Honestly, I cannot fathom the purpose of this exercise.
Shouldn't we be able to say whether a tool creates files or registry entries or what its memory footprint is before we use it on a live system? It's pretty obvious that preserving memory is better than not preserving it. Even if the imaging tool has an inordinately large footprint, we're saving far more evidence than if we just pulled the plug. But that won't stop an attorney from asking questions or suggesting that maybe there was something critical that we carelessly erased.
Maybe the comment by keydet89 was more about the "strict nature" of the exercise, I mean we do have a "general catalog" of tools here
http//
The issue might IMHO be if - besides the amount of memory the tool "eats up" for running - there are other aspects that should be taken into account in a "comparative review".
Just as an example, on the page for one of the free tools mentioned in the above, the Belkasoft RAM Capturer
http//
it is stated how a couple of other freely available tools failed to fully image the RAM in some specific "protected" environments.
And there is similarly oriented literature on the topic
http//
In theory "tool A" may seem "better" than "tool B" because it "eats up" less memory when running; in practice it is possible that "tool A" fails to acquire large chunks of memory properly.
So the "metrics" of the assignment may be "too narrow" or "misleading" and a more comprehensive review/comparison should be made.
Now, would such an evaluation be at a level a student can reach ("left alone", i.e. without continuous assistance/feedback loop from the instructor as in the case - as it seems - of a "homework")?
Also, which might be the "side effects" or "collateral damages" of "tool A" (let's say requiring installation and/or a number of writes to the Registry) vs. "tool B" (let's say non-fancy .Net stuff, plain executable that can simply be run from command line)?
jaclaz
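As an added example (not part of this thread, and not code from Belkasoft or any other tool mentioned above), here is the kind of completeness check a "more comprehensive" comparison would need alongside the footprint numbers: it takes a raw (flat, non-segmented) physical-memory image, compares its size with the physical RAM the machine is known to have, and lists runs of all-zero pages that are large enough to be worth a second look. The 4 KiB page size, the minimum run length, and the sample image are all assumptions made for the example; the sample image is constructed in code, not acquired from any real system.

```python
"""Sanity-check a raw physical-memory image for signs of incomplete acquisition.

Added example (not from the forum thread or any vendor tool). Assumes a flat raw
image (one byte per physical address) and 4 KiB pages. Zero-filled runs are normal
in RAM (freed pages, PCI/MMIO holes, unmapped ranges), so a run is a candidate to
investigate, not proof that the tool failed to read that range.
"""
import random
import sys

PAGE_SIZE = 4096  # assumption: x86/x64 base page size


def find_zero_runs(image, page_size=PAGE_SIZE, min_pages=4):
    """Return [(offset, length_in_bytes)] for every run of at least `min_pages`
    consecutive pages that are entirely zero."""
    zero_page = bytes(page_size)
    runs = []
    run_start = None
    n_pages = (len(image) + page_size - 1) // page_size
    for i in range(n_pages):
        page = image[i * page_size:(i + 1) * page_size]
        is_zero = page == zero_page[:len(page)]  # last page may be short
        if is_zero:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start >= min_pages:
                runs.append((run_start * page_size, (i - run_start) * page_size))
            run_start = None
    if run_start is not None and n_pages - run_start >= min_pages:
        runs.append((run_start * page_size, (n_pages - run_start) * page_size))
    return runs


def acquisition_report(image, expected_size, page_size=PAGE_SIZE, min_pages=4):
    """Summarise how much of the expected physical address space the image
    covers, and which large zero-filled regions it contains."""
    runs = find_zero_runs(image, page_size, min_pages)
    zero_bytes = sum(length for _, length in runs)
    return {
        "image_size": len(image),
        "expected_size": expected_size,
        "missing_bytes": max(0, expected_size - len(image)),
        "zero_runs": runs,
        "zero_run_fraction": zero_bytes / expected_size if expected_size else 0.0,
    }


def build_sample_image(seed=1):
    """Constructed test input: 56 pages of pseudo-random 'RAM' with a 16-page zero
    hole starting at page 20. The 'machine' is declared to have 64 pages, so the
    image is also 8 pages short (a tool that stopped early)."""
    rng = random.Random(seed)
    pages = []
    for i in range(56):
        if 20 <= i < 36:
            pages.append(bytes(PAGE_SIZE))
        else:
            pages.append(bytes(rng.getrandbits(8) for _ in range(PAGE_SIZE)))
    return b"".join(pages), 64 * PAGE_SIZE


if __name__ == "__main__":
    # Usage: python check_image.py <raw_image> <expected_size_bytes>
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        report = acquisition_report(data, int(sys.argv[2]))
    else:
        report = acquisition_report(*build_sample_image())
    print("image size   :", report["image_size"])
    print("expected size:", report["expected_size"])
    print("missing bytes:", report["missing_bytes"])
    for offset, length in report["zero_runs"]:
        print("zero run at 0x%x, %d bytes" % (offset, length))
```

On a real image the expected size comes from the machine's documented physical memory (and the physical memory map, if the tool records it), and each reported zero run should be compared against that map: a run that coincides with a known MMIO hole is expected, a run in the middle of normal RAM is the kind of "large chunk" the post above is worried about.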