Home > Forensic Tools & Techniques Taxonomy
| Forensic Functionality: | Memory Capture and Analysis |
|---|
| Technical Parameters: |
|---|
|
tool support for binary RAM dump |
tool support for memory analysis |
process list |
|
binary RAM dump unsupported |
memory analysis unsupported |
process status (active, hidden, or exited) |
|
|
|
processes as .exe files |
|
|
|
EPROCESS list |
|
|
|
kernel module list |
|
|
|
driver list |
|
|
|
DLL lists |
|
|
|
TCPT_OBJECTs |
|
|
|
open handles |
|
|
|
open files by process |
|
|
|
open registry handles by process |
|
|
|
open network sockets |
|
|
|
open network connections |
|
|
|
TCP connections |
|
|
|
passwords |
|
|
|
browser artifacts (e.g., in-private browsing history) |
|
|
|
cloud service artifacts (e.g., Dropbox, Flickr, Google Drive) |
|
|
|
social network artifacts |
|
|
|
webmail artifacts (e.g., GMail, Hotmail, Yahoo) |
|
|
|
P2P remnants |
|
|
|
Instant Messenger histories |
|
|
|
n/a (binary RAM dump only) |
