When would you import a memory dump?
Any time you seize a running computer?
If you suspect there is evidence in RAM, dump the memory. Otherwise you risk losing, on any remotely modern machine, at least 512MB of evidence.
And evidence can mean a lot of things so have a plan.
So I would have to have FTK on a thumb drive and dump the RAM before the computer is unplugged?
FTK Imager. You can have it on a thumb drive or a CD if you have a collection drive.
Sorry, I'm still a bit confused. Would you do a memory dump in the field every time you seize a computer or just when you think something is important and may be lost when you unplug and transport to your forensics lab?
Greetings,
If the information is available, and I am legally entitled to collect it, I will. Worst case scenario, I don't use it. Take the extra bit of time and get everything.
-David
I second this.
I'd rather have more and later discard, than less and hem and haw…
Dependent on what you are investigating, the memory could contain some very valuable information.
As has already been said, if it's available and lawful, it could be worth getting. If there's whole disk encryption it could be vital; if you need to know what processes were running or what ports were open it could be vital.
If the computer's off when you arrive at the scene, it's probably not worth turning it on to get it ;)
I collected the memory on a test computer using FTK Imager 2.9, which created memdump.mem. Now that I have it, how do I review the file and what was captured?
Greetings,
Try Volatility - https://
-David
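As an added example (not from the thread and not Volatility's code), a first-pass triage in Python of a raw dump like the memdump.mem above, before it goes into Volatility: hash the file so later work can be verified against the original, then carve ASCII and UTF-16LE strings and grep them for the kind of process and listening-port artefacts mentioned earlier in the thread. The image bytes are constructed inline to stand in for a real dump.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for memdump.mem. Windows memory holds both ASCII and
# UTF-16LE text, so the sample contains some of each plus filler bytes.
SAMPLE_IMAGE = (
    b"\x00\x00\x00\x00explorer.exe\x00\x00"
    + "C:\\Users\\alice\\Documents\\report.docx".encode("utf-16le")
    + b"\x00\x00\x90\x90\x90"
    + b"svchost.exe -k netsvcs\x00\x00"
    + "TCP 0.0.0.0:445 LISTENING".encode("utf-16le")
    + b"\x00\x00\xff\xfe"
)

MIN_LEN = 6  # same idea as `strings -n 6`


def sha256_of(data: bytes) -> str:
    """Hash the dump before touching it; record this with the acquisition notes."""
    return hashlib.sha256(data).hexdigest()


def carve_strings(data: bytes, min_len: int = MIN_LEN) -> Dict[str, List[str]]:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text looks like a printable byte followed by NUL, repeated.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.group().decode("ascii") for m in ascii_re.finditer(data)],
        "utf16le": [m.group().decode("utf-16le") for m in utf16_re.finditer(data)],
    }


def grep_strings(data: bytes, keywords: List[str]) -> Dict[str, List[str]]:
    """Case-insensitive keyword hits across both encodings (ASCII hits first)."""
    found = carve_strings(data)
    hits: Dict[str, List[str]] = {kw: [] for kw in keywords}
    for s in found["ascii"] + found["utf16le"]:
        for kw in keywords:
            if kw.lower() in s.lower():
                hits[kw].append(s)
    return hits


def triage(data: bytes) -> Dict[str, object]:
    """Size, hash, and quick hits for executables and listening sockets."""
    return {
        "size_bytes": len(data),
        "sha256": sha256_of(data),
        "hits": grep_strings(data, [".exe", "LISTENING"]),
    }
```

Run `triage(open("memdump.mem", "rb").read())` on a real dump; the strings pass is only a rough pointer to what is in the image, and Volatility's process and network plugins are what give the proper answer.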