WindowsSCOPE

From Infogalactic: the planetary knowledge core
WindowsSCOPE
Developer(s): WindowsSCOPE
Development status: Active
Operating system: Windows
Available in: English
Type: Computer forensics, reverse engineering
Website: http://www.windowsscope.com

WindowsSCOPE is a memory forensics and reverse engineering product for Windows used for acquiring and analyzing volatile memory.[1] One of its uses is in the detection and reverse engineering of rootkits and other malware.[2]

Acquisition

WindowsSCOPE supports both software-based and hardware-assisted acquisition methods, for both locked and unlocked computers. The WindowsSCOPE add-on hardware for memory acquisition uses the PCI Express bus for direct access to system memory. Memory snapshots acquired with WindowsSCOPE are stored in a repository, and snapshots in the repository can be compared to track changes in the system over time.[2]

Analysis

WindowsSCOPE shows the processes, DLLs, and drivers running on the computer at the time of the memory snapshot, as well as open network sockets, file handles, and registry key handles. It also provides disassembly and control flow graphing for executable code. WindowsSCOPE Live is a version of the tool that allows analysis to be performed from a mobile device.[3]
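As an added illustration of the snapshot comparison described under Acquisition, applied to the artifact kinds listed above (example code written for this page, not WindowsSCOPE's own software or snapshot format, which the article does not describe): the sketch models a repository of timestamped snapshots and diffs them over time, so that a driver, process or socket present in only one snapshot is surfaced rather than lost. All hostnames, process and driver names are constructed sample data.

```python
from dataclasses import dataclass, field

# Artifact kinds that the article says are listed per memory snapshot.
CATEGORIES = ("processes", "dlls", "drivers", "sockets", "file_handles", "registry_handles")


@dataclass
class Snapshot:
    taken_at: str                                   # acquisition time label (sortable ISO string)
    artifacts: dict = field(default_factory=dict)   # category -> set of artifact identifiers


def diff_snapshots(before, after):
    """Return {category: (added, removed)} between two snapshots, lists sorted for stable output."""
    result = {}
    for cat in CATEGORIES:
        b = before.artifacts.get(cat, set())
        a = after.artifacts.get(cat, set())
        result[cat] = (sorted(a - b), sorted(b - a))
    return result


def artifact_timeline(snapshots):
    """Map (category, identifier) -> ordered list of snapshot labels in which it was present."""
    seen = {}
    for snap in sorted(snapshots, key=lambda s: s.taken_at):
        for cat in CATEGORIES:
            for ident in snap.artifacts.get(cat, set()):
                seen.setdefault((cat, ident), []).append(snap.taken_at)
    return seen


def transient_artifacts(snapshots):
    """Artifacts seen in some earlier snapshot but absent from the latest one.
    A single live inspection of the host would miss these short-lived items."""
    ordered = sorted(snapshots, key=lambda s: s.taken_at)
    latest = ordered[-1].taken_at
    return sorted(key for key, labels in artifact_timeline(ordered).items() if latest not in labels)


# Constructed sample repository: three snapshots of one host, an hour apart.
REPO = [
    Snapshot("2024-01-01T09:00", {"processes": {"explorer.exe:1234", "svchost.exe:800"},
                                  "drivers": {"ntfs.sys", "tcpip.sys"},
                                  "sockets": {"tcp/0.0.0.0:445"}}),
    Snapshot("2024-01-01T10:00", {"processes": {"explorer.exe:1234", "svchost.exe:800", "updater.exe:4321"},
                                  "drivers": {"ntfs.sys", "tcpip.sys", "sample_unsigned.sys"},
                                  "sockets": {"tcp/0.0.0.0:445", "tcp/10.0.0.5:4444"}}),
    Snapshot("2024-01-01T11:00", {"processes": {"explorer.exe:1234", "svchost.exe:800"},
                                  "drivers": {"ntfs.sys", "tcpip.sys"},
                                  "sockets": {"tcp/0.0.0.0:445"}}),
]

if __name__ == "__main__":
    for cat, (added, removed) in diff_snapshots(REPO[0], REPO[1]).items():
        if added or removed:
            print(f"{cat}: added={added} removed={removed}")
    print("transient:", transient_artifacts(REPO))
```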

References

  1. (citation text not rendered on the source page)
  2. (citation text not rendered on the source page)
  3. (citation text not rendered on the source page)