Saturday, March 27, 2010

Windows Memory Analysis - EnScript

I recently tried an EnCase EnScript called "Memory Forensic Toolkit". The tool is used as any other EnScript is, and runs the same processes as Volatility, but within the Windows EnCase environment. The download has three distinct directories for the Windows OS versions it supports (XP, Win7 and Server 2003). From some basic testing so far, the EnScripts (13 or so for each OS version) have worked as anticipated. My tests using the EnScripts with Vista: not so good (although it does not claim to support Vista). The newest version, 1.69, was just released today.

The site, CCI: Computer Crime Investigation, is primarily in Japanese and appears to be run by Takahiro Haruyama.

Next up...comparing the EnScript results with those produced by running Volatility.
