Can anybody tell me diffrence between dump taken from memory and dump taken from harddrive.Also are there any tools which can help to analyze memory dump to see for process,images etc in memory dump.
When you say "dump taken from hard drive", are you referring to the page file, or an image of the whole hard disk? Because clearly, the existence of a system of indexing and tracking data locations (file system) would be the major difference if you're referring to the whole hard disk.
I am referring to image of whole hard disk
Can anybody tell me diffrence between dump taken from memory and dump taken from harddrive.
A "dump" I would assume you are referring to is an image of a memory device.
Memory (RAM) can be acquired from a live running system. Once it is turned off that data is "lost" because it is volatile.
Hard drive data is non-volatile and can be imaged even when the computer or device is powered off.
Both types of imaging, if done forensically, will make a bit stream copy of all addressable memory areas.
Also are there any tools which can help to analyze memory dump to see for process,images etc in memory dump.
Yes.
Can you please name them?
Thanks
Only a few examples
Also are there any tools which can help to analyze memory dump to see for process,images etc in memory dump.
For processes, it depends on the OS and version.
In general, you may be able to use PhotoRec, and/or foremost/scalpel, to extract images, or portions thereof.
There will be differences in content order and structure, depending on the OS's memory management, and the applications running versus the disk management used.
When you take a memory dump you are looking at hardware code, kernel code, drivers, programs, supporting applications, then associated data like heaps, stacks and some more.
On top of that, all locations are in flux, and is not relevant other than within that single snapshot.
Otherwise it is straight forward. mrgreen