Hello All,
I am a forensic student at a university, and I am just trying my hand at tool development. I have been able to develop a tool that will collect volatile evidence, but the only feature I would have loved to add, and can't, is RAM imaging. I want to be able to collect a RAM image so that the content of the physical memory can be analysed with the other evidence collected.
Any idea will be appreciated please, also if anyone knows any tool that is available free that can perform the same function, can you please suggest it so I can try my hand at it please?
Thank you
Tolu
I am assuming this is for a Windows machine.
Check out MoonSols Dumpit, it is free.
http://forensiccontrol.com/resources/free-software/
http://www.moonsols.com/
FTK Imager (AccessData.com)
Or if you prefer Open Source, Volatility also comes with a memory acquisition tool and driver for Windows, Linux and OS X.
For Windows systems try…
Hello,
Thanks for your response, I remembered I have tried this before, but I got discouraged due to the file extension of the product.
Though this may be a bit embarrassing, I don't know what program I can use to open a ".raw" extension.
Please help me
Thanks
.raw should be the same as .dd, .mem, and .001. It is just a flat image file, with no administrative overhead added. Thus, if a program can open a .dd, .mem, or .001, it can open a .raw. Of course, if it's a .raw memory image, only those programs that can open the above can interpret the image file.
Regarding Mandiant's Memoryze. Great tool, excellent analysis program, however I constantly had issues with getting the interpreter program to finish. It would stall most of the time. I haven't used it in a few years, so it might be fixed (or even was solely localized to my machine).
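As an added example (not posted by anyone in this thread), a small Python script that shows what "flat image with no administrative overhead" means in practice: a .raw/.dd/.mem/.001 file has no header, so the file offset is simply the physical address, and the only way to tell it apart from a container format is the absence of a known container signature. The EWF, AFF and LiME magic bytes are assumed from those formats' specifications; the sample image and its marker are constructed inline.

```python
import os
import tempfile

# Leading bytes of common container formats. A flat image (.raw, .dd, .mem,
# .001) carries no header at all, so anything not matched here is treated as raw.
CONTAINER_SIGNATURES = {
    b"EVF\x09\x0d\x0a\xff\x00": "EWF (E01)",
    b"AFF\r\n": "AFF",
    b"EMiL": "LiME",
}

def detect_container(path):
    """Return the container name if a known header is present, else 'raw'."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, name in CONTAINER_SIGNATURES.items():
        if head.startswith(magic):
            return name
    return "raw"

def read_physical(path, paddr, length):
    """In a flat image the file offset is the physical address, so a plain
    seek reaches any page. Containers must be unwrapped before this works."""
    if detect_container(path) != "raw":
        raise ValueError("not a flat image; convert or unwrap the container first")
    with open(path, "rb") as f:
        f.seek(paddr)
        return f.read(length)

def demo():
    """Constructed sample: a 16 KiB 'memory image' with a marker at the start
    of page 1, plus a file carrying only an EWF header, to show both cases."""
    marker = b"FORENSIC-MARKER"
    with tempfile.TemporaryDirectory() as d:
        raw = os.path.join(d, "sample.raw")
        with open(raw, "wb") as f:
            f.write(b"\x00" * 0x1000 + marker + b"\x00" * (0x3000 - len(marker)))
        ewf = os.path.join(d, "sample.E01")
        with open(ewf, "wb") as f:
            f.write(b"EVF\x09\x0d\x0a\xff\x00" + b"\x00" * 8)
        return {
            "raw_kind": detect_container(raw),
            "raw_size": os.path.getsize(raw),
            "page1": read_physical(raw, 0x1000, len(marker)),
            "ewf_kind": detect_container(ewf),
        }

if __name__ == "__main__":
    print(demo())
```

Any tool that reads .dd/.mem/.001 does exactly what read_physical does, which is why the extension on a flat memory image does not matter.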
Maybe useful maybe not
MemGator
MemGator is a memory file interrogation tool that automates the extraction of data from a memory file and compiles a report for the investigator. MemGator brings together a number of memory analysis tools such as the Volatility Framework and PTFinder into the one program. Data can be extracted in relation to memory details, processes, network connections, malware detection, passwords & encryption keys and the registry.
jaclaz