Software Diagnostics Institute - a division of Diagnostics Science

All areas of human activity involve the use of diagnostics. Proper diagnostics identifies the right problems to solve. We are now a part of a non-profit organization dedicated to the developing and promoting the application of such diagnostics: systemic and pattern-oriented (pattern-driven and pattern-based).

Our tools are only as good as our pattern language.

Learn from this Webinar about phenomenological, hermeneutical and analytical approaches to software diagnostics and its knowledge, foundations, norms, theories, logic, methodology, language, ontology, nature and truth. This seminar is hosted by Software Diagnostics Services.

Title: Introduction to Philosophy of Software Diagnostics
Date: 13th of May, 2013
Time: 19:00 BST
Duration: 30 minutes

Space is limited.
Reserve your Webinar seat now at:
https://www3.gotomeeting.com/register/872846486

The following direct links can be used to order the book now:

Buy Paperback from Amazon

This is a transcript of Software Diagnostics Services Webinar about different pattern categories for effective and efficient abnormal software behaviour diagnostics: the foundation of scalable and cost-effective pattern-driven software support.

• Title: Pattern-Driven Software Diagnostics: An Introduction
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (April 2013)
• Language: English
• Product Dimensions: 28.0 x 21.6
• Paperback: 32 pages
• ISBN-13: 978-1908043382

Interpreting hardware signals as messages and messages as signals allows us to apply Software Narratology and software trace analysis patterns to the domain of hardware diagnostics:

Generalized trace analysis patterns and narrative extends the view of hardware-software traces and logs as temporarily ordered event sequences. The time domain is generalized to any arbitrary set such as a list of indexes or pointers or even memory itself. This gives a unification of memory and log analysis and application of Computer Narratology ^(*) to memory dump analysis as well.

(*) We call the application of methods of literary narratology to computer trace and log analysis and computer-related stories in general as Hardware-Software Narratology or simply Computer Narratology as it was originally done in Memory Dump Analysis Anthology, Volume 3 when we first introduced Software Narratology.

Software diagnostics is used whenever there is a fault that triggers some kind of an artefact such as a memory dump or a software trace. It is also used proactively in software and network monitoring. We combine all these uses with our pattern-oriented approach to anticipate faults before their occurrence:

Such preventive software diagnostics consists from 4 interrelated parts:

• General software structure and behaviour pattern catalogues
• Domain, vendor and product specific problem catalogues
• Live monitoring
• Pre-mortem analysis

Pre-mortem here means preventive memory dump analysis. It is similar to post-mortem analysis but artefacts are collected and analysed proactively before any actual problem. In some sense pre-mortem analysis is a part of live monitoring but we confine the latter to software trace and log analysis.

Contains revised, edited, cross-referenced, and thematically organized selected DumpAnalysis.org blog posts about memory dump and software trace and log analysis, software troubleshooting and debugging written in November 2011 - March 2013 for software engineers developing and maintaining products on Windows and Mac OS X platforms, quality assurance engineers testing software on Windows and Mac OS X platforms, technical support and escalation engineers dealing with complex software issues, and security researchers, malware analysts and reverse engineers. The seventh volume features:

- 55 new crash dump analysis patterns
- 27 new software log and trace analysis patterns
- 17 core memory dump analysis patterns for Mac OS X and GDB
- 10 malware analysis patterns
- Additional user interface problem analysis patterns
- Introduction to software problem description patterns
- Introduction to software diagnostics patterns
- Introduction to general abnormal structure and behaviour patterns
- Introduction to software disruption patterns
- Introduction to static code analysis patterns
- Introduction to network trace analysis patterns
- Fully cross-referenced with Volume 1, Volume 2, Volume 3, Volume 4, Volume 5, and Volume 6

Product information:

• Title: Memory Dump Analysis Anthology, Volume 7
• Author: Dmitry Vostokov
• Language: English
• Product Dimensions: 22.86 x 15.24

• Paperback: 310 pages
• Publisher: Opentask (May 2013)
• ISBN-13: 978-1-908043-51-1

• Hardcover: 310 pages
• Publisher: Opentask (May 2013)
• ISBN-13: 978-1-908043-52-8

Back cover features a "liquid memory" image created with Photoshop from contents of computer memory.

Software Narratology found its successful application in software diagnostics of abnormal software behavior in software logs. Join this Webinar to learn about its new application to network trace analysis with examples from Network Monitor and Wireshark.

