Jesse Kornblum und Brian Carrier haben wieder ein paar Testimages für die RAM-Analyse veröffentlicht. Damit ist es jedermann möglich, Werkzeuge und Methoden zur forensischen Analyse von Hauptspeicherinhalten zu erproben. Es gibt folgende unterschiedliche Server- und Notebook-Images:
- boomer-win2003: Windows 2003 SP0 installed on a standalone machine named Boomer. Not activated. Running Notepad. 1GB of memory. (zip)
- boomer-win2k: Windows 2000 SP0 installed on a standalone machine named Boomer. Note that this image contains several possible System EPROCESS blocks. The „correct“ block is at offset 0x5d008e0. Running a command prompt, WordPad, and Notepad. 1GB of memory. (zip)
- boomer-vista-beta2: Windows Vista Beta 2 (build 5384) installed on a standalone machine named Boomer. Not activated. Running a few programs such as Windows Media Player, Notepad, MineSweeper, and Solitaire. 1GB of memory. (zip)
- xp-laptop-2005-06-25: Windows XP installed on a Toshiba laptop connected to a network The image from June 25th was running Firefox and had recently been pointed http://mit.edu/. It was also running Internet Explorer pointed at http://nytimes.com/. 500MB of memory. (zip)
- xp-laptop-2005-07-04: Windows XP installed on a Toshiba laptop connected to a network The image from July 4th was running Firefox and had recently been pointed to http://www.w3.org/. 500MB of memory. (zip)
Originalseite hier.