Live memory acquisitions - without reboot ?  

research1
(@research1)
Active Member

Quick question: what software/techniques do people use for the live acquisition of resident RAM data? I've never actually needed to do this in 3 years... first time for everything. I have physical access to the system, and it cannot be rebooted.

Regards

Posted : 22/04/2010 8:32 pm
ecophobia
(@ecophobia)
Active Member

Helix, F-Response, HBGary, FTK Imager Lite, or Linux with Python and iPod driver. It cannot be rebooted? If you reboot, what is the point of getting the RAM? I am sure the list of tools can be bigger. What OS?

Regards.

Posted : 22/04/2010 8:39 pm
twjolson
(@twjolson)
Active Member

I like mdd.exe; it's command line, very small, and more idiot-proof than using a variant of dd.

Posted : 22/04/2010 8:51 pm
keydet89
(@keydet89)
Community Legend

I like mdd.exe; it's command line, very small, and more idiot-proof than using a variant of dd.

…and no longer supported.

Posted : 22/04/2010 9:03 pm
research1
(@research1)
Active Member

I presume these can all be used without altering the system, live run via CD/USB?

Posted : 22/04/2010 9:05 pm
keydet89
(@keydet89)
Community Legend

Be sure to check out windd, as well:
http://moonsols.com/blog/9-moonsols-windows-memory-toolkit

George M. Garner Jr.'s variation on dd.exe is no longer available through his site, and only worked on Windows 2000 and XP; as of Windows 2003 SP1, it was not an option.

Posted : 22/04/2010 9:18 pm
keydet89
(@keydet89)
Community Legend

I presume these can all be used without altering the system, live run via CD/USB?

No. Any action taken on a live system, even inaction, will alter a system in some respect.

Insert the USB device, system is altered. Run a program, the system is altered. The system is altered as you stand there and watch it, doing nothing.

The question isn't whether the system is altered or not…the question is whether that alteration can be shown to materially affect your findings or not. If you can justify the acquisition, and thoroughly document it…much easier when it's part of a standard process…then what's the issue? Crime scenes in the real world are subject to similar phenomena…

Posted : 22/04/2010 9:22 pm
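The point above about justifying and documenting the acquisition is easiest to satisfy when the record is produced mechanically at the time of capture. The following is an added example (not code from the thread or from any of the tools named in it): it hashes an already-acquired image in chunks, writes a JSON acquisition record beside it (tool, operator, host, UTC time, size, digests), and later verifies that the image still matches that record. The tool name, file paths and the tiny stand-in image used in `demo()` are constructed placeholders.

```python
"""Record and verify a memory acquisition (added example, not from the thread).

Assumes the memory image already exists on disk, produced by whichever
acquisition tool was used; this script only documents and later verifies it.
"""
import datetime
import getpass
import hashlib
import json
import os
import platform
import tempfile

CHUNK = 1 << 20  # read the image 1 MiB at a time so large images do not need to fit in RAM


def hash_file(path, algos=("md5", "sha256")):
    """Return (size_in_bytes, {algo: hexdigest}) for the file, computed in one pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return size, {a: h.hexdigest() for a, h in hashers.items()}


def write_record(image_path, tool, operator=None, notes=""):
    """Hash the image and write <image>.acq.json describing the acquisition."""
    size, digests = hash_file(image_path)
    record = {
        "image": os.path.abspath(image_path),
        "size_bytes": size,
        "hashes": digests,
        "tool": tool,                      # name/version of the acquisition tool actually run
        "operator": operator or getpass.getuser(),
        "host": platform.node(),           # machine on which this record was produced
        "acquired_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "notes": notes,                    # free text: what was done to the system, in what order
    }
    with open(image_path + ".acq.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_record(image_path):
    """Re-hash the image and compare size and every digest against the stored record."""
    with open(image_path + ".acq.json") as f:
        record = json.load(f)
    size, digests = hash_file(image_path, tuple(record["hashes"]))
    return size == record["size_bytes"] and digests == record["hashes"]


def demo():
    """Run the record/verify cycle on a constructed stand-in image in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "ram.raw")
        with open(img, "wb") as f:
            f.write(b"abc")  # constructed stand-in for an acquired image
        rec = write_record(img, tool="<acquisition tool placeholder>", notes="constructed sample")
        ok_before = verify_record(img)
        with open(img, "ab") as f:
            f.write(b"\x00")  # simulate the image being altered after acquisition
        ok_after = verify_record(img)
    return {
        "size": rec["size_bytes"],
        "sha256": rec["hashes"]["sha256"],
        "ok_before": ok_before,
        "ok_after": ok_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record is written next to the image rather than inside it so that the image bytes stay exactly what the tool produced; anything appended to the image after the fact (as `demo()` simulates) fails verification.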
bgrundy
(@bgrundy)
Member

The question isn't whether the system is altered or not…the question is whether that alteration can be shown to materially affect your findings or not.

The above quote needs to be put on a poster or something, and placed in every forensics lab. I go blue in the face trying to explain this sometimes…far less effectively, mind you. Ah, the gift of language.

This "keydet89" person should write a book or something.

Barry

Posted : 22/04/2010 9:47 pm
miket065
(@miket065)
Active Member

So should that "bgrundy" person…

Posted : 22/04/2010 9:57 pm
jaclaz
(@jaclaz)
Community Legend

The system is altered as you stand there and watch it, doing nothing.

Yep :D, that's how the evil eye is traditionally depicted:
http://en.wikipedia.org/wiki/Evil_eye

OT, but not by much: has anyone experimented with RAM freezing?
http://citp.princeton.edu/memory/

jaclaz

Posted : 22/04/2010 10:18 pm