
memory acquisition on a running windows system

(@dnraikes)
Posts: 29
Eminent Member
Topic starter
 

I am trying to determine if a computer on my network has any malware on it, and one of the things that I keep seeing from my Google searching is that I need a memory dump to analyze.

How can I obtain a dump of the system's memory without introducing any new artifacts into it (or at least minimizing the impact)?

What tools are good for this kind of work?

 
Posted : 01/10/2011 12:43 am
(@xennith)
Posts: 177
Estimable Member
 

MDD

 
Posted : 01/10/2011 2:25 am
(@dnraikes)
Posts: 29
Eminent Member
Topic starter
 

I also see a tool called win32dd which looks promising, however, I can't find a copy of it anywhere.

 
Posted : 01/10/2011 4:51 am
(@dnraikes)
Posts: 29
Eminent Member
Topic starter
 

It looks like MDD only comes in source format and requires Visual Studio to compile it. Need to work that detail out :-)

 
Posted : 01/10/2011 4:52 am
(@xennith)
Posts: 177
Estimable Member
 

Try FTK Imager (Lite) then. It's free and everything but does have a bigger memory footprint than MDD.

Oh, and I've compiled MDD.exe for you - http://dl.dropbox.com/u/21460656/mdd.exe - you can trust me 😉

 
Posted : 01/10/2011 5:01 am
(@twjolson)
Posts: 417
Honorable Member
 

To answer your question, everything you do will introduce artifacts. To image memory, a program has to be run; to run, the program has to be in memory; and that program in memory has possibly overwritten other programs/data, or shuffled them to pagefile.sys.

 
Posted : 01/10/2011 5:58 am
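Since the acquisition tool unavoidably leaves its own process, modules and pagefile churn in the image, the practical mitigation is to record exactly what was run so that those artifacts can be recognised as yours during analysis. The script below is an added example, not code from this thread or from any of the tools named in it; it hashes the tool binary and the resulting dump, writes a JSON manifest beside the dump, and re-verifies the dump before analysis. Function names and the manifest layout are this example's own assumptions, and the files it creates when run directly are constructed stand-ins.

```python
"""Acquisition manifest: record which binary produced a memory image, on which
host and when, so the imaging tool's own footprint in the dump can be told
apart from the malware being hunted. Example code; the manifest layout and
function names are assumptions of this example, not any tool's format."""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash multi-GiB dumps in 1 MiB pieces instead of reading them whole


def sha256_file(path):
    """Streaming SHA-256 of a file (memory images are often several GiB)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tool_path, dump_path, operator, notes=""):
    """Describe one acquisition: which binary ran, on which host, what it produced."""
    tool_path, dump_path = Path(tool_path), Path(dump_path)
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "host": socket.gethostname(),
        "operator": operator,
        # The tool's hash and name let a later analyst match its process and
        # mapped image inside the dump and file them as acquisition artifacts.
        "tool": {
            "name": tool_path.name,
            "sha256": sha256_file(tool_path),
            "size": tool_path.stat().st_size,
        },
        "dump": {
            "name": dump_path.name,
            "sha256": sha256_file(dump_path),
            "size": dump_path.stat().st_size,
        },
        "notes": notes,
    }


def write_manifest(manifest, out_path):
    """Write the manifest as JSON (normally next to the dump) and return its path."""
    out_path = Path(out_path)
    out_path.write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    return out_path


def verify_dump(manifest, dump_path):
    """Re-hash the dump and compare it with the manifest before analysis starts."""
    return sha256_file(dump_path) == manifest["dump"]["sha256"]


if __name__ == "__main__":
    # Constructed stand-ins for a real tool binary and a real memory image.
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d, "acquire.exe")
        tool.write_bytes(b"MZ constructed tool stand-in")
        dump = Path(d, "memory.raw")
        dump.write_bytes(os.urandom(4096))
        m = build_manifest(tool, dump, operator="analyst",
                           notes="live system; tool run from removable media")
        write_manifest(m, Path(d, "memory.raw.manifest.json"))
        print(json.dumps(m, indent=2))
        print("dump verifies:", verify_dump(m, dump))
```

Run it on the acquisition workstation right after the dump completes; keeping the tool's hash in the manifest is what later lets the analyst filter the tool's own process out of the process list rather than chase it as a suspect.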
LittleMac
(@littlemac)
Posts: 17
Active Member
 

DumpIt by MoonSols is a self-contained executable for 32-bit or 64-bit systems, collection only.

Also Memoryze and Redline by Mandiant: Memoryze is the collection and analysis engine (CLI); Redline is the GUI front-end that automates analysis. 32- or 64-bit systems.

HBGary has a community edition which is free, but it only handles 32-bit; collection and analysis.

FTK Imager Lite will collect on 32- or 64-bit, but is only at 2.9, which apparently (according to the v3 release notes) has some issues with 64-bit RAM.

Hope that helps.

 
Posted : 01/10/2011 7:58 am
jhup
(@jhup)
Posts: 1442
Noble Member
 

Firewire.

 
Posted : 01/10/2011 9:53 am
(@c-r-s)
Posts: 170
Estimable Member
 

When you sign up at HBGary you can obtain (besides Responder CE) a free version of their acquisition tool, I think.

 
Posted : 02/10/2011 6:04 pm
(@athulin)
Posts: 1156
Noble Member
 

I am trying to determine if a computer on my network has any malware on it, and one of the things that I keep seeing from my Google searching is that I need a memory dump to analyze.

Apart from the usual forensic memory acquisition tools, it's also a good idea to be aware of tools such as HijackThis from Trend, GMER, and RootkitRevealer from Sysinternals – at least if the computer runs Windows.

 
Posted : 02/10/2011 10:38 pm