Forums
Main Category
General (Technical,...
Live memory acquisi...
 
Notifications
Clear all

Live memory acquisitions - without reboot ?

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by jaclaz 15 years ago
10 Posts
7 Users
0 Reactions
636 Views
RSS
 research1
(@research1)
Estimable Member
Joined: 17 years ago
Posts: 165
Topic starter 22/04/2010 8:32 pm  

Quick question, what software/techniques do people use for the live acquire of live resident ram data? I've never actually needed to do this in 3 years..first time for everything. I have physical access to the system..and It cannot be rebooted.

Regards


   
Quote
ecophobia
 ecophobia
(@ecophobia)
Estimable Member
Joined: 17 years ago
Posts: 127
22/04/2010 8:39 pm  

Helix, F-responce, HBGary, FTK Imager light or Linux with Python and iPod driver. It cannot be rebooted? If you reboot, what is the point getting the RAM? I am sure the list of tools can be bigger. What OS?

Regards.


   
ReplyQuote
 twjolson
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
22/04/2010 8:51 pm  

I like mdd.exe, it's command line, very small, and more idiot proof than using a variant of dd.


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
22/04/2010 9:03 pm  

I like mdd.exe, it's command line, very small, and more idiot proof than using a variant of dd.

…and no longer supported.


   
ReplyQuote
 research1
(@research1)
Estimable Member
Joined: 17 years ago
Posts: 165
Topic starter 22/04/2010 9:05 pm  

I presume these can all be used without altering the system, live run via CD/USB?


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
22/04/2010 9:18 pm  

Be sure to check out windd, as well
http//moonsols.com/blog/9-moonsols-windows-memory-toolkit

George M. Garner Jr's variation on dd.exe is no longer available through his site, and only worked on Windows 2000 and XP; as of Windows 2003 SP 1, it was not an option.


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
22/04/2010 9:22 pm  

I presume these can all be used without altering the system, live run via CD/USB?

No. Any action taken on a live system, even inaction, will alter a system in some respect.

Insert the USB device, system is altered. Run a program, the system is altered. The system is altered as you stand there and watch it, doing nothing.

The question isn't whether the system is altered or not…the question is whether that alteration can be shown to materially affect your findings or not. If you can justify the acquisition, and thoroughly document it…much easier when it's part of a standard process…then what's the issue? Crime scenes in the real world are subject to similar phenomena…


   
ReplyQuote
 bgrundy
(@bgrundy)
Trusted Member
Joined: 19 years ago
Posts: 70
22/04/2010 9:47 pm  

The question isn't whether the system is altered or not…the question is whether that alteration can be shown to materially affect your findings or not.

The above quote needs to be put on a poster or something, and placed in every forensics lab. I go blue in the face trying to explain this sometimes…far less effectively, mind you. Ah, the gift of language.

This "keydet89" person should write a book or something.

Barry


   
ReplyQuote
 miket065
(@miket065)
Estimable Member
Joined: 21 years ago
Posts: 187
22/04/2010 9:57 pm  

So should that "bgrundy" person…


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
22/04/2010 10:18 pm  

The system is altered as you stand there and watch it, doing nothing.

Yep D , that's how traditionally evil eye is depicted
http//en.wikipedia.org/wiki/Evil_eye

mrgreen

OT, but not much, anyone have experimented with RAM freezing?
http//citp.princeton.edu/memory/

jaclaz


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: