memory acquisition for rootkit analysis

5 Posts
4 Users
0 Reactions
953 Views
(@jolintan)
Trusted Member
Joined: 7 years ago
Posts: 32
Topic starter  

I have two tools installed, EnCase and X-Ways; my memory is 8G, and Windows 7 64-bit.

In EnCase, it asks me for physical memory or process memory during acquisition. If I choose physical memory, after acquiring, I double-click the acquired memory, but nothing happens.

If I acquire process memory, my computer hangs for over 1 hour.

In X-Ways, no memory acquisition is available.

My goal is to analyze memory for rootkits. Does anyone know how to handle this in EnCase or X-Ways? Thanks.


Igor_Michailov
(@igor_michailov)
Honorable Member
Joined: 20 years ago
Posts: 529
 

You can use FTK Imager or DumpIt. They are good tools for memory acquisition.


(@jolintan)
Trusted Member
Joined: 7 years ago
Posts: 32
Topic starter  

We have chosen only EnCase and X-Ways to do our forensics; we can't use other software.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

We have chosen only EnCase and X-Ways to do our forensics; we can't use other software.

Which is good :), as BOTH of those commercial software packages have dedicated support, to which you may want to address these questions.

jaclaz


(@emretinaztepe)
New Member
Joined: 7 years ago
Posts: 4
 

Hi,

You can give IREC TACTICAL a try for all types of evidence collection on Windows machines, including the RAM image and pagefile.sys.

I understand that you are required to use EnCase or X-Ways, but I wanted to let you know just in case…

Thank you.

