Does FTK E01 image automatically include the memory dump

7 Posts
3 Users
0 Reactions
2,663 Views
(@deelabs)
New Member
Joined: 8 years ago
Posts: 4
Topic starter

Hi everyone,

Does FTK Imager allow you to create an image with the memory dump at the same time, or do you have to capture the memory dump separately? If not, are there any tools that allow that?

I have a couple of images that are supposed to be infected with viruses/malware. The E01 images have been mounted and checked for viruses & malware. Nothing has been found so far. Is there anything else one can do to investigate if there is no memory dump?

Thanks,
Dee

Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 13 years ago
Posts: 259
Hi everyone,

Does FTK Imager allow you to create an image with the memory dump at the same time

No.

or do you have to capture the memory dump separately?

Yes.

Are there any tools that allow that?

I do not know any. Some forensic tools are scriptable, so you can write a script which makes an image and after that dumps the memory.

Is there anything else one can do to investigate if there is no memory dump?

Check for the existence of a pagefile and/or a hibernation file. Convert them to a memory dump and check them for malware.

Good hunting,
Robin
(@deelabs)
New Member
Joined: 8 years ago
Posts: 4
Topic starter

Thanks, Robin, for the response. I will check on pagefile.sys and hibernation files. I don't think I had the hibernation file last time I checked, since I removed the hidden file properties.
Bunnysniper
(@bunnysniper)
Reputable Member
Joined: 13 years ago
Posts: 259
I strongly recommend making a full physical image (if possible) or a full logical image and including the pagefile and hiberfil every time. You can then convert the hiberfil.sys to a memory dump with this tool from Arsenal. Once you have the dump, you can proceed with Volatility; malfind will do the job.

Did you know there is a command-line version of FTK Imager? If you really want to make a hard drive image and a memory dump in one step, you can write a simple DOS batch script and combine FTK Imager with the Comae memory dump tool.

Good hunting!
(@deelabs)
New Member
Joined: 8 years ago
Posts: 4
Topic starter

Thanks, Bunnysniper, for the comment. The images were passed on to me. I can see the pagefile.sys, but I do not have the hiberfil.sys file on the images. I am trying to find tools to convert the pagefile. I would check the Arsenal tools out, but would that be able to convert the pagefile.sys as well? Thanks again.
BraindeadVirtually
(@braindeadvirtually)
Estimable Member
Joined: 17 years ago
Posts: 115
Hi everyone, I have a couple of images that are supposed to be infected with viruses/malware.

Who has given this information? How do they know they were infected? If so, how do they think they came to be infected and with what malware? These are all very pertinent questions to your investigation. If you knew the answers you could zero in on what you are looking for much faster.

The E01 images have been mounted and checked for viruses & malware. Nothing has been found so far. Is there anything else one can do to investigate if there is no memory dump?

Obviously, if the volatile memory wasn't captured and the machine was powered off, it's gone forever. However, it would be a rare piece of malware indeed if it didn't have anything resident on the machine from which the images were taken. If you even know the likely timescales of apparent infection, you can filter by those dates and look at what data was changed, e.g. executables or DLLs appearing/disappearing/being renamed or whatever.
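A small triage script for the two suggestions made above (check a mounted E01 for pagefile.sys/hiberfil.sys, then filter executables by an infection window). This is an added example, not code from the thread or from any of the tools named in it; it assumes the E01 is already mounted read-only at some path and that the examiner supplies the suspected date range. Executables are identified by their MZ header rather than extension, so renamed DLLs/EXEs are still listed.

```python
import hashlib
import os
from datetime import datetime, timezone


def check_memory_artifacts(mount_root):
    """Report whether pagefile.sys / hiberfil.sys exist at the volume root.

    NTFS names are case-preserving, so the comparison is case-insensitive.
    Hidden attributes do not matter here: the file is either on disk or not.
    """
    present = {name.lower() for name in os.listdir(mount_root)}
    return {name: name in present for name in ("pagefile.sys", "hiberfil.sys")}


def find_changed_executables(mount_root, start, end):
    """Walk the mounted image and return PE files modified inside [start, end].

    mount_root: mount point of the E01 (assumed, e.g. /mnt/evidence1).
    start, end: timezone-aware datetimes bounding the suspected infection.
    Returns a list of dicts (path, mtime, size, sha256) sorted by mtime so the
    examiner can pivot on the earliest change in the window.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(mount_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    magic = fh.read(2)
                    if magic != b"MZ":          # not a PE image, skip
                        continue
                    digest = hashlib.sha256(magic + fh.read()).hexdigest()
            except OSError:                     # unreadable/locked entry
                continue
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            if start <= mtime <= end:
                hits.append({"path": path, "mtime": mtime,
                             "size": st.st_size, "sha256": digest})
    return sorted(hits, key=lambda h: h["mtime"])


if __name__ == "__main__":
    root = "/mnt/evidence1"  # assumed mount point of the E01 image
    print(check_memory_artifacts(root))
    window = (datetime(2017, 7, 1, tzinfo=timezone.utc),
              datetime(2017, 7, 31, tzinfo=timezone.utc))
    for hit in find_changed_executables(root, *window):
        print(hit["mtime"].isoformat(), hit["sha256"], hit["path"])
```

The resulting hashes can be checked against the AV/threat-intel sources already used on the images, and the mtimes give the timeline that the forum reply asks for.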
(@deelabs)
New Member
Joined: 8 years ago
Posts: 4
Topic starter

Thanks, Redcat. I was hoping the scans would have shown some signs of the compromise as well. But you are absolutely right; I have sent a new set of questionnaires to the client as well. Appreciate your input.