To start the discussion, let's assume the following:
The PC we want to acquire runs Windows XP or later.
(We can start a different discussion for UNIX-based OSes if you'd like to.)
The PC doesn't have hibernation enabled.
The PC is, obviously, on at the moment.
What will be the most non-intrusive way to acquire its RAM? By non-intrusive I mean not only overwriting as little as possible of the RAM's contents but also generating as few logs and events as possible.
Will it be via activating hibernation and turning it off? Via plugging in a flash drive with a tool that can perform a RAM dump?
Regardless of what method you offer, I'd be thankful if you'd be as thorough in your description of it as possible, describing the tools (if any are used), the actions, and what you will document (if possible).
Personally, I stuck to the hiberfil method, and usually examined it along with the pagefile, but I'm not quite sure it's the best way to go.
Thanks in advance,
Joe.
I would say KnTTools or the Comae tools (disabling the callback stuff) are the best, since they are command line and small in size.
Regardless of what method you offer, I'd be thankful if you'd be as thorough in your description of it as possible, describing the tools (if any are used), the actions, and what you will document (if possible).
Memory dumps are my third step:
1. Gloves on
2. Taking pictures
3. Memory Dump
For this step I have a 32 GB USB thumb drive with me. On it are Belkasoft RAM Capturer, winpmem and Moonsols/Comae's DumpIt, all in 32- and 64-bit versions. One of them will do the job. Memory dumps are written onto the USB drive itself; 32 GB is more than enough. Memory analysis is done with Volatility later.
Best regards,
Robin
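Joe also asked what gets documented. Below is an added example, not code from Robin's post or from any of the tools named above, of the record an examiner can produce once the dump has been written to the USB drive: a JSON manifest beside the dump holding its size, SHA-256, the tool and examiner names and the UTC time, plus a re-verification routine for later. The dump filename, tool name and sample bytes are constructed stand-ins; the script is meant to run on the examiner workstation against the drive, not on the machine being acquired.

```python
import datetime
import hashlib
import json
import os
import platform
import tempfile

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so multi-GB dumps do not fill memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(dump_path, tool, examiner, notes=""):
    """Collect the facts worth recording about an acquired dump."""
    st = os.stat(dump_path)
    return {
        "dump_file": os.path.basename(dump_path),
        "size_bytes": st.st_size,
        "sha256": sha256_file(dump_path),
        "tool": tool,
        "examiner": examiner,
        "acquired_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "examiner_host": platform.node(),  # workstation running this script
        "notes": notes,
    }


def write_manifest(dump_path, tool, examiner, notes=""):
    """Write <dump>.manifest.json next to the dump and return its path."""
    manifest = build_manifest(dump_path, tool, examiner, notes)
    manifest_path = dump_path + ".manifest.json"
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest_path


def verify_manifest(manifest_path):
    """Return True only if the dump still matches the size and hash in its manifest."""
    with open(manifest_path, encoding="utf-8") as f:
        m = json.load(f)
    dump_path = os.path.join(os.path.dirname(manifest_path), m["dump_file"])
    if not os.path.exists(dump_path):
        return False
    if os.stat(dump_path).st_size != m["size_bytes"]:
        return False
    return sha256_file(dump_path) == m["sha256"]


def selfcheck():
    """Run the workflow on a constructed stand-in dump; returns a results dict."""
    sample = b"CONSTRUCTED-SAMPLE-NOT-A-REAL-MEMORY-IMAGE\n" * 1000
    with tempfile.TemporaryDirectory() as tmp:
        dump = os.path.join(tmp, "workstation01.raw")  # hypothetical dump name
        with open(dump, "wb") as f:
            f.write(sample)
        hash_ok = sha256_file(dump) == hashlib.sha256(sample).hexdigest()
        manifest_path = write_manifest(dump, "hypothetical-tool", "examiner")
        intact = verify_manifest(manifest_path)
        # Simulate a damaged or altered copy of the dump (same size, one byte changed).
        with open(dump, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        tampered_detected = not verify_manifest(manifest_path)
        empty = os.path.join(tmp, "empty.raw")
        open(empty, "wb").close()
        return {
            "hash_matches_hashlib": hash_ok,
            "intact": intact,
            "tampered_detected": tampered_detected,
            "empty_sha256": sha256_file(empty),
        }


if __name__ == "__main__":
    print(json.dumps(selfcheck(), indent=2))
```

The manifest is what goes into the case notes alongside the photographs from step 2; re-running verify_manifest on the drive before analysis in Volatility shows whether the dump is still the one that was acquired. Hashing is done on the examiner machine on purpose, since reading a multi-gigabyte file on the target would itself be further activity on the system being acquired.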