Hi Guys,
I'm doing a project on the integrity of private browsing modes and would like some advice on the best way to create a memory dump.
At the moment I've been creating test evidence in private browsing mode, closing the session and then capturing the physical memory using FTK Imager. Is this the best way to do it?
I was wondering if there were any less 'intrusive' methods of capturing memory. I don't want FTK imager overwriting potential evidence in memory during capture.
Many thanks,
-D
Dan,
First, I noticed that you never actually responded to your initial thread
http://forensicfocus.com/Forums/viewtopic/t=10287/
As I'm sure you're aware, anything you do to capture memory from a live system is going to affect that memory, particularly if you use a physical system. If you are using a VM, you can always pause the VM, and copy off the memory file for analysis.
MoonSols DumpIt is better than FTK Imager as it will leave a smaller footprint.
There's a bunch of ways to do it, including F-Response and whatnot, which gives you some more options, but DumpIt is one click and done.
Try HBGary FDPro. It is a console app that has a very small memory footprint. Plus it is very fast.
Tom
And not free! =)