Windows Memory Analysis #1
(by Jesse Kornblum, ManTech)
Digital Forensics Tool Testing Image (#13)
Memory analysis is becoming an important part of a digital investigation. This test set contains memory images of several Windows systems in different environments. They are released so that there can be a common set of images for researchers to use for development and for practitioners to use for evaluation of their tools.
There are two memory images in a 'raw' format. The systems were not engaged in any malicious or even network-based activity at the time of imaging.
- boomer-win2003: Windows 2003 SP0 installed on a standalone machine named Boomer. Not activated. Running Notepad. 1GB of memory. (zip)
- boomer-win2k: Windows 2000 SP0 installed on a standalone machine named Boomer. Note that this image contains several possible System EPROCESS blocks. The "correct" block is at offset 0x5d008e0. Running a command prompt, WordPad, and Notepad. 1GB of memory. (zip)
These images are released under the GPL, so anyone can use them.
Jesse Kornblum (web [at] jessekornblum [dot] com) (ManTech) created the test images.
This test was released on January 6, 2007 (although Jesse gave them to me several months before and I forgot to upload them...).
February 23, 2007