Slides
Memory forensics is a branch of digital forensics concerned with extracting important OS- and application-level artifacts from memory as evidence. Often this evidence is limited to data such as documents, images, and other content. More recently, advances in software reverse engineering and memory forensics research have enabled forensic analysts to go further and identify, extract, and interpret program data structures from memory. However, these tools typically break down when the data structures or content in question are constructed inside a higher-level software virtual machine such as the JVM. Even so, given the verbose nature of the JVM and the disciplined manner in which it segregates data and code, an analyst should be able to extract and interpret Java classes and their related data with confidence. In this talk, I will discuss the steps in my approach to making Java application memory forensics feasible.
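As an added illustration of the "identify, extract, and interpret Java classes" step (this is example code written for this page, not the speaker's tooling or approach), the script below carves class files out of a raw memory image and recovers each class's name and superclass by parsing the constant pool. It assumes that whole `.class` images remain resident in the target process (for example in the `byte[]` buffers a class loader read them into); the memory image it scans is constructed inline, not a real capture, and the class names `com/example/Payload` and `com/example/Loader` are invented.

```python
"""Carve Java class files out of a raw memory image and recover their names.

Added example, not code from the talk. Assumes whole .class images are still
resident in process memory; the image scanned below is constructed inline.
"""
import struct
from dataclasses import dataclass

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# Constant-pool tags whose payload is skipped, mapped to payload size in bytes.
FIXED_SIZE_TAGS = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                   12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
MIN_MAJOR, MAX_MAJOR = 45, 70  # class-file major versions from JDK 1.1 onward


@dataclass
class CarvedClass:
    offset: int
    major: int
    this_class: str
    super_class: str


def _u2(buf, off):
    return struct.unpack_from(">H", buf, off)[0]


def parse_class(buf, off):
    """Parse the header and constant pool of a class file that starts at buf[off]."""
    if buf[off:off + 4] != CLASS_MAGIC:
        raise ValueError("no class magic")
    minor, major, cp_count = struct.unpack_from(">HHH", buf, off + 4)
    if not MIN_MAJOR <= major <= MAX_MAJOR or cp_count < 2:
        raise ValueError("implausible version or constant pool size")
    pool = {}
    pos = off + 10
    idx = 1
    while idx < cp_count:
        tag = buf[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + modified UTF-8 bytes
            length = _u2(buf, pos)
            pool[idx] = ("utf8", buf[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag == 7:  # CONSTANT_Class: u2 index of a Utf8 entry
            pool[idx] = ("class", _u2(buf, pos))
            pos += 2
        elif tag in FIXED_SIZE_TAGS:
            pool[idx] = ("other", None)
            pos += FIXED_SIZE_TAGS[tag]
        else:
            raise ValueError("bad constant pool tag %d" % tag)
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two pool slots
    _access, this_idx, super_idx = struct.unpack_from(">HHH", buf, pos)

    def class_name(i):
        kind, name_idx = pool[i]
        if kind != "class":
            raise ValueError("index %d is not a CONSTANT_Class" % i)
        kind2, name = pool[name_idx]
        if kind2 != "utf8":
            raise ValueError("class name is not a Utf8 entry")
        return name

    # super_class is 0 only for java/lang/Object itself
    super_name = class_name(super_idx) if super_idx else ""
    return CarvedClass(off, major, class_name(this_idx), super_name)


def carve_classes(image):
    """Scan an image for class-file magic and keep the hits that parse cleanly."""
    found, start = [], 0
    while True:
        off = image.find(CLASS_MAGIC, start)
        if off < 0:
            return found
        try:
            found.append(parse_class(image, off))
        except (ValueError, KeyError, IndexError, struct.error):
            pass  # chance hit, Mach-O fat header, or class cut off at the image end
        start = off + 1


def build_class(this_name, super_name, major=52):
    """Constructed minimal class file (no fields or methods) for the demo image."""
    def utf8(s):
        b = s.encode()
        return b"\x01" + struct.pack(">H", len(b)) + b
    pool = utf8(this_name) + b"\x07\x00\x01" + utf8(super_name) + b"\x07\x00\x03"
    body = struct.pack(">HHH", 0x0021, 2, 4) + b"\x00\x00" * 4  # no ifaces/fields/methods/attrs
    return CLASS_MAGIC + struct.pack(">HHH", 0, major, 5) + pool + body


def sample_image():
    """Constructed stand-in for a process memory capture."""
    noise = bytes(range(256)) * 8
    fat_header = CLASS_MAGIC + struct.pack(">I", 2) + b"\x00" * 40  # Mach-O universal binary shares the magic
    truncated = build_class("com/example/Gone", "java/lang/Object")[:12]
    return (noise + build_class("com/example/Payload", "java/lang/Object")
            + noise + fat_header + noise
            + build_class("com/example/Loader", "java/lang/ClassLoader", major=65)
            + truncated)


if __name__ == "__main__":
    for hit in carve_classes(sample_image()):
        print("0x%08x  v%d  %s extends %s" % (hit.offset, hit.major, hit.this_class, hit.super_class))
```

Two caveats matter in practice. The 0xCAFEBABE magic is also the Mach-O universal-binary header, so a version-range check on the major version (as above) is needed to reject those and other chance hits. More importantly, HotSpot does not keep loaded classes as `.class` images: once defined, a class lives as `InstanceKlass` metadata in Metaspace, so this carving baseline only recovers whatever class bytes happened to be buffered, which is exactly why interpreting the JVM's own runtime structures is the harder and more valuable problem.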