1 Cameron Middle School into Cameron College Prep - TN.gov

Software Trace and

Memory Dump Analysis

Presenter: Dmitry Vostokov

Memory Dump Analysis Services

Prerequisites

Experience in software

troubleshooting and reading

software logs

Advantage: Citrix CDF and

Microsoft ETW trace analysis

including Process Monitor logs

© 2011 Memory Dump Analysis Services

Agenda

Memory Dump Analysis Services

Root Cause Analysis Methodology

Software Traces and Memory Dumps

Examples


MDA Services

Memory Dump Analysis Audit

Software Trace Analysis Audit (New)

Software Error Reporting Audit

Remote Training

Debugging Bureau

Tool Objects and EasyDbg

Powered by DA+TA

DumpAnalysis.org + TraceAnaysis.org


http://www.dumpanalysis.org/

http://www.traceanalysis.org/

A.C.P. Root Cause Analysis


Artifacts

Checklists

Patterns

Checklists and patterns

as best practices

Iterative and Incremental

DA+TA

DA: Dump Artifact / Dump Analysis

Memory snapshots: process, kernel, physical memory dumps

TA: Trace Artifact / Trace Analysis

Software traces: Event Tracing for Windows, logs


Spatiality vs. Narrativity


Narrativity

Spartiality

Software

Trace

Memory Dump

Software trace as software narrative,

the story of a computation

Tools for Artifact Analysis

Memory dumps:

WinDbg from Debugging Tools for Windows

Notepad (textual debugger logs)

Software traces:

CDFAnalyzer* / CDFControl from Citrix

Process Monitor* from Microsoft

* supports adjoint threads


Checklists for Analysis

Memory dumps:

http://www.dumpanalysis.org/blog/index.php/2007/06/

20/crash-dump-analysis-checklist/

Software traces:

http://www.dumpanalysis.org/blog/index.php/2011/03/

10/software-trace-analysis-checklist/


http://www.dumpanalysis.org/blog/index.php/2007/06/20/crash-dump-analysis-checklist/








http://www.dumpanalysis.org/blog/index.php/2011/03/10/software-trace-analysis-checklist/








Software Behavior Patterns

Memory dump and software trace

Examples: Spiking Thread, Discontinuity

+200 patterns (DA+TA)

DumpAnalysis.org


http://www.dumpanalysis.org/blog/index.php/2007/05/11/crash-dump-analysis-patterns-part-14/

http://www.dumpanalysis.org/blog/index.php/2009/08/04/trace-analysis-patterns-part-8/


DA: Software Behavior

Memory dump: a memory snapshot

Definition, partial classification and

historical list

Pattern identification case studies


http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/

http://www.dumpanalysis.org/blog/index.php/crash-dump-analysis-patterns/

http://www.dumpanalysis.org/blog/index.php/pattern-cooperation/

TA: Software Behavior

“Imagine you got a software trace from hundreds of modules

you haven’t written or haven’t seen source code of...”

Software trace: a sequence of memory

fragments ordered in time

Definition, and historical list

Pattern identification case studies


http://www.dumpanalysis.org/blog/index.php/trace-analysis-patterns/

http://www.dumpanalysis.org/blog/index.php/pattern-cooperation/

CDFAnalyzer Filters


ThreadsTime

# PID TID Time Message

Time



Adjoint Threads


Time


Time

# PID TID Time Message (ATID)

Significant Event

csrss.exe

winlogon.exe

LogonUI.exe

userinit.exe

…

Custom events: CDFMarker


Time


Discontinuity


…

14:23:02.146

14:23:02.345

14:31:10.254

14:31:10.341

…

Time


No Activity

Expecting messages from Module X

Absence of such messages may

suggest that a process or a thread was

hang / blocked


Guest Component

Sudden appearance of an unexpected

module, for example, werfault.exe or

faultrep.dll


Statement Current

The flood of messages

Normal case: 15 msg/s

Abnormal case: 3500 msg/s

May point to a CPU spike


Resources DumpAnalysis.org

Pattern-Driven Memory Dump Analysis

Memory Dump and Trace Analysis: A Unified Pattern Approach

Introduction to Pattern-Driven Software Problem Solving

Advanced Software Debugging Reference:

OpenTask publishes this talk with extra case studies

(ISBN: 978-1908043238)



http://community.citrix.com/blogs/citrite/dmitryv



http://www.debuggingexperts.com/memory-dump-trace-analysis-unified-pattern-approach

http://www.dumpanalysis.com/PDSPSI-materials



http://www.forensicanalysis.org/advanced-software-debugging-reference

http://www.opentask.com/

http://www.dumpanalysis.org/Memory+Dump+Analysis+Anthology+Volume+1

http://www.dumpanalysis.org/Forthcoming+Memory+Dump+Analysis+Anthology+Volume+2




More Resources

August remote training season:

Accelerated Windows Memory Dump Analysis

Complete Physical Memory Dump Analysis

Visit Memory Dump Analysis Services for registration details:

www.DumpAnalysis.com


http://www.dumpanalysis.com/



Free Summer Webinars

The Old New Crash: Cloud Memory Dump

Analysis (June 6th)

Cyber Warfare Memory Dump Analysis

(forthcoming in July-August)

Visit Memory Dump Analysis Services for registration details:

www.DumpAnalysis.com





Q&A

Please send your feedback using the contact

form on DumpAnalysis.com


http://www.dumpanalysis.com/contact

http://www.dumpanalysis.com/contact

Thank you!


Join DA+TA Facebook Group

http://www.facebook.com/group.php?gid=95282722070

1 Cameron Middle School into Cameron College Prep - TN.gov

Documents

Transcript of 1 Cameron Middle School into Cameron College Prep - TN.gov