
Memory acquisition through a network

(@wotex)
Active Member
Joined: 14 years ago
Posts: 6
Topic starter  

Hello everybody. I hope someone can help me out here. I am investigating several ways to dump the RAM memory. I have tested a couple of methods so far, but I did not manage to find a way to do this through a network.

I know this is possible with EnCase and ProDiscover IR, but I am wondering if there are also freeware tools available to do this. It might be possible with Netcat, but I have got no idea how to get that working.

It would make my day (or even my entire week) if someone could help me out here.


   
(@indur)
Trusted Member
Joined: 17 years ago
Posts: 67
 

Live Marshal (http://www.livemarshal.com/) and F-response can both do this as well, I think.

Doing it with simple, free tools should be possible, but many memory acquisition tools don't like dumping to stdout or a pipe, making it trickier. (DD should be a notable exception.)

For example, if you were sitting at a Linux machine and wanted to dump the memory and write the output to a different host, you could possibly use something like this:
dd if=/dev/mem | ssh user@hostname "cat >output"


   
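As an added example (not part of any post in this thread): the `dd`-over-`ssh` pipeline above, extended so the stream is hashed as it leaves the source host and the received file can be checked against that hash, since live memory cannot be re-read later for comparison. The function names, file names and the `user@hostname` target are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are hypothetical.
#
# acquire_stream SRC HASHFILE TRANSPORT...
#   Reads SRC with dd, writes the SHA-256 of the outgoing stream to HASHFILE,
#   and feeds the same bytes to TRANSPORT on stdin.
#   Example call, using the pipeline from the post above:
#     acquire_stream /dev/mem mem.sha256 ssh user@hostname "cat >output"
acquire_stream() {
    src=$1
    hashfile=$2
    shift 2

    # A private FIFO lets one read of the source feed both hasher and transport,
    # so the source is never read twice (a second read of RAM would differ).
    tmpdir=$(mktemp -d) || return 1
    fifo=$tmpdir/stream
    mkfifo "$fifo" || { rm -rf "$tmpdir"; return 1; }

    sha256sum <"$fifo" | cut -d' ' -f1 >"$hashfile" &
    hasher=$!

    dd if="$src" bs=4096 2>/dev/null | tee "$fifo" | "$@"
    rc=$?

    wait "$hasher"
    rm -rf "$tmpdir"
    return "$rc"
}

# verify_image HASHFILE IMAGE
#   Run where the image landed: succeeds only if the received file hashes to
#   the value recorded while the stream was leaving the source host.
verify_image() {
    expected=$(cat "$1") || return 1
    actual=$(sha256sum "$2" | cut -d' ' -f1) || return 1
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}
```

A truncated or altered transfer makes `verify_image` fail; the hash file itself should travel to the examiner's host separately from the image.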
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Hello everybody. I hope someone can help me out here. I am investigating several ways to dump the RAM memory. I have tested a couple of methods so far, but I did not manage to find a way to do this through a network.
>
> I know this is possible with EnCase and ProDiscover IR, but I am wondering if there are also freeware tools available to do this. It might be possible with Netcat, but I have got no idea how to get that working.
>
> It would make my day (or even my entire week) if someone could help me out here.

I think that the responses you get might differ depending upon the platform you're looking at…as you've mentioned EnCase and PDIR, I'll assume Windows…

To get this working via netcat, here's what I'd do if I were you…

I'd start by getting the MoonSol Memory Toolkit and practicing using it at the command line. Then I'd copy the toolkit over to the target machine, and then launch it from my system using psexec.exe, piping the output through netcat from the target system to a netcat listener set up on my system.

HTH.


   
(@braveheart)
Eminent Member
Joined: 16 years ago
Posts: 31
 

Did you try the cold-boot attack method? If not, give it a try. You can get full information by googling this method and technique.


   
(@paraben)
Eminent Member
Joined: 17 years ago
Posts: 47
 

Paraben has a free tool that can do this on Windows based clients. It's called Shuttle Free. You can get more info and download it from http://www.paraben-enterprise.com/shuttle-free.html


   
(@wotex)
Active Member
Joined: 14 years ago
Posts: 6
Topic starter  

Thanks for the replies. I will examine the last mentioned tool tomorrow. I have heard about the cold boot method, but we have not got sufficient resources to get a second test system (need one to get the memory out and one to examine it with).


   
(@wotex)
Active Member
Joined: 14 years ago
Posts: 6
Topic starter  

I just did a download request for Paraben. They will contact me within two business days. I will also have a look at netcat, but I don't think it is going to work the way described above.

To be a bit clearer I want to capture the memory of a powered on, but locked, computer. I know this can be achieved through FireWire, but I am also looking at the possibilities through a network. The way for netcat as described above is not going to work for a locked computer, is it? (I mean, how will I manage to copy the files to the target computer when this is locked?) Or do I get it wrong? (A)


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> To be a bit clearer I want to capture the memory of a powered on, but locked, computer.

Okay, that's new.

> The way for netcat as described above is not going to work for a locked computer, is it? (I mean, how will I manage to copy the files to the target computer when this is locked?) Or do I get it wrong? (A)

It will if you have credentials…however, it's probably not a good idea to try it.


   
(@wotex)
Active Member
Joined: 14 years ago
Posts: 6
Topic starter  

> Okay, that's new.

I know. I totally forgot to mention this in my starting post. Sorry for confusing everyone.

I will await response from Paraben the next couple of days. Hope they will provide me their tool.


   