Capturing the contents of memory

3 Posts
2 Users
0 Likes
270 Views
datacarver
(@datacarver)
Posts: 121
Estimable Member
Topic starter
 

I have never had to do an image of a system's memory, and I don't think I will ever have to do it at my current position, but I would still like to know how to handle this task. After doing some reading on these forums, I have seen multiple commands, and I get the sense that people are not really sure what is happening when you run the command or at least the output that is showing.

I was hoping someone could provide me a command that has been well tested and is an acceptable form of capture in our field. I mainly use a Linux distro, like Helix, to do my images with dcfldd.

Can you provide me

1) The tool to use
2) Command to run
3) Detailed explanation of any outputs
4) Scenario: since RAM is so volatile, I would like to know your procedures when walking up to a running system. Is there a way to capture the contents of RAM while the system is running, etc.?

Thanks

 
Posted : 06/03/2008 8:56 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I have never had to do an image of a system's memory, and I don't think I will ever have to do it at my current position, but I would still like to know how to handle this task. After doing some reading on these forums, I have seen multiple commands, and I get the sense that people are not really sure what is happening when you run the command or at least the output that is showing.

Have you read anything beyond the borders of these forums? I ask, as there are many areas where this subject is addressed with a greater level of certainty than you're likely to have seen here.

I was hoping someone could provide me a command that has been well tested and is an acceptable form of capture in our field. I mainly use a Linux distro, like Helix, to do my images with dcfldd.

Well, that would depend. I hate to fall back on this, but especially in this instance, it is important…but what operating system and version are you referring to?

Can you provide me

1) The tool to use
2) Command to run
3) Detailed explanation of any outputs
4) Scenario: since RAM is so volatile, I would like to know your procedures when walking up to a running system. Is there a way to capture the contents of RAM while the system is running, etc.?

Well, as I mentioned earlier in this post, this has been addressed in a number of areas. If you've searched this forum on the subject, I'm sure you've seen references to a book titled "Windows Forensic Analysis"…the PDF version can be purchased from Syngress for around $20. There is an entire chapter that addresses this.

Also, the answers to your questions are very dependent upon the OS and version you're asking about.

H

 
Posted : 06/03/2008 9:18 pm
datacarver
(@datacarver)
Posts: 121
Estimable Member
Topic starter
 

I will check out that PDF, thanks.

 
Posted : 06/03/2008 9:26 pm