Transcript: When we get memory dumps and raw logs from scripts, we want to extract more structural, fine-grained information. Here checklists are indispensable tools.

Transcript: Checklists can be viewed as a part of the information extraction step.

Transcript: Checklists have numerous advantages. For one example, please look at the memory dump analysis checklist published on the Memory Dump Analysis Portal. WinDbg has built-in support for checklists to present them in a user-interface-friendly manner: the so-called .cmdtree command.

Transcript: Checklists can be structured in various ways. Here is one example with sample entries drawn from the memory dump analysis checklist I use. We want, for example, to check system uptime, extract the computer name and component timestamps and their paths, check critical sections, and check whether there is any patched code such as hooked functions. We might also want to check inter-process communication chains and how many processors are busy, to detect possible CPU spikes and resource contention.

Comment: Checklists are also useful for software trace analysis, for example, CDF analysis. An example checklist can be found on the Memory Dump, Software Trace, Debugging and Malware Analysis Portal. Many general software trace analysis patterns were drawn from software narratology and the application of literary theory and criticism to software trace analysis. See also my interview on tracing and tracing tools where I explain software trace as a software narrative: CTX121366.

- Dmitry Vostokov @ Citrix Blogs –
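As an added illustration (not the author's published checklist or part of the original post), the entries listed in the transcript can be laid out as a WinDbg command tree file, which is the format the .cmdtree command loads. The mapping of each checklist item to a WinDbg command is the editor's assumption; the module name ntdll in the !chkimg entry is a placeholder for whichever module is being checked for hooks.

```text
windbg ANSI Command Tree 1.0
title {"Memory Dump Analysis Checklist (example)"}
body
{"Checklist"}
 {"System and process uptime"} {".time"}
 {"Computer name"} {"!envvar COMPUTERNAME"}
 {"Component timestamps and paths"} {"lmv"}
 {"Locked critical sections"} {"!locks"}
 {"Patched code / hooks in a module"} {"!chkimg -d ntdll"}
 {"Thread CPU time (user, kernel, elapsed)"} {"!runaway 7"}
 {"Running threads per processor (kernel or complete dumps)"} {"!running -it"}
```

Save the file and load it in a WinDbg session with `.cmdtree <path>`; selecting an entry in the resulting window runs the associated command against the currently open dump. The `!running` entry only applies to kernel or complete memory dumps, while the remaining entries work on user-mode dumps.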
