koko
Newbie

Joined: Dec 02, 2005
Posts: 22
Location: NYC
Posted: Wed Jan 25, 2006 11:02 am  Post subject: volatile memory on windows
I am just looking for some recommendations of open source software that can grab the volatile memory (RAM) from a Windows machine.
keydet89
Senior Member

Joined: Oct 19, 2004
Posts: 2373
Location: NoVA
Posted: Wed Jan 25, 2006 12:50 pm  Post subject: Re: volatile memory on windows
dd
Harlan
keydet89
Senior Member

Joined: Oct 19, 2004
Posts: 2373
Location: NoVA
Posted: Wed Jan 25, 2006 12:52 pm  Post subject: Re: volatile memory on windows
More specifically...
users.erols.com/gmgarner/forensics/
Now, the $64 question...what are you planning to do with it once you have it? Given the discussions that have taken place here, and on other boards, I'm sincerely curious about this topic.
Harlan
koko
Newbie

Joined: Dec 02, 2005
Posts: 22
Location: NYC
Posted: Thu Jan 26, 2006 3:45 pm  Post subject: Re: volatile memory on windows
Thank you for the info. I didn't realize you could do it with dd.
I hope I don't disappoint you when I say that my intentions in using it right now are just educational. I'm just going to run it on my machine, etc.
farmerdude
Senior Member

Joined: Jan 13, 2006
Posts: 231
Location: USA
Posted: Fri Jan 27, 2006 12:14 am
Hi koko,
You can use 'dd' for some memory, but not all. Not all memory has an EOF marker, and 'dd' doesn't like that. Memory can have holes ... and 'dd' won't like that either.
You're much better off using a tool written for dumping memory, reading one page at a time so as to minimize your effect on the system memory. 'memdump' is one such tool.
regards,
farmerdude
keydet89
Senior Member

Joined: Oct 19, 2004
Posts: 2373
Location: NoVA
Posted: Fri Jan 27, 2006 7:37 am  Post subject: Re: volatile memory on windows
Thomas,
Are you referring to the 'memdump' that comes with TCT?
www.porcupine.org/fore...s/tct.html
Harlan
farmerdude
Senior Member

Joined: Jan 13, 2006
Posts: 231
Location: USA
Posted: Fri Jan 27, 2006 8:38 am  Post subject: Re: volatile memory on windows
memdump by Wietse is the tool I mentioned in my post. I know it's separate from TCT, unless recently he's added it into the package. We spoke of grabbing memory a few years back at AusCERT and subsequently he released memdump. There are others, but this works very well.
regards,
farmerdude
keydet89
Senior Member

Joined: Oct 19, 2004
Posts: 2373
Location: NoVA
Posted: Fri Jan 27, 2006 8:43 am  Post subject: Re: volatile memory on windows
Thomas,
Given that the 'memdump' you mentioned is for *nix systems, is there a version available for Windows, per the subject of the thread?
Harlan
psycko
Newbie

Joined: Jan 02, 2006
Posts: 16
Location: paris
farmerdude
Senior Member

Joined: Jan 13, 2006
Posts: 231
Location: USA
Posted: Tue Feb 07, 2006 8:37 pm  Post subject: Re: volatile memory on windows
R1 beat me to the reply. That link appears to work.
I have used memdump compiled for Windows as well (DOS version) in addition to a proprietary dumper, one page at a time.
Download from the R1 link and test it out.
regards,
farmerdude
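The two farmerdude posts above make the same point: a plain sequential copy chokes on memory that has holes or no EOF, while a purpose-built dumper walks the range one page at a time. The script below is an added illustration of that page-at-a-time acquisition loop; it is not memdump's code and not anything posted in this thread. The "physical memory" it reads is a constructed in-memory stand-in (page N filled with byte N, two unreadable ranges) so it runs offline; on a real system the `read_page` callback would wrap whatever raw memory interface the acquisition tool provides. Everything else (`acquire_range`, `stream_until_error`, the demo layout) is a hypothetical name chosen for the example.

```python
"""Page-at-a-time acquisition of a memory range that contains holes.

Added example, not code from the thread or from memdump. The memory layout
is constructed here so the script runs stand-alone.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Tuple

PAGE_SIZE = 4096


class PageUnreadable(Exception):
    """Raised by a reader when a page cannot be read (a hole or reserved range)."""


@dataclass
class AcquisitionResult:
    image: bytes                  # same length as the range, holes zero-filled
    holes: List[Tuple[int, int]]  # [start, end) ranges that were padded, not read
    pages_read: int
    sha256: str                   # hash of the image for the acquisition record


def acquire_range(read_page: Callable[[int], bytes], size: int,
                  page_size: int = PAGE_SIZE) -> AcquisitionResult:
    """Walk [0, size) one page at a time.

    A failed page does not abort the run: it is padded with zeros so image
    offsets still line up with physical addresses, and the hole is recorded
    so the examiner knows which parts of the image are not real data.
    """
    chunks, holes = [], []
    pages_read = 0
    hole_start = None
    for offset in range(0, size, page_size):
        try:
            data = read_page(offset)
            if len(data) != page_size:
                raise PageUnreadable(f"short read at {offset:#x}")
            pages_read += 1
            if hole_start is not None:      # a hole just ended
                holes.append((hole_start, offset))
                hole_start = None
        except PageUnreadable:
            data = b"\x00" * page_size
            if hole_start is None:          # a hole just started
                hole_start = offset
        chunks.append(data)
    if hole_start is not None:              # hole runs to the end of the range
        holes.append((hole_start, size))
    image = b"".join(chunks)
    return AcquisitionResult(image, holes, pages_read,
                             hashlib.sha256(image).hexdigest())


def stream_until_error(read_page: Callable[[int], bytes], size: int,
                       page_size: int = PAGE_SIZE) -> bytes:
    """Naive sequential copy that stops at the first read error, roughly what a
    plain 'dd' does without conv=noerror,sync. Returned data is silently short."""
    chunks = []
    for offset in range(0, size, page_size):
        try:
            chunks.append(read_page(offset))
        except PageUnreadable:
            break
    return b"".join(chunks)


# Constructed demo layout: 16 pages, with pages 3-4 and page 15 unreadable.
DEMO_SIZE = 16 * PAGE_SIZE
DEMO_UNREADABLE = [(3 * PAGE_SIZE, 5 * PAGE_SIZE), (15 * PAGE_SIZE, 16 * PAGE_SIZE)]


def demo_reader(unreadable=DEMO_UNREADABLE) -> Callable[[int], bytes]:
    """Stand-in for a raw memory interface: page N is filled with byte N & 0xff,
    and any page overlapping an unreadable range raises PageUnreadable."""
    def read_page(offset: int) -> bytes:
        for lo, hi in unreadable:
            if offset < hi and offset + PAGE_SIZE > lo:
                raise PageUnreadable(f"page at {offset:#x} not readable")
        return bytes([(offset // PAGE_SIZE) & 0xFF]) * PAGE_SIZE
    return read_page


def demo_acquire() -> AcquisitionResult:
    return acquire_range(demo_reader(), DEMO_SIZE)


def demo_stream() -> bytes:
    return stream_until_error(demo_reader(), DEMO_SIZE)


if __name__ == "__main__":
    r = demo_acquire()
    print(f"image {len(r.image)} bytes, {r.pages_read} pages read, holes {r.holes}")
    print(f"sha256 {r.sha256}")
    print(f"naive sequential copy stopped after {len(demo_stream())} bytes")
```

The hole list is as important as the image itself: zero-filled pages are indistinguishable from genuinely zero memory unless the tool records which ranges it could not read, which is why a dumper written for the job keeps that record alongside the image hash.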