
Different tools for the same memory capture

kleanchap
(@kleanchap)
Active Member
Joined: 17 years ago
Posts: 19
Topic starter  

I have used Mantech's mdd_1.3 and win32dd to capture RAM on my laptop. The output file sizes are different. In the real world, how do we decide which tools to use to capture volatile memory?

In my test case now, I don't know which tool I should rely on.

One other question, what tools are used to analyze volatile images?

k
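As an added example that is not from this thread or from either tool: a Python check of two raw captures of the same machine that reports size, page alignment, zero-filled page counts and which pages differ, so a size difference can be traced to one tool padding address-space holes with zeros rather than taken as a sign that one capture is wrong. The two sample captures are constructed inside the script; the 4096-byte page size is an assumption for x86 raw dumps.

```python
# Sanity checks for two raw memory captures of the same machine (example
# added here; not code from the thread or from mdd / win32dd).
import hashlib

PAGE = 4096  # assumed x86 page size; raw dumps are normally page multiples

def image_stats(data: bytes) -> dict:
    """Size, page alignment, zero-filled page count and hash of one capture."""
    offsets = range(0, len(data), PAGE)
    zero_pages = sum(1 for off in offsets if not any(data[off:off + PAGE]))
    return {
        "size": len(data),
        "page_aligned": len(data) % PAGE == 0,
        "pages": (len(data) + PAGE - 1) // PAGE,
        "zero_pages": zero_pages,
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def differing_pages(a: bytes, b: bytes) -> list:
    """Page indices (over the common length) where the two captures disagree."""
    common = min(len(a), len(b))
    return [off // PAGE for off in range(0, common, PAGE)
            if a[off:off + PAGE] != b[off:off + PAGE]]

def compare_captures(a: bytes, b: bytes) -> dict:
    """Relate two captures: extra trailing pages in the larger one and pages
    that changed within the overlap. Trailing zero pages usually mean one tool
    padded a hole in the physical address space that the other skipped; a few
    changed pages are expected because the system kept running between runs."""
    longer = a if len(a) >= len(b) else b
    tail = longer[min(len(a), len(b)):]
    tail_zero = sum(1 for off in range(0, len(tail), PAGE)
                    if not any(tail[off:off + PAGE]))
    return {"a": image_stats(a), "b": image_stats(b),
            "changed_pages": differing_pages(a, b),
            "extra_pages": (len(tail) + PAGE - 1) // PAGE,
            "extra_zero_pages": tail_zero}

def build_samples():
    """Constructed stand-in captures (not real dumps): 8 pages vs 10 pages."""
    base = [bytes([i]) * PAGE for i in range(1, 9)]   # pages 0..7, non-zero
    base[3] = bytes(PAGE)                               # one genuinely empty page
    cap_a = b"".join(base)
    pages_b = list(base)
    pages_b[5] = b"changed".ljust(PAGE, b"\x00")        # content moved on between runs
    cap_b = b"".join(pages_b) + bytes(PAGE) * 2         # zero-padded hole at the end
    return cap_a, cap_b

if __name__ == "__main__":
    a, b = build_samples()
    print(compare_captures(a, b))
```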


ahoog
(@ahoog)
Eminent Member
Joined: 17 years ago
Posts: 47
 

The Volatility Framework is one approach for memory analysis. I wrote up a summary at

http://chicago-ediscovery.com/computer-forensic-ediscovery-glossary/what-is-the-volatility-framework.html


kleanchap
(@kleanchap)
Active Member
Joined: 17 years ago
Posts: 19
Topic starter  

I have tried the volatility framework but the tools kept crashing. I have tried the beta as well as the stable versions.

Are these the only tools for analyzing the volatile memory images?

K


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I'm creating a blog post now to address this question…but I'd have to suggest that in some instances, it may not be the tool but rather the user. I know that I've had some difficulty using tools myself, sometimes simply because I didn't 'get' the thought process behind the design of the tool. I mention this because I can't think of anything that would make the Volatility Framework 'crash'.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

kleanchap,

I was doing some research for my blog post, and I noticed that you'd responded to the SANSForensics post, and seen what is already available. I suspect that there are some variables that have not been mentioned, such as, what OS is your laptop running; is it 32- or 64-bit? How much RAM is installed? When you're trying to use Volatility, which version of Python did you install? What commands did you run?


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

hello??


erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

I don't seem to get any output when using the sockets related options, but that may have more to do with my image or something I'm not doing right. Everything else I do seems to work just fine.

(I should be getting essentially the same open ports/sockets that I would by running netstat on a live machine - along with the associated processes, right?)

Volatility 1.3 beta
Python 2.5.2
Windows XP SP3
4GB RAM

> C:\Python25\python.exe volatility sockets -f pcimage.dd


(@nhandy277)
New Member
Joined: 17 years ago
Posts: 4
 

I would also try Audit Viewer, it's a Mandiant tool. Free. You will need to run the scripts against the image, then view the output in Audit Viewer. It's very GUI-like. You can also use Memoryze to acquire a live RAM image, I believe.

The problem that you could be having with Volatility is that it may not support the image of the current operating system, like Windows Server 2003.

