Hello dear volatility community, I am an ISE master student at Ben Gurion University in Israel, and I need your help.

My research deals with extracting many features from a Windows memory dump taken from vSphere snapshots (mostly Windows 2012 R2). In order to extract as many features as possible I am using the Volatility framework, which helps me receive the most basic features I need. I want to leverage the Volatility framework even more so I can extract more valuable features. Here is the list of features I want to try to extract from the memory:

- Achieving the stack of all processes, or anything that can be deduced from it, for example the call sequence or functions' parameters, etc.
- Gathering information about reading or writing actions that were happening while the snapshot was taken or before.
- Find / detect usages of cryptography keys in the memory, especially asymmetric keys.
- Find / detect changes in the registry.

I hope this post is not too abstract, and that maybe you can help me start. I want to first know if what I am trying to do is even possible. Is Volatility the right tool? If it is, where should I begin?

Appreciate your help!
Thanks,
Yuval
_______________________________________________ Vol-users mailing list [email protected] http://lists.volatilesystems.com/mailman/listinfo/vol-users
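One of the items in the post above, detecting asymmetric keys in a memory image, is something a forensic analyst can start on without a Volatility plugin at all, because an RSA private key held in memory by a Windows CNG/CAPI consumer or an OpenSSL-based service is very often sitting there in its DER-encoded PKCS#1 RSAPrivateKey form. The scanner below is an added example written for this thread, not code from the original post or from the Volatility project. It searches a byte buffer for the DER signature of that structure (a SEQUENCE whose first INTEGER is the version 0), parses the nine integers, and then checks the arithmetic relations a genuine key must satisfy (n = p*q, e*d = 1 mod lcm(p-1, q-1), the CRT exponents and coefficient), so that a random byte run that merely looks like a key header is rejected. The sample "dump" is constructed inline with a toy 12-bit key (p = 61, q = 53) plus two decoys; on a real image you would feed it the raw dump file, or the process memory exported by Volatility, in chunks.

```python
import re
from math import gcd

# Signature of "INTEGER version 0" immediately followed by the next INTEGER tag,
# i.e. bytes 3..6 of every DER RSAPrivateKey (PKCS#1). The PKCS#8 wrapper used by
# many Windows and OpenSSL consumers still contains this inner structure verbatim.
RSA_INNER_MARKER = b"\x02\x01\x00\x02"
FIELD_NAMES = ("version", "n", "e", "d", "p", "q", "exp1", "exp2", "coeff")


# --- minimal DER encoder, used only to build the constructed sample dump ---------
def _der_len(n):
    return bytes([n]) if n < 0x80 else bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def der_integer(value):
    # Minimal big-endian two's complement; (bit_length+8)//8 keeps a leading 0x00
    # when the top bit is set so the number stays positive.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def der_sequence(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body

def encode_rsa_private_key(n, e, d, p, q):
    """PKCS#1 RSAPrivateKey with the CRT values derived from d, p, q (Python 3.8+ for pow(q, -1, p))."""
    return der_sequence(*(der_integer(v) for v in (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))))


# --- parser and validator ------------------------------------------------------
def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, end) or None if malformed."""
    if pos + 2 > len(buf):
        return None
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F                      # long form: number of length bytes
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            return None                            # indefinite or absurd length
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(buf, start):
    """Parse a DER RSAPrivateKey at buf[start]; returns (fields, end_offset) or None."""
    outer = _read_tlv(buf, start)
    if outer is None or outer[0] != 0x30:
        return None
    _, body, end = outer
    ints, pos = [], 0
    while pos < len(body) and len(ints) < 9:
        tlv = _read_tlv(body, pos)
        if tlv is None or tlv[0] != 0x02 or not tlv[1]:
            return None
        value = int.from_bytes(tlv[1], "big", signed=True)
        if value < 0:
            return None                            # RSA parameters are never negative
        ints.append(value)
        pos = tlv[2]
    if len(ints) != 9 or pos != len(body) or ints[0] != 0:
        return None                                # wrong arity, trailing data, or multi-prime/unknown version
    return dict(zip(FIELD_NAMES, ints)), end

def is_consistent_rsa_key(k):
    """Arithmetic checks that separate a real key from bytes that merely parse as one."""
    n, e, d, p, q = k["n"], k["e"], k["d"], k["p"], k["q"]
    if p * q != n or e < 3 or e % 2 == 0:
        return False
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)    # Carmichael lambda, covers phi-based keys too
    return ((e * d) % lam == 1 and k["exp1"] == d % (p - 1)
            and k["exp2"] == d % (q - 1) and (k["coeff"] * q) % p == 1)

def find_rsa_private_keys(buf):
    """Scan buf for RSAPrivateKey structures; each hit gets its offset and a consistency verdict."""
    found, search_from = [], 0
    while (i := buf.find(RSA_INNER_MARKER, search_from)) >= 0:
        search_from = i + 1
        for hdr in (2, 3, 4, 5):                   # SEQUENCE header of 2..5 bytes precedes the marker
            s = i - hdr
            if s < 0 or buf[s] != 0x30:
                continue
            parsed = parse_rsa_private_key(buf, s)
            if parsed is not None:
                key = dict(parsed[0], offset=s, consistent=is_consistent_rsa_key(parsed[0]))
                found.append(key)
                break
    return found


# --- constructed sample dump (not real data): filler, a bare marker decoy, a genuine toy
# key (n = 61*53), and a structurally valid key whose primes do not multiply to n.
GOOD_KEY = encode_rsa_private_key(n=3233, e=17, d=2753, p=61, q=53)
BAD_KEY = encode_rsa_private_key(n=3233, e=17, d=2753, p=61, q=59)
SAMPLE_DUMP = b"\x00" * 32 + b"MZ\x90\x00" + b"\x02\x01\x00\x02junk" + GOOD_KEY + b"\xff" * 16 + BAD_KEY + b"\x00" * 8

if __name__ == "__main__":
    for hit in find_rsa_private_keys(SAMPLE_DUMP):
        print(f"offset {hit['offset']:#x}: n={hit['n']} e={hit['e']} consistent={hit['consistent']}")
```

Two practical notes for a real image: the `search_from = i + 1` loop is fine for a few hundred megabytes read into memory, but for multi-gigabyte dumps read the file in overlapping windows (overlap of at least the largest key you expect, a few kilobytes) so a key straddling a window boundary is not missed; and a hit that parses but fails `is_consistent_rsa_key` is worth a second look rather than silent discard, since it is exactly what a partially overwritten or page-boundary-split key looks like.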
