SIFT WORKSTATION - SANS Computer Forensics - SANS Institute

MEMORY ANALYSIS 

 

Supported commands 

 

Scan for connection objects 

 

list of open les process 

Convert hibernation le 

Dump process 

 

list of running processes 

Scan for socket objects 

 

Proles 

VistaSP0x86 - A Prole for Windows Vista SP0 x86 



Win2K8SP1x86 - A Prole for Windows 2008 SP1 x86 

Cheat Sheet 

RECOVER DELETED REGISTRY KEYS 

 

 

 

 

RECOVERING DATA 

Create Unallocated Image (deleted data) using 

 

Create Slack Image Using dls (for FAT and NTFS) 

 

Foremost Carves out les based on headers and footers 

= raw data, slack space, memory, unallocated space 

 

Signd - search for a binary value at a given oset (-o) 

start search at byte 

 

SLEUTHKIT TOOLS 

File System Layer Tools (Partition Information) 

fsstat Displays details about the le system 

Data Layer Tools (Block or Cluster) 

blkcat Displays the contents of a disk block 

blkls Lists contents of deleted disk blocks 

blkcalc Maps between dd images and blkls results 

blkstat Display allocation status of block 

MetaData Layer Tools (Inode, MFT, or Directry Entry) 

ils Displays inode details 

istat Displays information about a specic inode 

icat Displays contents of blocks allocated to an inode 

ind Determine which inode contains a specic block 

Filename Layer Tools 

Win2K8SP2x86 - A Prole for Windows 2008 SP2 x86 

Win7SP0x86 - A Prole for Windows 7 SP0 x86 

WinXPSP2x86 - A Prole for Windows XP SP2 

WinXPSP3x86 - A Prole for windows XP SP3 

s Displays deleted le entries in a directory inode 

nd Find the lename that using the inode 

18 

@sansforensics http://computer-forensics.sans.org/blog

Previous page

Next page

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

SIFT WORKSTATION - SANS Computer Forensics - SANS Institute

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?