It is increasingly more common to come accross machines with large amounts of ram. (4GB+) During these situations we discpline our approach around the order of volatility
However, it would be nice to do a raw capture of memory for analysis. Have any of you found a solution, or have a programatic approach, for addressing this gap? Do you focus on more analysis and collection at the time of the incident?
My thanks in advance for your feedback.
What makes you think that there is a gap, unknown?
Maybe there is not. Do you have a method for capturing an image of a machine with 4GB or more of memory?
Yes. And so does M. Suiche (as long as you stick with the default options in his new release). http//www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/. The only "gap" is in some people's understanding of the subject matter. People try to read from physical addresses occupied by PCI BAR or HPET and then wonder why the system crashes when a crash is the expected result. With 32-bit client systems, which do not allow access to physical addresses above ~3.8 GiB via \Device\PhysicalMemory, the design flaw was harmless. But with the proliferation of 64-bit systems and 32-bit server systems equipped with more than 4 GiB of memory that is no longer the case.
My sincerest thanks for sharing some of your knowledge on the subject matter. )
I need your help guys am try to use mdd tool to dump memory, my machine use window vista.before i used it ,it was ok but suddenly this error come when am try to dump memory.
the below is the way i run mdd and the error i got.
C\>mdd_1.3_2.exe -o kakamana.txt
-> ManTech Physical Memory Dump Utility
Copyright (C) 2008 ManTech Security & Mission Assurance
-> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
This is free software, and you are welcome to redistribute it
under certain conditions; use option `-c' for details.
-> ERROR CreateService failed (1073)
-> ERROR Failed to open PhysicalMemory section!
I need to know what to do to solve this problem
Please guys advise me.
Are you running as administrator?
I am new to forensics but not with system administration, i just downloaded helix, iso, its pretty much solid linux distro, i ran vmware guest os xp, place the helix (iso) as the primary boot device, but when i choose the option to test cd it presented some errors, but this is not my primary concern because i redownloaded it many times, now to get to my point i used dd- to acquire image of the ram, – i used the GetData Mount Image Pro v188.8.131.522 to mount but no success it did present me with errors, it says drive needed to formated; what is the best way of view live ram acquisition. i'll appreciate any help, pls correct if the location of the post is not the right location. Thank you.
there are 3 sources
physical memory 490 mb — *
physical drive 0
c\(logical drive) - NTFS 7.99 GB
this one used live view with vmware developer module downloaded
ERROR> The image image.dd does not appear to be a disk file or bootable partition
Please make sure that the image file(s) you chose is a valid disk image
ERROR> Image could not be launched in the VM.
Detected VMWare Workstation Installation
now to get to my point i used dd- to acquire image of the ram, – i used the GetData Mount Image Pro v184.108.40.2062 to mount but no success it did present me with errors, it says drive needed to formated; what is the best way of view live ram acquisition.
Acquiring memory with dd doesn't give you a disk image…Mount Image Pro won't mount it because it's not a disk image. When you acquire a memory dump, you're not acquiring a disk image with a file system, MBR, partition table, etc. Memory doesn't follow the same format as a file system.