Hopefully, a simple question.
If using a tool like winDD to acquire the contents of the current active memory, does it not require administrative rights to run the program on the system?
For instance, on a test system, I was running win32dd to test if I could acquire the memory contents on a machine. Since I was logged in with an account that did not have admin rights, I was greeted with a nice red message saying that admin rights are needed to run this util.
Which brings up my next question.
If you need to acquire the live memory from a suspect machine and the current account that is logged into the machine does not have admin rights, how do you go about getting the memory dump from this machine?
I would think that you do NOT want to log off the machine then back on with a different admin account as you would lose the contents of the memory on hand, thus negating a lot of very important information.
Am I missing something here?
What is the best method to gather the memory on a system like this?
I did try running a 'privileged' cmd shell, but for whatever reason, I could not CD to the CD-ROM drive where my utilities were, even though using NET USE showed the drives on the system. Very odd.
Any suggestions?
Thanks
Jason
I would think that you do NOT want to log off the machine then back on with a different admin account as you would lose the contents of the memory on hand, thus negating a lot of very important information.
Logging out of the current user account and logging in as an admin wouldn't necessarily mean rebooting. To log in as a different user, you wouldn't need to shut the system down completely.
Also, without having to logout, how about using RunAs…
http://support.microsoft.com/kb/294676
http://support.microsoft.com/kb/305780
I thought about that, using RunAS.
For me, there have been a few times where we needed to grab memory dumps of a system while the user was logged in (weird/nasty stuff in memory that we wanted to capture). However, if you logged off the user and logged on with a different user, the memory is different, and at times, we would not get everything we needed, thus losing precious information.
I have tried using Windows memory dump utility, but for whatever reason, that seems to be hit or miss.
Thanks for the help.
I will continue to look around.
Thanks,
Jason
Are you in a position to use F-Response to connect to the remote machine? If so you can use tools on your local machine against the memory in the remote machine.
Also give FTK Imager LITE a test as well. It can be unpacked/unzipped to a folder that can be run from a USB drive on a suspect machine without installing the program locally. You have the option of doing a memory acquisition on the suspect machine and dumping the memory image to the USB drive. Obviously take careful notes and understand the changes that are made to reg keys and such when running the program so you can explain any changes to the suspect machine by your actions.
Do be familiar with the runas option by right clicking on an executable, batch, shell, etc. file as each system can have different group policy settings that can restrict certain Windows functions and/or programs from executing. The group policy editor is a topic unto itself but be familiar with gpedit.msc (Start->Run->gpedit.msc) in general to know where your hands might be tied.
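The two points raised in the thread, elevating with RunAs instead of logging the user off and keeping notes of what the acquisition did to the machine, can be put into one script. The PowerShell below is an added example and is not code from the thread, from win32dd or from FTK Imager. It assumes PowerShell 4 or later (Get-FileHash, $PSCommandPath), that the acquisition tool sits on read-only removable media at $ToolPath, that a writable USB drive for the image is at $OutputDir, and that $ToolArgs holds the tool's own switches, which the thread does not give; all three are placeholders to replace for your kit.

```powershell
# Added example, not code from the thread or from any tool it names.
# Goal: acquire memory under an admin token WITHOUT logging off the interactive user,
# and log what ran, when, and what it produced (tool hash, image hash, exit code).
#
# Assumptions (placeholders, change for your kit):
#   $ToolPath  - acquisition tool on read-only removable media
#   $ToolArgs  - the tool's own command-line switches (not given in the thread)
#   $OutputDir - writable USB drive that receives the image and the log

$ToolPath  = 'E:\tools\win32dd.exe'   # placeholder path
$ToolArgs  = @()                       # placeholder: fill in from your tool's documentation
$OutputDir = 'F:\dumps'                # placeholder path
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$DumpFile  = Join-Path $OutputDir "$env:COMPUTERNAME-$Stamp.dmp"
$LogFile   = Join-Path $OutputDir "$env:COMPUTERNAME-$Stamp-acquisition.log"

function Test-IsElevated {
    # True when the current process token has the Administrators group enabled,
    # i.e. the tool will not hit the "admin rights needed" refusal from the thread.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Write-Log([string]$Message) {
    # Timestamped, append-only record kept next to the image on the USB drive.
    "[$(Get-Date -Format o)] $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

if (-not (Test-IsElevated)) {
    # Re-launch this same script elevated. This is the scripted form of
    # right-click "Run as administrator" / runas: the logged-on user's session
    # stays up, so the memory contents of interest are not discarded.
    # Supply admin credentials at the prompt.
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', "`"$PSCommandPath`"")
    exit
}

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
Write-Log "Acquisition started on $env:COMPUTERNAME by $env:USERDOMAIN\$env:USERNAME (elevated token)"
Write-Log "Tool: $ToolPath  SHA256=$((Get-FileHash -Algorithm SHA256 -Path $ToolPath).Hash)"

# Run the acquisition tool. Drive letters mapped with NET USE belong to the logon
# session that created them and may be invisible to an elevated process, so the
# paths above use local drive letters; a UNC path also works where a share is involved.
& $ToolPath @ToolArgs $DumpFile
$exitCode = $LASTEXITCODE
Write-Log "Tool exit code: $exitCode"

if (Test-Path $DumpFile) {
    # Hash the image immediately so later copies can be checked against it.
    $hash = (Get-FileHash -Algorithm SHA256 -Path $DumpFile).Hash
    $size = (Get-Item $DumpFile).Length
    Write-Log "Image: $DumpFile  bytes=$size  SHA256=$hash"
} else {
    Write-Log "No image produced; check the tool's output and the exit code above"
}
Write-Log "Acquisition finished"
```

Run it from the removable media as the logged-on user; the first pass only re-launches itself elevated, the second pass (under the admin token) does the acquisition and writes the log. Start the log with the tool's hash rather than after the fact, so the record shows exactly which binary touched the machine and when, which is the kind of note the last reply asks for when explaining changes made to the suspect system.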