Title: Pattern-Oriented Network Trace Analysis
Date: 24th of June, 2013
Time: 19:00 BST
Duration: 60 minutes

Space is limited.
Reserve your Webinar seat now at:
https://www3.gotomeeting.com/register/607192462

Learn live local and remote debugging techniques and tricks in kernel, user process and managed .NET spaces using WinDbg debugger. The unique and innovative Debugging³ course teaches unified debugging patterns applied to real problems from complex software environments. The training consists of practical step-by-step hands-on exercises.

Memory Dump Analysis Services (DumpAnalysis.com) organizes a training course:

The training consists of 2 two-hour sessions. When you finish the training you additionally get:

1. A full transcript in PDF format (retail price $300)
2. 6 volumes of Memory Dump Analysis Anthology in PDF format (retail price $120)
3. A personalized attendance certificate with unique CID (PDF format)
4. Free Software Diagnostics Library membership

Prerequisites: Working knowledge of one of these languages: C, C++, C#. Operating system internals and assembly language concepts are explained when necessary.

Audience: software engineers, software maintenance engineers, escalation engineers.

Session 1: July 19, 2013 4:00 PM - 6:00 PM BST
Session 2: July 22, 2013 4:00 PM - 6:00 PM BST

Price: 210 USD

Space is limited.
Reserve your remote training seat now at:
https://student.gototraining.com/r/8881546314151969024

If you are interested in Windows postmortem software diagnostics using memory dump files there are other courses available:

Accelerated Windows Memory Dump Analysis

Accelerated .NET Memory Dump Analysis

Advanced Windows Memory Dump Analysis with Data Structures

Accelerated Windows Malware Analysis with Memory Dumps

New! The second edition now contains 42 pages of Q&A section with more than 100 questions and answers. Complete memory dump analysis exercises are updated for the latest WinDbg version from Windows 8 SDK.

The first edition is also available for Safari Books Online subscribers

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Also available for sale in PDF format from Memory Dump Analysis Services.

The full transcript of Memory Dump Analysis Services Training with 23 step-by-step exercises, notes, source code of specially created modeling applications and selected Q&A. Covers more than 50 crash dump analysis patterns from process, kernel and complete memory dumps.

• Title: Accelerated Windows Memory Dump Analysis: Training Course Transcript and WinDbg Practice Exercises with Notes, Second Edition
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (March 2013)
• Language: English
• Product Dimensions: 28.0 x 21.6
• Paperback: 422 pages
• ISBN-13: 978-1908043450

Table of Contents

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Also available in PDF format from Software Diagnostics Services.

The book is also available for SkillSoft Books24x7 subscribers

The full transcript of Software Diagnostics Services Training.

• Title: Accelerated Windows Malware Analysis with Memory Dumps: Training Course Transcript and WinDbg Practice Exercises
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (February 2013)
• Language: English
• Product Dimensions: 28.0 x 21.6
• Paperback: 232 pages
• ISBN-13: 978-1908043443

Table of Contents

New! Available for Safari Books Online subscribers

The following direct links can be used to order the book now:

Buy Paperback or Hardcover from Amazon

Buy Paperback or Hardcover from Barnes & Noble

Now available in PDF format from Software Diagnostics Services

Contains revised, edited, cross-referenced, and thematically organized selected DumpAnalysis.org blog posts about memory dump and software trace analysis, software troubleshooting and debugging written in November 2010 - October 2011 for software engineers developing and maintaining products on Windows platforms, quality assurance engineers testing software on Windows platforms, technical support and escalation engineers dealing with complex software issues, and security researchers, malware analysts and reverse engineers. The sixth volume features:

- 56 new crash dump analysis patterns including 14 new .NET memory dump analysis patterns
- 4 new pattern interaction case studies
- 11 new trace analysis patterns
- New Debugware pattern
- Introduction to UI problem analysis patterns
- Introduction to intelligence analysis patterns
- Introduction to unified debugging pattern language
- Introduction to generative debugging, metadefect template library and DNA of software behavior
- The new school of debugging
- .NET memory dump analysis checklist
- Software trace analysis checklist
- Introduction to close and deconstructive readings of a software trace
- Memory dump analysis compass
- Computical and Stack Trace Art
- The abductive reasoning of Philip Marlowe
- Orbifold memory space and cloud computing
- Memory worldview
- Interpretation of cyberspace
- Relationship of memory dumps to religion
- Fully cross-referenced with Volume 1, Volume 2, Volume 3, Volume 4, and Volume 5

