The Forensic Analysis ToolKit

Overview

The Forensic Analysis Toolkit (FATKit) is a new cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. The framework is intended for researchers, law enforcement professionals, and forensics analysts who are interested in extracting and interpreting relevant information in the wake of a crime or incident. FATKit was developed in response to a growing trend in the development of offense-oriented frameworks (e.g., penetration/exploitation, rootkits, worms). As a result of this coordination, sophistication of methods and accessibility to knowledge has continued to grow unabated in the offensive community. Many of these technologies have begun to focus on anti-forensics techniques, such as leveraging the complexities associated with physical memory analysis.

FATKit automates the extraction and visualization of digital objects found in physical memory, thereby freeing the forensic analyst from the tedious aspects of low-level data extraction. FATKit was designed to facilitate the extraction, analysis, aggregation, and visualization of forensic data at various levels of abstraction and data complexity. The framework also includes tools to automate the development of forensic profiles for applications, from web browsers to the operating system kernel. Additionally, as development continues, FATKit will be augmented to include a set of tools and techniques to facilitate case management.

The FATKit framework currently includes modules for virtual address space reconstruction, virtual to physical address translation, and visualization. The framework employs a number of visualization and data mining techniques to improve analysis and facilitate searching through large amounts of data.

Architecture


The FATKit software architecture

Features

The first release of FATKit is expected to include the following useful features:

Architecture and Operating System Support

Automation, Reuse, and Extensibility

Visualization Modules

Contact and Information

FATKit was invented and is under active development by:

If you are interested in getting involved, receiving training on volatile memory forensics, or would like to a see a demo, please contact us at . We are currently holding a training sessions in the Washington, D.C. area.

Support

The following companies have supported the research and development of FATKit:


Mailing List

We are currently in the process of establishing a public mailing list for discussing volatile memory analysis. If you are interested in joining please contact us at .

Publications

Journals

Conferences

White Papers

Challenges

Talks:

Related Work:

If you have any corrections or additions, please contact us at .

Papers

Web Sites

Presentations

Projects

Public Samples

Books

Legal

  • Columbia Pictures et al. v. Justin Bunneli, CV 06-1093
  • MDY Industries, LLC, v. Blizzard Entertainment et al., 2-06-cv-02555-PHX-DGC
  • MAI Systems Corp. v. Peak Computer, Inc., 991 F.2d 511, 518-19 (9th Cir. 1993)

Legal Discussion

Copyright © 2006,2007,2008. All rights reserved.