Among the different approaches to memory forensics[13], native memory forensic analysis is done using native OS debuggers such as WinDbg from Debugging Tools for Windows, GDB (Linux), or GDB/LLDB (Mac OS X). Such an approach is an integral part of software diagnostics (the investigation of signs of software structure and behavior in software execution artifacts). We introduced it as a part of pattern-oriented software forensics[14].
Software Diagnostics Services offers a comprehensive self-paced training course in native memory forensics for Windows platforms[15] using WinDbg and memory dumps for hands-on exercises[16]. This training course[17] teaches various pattern languages[18] that can also be used with other memory forensic analysis tools.
[13] Investigation of past system or process structure and behaviour recorded in memory snapshots.
[14] http://www.patterndiagnostics.com/pattern-oriented-software-forensics-materials
[15] Windows XP, Windows Vista, Windows 7, Windows 8, Windows RT, Windows Server
[16] http://www.patterndiagnostics.com/memory-forensics-pack
[17] Also includes malware and rootkit detection, disassembly and reversing as an integral part of forensic investigation.
[18] Such as memory analysis pattern language, malware analysis patterns, and ADDR patterns.