memory acquisition on a running windows system

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by Spawn 13 years ago

12 Posts

9 Users

0 Likes

824 Views

RSS

erowe

(@erowe)

Posts: 144

Estimable Member

Dumpit by Mathieu Suiche is a good, free, small footprint, memory acquisition tool http//www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/

You might want to try Mandiant's Memoryze and Audit Viewer (also free) for initial analysis http//www.mandiant.com/products/free_software

Posted : 03/10/2011 6:37 pm

Spawn

(@spawn)

Posts: 34

Eminent Member

So long as your machine is configured to capture a FULL memory dump on a system failure then the quickest way to achieve this is to use KILL.EXE from the debugger tools and
KILL -f CSRSS.EXE
This will force a system crash an generate you a memory dump you can take a look at.

I've yet to find a piece of malware that can hide from this as the whole of ram is written to the pagefile and on reboot the MEMORY.DMP file is created.

Hope it helps.

Alan

P.S. it has no adverse affect on the system other than creating overwriting a MEMORY.DMP file if it already there.

Posted : 04/10/2011 5:29 am

Page 2 / 2 Prev

8 Forums
15.5 K Topics
92 K Posts
9 Online
40.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed