* New command "Capture Processes" in the Tools menu of X-Ways Forensics, which acquires all data in the memory of running processes on a live system contiguously (i.e. pages in the order in which the process allocated them). The creation times of the processes are used as the creation timestamps of the memory dumps. Pages marked as containing executable code (PAGE_EXECUTE* protection styles) are optional; omitting them noticeably reduces the amount of data if you are merely interested in keyword searches or carving and not in malware analysis. Carving in the memory dumps (files shown as type "mem") can be performed by uncovering embedded data, one of the functions of volume snapshot refinement.
* This command can also produce a tab-delimited list of all top-level windows with their titles and corresponding processes plus (comma-delimited) the titles of their child windows. Screenshots of some of the top-level windows are taken and output automatically.
* If this functionality is used without administrator rights, only processes of the current user are covered; otherwise all processes are covered.
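The following added example (not X-Ways code, and not taken from the release notes) shows what the "omit PAGE_EXECUTE* pages" option amounts to: given a list of committed memory regions of the kind VirtualQueryEx reports, it selects the regions worth dumping, optionally dropping executable pages, and reports how much data that saves. The region list is constructed by hand; the Windows protection constants are the documented winnt.h values.

```python
from dataclasses import dataclass

# Windows page protection constants from winnt.h.
PAGE_NOACCESS          = 0x01
PAGE_READONLY          = 0x02
PAGE_READWRITE         = 0x04
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_GUARD             = 0x100   # modifier bit, OR'ed onto one of the above
MEM_COMMIT             = 0x1000

# All four PAGE_EXECUTE* base protections occupy bits 0x10..0x80.
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80

@dataclass
class Region:
    base: int      # start address
    size: int      # region size in bytes
    state: int     # MEM_COMMIT / MEM_RESERVE / MEM_FREE
    protect: int   # PAGE_* value, possibly with modifier bits

def is_executable(protect: int) -> bool:
    # Modifier bits (PAGE_GUARD, PAGE_NOCACHE, ...) sit above the low byte;
    # strip them first so a guarded code page is still recognised as code.
    return bool((protect & 0xFF) & EXECUTE_MASK)

def is_readable(r: Region) -> bool:
    # Only committed, non-guard, accessible pages can actually be read out.
    if r.state != MEM_COMMIT or r.protect & PAGE_GUARD:
        return False
    return (r.protect & 0xFF) != PAGE_NOACCESS

def select_regions(regions, include_executable=True):
    """Regions to dump, in ascending address order; executable pages are
    skipped when include_executable is False (keyword search / carving use)."""
    chosen = sorted((r for r in regions if is_readable(r)), key=lambda r: r.base)
    if not include_executable:
        chosen = [r for r in chosen if not is_executable(r.protect)]
    return chosen

def total_bytes(regions) -> int:
    return sum(r.size for r in regions)

# Constructed sample process layout: image header, .text, .data, heap, stack.
SAMPLE = [
    Region(0x00400000, 0x001000, MEM_COMMIT, PAGE_READONLY),              # PE header
    Region(0x00401000, 0x020000, MEM_COMMIT, PAGE_EXECUTE_READ),          # .text
    Region(0x00421000, 0x008000, MEM_COMMIT, PAGE_READWRITE),             # .data
    Region(0x00600000, 0x100000, MEM_COMMIT, PAGE_READWRITE),             # heap
    Region(0x10000000, 0x004000, 0x2000,     PAGE_NOACCESS),              # reserved only
    Region(0x7ff00000, 0x001000, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD),# stack guard
    Region(0x7ff01000, 0x0ff000, MEM_COMMIT, PAGE_READWRITE),             # stack
]
```

Running `select_regions(SAMPLE, include_executable=False)` keeps four regions instead of five; on this layout the 128 KiB .text section is the only data dropped.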