What have you been using to image live systems? FTK Imager? I want to image out to an external USB drive, so I would ideally like to run FTK Imager off a CD or USB drive. I think with admin rights I could do this without having to log the user out of his session, and potentially losing even more evidence.
I find FTK Imager, run off of a CD or the ext HDD, to be quite effective. However, keep in mind that it does not allow you to retain that potential "evidence" that exists in memory…
Thanks all. FAO keydat89, what would be your approach to maintaining any potential memory evidence in an image?
Aside from crash dump files and the pagefile, there really isn't any "potential memory evidence in an image".
You'd have to dump the contents of physical memory, which is a separate action all together from acquiring an image of the system.
H
Hi
I have been doing a few experiments in the lab regarding live forensics. I have been imaging RAM using the Helix CD. I have found the results to be really interesting and quite eye opening. After leaving the laptop on for 4 days and the laptop having been used for general usage, I acquired RAM. 7,000 files were retrieved with a mixture of image files, HTML files etc. This I believe to be a very worthwhile process, due to the very small amount of data actually changed versus the potential information gained from RAM. It is worthwhile exporting a word list from the dd image of RAM and running this word list over encrypted volumes or password protected files.
Danielle,
Hi
I have been doing a few experiments in the lab regarding live forensics. I have been imaging RAM using the Helix CD. I have found the results to be really interesting and quite eye opening. After leaving the laptop on for 4 days and the laptop having been used for general usage, I acquired RAM. 7,000 files were retrieved with a mixture of image files, HTML files etc.
What are you using to
(a) "image" or acquire RAM?
(b) extract the 7000 files?
This I believe to be a very worthwhile process, due to the very small amount of data actually changed versus the potential information gained from RAM. It is worthwhile exporting a word list from the dd image of RAM and running this word list over encrypted volumes or password protected files.
Or, perhaps using tools from the Windows Forensic Analysis DVD to extract the memory used by a particular process, and then extract a much smaller word list from that portion of memory.
How about extracting executable image files from memory dumps?
H
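Taking Danielle's word-list idea and H's suggestion of working from one process's memory rather than the whole dump, here is an added example of the word-list step itself. It is written for this page, not code from either poster, from Helix or from dd.exe. It assumes a raw image such as dd.exe produces from the PhysicalMemory object; the length thresholds, the token-splitting rule and the sample bytes are my own choices for illustration.

```python
"""Word list from a raw memory image (added example, not Helix/dd code).

Scans a raw dump for printable ASCII runs and for UTF-16LE runs (Windows
keeps most user-typed text, URLs and credentials in memory as UTF-16LE,
which a plain ASCII `strings` pass would miss) and turns them into an
ordered, de-duplicated candidate list for a password cracker.
"""
import mmap
import re

MIN_LEN = 6    # assumption: shorter candidates are mostly noise
MAX_LEN = 64   # assumption: cap on run length so huge blobs are not one "word"

# A run of printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,%d}" % (MIN_LEN, MAX_LEN))
# A run of UTF-16LE characters in the same range: each printable byte is
# followed by a NUL byte.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,%d}" % (MIN_LEN, MAX_LEN))
# Split found strings on whitespace and common URL delimiters, so that
# "search?q=foo+bar" also yields "search", "foo" and "bar" as candidates.
TOKEN_SPLIT = re.compile(r"[\s/?=&+:]+")


def extract_strings(image):
    """Yield decoded ASCII strings, then UTF-16LE strings, found in image."""
    for m in ASCII_RE.finditer(image):
        yield m.group().decode("ascii")
    for m in UTF16_RE.finditer(image):
        yield m.group().decode("utf-16-le")


def build_wordlist(image, min_len=MIN_LEN):
    """Return an ordered, de-duplicated list of candidates of at least min_len.

    Each string is kept whole (passphrases may contain spaces and
    punctuation) and also split into tokens.  Works on any bytes-like
    object, so it can be fed a whole dump or just one process's memory.
    """
    seen = {}
    for s in extract_strings(image):
        for cand in [s.strip()] + TOKEN_SPLIT.split(s):
            if len(cand) >= min_len:
                seen.setdefault(cand, None)   # dict keeps insertion order
    return list(seen)


def write_wordlist(image_path, out_path, min_len=MIN_LEN):
    """Build a word list from the dump at image_path; return number of words.

    The dump is memory-mapped rather than read into RAM, since a physical
    memory image is typically several gigabytes.
    """
    with open(image_path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            words = build_wordlist(mm, min_len)
    with open(out_path, "w", encoding="utf-8") as out:
        out.write("\n".join(words) + "\n")
    return len(words)


# Constructed stand-in for a raw dump: NUL padding, an ASCII URL, a UTF-16LE
# passphrase, a PE header fragment and a repeated ASCII token.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"https://www.example.com/search?q=forensic+memory+dump\x00\x00"
    + "TrueCryptPassphrase!".encode("utf-16-le") + b"\x00\x00"
    + b"MZ\x90\x00\x03\x00\x00\x00"
    + b"hunter2 hunter2\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for w in build_wordlist(SAMPLE_IMAGE):
        print(w)
```

On a real image, run write_wordlist("memory.dd", "memory.lst") and feed the result to the cracker; the UTF-16LE pass is the part that matters on Windows, because an ASCII-only strings extraction silently drops exactly the user-typed data you are after.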
Hi H
I have been using a free piece of software called 'Helix' by e-fense to image RAM. It has a nice GUI interface and command line if you prefer. It's well worth getting if you haven't already. Within the Helix CD there is an inbuilt tool called foremost that allows you to extract files from RAM. The foremost tool is a command line tool and allows you to extract the files to your computer, external HDD or wherever you want.
Hope that helps.
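As an added illustration of what foremost does when pointed at a RAM image, here is a minimal header/footer carver over a raw dump. This is example code written for this page, not foremost's own source and not part of Helix; the signature table, size caps and the sample dump bytes are assumptions made for the demonstration.

```python
"""Signature-based file carving over a raw memory image.

Added example for this page: not foremost's code and not part of Helix,
just the header/footer logic foremost applies, written out so the result
of "carving 7,000 files from RAM" is easier to reason about.  The
signature table and size caps are my own assumptions.
"""
import hashlib
import mmap
import os

# file type -> (header, footer, max number of bytes to scan for the footer)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 20 * 1024 * 1024),
    "htm": (b"<html", b"</html>", 1024 * 1024),   # lowercase tags only here
}


def file_hashes(data):
    """MD5 and SHA-1 of a carved object, for lookup against known-file sets."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def carve(image, signatures=SIGNATURES):
    """Return carved objects found in image, sorted by offset.

    For every header hit the footer is searched for within max_size bytes.
    If none is found (object cut off by the end of the dump, or the rest
    of it was paged out), max_size bytes are taken and the object is
    flagged incomplete.  Nothing here validates the carved bytes, which is
    why a carve of RAM yields many fragments alongside real files.
    """
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            limit = min(start + max_size, len(image))
            foot = image.find(footer, start + len(header), limit)
            if foot == -1:
                end, complete = limit, False
            else:
                end, complete = foot + len(footer), True
            data = bytes(image[start:end])
            rec = {"type": ftype, "offset": start, "size": len(data),
                   "complete": complete, "data": data}
            rec.update(file_hashes(data))
            found.append(rec)
            # Resume after a complete object; after an incomplete one, resume
            # just past the header so a later header inside it is not skipped.
            pos = end if complete else start + len(header)
    found.sort(key=lambda r: r["offset"])
    return found


def carve_file(image_path, out_dir):
    """Carve image_path into out_dir (files named <offset>.<type>); return count."""
    os.makedirs(out_dir, exist_ok=True)
    with open(image_path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        items = carve(mm)
        for rec in items:
            suffix = "" if rec["complete"] else "_partial"
            name = "%08x%s.%s" % (rec["offset"], suffix, rec["type"])
            with open(os.path.join(out_dir, name), "wb") as out:
                out.write(rec["data"])
    return len(items)


# Constructed dump: the "files" are header + filler + footer only, not valid images.
FAKE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
FAKE_HTML = b"<html><body>search?q=memory+forensics</body></html>"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x22" * 40 + b"IEND\xae\x42\x60\x82"
TRUNC_JPG = b"\xff\xd8\xff\xe1" + b"\x33" * 30          # dump ends mid-file
SAMPLE_DUMP = (b"\x00" * 64 + FAKE_JPG + b"\x00" * 32 + FAKE_HTML
               + b"\x00" * 8 + FAKE_PNG + b"\x00" * 16 + TRUNC_JPG)

if __name__ == "__main__":
    for rec in carve(SAMPLE_DUMP):
        print("%08x %-3s %5d bytes complete=%s md5=%s"
              % (rec["offset"], rec["type"], rec["size"], rec["complete"], rec["md5"]))
```

The hashes are there for the step Danielle describes later in the thread, matching carved pictures against known-file hash sets; note that a partial carve will never match such a set, so the complete flag is worth keeping in the output filename.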
Hi H
I have been using a free piece of software called 'Helix' by e-fense to image RAM. It has a nice GUI interface and command line if you prefer. It's well worth getting if you haven't already.
Yes, I'm very well aware of Helix, and also know from your previous post that you used Helix…however, I also know that Helix ships with George M. Garner Jr's older version of dd.exe (which allows access to the PhysicalMemory object) as well as Nigilant32, from AgileRM.net. I was wondering which of those two you were using.
Within the Helix CD there is an inbuilt tool called foremost that allows you to extract files from RAM. The foremost tool is a command line tool and allows you to extract the files to your computer, external HDD or wherever you want.
Hope that helps.
Ah, foremost. Okay. How many of those 7000 files were useful to you? How many did you find that were tied back to a specific process?
Thanks,
H
H,
Of the 7000 files, 3,000-4,000 files were useful to me for the experiments I was undertaking. I retrieved several URLs detailing Google search terms that were significant for my test. A large proportion of the notable pictures had matching hash values to known pictures/websites of interest. I know of people who have retrieved email artefacts from months prior to their image of RAM.
Have you identified notable data from your RAM images? What have your findings been? I'm interested to learn of other people's experiences.
All of this has already been thoroughly documented in my book, "Windows Forensic Analysis".
Ch. 4, "Windows Memory Analysis", is available for free from this location
http//
(Click "Sample Chapter")