the advantages. Now the disadvantages: in addition to the fact that this cannot be done on a recent version of Windows, we also have that the dumped memory has the same size as the RAM,
01:45
the system continues to run during the dump,
01:48
resulting in a blurred image instead of a sharp snapshot.
01:52
Because of the raw format, the kernel debugger can't handle the dump.
01:56
There are no publicly available tools to analyse the memory dump. Finally, administrator privileges are required.
02:05
The \Device\PhysicalMemory section object is what enables us to access the physical memory from ordinary user-mode applications in Windows. Fortunately, from a security viewpoint,
02:16
the section object can only be opened by members of the Administrators group, as we have seen.
02:22
Unfortunately, also from our forensics viewpoint, user-mode access to it has been blocked in Windows XP 64-bit, Windows Server 2003 SP1, and Windows Vista and following.
02:36
We will be studying it anyway, as it may come in handy in a forensic investigation: some servers may not have changed, and there this process is still possible. Also, it's good to know the full functionality of dd.
02:49
The syntax is pretty simple: read the physical memory and save it to a file for further analysis.
02:54
This reads the system memory until the end, or until an error results. You'll see an error reported when the starting offset of the read goes beyond the range of the addressable physical memory.
03:07
Any Windows-based debugging tool can analyze a physical memory dump only after conversion to a Microsoft crash dump format.
03:16
Today we use commercial tools such as the Forensic Toolkit (FTK), or EnCase, or a program called DumpIt. We will analyze these tools later on in this course.
03:30
As usual, here's a quick question for you.
03:34
When performing a forensic RAM dump with dd, which statement from the following is not true?
03:39
A: the dumped memory has the same size as the RAM. B: administrator privileges are required.
03:47
C: executing the program does not require rebooting the system.
03:52
Or D: it will work on a Windows Vista operating system.
03:58
The answer here is D. Unfortunately, user-mode access to the physical memory has been blocked in Windows XP 64-bit, Windows Server 2003 Service Pack 1, and Windows Vista and following.
04:13
Forensic analysis of physical memory
04:15
is a relatively new field of research. Though there are a lot of software tools for acquisition of a system's physical memory, we need to be careful, as software tools will inevitably damage or even overwrite the contents of physical memory.
04:31
A lot of information in a computer, such as the system processes, network information, logon information, registry information, open files, configuration parameters and so on, must be accessed by obtaining and analyzing the target computer's physical memory dump.
04:50
This will be the main topic in the next module.
04:56
In this module, we have covered the data dumper, or dd, as a tool for creating forensic image files. We studied the definition, some examples, the functionality and the syntax. We also analyzed the physical memory: how can we get information out of it?
05:13
Don't forget to check the references and supplementary material, where you will have the chance to practice the topics covered,
05:18
and see you in the next video, where we will be dealing with labs.

Up Next

Windows Forensics and Tools

The Windows Forensics and Tools course focuses on building digital forensics knowledge of Microsoft Windows operating systems, as well as some compatible software or tools that can be used to obtain or process information in such systems.

Instructed By

Adalberto Jose Garcia
Information Security Analyst at Bigazi
Instructor