Memory Acquisitions  

unknown
(@unknown)
New Member

It is increasingly common to come across machines with large amounts of RAM (4GB+). During these situations we discipline our approach around the order of volatility

http://www.ietf.org/rfc/rfc3227.txt

However, it would be nice to do a raw capture of memory for analysis. Have any of you found a solution, or have a programmatic approach, for addressing this gap? Do you focus on more analysis and collection at the time of the incident?

My thanks in advance for your feedback.

Posted : 05/11/2009 6:16 pm
Rossetoecioccolato
(@rossetoecioccolato)
Junior Member

What makes you think that there is a gap, unknown?

Posted : 05/11/2009 7:52 pm
unknown
(@unknown)
New Member

Maybe there is not. Do you have a method for capturing an image of a machine with 4GB or more of memory?

Posted : 06/11/2009 10:09 am
Rossetoecioccolato
(@rossetoecioccolato)
Junior Member

Yes. And so does M. Suiche (as long as you stick with the default options in his new release). http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/. The only "gap" is in some people's understanding of the subject matter. People try to read from physical addresses occupied by PCI BAR or HPET and then wonder why the system crashes when a crash is the expected result. With 32-bit client systems, which do not allow access to physical addresses above ~3.8 GiB via \Device\PhysicalMemory, the design flaw was harmless. But with the proliferation of 64-bit systems and 32-bit server systems equipped with more than 4 GiB of memory that is no longer the case.

Posted : 06/11/2009 11:01 am
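Rossetoecioccolato's point above, that an acquisition tool must skip device-mapped physical ranges (PCI BARs, HPET) instead of reading through them, as an added Python example that is not from this thread or from any tool named in it: it plans a dump from a constructed firmware-style physical address map and reads only ranges typed as RAM. The map values and the read_phys callback standing in for a kernel driver's physical read are assumptions.

```python
from dataclasses import dataclass

PAGE = 0x1000  # 4 KiB pages; runs are trimmed to page boundaries

@dataclass(frozen=True)
class Region:
    start: int  # inclusive physical address
    end: int    # exclusive physical address
    kind: str   # "ram", "reserved" or "mmio"

# Constructed map resembling a 64-bit box with 6 GiB installed: the chipset
# remaps the RAM displaced by the PCI hole below 4 GiB to above 4 GiB.
SAMPLE_MAP = [
    Region(0x0000_0000, 0x0009_F000, "ram"),
    Region(0x0009_F000, 0x0010_0000, "reserved"),  # EBDA / legacy ROM area
    Region(0x0010_0000, 0xBFF0_0000, "ram"),
    Region(0xBFF0_0000, 0xC000_0000, "reserved"),  # ACPI tables
    Region(0xE000_0000, 0xF000_0000, "mmio"),      # PCI BAR window
    Region(0xFED0_0000, 0xFED0_0400, "mmio"),      # HPET registers
    Region(0x1_0000_0000, 0x1_8000_0000, "ram"),   # RAM remapped above 4 GiB
]

def acquisition_runs(regions, page=PAGE):
    """Page-aligned (start, length) runs that are safe to read: only 'ram'
    regions, so device space and unmapped gaps are never touched."""
    runs = []
    for r in sorted(regions, key=lambda r: r.start):
        if r.kind != "ram":
            continue
        start = -(-r.start // page) * page  # round up to a page boundary
        end = r.end // page * page          # round down to a page boundary
        if end > start:
            runs.append((start, end - start))
    return runs

def is_readable(regions, addr):
    """True if a dumper following the plan would ever read `addr`."""
    return any(s <= addr < s + n for s, n in acquisition_runs(regions))

def dump(regions, read_phys, write, chunk=0x100_0000):
    """Copy every run through read_phys(addr, length) -> bytes in 16 MiB
    chunks and hand each chunk to write(); returns the bytes copied.
    read_phys stands in for a kernel driver's physical read (assumption)."""
    total = 0
    for start, length in acquisition_runs(regions):
        for off in range(0, length, chunk):
            n = min(chunk, length - off)
            write(read_phys(start + off, n))
            total += n
    return total
```

The output of dump() is a concatenation of RAM runs with the holes removed, so an analysis tool needs the run list to map file offsets back to physical addresses.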
unknown
(@unknown)
New Member

My sincerest thanks for sharing some of your knowledge on the subject matter.

Posted : 06/11/2009 10:05 pm
Rossetoecioccolato
(@rossetoecioccolato)
Junior Member

Tsukasa Ooi has some interesting observations in his PacSec presentation http://a4lg.com/presentations/pacsec-2009/stealthy_rootkit.en.pdf.

Posted : 08/11/2009 3:43 am
alawi
(@alawi)
New Member

Dear all,

I need your help, guys. I am trying to use the mdd tool to dump memory; my machine uses Windows Vista. Before, when I used it, it was OK, but suddenly this error came up when I tried to dump memory.
Below is the way I run mdd and the error I got.

C:\>mdd_1.3_2.exe -o kakamana.txt
-> mdd
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance

-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.

-> ERROR CreateService failed (1073)
-> ERROR Failed to open PhysicalMemory section!

I need to know what to do to solve this problem.

Please advise me, guys.

Thanks.

Posted : 09/02/2010 9:14 am
Patrick4n6
(@patrick4n6)
Senior Member

Are you running as administrator?

Posted : 09/02/2010 10:13 am
alawi
(@alawi)
New Member

@Tony Patrick
Yes Tony, I run it as admin.

Posted : 09/02/2010 1:17 pm
trendsec
(@trendsec)
New Member

Hi everyone,

I am new to forensics but not to system administration. I just downloaded Helix (ISO); it's a pretty solid Linux distro. I ran a VMware guest OS (XP) and placed the Helix ISO as the primary boot device, but when I chose the option to test the CD it presented some errors; this is not my primary concern, though, because I redownloaded it many times. Now to get to my point: I used dd to acquire an image of the RAM, then I used GetData Mount Image Pro v3.2.6.522 to mount it, but with no success; it presented me with errors, saying the drive needed to be formatted. What is the best way to view a live RAM acquisition? I'll appreciate any help; please correct me if this is not the right location for the post. Thank you.
------------------------------
There are 3 sources:
physical memory 490 MB -- *
physical drive 0
c:\ (logical drive) - NTFS 7.99 GB

This one used Live View with the VMware developer module downloaded.
*
ERROR> The image image.dd does not appear to be a disk file or bootable partition
Please make sure that the image file(s) you chose is a valid disk image
ERROR> Image could not be launched in the VM.
Detected VMWare Workstation Installation


Posted : 09/02/2010 3:41 pm
keydet89
(@keydet89)
Community Legend

Now to get to my point: I used dd to acquire an image of the RAM, then I used GetData Mount Image Pro v3.2.6.522 to mount it, but with no success; it presented me with errors, saying the drive needed to be formatted. What is the best way to view a live RAM acquisition?

Acquiring memory with dd doesn't give you a disk image… Mount Image Pro won't mount it because it's not a disk image. When you acquire a memory dump, you're not acquiring a disk image with a file system, MBR, partition table, etc. Memory doesn't follow the same format as a file system.

Posted : 09/02/2010 7:26 pm