query related to volatile data

8 Posts
7 Users
0 Reactions
458 Views
(@ajayramani80)
New Member
Joined: 15 years ago
Posts: 2
Topic starter  

I am confused about the order in which volatile data needs to be collected. In most places I read, it's written that RAM should be collected first. The question I have is: what about other volatile data that can be lost very soon, like time, network connections and process information? In the amount of time it takes to acquire RAM, this information would have changed. Especially these days, when we see servers having 16 to 32 GB of RAM?


(@miket065)
Estimable Member
Joined: 21 years ago
Posts: 187
 

I guess it would depend on the circumstance. I think the theory that you should collect RAM first is based on the fact that any other tools you run to gather the other volatile data load and run in memory. Getting RAM first gives you a somewhat more pristine image.

So if the circumstance were that someone was actively connected to a machine, you might want to run your network tools first.


(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

Also, some of the other volatile data resides in RAM so you can recover some of it from RAM if you fail to get it via other mechanisms.

-David


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Dumping the contents of memory first will allow you to get an as-pristine copy of memory as possible. Network connections may terminate while memory is being collected, but if you're using Volatility, you will be able to collect information about disconnected connections, if you didn't get the information while they were active.

You may, however, have the need to retrieve volatile data first…it all depends on your environment. Keep in mind that tools such as Volatility will allow you to retrieve data structures that were no longer in use by the system within memory, even at a later date. Running your tools will overwrite those sections of memory that were marked available for reuse.

The key, however, is that you document your justification and what you do. If you collect volatile memory first, as part of a documented policy, with the exception of very technical discussions, no one can really argue with that…


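The order the thread converges on (memory first, then the faster-changing state, with every step documented) can be scripted. The following is an added example written for this page, not a script posted by any of the participants. It assumes a Linux-like host, that a memory dumper (if used) is a command that writes the raw image to stdout, and an output layout (manifest.txt, one <step>.txt per step, memory.raw) of its own choosing; the manifest records UTC start/end times and a SHA-256 for each step, which is the "document what you do" part of keydet89's advice.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): a minimal live-response collector
# that acquires memory first when a dumper is supplied, then the shorter-
# lived state (network, processes, users, clock), logging each step with
# UTC start/end times and a SHA-256 so order and timing are documented.
# Assumptions: the dumper writes the raw image to stdout; the output layout
# (manifest.txt, <step>.txt, memory.raw) is this example's own.
set -u

# Hash helper with fallbacks, since live-response hosts vary.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{print $1}'
    else openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# Network state: prefer ss, fall back to netstat, then the raw /proc tables.
list_network() {
    if command -v ss >/dev/null 2>&1; then ss -antup
    elif command -v netstat >/dev/null 2>&1; then netstat -antup
    else cat /proc/net/tcp /proc/net/tcp6 /proc/net/udp 2>/dev/null
    fi
}

# Process table with start times where procps supports it.
list_processes() { ps -eo pid,ppid,user,lstart,args 2>/dev/null || ps -ef; }

# Host clock and uptime, to reconcile against the collector's own clock later.
clock_info() { date -u; uptime 2>/dev/null || cat /proc/uptime; }

# record_step MANIFEST OUTFILE NAME CMD...
# Runs CMD, saves stdout to OUTFILE and stderr to OUTFILE.err, then appends
# a tab-separated manifest line: name, start, end, sha256, command.
# A failing or missing tool is logged rather than fatal, so later steps run.
record_step() {
    local manifest="$1" out="$2" name="$3"
    shift 3
    local start end
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if ! "$@" > "$out" 2> "$out.err"; then
        echo "step '$name' exited non-zero or tool missing" >> "$out.err"
    fi
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\t%s\t%s\t%s\t%s\n' "$name" "$start" "$end" "$(sha256_of "$out")" "$*" >> "$manifest"
}

# collect_volatile OUTDIR [DUMPER]
# DUMPER, if given, runs first and must write the memory image to stdout.
# Prints the manifest path.
collect_volatile() {
    local outdir="$1" dumper="${2:-}"
    mkdir -p "$outdir"
    local manifest="$outdir/manifest.txt"
    : > "$manifest"

    # 1. Memory first: everything run afterwards consumes and overwrites
    #    freed pages, and the process/network structures live in RAM anyway.
    if [ -n "$dumper" ]; then
        record_step "$manifest" "$outdir/memory.raw" memory "$dumper"
    fi
    # 2. Then the state that changes fastest, in roughly RFC 3227 order.
    record_step "$manifest" "$outdir/network.txt"   network   list_network
    record_step "$manifest" "$outdir/processes.txt" processes list_processes
    record_step "$manifest" "$outdir/users.txt"     users     who
    record_step "$manifest" "$outdir/clock.txt"     clock     clock_info
    printf '%s\n' "$manifest"
}

# Usage (no dumper):   collect_volatile /mnt/usb/case-001
# With a dumper:       collect_volatile /mnt/usb/case-001 my_dump_to_stdout
```

The manifest's per-step timestamps are what let you argue later how long the memory acquisition took and which connections or processes could have changed in that window; if your environment needs network state before memory (the "someone is actively connected" case above), swap the order and the manifest still shows exactly what was done and when.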
(@ajayramani80)
New Member
Joined: 15 years ago
Posts: 2
Topic starter  

Really appreciate everyone's response. It seems I need to explore more of the Volatility framework: "if you're using Volatility, you will be able to collect information about disconnected connections"; "Volatility will allow you to retrieve data structures that were no longer in use by the system within memory". Thanks

Ajay Ramani


nlpd120
(@nlpd120)
Trusted Member
Joined: 15 years ago
Posts: 96
 

Just a note that other physical memory analysis tools will also retrieve this other collected volatile data from a RAM Dump.

Data in physical memory may be crucial to a case, malware analysis, decryption efforts, etc… So you wouldn't want to risk losing that data if you can get it. Yes, with larger RAM there is a longer wait time, but usually it is not too bad and worth it.

My suggestion is to read the Windows Forensic Analysis book if you have not.

Regards,

Chris


(@chrism)
Trusted Member
Joined: 16 years ago
Posts: 97
 

RFC 3227 gives sound advice (although a little dated) on this

Section 2.1: http://www.faqs.org/rfcs/rfc3227.html


erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

Just wondering if those of you who are collecting memory dumps are seeing many 64-bit systems?

Mostly asking because this puts a bit of a kink into using Volatility

http://code.google.com/p/volatility/wiki/FAQ#What_operating_systems_does_Volatility_support?