Product information:

• Title: Memory Dump Analysis Anthology, Volume 6
• Author: Dmitry Vostokov
• Language: English
• Product Dimensions: 22.86 x 15.24

• Paperback: 306 pages
• Publisher: Opentask (January 2013)
• ISBN-13: 978-1-908043-19-1

• Hardcover: 306 pages
• Publisher: Opentask (January 2013)
• ISBN-13: 978-1-908043-20-7

Table of Contents

Back cover features 3d memory space visualization image created with ParaView.

consists of two main parts:

• Pattern-Driven process of finding patterns from existing pattern catalogs
• Pattern-Based evolution of pattern catalogs and pattern relationships

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Also available in PDF format + recording from Software Diagnostics Services.

The book is also available for SkillSoft Books24x7 subscribers

The full transcript of Software Diagnostics Services Training.

• Title: Accelerated Windows Software Trace Analysis: Training Course Transcript
• Authors: Dmitry Vostokov, Software Diagnostics Services
• Publisher: OpenTask (January 2013)
• Language: English
• Product Dimensions: 28.0 x 21.6
• Paperback: 130 pages
• ISBN-13: 978-1908043429

Table of Contents

Learn how to analyze application, service and system crashes and freezes, navigate through memory dump space and diagnose heap corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. We use a unique and innovative pattern-driven analysis approach to speed up the learning curve. The training consists of more than 20 practical step-by-step exercises using WinDbg highlighting more than 50 patterns diagnosed in 32-bit and 64-bit process, kernel and complete memory dumps.

Public preview (selected slides) of the previous training

Memory Dump Analysis Services (DumpAnalysis.com) organizes a training course:

If you are registered you are allowed to optionally submit your memory dumps before the training. This will allow us in addition to the carefully constructed problems tailor extra examples to the needs of the attendees.

The training consists of 4 two-hour sessions (2 hours every day). When you finish the training you additionally get:

1. A full transcript in PDF format with more than 100 questions and answers (retail price $300)
2. 6 volumes of Memory Dump Analysis Anthology in PDF format (retail price $120)
3. A personalized attendance certificate with unique CID (PDF format)
4. Free Software Diagnostics Library membership with access to 200 cross-referenced patterns of memory dump analysis, their classification and more than 70 case studies

Prerequisites: Basic Windows troubleshooting

Audience: Software technical support and escalation engineers, system administrators, security professionals, software developers and quality assurance engineers.

Session 1: July 24, 2013 4:00 PM - 6:00 PM BST
Session 2: July 25, 2013 4:00 PM - 6:00 PM BST
Session 3: July 26, 2013 4:00 PM - 6:00 PM BST
Session 4: July 29, 2013 4:00 PM - 6:00 PM BST

Price: 300 USD

Space is limited.
Reserve your remote training seat now at:
https://student.gototraining.com/r/8304463239218972672

If scheduled dates or time are not suitable for you Memory Dump Analysis Services offers the same training in book format with $50 discount.

Training testimonials:

I would like to thank you and recommend your training. I think that the “Accelerated Windows Memory Dump Analysis” training is a pin-point, well taught training. I think it’s the leading training in the dump analysis area and I’ve enjoyed it, the books and materials are very detailed and well written and Dmitry answered all of the needed question. In addition after the training Dmitry sent a PDF with written answers and more information about the questions that were asked. I will give this training 5/5. Thank you Dmitry. --Yaniv Miron, Security Researcher, IL.Hack

If you are mainly interested in .NET memory dump analysis there is another course available:

Accelerated .NET Memory Dump Analysis

If you are mainly interested in Mac OS X core dump analysis there is another course available:

Accelerated Mac OS X Core Dump Analysis

This is the first novella to be written by applying software narratology and trace analysis patterns to history and is planned for publication in Spring 2013 (ISBN: 978-1908043412). Book description:

Russia, 1908, June 30, 7:14 a.m., the court of Tsar Nicholas II is wiped out by an impact, an enormous explosion over St. Petersburg. In an ensuring chaos State Duma takes power over Imperial Russia changing the course of World history forever. Russia, 2017, an alternative history novella is published about the Tunguska event that missed the capital of Russia...

