Live Forensics in Cloud Environment

 jv89
(@jv89)
Posts: 3
New Member
Topic starter
 

Hi Everyone
I am an MS student and I wanted to ask whether live forensics is truly applicable in a cloud environment. I have searched for some forensic tools that offer the feature of injecting a remote agent into a remote machine to acquire a memory dump. Is this possible in the cloud? As a scenario to demonstrate my point: if I have an instance on the Amazon cloud (AWS), can I use a forensic tool to acquire a memory image of that instance for analysis? Are there any open source tools or trial versions available that give this feature for research or testing purposes?

 
Posted : 06/11/2015 7:18 pm
 MDCR
(@mdcr)
Posts: 376
Reputable Member
 

> Hi Everyone
> I am an MS student and I wanted to ask whether live forensics is truly applicable in a cloud environment. I have searched for some forensic tools that offer the feature of injecting a remote agent into a remote machine to acquire a memory dump. Is this possible in the cloud? As a scenario to demonstrate my point: if I have an instance on the Amazon cloud (AWS), can I use a forensic tool to acquire a memory image of that instance for analysis? Are there any open source tools or trial versions available that give this feature for research or testing purposes?

Memory forensics is not my thing, I've just played around with it. Some people seem to like Volatility though.

If you just want to dump the contents of one process, you can use Task Manager, right-click on the specific process and select Create Dump File.

I also found this page you may find interesting.

You can also try rebooting a specific virtual host into a Linux Live CD and using dd to image the contents of memory (long time ago, I don't remember what /dev/ to image, sorry). I do not know how much memory contamination that creates, but you should get an image of the specific environment if you run it directly on a physical host. Whether it works in a virtual environment and you get the proper memory area of the host and not some other virtual machine, I do not know.

Sounds like a good exercise for a student, please feel free to post your findings in this thread.

 
Posted : 14/11/2015 3:51 pm
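The dd-based acquisition MDCR describes, written up as a small POSIX shell wrapper with the bookkeeping an examiner wants next to the image: a SHA-256 sidecar, a custody log line with source, block size, timestamps and host, and a verify step that later re-hashes the image. This is an added example, not code from the thread or from any tool named in it. The memory device path is a parameter (the thread does not name it, and current Linux kernels usually restrict direct /dev/mem reads), so the stand-alone run and the test below point it at a constructed sample file; `acquire_image`, `verify_image` and `hash_file` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): dd acquisition with integrity records.
# Usage: sh acquire.sh SOURCE_DEVICE_OR_FILE OUTPUT_IMAGE CUSTODY_LOG [BLOCKSIZE]

# SHA-256 of a file, using whichever tool the host provides
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE OUTPUT LOG [BLOCKSIZE]
# Copies SOURCE to OUTPUT with dd, writes OUTPUT.sha256 and appends one
# custody record to LOG. Returns non-zero if SOURCE is unreadable or dd fails.
acquire_image() {
    src="$1"; out="$2"; log="$3"; bs="${4:-4096}"
    [ -r "$src" ] || { echo "acquire_image: cannot read $src" >&2; return 1; }
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # conv=noerror,sync: keep going past unreadable pages and zero-fill them,
    # so offsets in the image still line up with the source. dd's own record
    # counts land in LOG, which is useful evidence of how much was read.
    if ! dd if="$src" of="$out" bs="$bs" conv=noerror,sync 2>>"$log"; then
        echo "acquire_image: dd failed on $src" >&2
        return 1
    fi
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    sum=$(hash_file "$out")
    # sidecar in the usual "hash  filename" layout
    printf '%s  %s\n' "$sum" "$(basename "$out")" > "$out.sha256"
    printf 'source=%s image=%s bs=%s start=%s end=%s sha256=%s host=%s\n' \
        "$src" "$out" "$bs" "$start" "$end" "$sum" \
        "$(hostname 2>/dev/null || echo unknown)" >> "$log"
}

# verify_image IMAGE: re-hash IMAGE and compare with the sidecar written at
# acquisition time. Returns 0 on match, 1 on mismatch or missing sidecar.
verify_image() {
    img="$1"
    [ -r "$img.sha256" ] || { echo "verify_image: no sidecar for $img" >&2; return 1; }
    expected=$(cut -d' ' -f1 "$img.sha256")
    actual=$(hash_file "$img")
    if [ "$expected" = "$actual" ]; then
        echo "verify_image: OK $img"
        return 0
    fi
    echo "verify_image: MISMATCH $img (expected $expected, got $actual)" >&2
    return 1
}

# Stand-alone run: acquire, then immediately verify the sidecar.
if [ "$#" -ge 3 ]; then
    acquire_image "$@" && verify_image "$2"
fi
```

Note that re-hashing the source is deliberately not part of the check: a live memory device changes between reads, so the only stable reference is the hash of the image taken at acquisition time, which is why it goes into the sidecar and the log.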
 jv89
(@jv89)
Posts: 3
New Member
Topic starter
 

Thank you for your reply. I will surely post my findings here. For now I am trying to work around other ways to acquire forensic data remotely.

 
Posted : 21/11/2015 12:28 pm