Here are DNS queries issued by a Windows XP machine:
And here is a command history of a Cisco router:
What do these results have in common?
Both were produced by analyzing RAM dumps with a new forensic toolkit I’m developing, the Network Appliance Forensic Toolkit, or NAFT.
More to be published soon.
But if you want a beta version now, provide me a Cisco core dump in exchange 😉
Didier Stevens 