Software log analysis patterns from Software Diagnostics Institute are independent from any OS, platform or product because they are based on viewing software logs as stories of computation and were discovered by application of narratological analysis (software narratology). In addition to these patterns there exist domain specific problem patterns such as wrong hotfix level or specific product error code during software installation or execution. Typical examples of support for such platform and product specific type of patterns include Microsoft Windows Problem Reporting and Citrix Auto Support.

Feel frustrated when opening a software trace with millions of messages from hundreds of software components, threads and processes?

Memory Dump Analysis Services (DumpAnalysis.com) organizes a training course:

Go beyond simple CPU and disk hog monitoring or searching for errors in a text and learn how to efficiently and effectively analyze software traces and logs from complex software environments. Covered popular software logs and trace formats from Microsoft and Citrix products and tools including Event Tracing for Windows (ETW) and Citrix Common Diagnostics Format (CDF). This course teaches using pioneering and innovative pattern-driven and pattern-based analysis of abnormal software behavior incidents developed by Software Diagnostics Institute.

Public preview (selected slides) of the previous training

If you are registered you are allowed to optionally submit your software traces and logs before the training. This will allow us in addition to the carefully constructed problems tailor additional examples to the needs of the attendees.

The training consists of 4 one-hour sessions and additional homework exercises. When you finish the training you additionally get:

1. A full transcript in PDF format (retail price $300)
2. Recording of training sessions including exercises
3. 6 volumes of Memory Dump Analysis Anthology in PDF format (retail price $120)
4. A personalized attendance certificate with unique CID (PDF format)
5. Free Software Diagnostics Library membership with access to cross-referenced patterns of software trace and analysis

Prerequisites: Basic Windows troubleshooting.

Audience: Software technical support and escalation engineers, software maintenance engineers, system administrators.

At this time available only in PDF book format + recording with $100 discount.

Defined in 2012, software diagnostics discipline needs a year of dedicated development to further advance its body of knowledge including theoretical foundations and practical tools.

Let’s define software diagnostics as a discipline studying abnormal software structure and behavior in software execution artifacts (such as memory dumps, software and network traces and logs) using pattern-driven, systemic and pattern-based analysis methodologies.

Pattern-driven software post-construction problem solving involves using preexisting pattern languages and pattern catalogs for software diagnostics, troubleshooting and debugging. Pattern-based software post-construction problem solving addresses PLS (Pattern Life Cycle) - from the discovery of a new pattern through its integration into an existing catalog and language, testing, packaging and delivering to pattern consumers with subsequent usage, refactoring and writing case studies:

New! Available for Safari Books Online subscribers

The following direct links can be used to order the book now:

Buy Paperback from Amazon

Buy Paperback from Barnes & Noble

Also available for sale in PDF format from Memory Dump Analysis Services.

The full transcript of Memory Dump Analysis Services Training with 12 step-by-step exercises.

• Title: Accelerated Mac OS X Core Dump Analysis: Training Course Transcript and GDB Practice Exercises
• Authors: Dmitry Vostokov, Memory Dump Analysis Services
• Publisher: OpenTask (August 2012)
• Language: English
• Product Dimensions: 28.0 x 21.6
• Paperback: 250 pages
• ISBN-13: 978-1908043405

Table of Contents
Amazon Reviews

Click on an individual volume to see its description and table of contents:

You can buy 6 volume set from Software Diagnostics Services with 20% discount and you also get free access to Software Diagnostics Library.

Praise for the series:

I have been working with reversing, dumps, IAT, unpacking, etc. and I am one of the few at my workplace that like analyzing hangs and crashes. I always knew that I had more to learn. So I continuously look for more info. Many links directed me to dumpanalysis.org. Frankly speaking, its spartan/simple design made me question its seriousness. But after reading some articles, I immediately decided to order "Memory Dump Analysis Anthology". I have only read 100 pages so far. But I am stunned. It is such an amazing book. How the author refines / reconstructs the call stack, and finds useful information in the stack is incredible. I am enormously thankful for the effort that the author has put in making these books. They are very didactic even though the topic is a bit hard. It is a real treasure.

Mattias Hogstrom

We propose to use Trace Analysis Patterns (on the right column) in network trace analysis. For details please see this article:

http://www.dumpanalysis.org/blog/index.php/2012/07/19/network-trace-anal...

