RAM
rofmoc
(@rofmoc)
Active Member
Joined: 20 years ago
Posts: 7
Topic starter  

Has anyone a solution for dumping RAM and/or running scripts extracting all running processes before shutting down a suspect's computer?

This is something we are asked often but so far we have not been able to do anything about it, thus leaving us with the old-fashioned "pull the plug".


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

rofmoc,

There are a couple of ways to go about doing this…

If you're running Windows systems (2K, XP, 2K3), then you can use dd.exe to dump the contents of RAM for later examination. However, if you're looking for process memory (which exists in both RAM and the pagefile) then I'd suggest you look at something like pmdump.exe from NTSecurity.nu.

If you could provide some additional information about the types of user systems you're referring to…*nix, Mac, Windows…I'm sure someone in this forum would be able to provide you with more detailed information.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com


mark777
(@mark777)
Estimable Member
Joined: 21 years ago
Posts: 101
 

If it is part of a network and you have the money, the EnCase FIM/Enterprise model is pretty good at this. Quite expensive, but it has a lot of plus points if you would use it a lot.


rofmoc
(@rofmoc)
Active Member
Joined: 20 years ago
Posts: 7
Topic starter  

It is mostly Win XP Pro and Win 2000, but also some Unix and Linux. So far almost no Macs…

Well, I want both, I want all that is in RAM and all that is used by running processes (I know I will find some of it in the pagefile, but I want it all)…

I guess the most important thing is to be able to document every part of the process so that you can explain any changes that you make while doing this RAM dumping.

Is there anywhere I can read about how to use dd.exe for this purpose? Are there any other tools I should look at, besides pmdump.exe?


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

…and you have the money, the EnCase FIM/Enterprise model is pretty good at this.

I understand the desire to push EnCase, but other tools do this, as well. Take a look at ProDiscover from TechPathways.

It is mostly Win XP Pro and Win 2000…

dd.exe, from George Garner's site, will image physical memory for you. Besides pmdump.exe, MS has a "userdump.exe" tool available.

I guess the most important thing is to be able to document every part of the process so that you can explain any changes that you make while doing this RAM dumping.

Besides modifying the actual contents of RAM itself, what other changes would you suspect would be made?

I think that when doing this, the biggest thing to consider is what you're going to do with the data, i.e., where you're going to put it. After all, if you have a system with 512MB RAM, you're going to need that much room.

HTH,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

