
LIVE FORENSIC

(@mrsmartsj)
Posts: 5
Active Member
Topic starter
 

I am doing a project on LIVE FORENSIC for my final year project. I have been searching the web on how a toolkit actually captures data from RAM and I have had no answers. I want to know the insides of how it actually captures the data from RAM.

Does anyone have any ideas?

 
Posted : 09/03/2013 9:20 pm
(@bithead)
Posts: 1206
Noble Member
 

The actual procedure/process varies depending on the OS. Windows and Linux address RAM differently, and new versions of Linux are different than old. Also how the tool implements the procedure/process can vary. Does your project cover every OS or are you focusing on one in particular? What "toolkit" in particular are you researching?

 
Posted : 10/03/2013 1:05 am
(@mrsmartsj)
Posts: 5
Active Member
Topic starter
 

Hi, I am using the Helix toolkit; the OS is Windows XP.

 
Posted : 10/03/2013 5:46 am
(@bithead)
Posts: 1206
Noble Member
 

XP pre Service Pack 2?

And you are running the Helix application on the Windows machine and using the Live Acquisition function (which uses dd) to capture the Physical Memory?

– This is like pulling teeth . . . Please do not make me/us have to ask what you are doing on every step –

 
Posted : 10/03/2013 7:23 am
(@mrsmartsj)
Posts: 5
Active Member
Topic starter
 

I know how to capture it. No, I am using SP3 and Helix 3, the free version. And yes, I am using the function to capture data from RAM. I want to be clear about my question: I want to UNDERSTAND how the data is extracted from the RAM. I know how to capture it, but I want to understand the insides, BitHead.

Do you understand me now?

 
Posted : 10/03/2013 4:34 pm
(@bithead)
Posts: 1206
Noble Member
 

Great. You know how to click buttons in a tool. If you cannot or will not explain your exact target environment and the tools you are using no one is going to be interested in writing pages of responses that can cover all possible scenarios.

The release of SP 2 for XP changed how memory can be addressed. For SP 2 and later the \\.\PhysicalMemory object is no longer accessible from user mode, it can only be accessed via kernel-mode drivers. So your target environment matters.

The tool and version of the tools is also important. The Windows executable of earlier versions of Helix front ends the Forensic Acquisition Utilities (FAU). FAU uses a version of dd modified by George Garner which is capable of accessing the \\.\PhysicalMemory object but cannot access memory via kernel-mode drivers. Mr. Garner's company, GMG Systems Inc, sells a product called KnTDD that offers this functionality.

Helix3 uses mdd or ManTech Memory DD (feel free to read up on Jesse Kornblum). Per the Forensics Wiki post on the subject: "This tool is deprecated. The tool that this page describes is deprecated and is no longer under active development." mdd uses the Physical Memory Object Memory Imaging Method and returns a file handle to a user-mode program via an IOCTL on the device file named "\\.\memdd". Once the file handle has been returned the driver and associated memdd device is no longer required and can be removed, which is what the mdd utility does.

That means your snarky answer is barely useful in providing a good answer. So sorry I had to bother you for an explanation of your environment and tool.

 
Posted : 10/03/2013 6:04 pm
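The post above describes the two halves of the method: something (the \\.\PhysicalMemory section on pre-SP2 XP, or a kernel driver such as mdd's "\\.\memdd" device on SP2 and later) hands a user-mode program a handle onto physical memory, and a dd-style loop then reads that handle page by page into an image file. The following is an added illustration of the second half, written for this thread and not code from Helix, FAU or mdd. It does not open any real device: the "device" is a constructed in-memory stand-in with unreadable holes, which models the fact that physical address space contains reserved and memory-mapped device ranges that an imager must skip rather than read. The class and function names are the example's own.

```python
"""
Added example: a page-by-page physical-memory acquisition loop of the
kind a dd-style imager runs once it holds a handle onto physical memory.
The device below is a constructed stand-in; nothing here touches real
hardware or a real driver.
"""
import hashlib
from typing import List, Tuple

PAGE_SIZE = 4096


class SimulatedPhysicalMemory:
    """Constructed stand-in for a physical-memory handle (hypothetical).

    Physical address space is not one contiguous run of RAM: reserved
    holes and memory-mapped device ranges sit between RAM ranges, and
    reading them fails (or, on real hardware, can hang the machine).
    The `unreadable` list of (start, end) byte ranges models that.
    """

    def __init__(self, size: int, unreadable: List[Tuple[int, int]]):
        self.size = size
        self.unreadable = unreadable
        # Deterministic "RAM" contents so the result can be checked.
        self._data = bytes((i * 7) & 0xFF for i in range(size))

    def read_page(self, offset: int) -> bytes:
        if offset >= self.size:
            raise EOFError  # end of physical address space
        for start, end in self.unreadable:
            if start <= offset < end:
                raise OSError(f"unreadable physical page at {offset:#x}")
        return self._data[offset:offset + PAGE_SIZE]


def acquire(device, page_size: int = PAGE_SIZE):
    """Read the whole address space page by page.

    Unreadable pages are replaced with zeros instead of being dropped,
    so that an offset in the image equals the physical address.  Later
    analysis (walking page tables, carving kernel structures) depends
    on that one-to-one mapping.  Returns (image, skipped_offsets, sha256).
    """
    chunks = []
    skipped = []
    offset = 0
    while True:
        try:
            page = device.read_page(offset)
        except EOFError:
            break
        except OSError:
            page = b"\x00" * page_size
            skipped.append(offset)
        chunks.append(page)
        offset += page_size
    image = b"".join(chunks)
    return image, skipped, hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, digest: str) -> bool:
    """Re-hash an image and compare with the digest recorded at capture."""
    return hashlib.sha256(image).hexdigest() == digest


if __name__ == "__main__":
    # Eight pages of "RAM" with a two-page hole in the middle (constructed).
    dev = SimulatedPhysicalMemory(size=8 * PAGE_SIZE,
                                  unreadable=[(2 * PAGE_SIZE, 4 * PAGE_SIZE)])
    img, holes, sha = acquire(dev)
    print(f"image size {len(img)} bytes, skipped pages at {[hex(h) for h in holes]}")
    print(f"sha256 {sha}, verified={verify_image(img, sha)}")
```

The point a student should take from the loop is that the imager itself is simple; the hard part, and the part that changed between XP service packs, is obtaining the handle in the first place, and the part that changes between machines is the list of ranges that must not be read. Recording the skipped ranges alongside the hash is what lets an examiner later explain why parts of the image are zero.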
(@mrsmartsj)
Posts: 5
Active Member
Topic starter
 

Environment: Windows XP / Home Edition / version 2002 / SP3

Toolkit: Helix 2009R1 01/06/09

RAM size: 2.00GB

I am a student and cannot afford to pay the price for KnTDD. Do you have other suggestions?

 
Posted : 10/03/2013 6:43 pm
(@davidkoepi)
Posts: 9
Active Member
 

Have you tried FTK Imager or DumpIt?

 
Posted : 10/03/2013 7:25 pm
(@mrsmartsj)
Posts: 5
Active Member
Topic starter
 

I know how to acquire data from the RAM. I want to learn how it's done, like how does it capture it? That's all, in general.

 
Posted : 10/03/2013 7:26 pm
(@zekituredi)
Posts: 16
Active Member
 

You will find plenty of scripts on the internet as well as resources that will show you how to capture RAM for different operating systems.

You just have to spend some time looking for it. I would advise you to look at the scripts and work out how they do it; this will help you to work out the procedures for capturing RAM.

This industry does not spoon feed, for a lot of information you will just have to work it out for yourself.

 
Posted : 10/03/2013 8:56 pm