RAM Analysis Section is the first extension of the instrument that fits within the structure of a plug-in PTK. Each plug-in developed add new features and make the process of analyzing evidence increasingly automated. Section
RAM analysis is based on using the tool volatility and allows the analysis at various levels made a RAM dump using the tool dd. PTK can then analyze the state of the system when the dump and drill into information such as:
RAM analysis is based on using the tool volatility and allows the analysis at various levels made a RAM dump using the tool dd. PTK can then analyze the state of the system when the dump and drill into information such as:
- active connections
- DLLs loaded by processes
- open files
- kernel modules loaded
- processes
- sockets
- objects of type ETHREAD
- Virtual Address Descriptors (VAD) of any process
0 comments:
Post a Comment