[Vol-users] One-byte Modification for Breaking Memory Forensic Analysis.

George M. Garner Jr. (online) ggarner_online at gmgsystemsinc.com
Mon Apr 30 09:24:13 CDT 2012


In case you missed it, this is an interesting paper on how to frustrate
a few free memory forensic tools using one-byte modifications to main
computer memory:
https://media.blackhat.com/bh-eu-12/Haruyama/bh-eu-12-Haruyama-Memory_Forensic-Slides.pdf
The paper examines potential single points of failure in 3 free memory
forensic tools:

1. Volatility
2. Memoryze
3. Responder Community Edition

The reliability of memory forensic tools (both acquisition and analysis)
is a topic which to date has received very little attention (except on
the part of the "bad guys").  Hence, this paper provides some welcome
relief.  The paper is marred, however, by its exclusive focus on free
tools.  The commercial tools, which cost $10K or $100K, may also have
defects, and it would be interesting to know how they compare to the
free tools.  As I remember it, at least one of the commercial tools has
a license provision which prevents you from telling anyone if you find
a defect.  So perhaps the author limited his focus due to legal
constraints.
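
[Editor's note: the following is an added illustration, not part of the
original message and not taken from the Haruyama paper or from any of the
three tools it examines. It shows the general idea of a "single point of
failure" in analysis: a scanner that locates a kernel structure only by a
fixed byte signature is defeated by changing one byte of that signature,
while a scanner that checks a structural invariant instead (here, mutual
Flink/Blink consistency of a doubly linked list) is unaffected. The memory
layout, the tag "HDR!", the record format, and the sample processes are all
constructed for the example; they are not Windows structures.]

```python
"""Toy 'memory image' with a tagged header anchoring a circular doubly
linked list of process-like records, plus two ways of finding the list.
All offsets, tags and records are constructed for illustration only."""
import struct

IMAGE_SIZE = 0x4000
HEADER = 0x1800                      # hypothetical tagged header offset
TAG = b"HDR!"                        # hypothetical 4-byte signature (constructed)
LIST_HEAD = HEADER + 8               # {Flink, Blink} pair inside the header
RECORDS = [0x2000, 0x2100, 0x2200]   # record layout: flink(8) blink(8) pid(4) name(16)
PIDS = [4, 428, 1337]                # constructed sample processes
NAMES = [b"System", b"lsass.exe", b"notepad.exe"]


def _put_entry(img, off, flink, blink):
    struct.pack_into("<QQ", img, off, flink, blink)


def _read_entry(img, off):
    return struct.unpack_from("<QQ", img, off)


def build_image():
    """Return a bytearray: tag at HEADER, list head right after it, and the
    three records linked into one ring with the head (constructed data)."""
    img = bytearray(IMAGE_SIZE)
    img[HEADER:HEADER + 4] = TAG
    ring = [LIST_HEAD] + RECORDS
    for i, off in enumerate(ring):
        _put_entry(img, off, ring[(i + 1) % len(ring)], ring[i - 1])
    for off, pid, name in zip(RECORDS, PIDS, NAMES):
        struct.pack_into("<I16s", img, off + 16, pid, name)
    return img


def tamper_one_byte(img):
    """Adversary: flip one bit of the first tag byte. Nothing else changes,
    so the kernel's own list walking would still work."""
    out = bytearray(img)
    out[HEADER] ^= 0x01
    return out


def find_by_tag(img):
    """Fragile strategy: the list head is wherever the signature is.
    Returns the list-head offset, or None when the tag is not found."""
    pos = bytes(img).find(TAG)
    return None if pos < 0 else pos + 8


def find_list_entries(img):
    """Robust strategy: an 8-byte-aligned offset is a plausible list entry
    if its Flink's Blink and its Blink's Flink both point back at it.
    No signature is consulted, so a tag change cannot hide the list."""
    hits, limit = [], len(img) - 16
    for off in range(0, limit, 8):
        flink, blink = _read_entry(img, off)
        if not (0 <= flink <= limit and 0 <= blink <= limit):
            continue
        if flink == off or blink == off:        # reject trivial self-loops
            continue
        if _read_entry(img, flink)[1] == off and _read_entry(img, blink)[0] == off:
            hits.append(off)
    return hits


def walk_ring(img, start):
    """Follow Flink from `start` until the ring closes (bounded)."""
    seen, off = [], start
    while off not in seen and len(seen) < 4096:
        seen.append(off)
        off = _read_entry(img, off)[0]
    return seen


def list_processes(img, start):
    """Decode (pid, name) for every record in the ring containing `start`.
    The list head has no record body, so its pid field reads 0 and is skipped."""
    procs = []
    for off in walk_ring(img, start):
        pid, name = struct.unpack_from("<I16s", img, off + 16)
        if pid != 0:
            procs.append((pid, name.rstrip(b"\0").decode()))
    return procs


def analyze(img):
    """Run both strategies and report what each recovers (None = nothing)."""
    head = find_by_tag(img)
    entries = find_list_entries(img)      # in a real image you would still have
    return {                              # to pick the right ring among many
        "by_tag": list_processes(img, head) if head is not None else None,
        "by_structure": list_processes(img, entries[0]) if entries else None,
    }


if __name__ == "__main__":
    clean, tampered = build_image(), tamper_one_byte(build_image())
    print("clean:   ", analyze(clean))
    print("tampered:", analyze(tampered))
```

Run as a script to see the signature-based path return None for the
tampered image while the structure-based path still lists all three
records. The point is the one the paper's title makes: when an analysis
tool keys on a single artifact, one byte is enough to blind it, and the
fix is to corroborate with independent evidence rather than to hide the
signature better.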