The first software diagnostics certification in memory dump analysis starts this September and will be administered by Memory Dump Analysis Services:

http://www.dumpanalysis.com/memory-dump-analysis-certification-outline

We also plan a beta software trace analysis certification by the end of 2012.

For companies there is also available Software Diagnostics Maturity enterprise certification:

http://www.dumpanalysis.com/software-diagnostics-maturity

Learn how to navigate process, kernel and physical spaces and diagnose various malware patterns in Windows memory dump files. We use a unique and innovative pattern-driven analysis approach to speed up the learning curve. The training consists of practical step-by-step hands-on exercises using WinDbg, process, kernel and complete memory dumps.

Public preview (selected slides) of the previous training

Memory Dump Analysis Services (DumpAnalysis.com) organizes a training course:

The training consists of 4 one-hour sessions. When you finish the training you additionally get:

1. A full transcript in PDF format (retail price $300)
2. 6 volumes of Memory Dump Analysis Anthology in PDF format (retail price $120)
3. A personalized attendance certificate with unique CID (PDF format)
4. Free Software Diagnostics Library membership with access to 200 cross-referenced patterns of memory dump analysis, their classification and more than 70 case studies

At this time available only in PDF book format with $100 discount.

The main audience are software technical support and escalation engineers who analyze memory dumps from complex software environments and need to check for possible malware presence in cases of abnormal software behavior. The course will also be useful for software engineers, quality assurance and software maintenance engineers, security researchers and malware analysts who have never used WinDbg for analysis of computer memory.

If you are mainly interested in software diagnostics and debugging using memory dump files there are other courses available:

Accelerated Windows Memory Dump Analysis

Accelerated .NET Memory Dump Analysis

Accelerated Mac OS X Core Dump Analysis

Welcome to the project CARE!

New! We now also accept GDB logs and crash reports from Mac OS X and iOS.

CARE means Crash Analysis Report Environment. It includes a pattern-driven debugger log analyzer and standards for structured audience-driven reports. The system architecture is described here.

Please help to populate the database of stack traces by submitting your WinDbg and GDB output logs including Mac OS X and iOS crash reports. For Windows you can use VBScript / WinDbg script to process all .DMP files on your hard drives: DebuggerLogs.zip. The archive contains VBScript file for x64 WinDbg (DebuggerLogs64.vbs) and for x86 WinDbg (DebuggerLogs.vbs) plus the very simple mode-independent WinDbg script (DebuggerLogs.wds). The WinDbg output is stored in dbgeng.log file.

Note: Please do not submit your crash or core dumps because the file size is limited to 2 MB and CARE system is currently being designed to analyze debugger logs and crash reports only. If your log is bigger you can submit a zip file. If you have any problems please contact the administrator. Please do not expect any crash analysis response for your logs or reports. The submittal is currently for internal CARE database population only and not for the pattern analysis of your computer memory.

Under inscription...

The name for this table was suggested by Joshua J. Drake and first propagated to me by @jcran

Action                      | GDB                 | WinDbg
----------------------------------------------------------------
Start the process           | run                 | g
Exit                        | (q)uit              | q
Disassemble (forward)       | (disas)semble       | uf, u
Disassemble N instructions  | x/<N>i              | -
Disassemble (backward)      | disas <a-o> <a>     | ub
Stack trace                 | backtrace (bt)      | k
Full stack trace            | bt full             | kv
Stack trace with parameters | bt full             | kP
Partial trace (innermost)   | bt <N>              | k <N>
Partial trace (outermost)   | bt -<N>             | -
Stack trace for all threads | thread apply all bt | ~*k
Breakpoint                  | break               | bp
Frame numbers               | any bt command      | kn
Select frame                | frame               | .frame
Display parameters          | info args           | dv /t /i /V
Display locals              | info locals         | dv /t /i /V
Dump byte char array        | x/<N>bc             | db
Switch to thread            | thread <N>          | ~<N>s
Sections/regions            | maint info sections | !address
Load symbol file            | add-symbol-file     | .reload
CPU registers               | i(nfo) r            | r

The current version is from April 30th, 2012:
http://www.dumpanalysis.org/blog/index.php/2012/04/30/gdb-for-windbg-users-part-8/

To Do:

- Split rows by categories
- Add links to command descriptions, examples, relevant patterns