Memory Analysis using Digital Corpora - BulkExtractor


BulkExtractor is a command-line tool that carves data such as URLs, email addresses, and PDF files out of raw input such as a memory image.

Windows memory contains rich and valuable information that can serve as a source artifact for gathering evidence. Knowing how to parse this data helps the investigator carry out their task.


Memory Analysis using Volatility - UserAssist

Volatility is a tool used for the extraction of digital artifacts from volatile memory (RAM) samples. Volatility uses a set of plugins that can be used to extract these artifacts in a time-efficient and quick manner.

UserAssist is a Volatility plugin that prints the UserAssist registry keys and the information they hold.

From an incident response perspective, the volatile data residing in the system's memory contains rich information such as passwords, credentials, network connections, traces of malware intrusion, and registry hives. This data can be a valuable source of evidence and is typically not stored on the local hard disk. It is one of the investigator's favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.


Memory Timeline Analysis using Sleuthkit - mactime

mactime creates an ASCII timeline of all file activity. This tool can be used to detect anomalous behavior and to reconstruct events; its output is a .txt file that contains the reconstructed activity.

Why Timeline?

Reconstructing the events can play an important role during the investigation, because it allows the investigator to rebuild the activities that happened before and after the event was first detected. It gives the investigator a bird's-eye view of the activities carried out by a certain malware sample or threat actor, which can then be used to plan a systematic response.

To be able to use this tool, first we must install Perl.

On Strawberry Perl's website, download the Perl build that matches your Windows architecture.

Next, download Sleuthkit. (As of this writing, the current Sleuthkit version is 4.11.1.)