Memory Analysis - EnCase EnScript
EnCase EnScript "Memory Forensic Toolkit" Version 1.42 Download Here
Supported operating systems: 32-bit Windows XP SP2/SP3 and Windows 7
Supported image types: Raw image / WinEn image / VMware snapshot (.vmem)
Supported EnCase versions: EnCase 6.14 and later
After downloading, extract the archive into the EnCaseX.XX\EnScripts folder. When EnCase is next opened, the EnScript pane shows a Windows 7 folder and a Windows XP folder, each containing the EnScripts for that operating system.
The EnScripts provide the following functions:
* PsList (List all processes)
* PsScan (Scan _EPROCESS)
* KMList (List all kernel modules)
* KMScan (Scan _LDR_DATA_TABLE_ENTRY)
* ConnList (List all tcp connections)
* ConnScan (Scan TCPT objects)
* VadSearch (Search keywords in Vad trees of a specified process)
* DllList (List all DLLs of a specified process)
* OpenFiles (List all open files of a specified process)
* ProcDump (Extract a specified process as .exe file)
* Vtypes/Win32/x86 (Libraries for above EnScripts)
Screenshots:
PsList (List all processes)
ConnScan (Scan TCPT objects)
Reference: http://gleeda.blogspot.com/2010/02/briefly-memory-analysis-enscripts.html
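The security-relevant difference between the list and scan variants above (PsList vs PsScan, KMList vs KMScan, ConnList vs ConnScan) is that listing walks the kernel's own linked lists, while scanning carves objects out of the raw image by pool tag and therefore still finds objects that were unlinked from those lists. The Python below is an added illustration of that contrast and is not part of the toolkit or this post; it uses a constructed 32-bit image and made-up tag/field offsets in place of the toolkit's Vtypes profile, and an assumed list-head location.

```python
import struct
# Constructed mini "profile" standing in for the toolkit's Vtypes library; tag
# and offsets are made up here, real ones come from the profile for the OS build.
POOL_TAG = b"Proc"      # pool tag carved on (bytes 4..7 of the pool header)
HDR = 8                 # size of the pool header preceding the object
OFF_LINKS = 0x00        # LIST_ENTRY {Flink, Blink} inside the object
OFF_PID = 0x08          # 4-byte process id
OFF_NAME = 0x0C         # 16-byte image file name
PAGE = 0x1000
def build_image(procs, hidden=()):
    """Constructed image: one pool header + object per page. All are tagged, but
    pids in `hidden` are unlinked from the list, as a DKOM rootkit would do."""
    img = bytearray(PAGE * (len(procs) + 1))
    head = 0x100        # assumed location of the list head (PsActiveProcessHead)
    objs = [PAGE * (i + 1) + HDR for i in range(len(procs))]
    for obj, (pid, name) in zip(objs, procs):
        img[obj - HDR + 4:obj] = POOL_TAG
        struct.pack_into("<I", img, obj + OFF_PID, pid)
        img[obj + OFF_NAME:obj + OFF_NAME + 16] = name.ljust(16, b"\0")
    chain = [head] + [o + OFF_LINKS for o, (pid, _) in zip(objs, procs)
                      if pid not in hidden]
    for i, entry in enumerate(chain):   # circular doubly linked list
        struct.pack_into("<II", img, entry, chain[(i + 1) % len(chain)], chain[i - 1])
    return img, head

def read_proc(img, obj):
    pid = struct.unpack_from("<I", img, obj + OFF_PID)[0]
    name = bytes(img[obj + OFF_NAME:obj + OFF_NAME + 16]).rstrip(b"\0")
    return pid, name.decode("ascii", "replace")

def pslist(img, head):
    """Walk the linked list like PsList: trusts the kernel's own bookkeeping."""
    out, entry, seen = [], struct.unpack_from("<I", img, head)[0], set()
    while entry != head and entry not in seen:   # `seen` guards a corrupt list
        seen.add(entry)
        out.append(read_proc(img, entry - OFF_LINKS))
        entry = struct.unpack_from("<I", img, entry)[0]
    return out

def psscan(img):
    """Carve every allocation carrying the process pool tag, like PsScan."""
    out, pos = [], img.find(POOL_TAG)
    while pos != -1:
        out.append(read_proc(img, pos - 4 + HDR))
        pos = img.find(POOL_TAG, pos + 1)
    return out

def hidden_processes(img, head):
    # Carved but not listed: the classic indicator of a DKOM-hidden process.
    return sorted(set(psscan(img)) - set(pslist(img, head)))
```

A real scanner adds sanity checks on the carved header and fields to reject false tag hits, which this constructed image does not need.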