There are a number of different memory acquisition tools available:
- FTK Imager Lite
- MoonSols (win32dd/win64dd)
- FAU (dd suite)
- FastDump
- Encase (winen)
- Memoryze
- HelixPro
- Helix (nigilant32)
- F-Response (+ your tool here)
to name a few…
Personally, I have played with all of these and have been leaning towards FastDumpPro and MoonSols, based on kernel-land use and cross-platform support. I'm not fond of FastDumpPro needing to extract (and subsequently delete) driver files when run (F-Response does this too when you check the memory option). Free is nice too, and I like that these tools have community editions with which I can test at home before going to my boss for licensing requests…
So what is your preferred memory acquisition tool? Anyone have a preference when it comes to the above list? Anyone have a better success rate with one over the other (i.e. works reliably, intuitive to use, no crashing the server it's run on, cross-platform compatible (x32/x64), etc.)?
What are you planning to do with the data?
Acquire it and preserve it… and analyze it later with a tool of my choosing.
If you would choose one tool over another, based on your memory analysis expectations, please comment further.
I have not tested everything on your list, but I have tested FTK, win32dd, fastdump, winen, and Memoryze. My requirements were similar to yours, which is to preserve memory and analyze it offline. I also wanted a program that would acquire the pagefile, and I preferred having a single program instead of having two programs for 32-bit and 64-bit platforms.
With physical access to the device, the free program I prefer is Memoryze because it meets the above requirements and has an added feature of verifying digital signatures. I have not tested the paid version of Fastdump, but I am interested in the program's specifications, such as the platform support (2000, XP, Vista, 2003, and 2008), up to 64 GB of RAM, and obtaining the pagefile. I obtained these specifications from the Fastdump website. The last time I inquired, the price of a Fastdump license was $100, which means this may become the commercial program I prefer.
If I had to acquire memory over the wire then I would just use the tool my unit has which is Encase. This would let me acquire the memory for offline analysis or just analyze it live using Encase and Memoryze.
The majority of my testing has been on XP, but I was testing Encase with Memoryze on the server platforms of 2003 and 2000. I haven't had any issues with the preferred tools I mentioned. The only issue has been with the hardware of the computer being imaged. In a few cases the hardware was dated, so the imaging process took some time (I was storing the image on a thumb drive).
Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com
FastDump Pro for me.
It is a tool with continuous support and development; HBGary has been good about responding to issues and questions; it works easily and well on both 32- and 64-bit systems as well as large memory sizes; it works on pretty much all Windows platforms; and it allows for acquisition of the page file as well.
If I recall, it didn't seem to play nicely with COFEE, however. Perhaps that's fixed…