RAM Memory Dump.

This is one avenue that I have started using with success F-Response - The Long Road to Physical Memory.

There are also a number of Enterprise tools available that work well in a corporate environment.

Good afternoon,

Mantech's mdd appears to be one of the better memory collection tools available

http//www.mantech.com/msma/mdd.asp

Volatility will help you analyze it

https://www.volatilesystems.com/default/volatility#overview

Apparently the latest version of EnCase, or a recent EnScript, will also do memory analysis.

-David

This is one avenue that I have started using with success F-Response - The Long Road to Physical Memory.

There are also a number of Enterprise tools available that work well in a corporate environment.

Thanks BH, we've gotten a good bit of positive feedback so far on F-Response 2.03.

Warmest Regards,

M. Shannon, Founder, F-Response

If not, could you give me efficient software to catch if from the LIVE CD to put into the CD room of the suspect’s machine and save results somewhere on the network for further analysis.

Hi

The newest versions of EnCase & Helix contain Winen, this may satisfy the last resort. More info here;
http//forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
The author of this article also mentions another tool that he uses; http//gmgsystemsinc.com/knttools/

All great suggestions.

For the remote acquisition, F-Response is a great solution. Combining that with your imaging tool of choice is a very good way to capture RAM over the network. It sees RAM as a physical device, like a hard drive. Very cool….

For local acquisition, when possible I like running my tools from a USB hard drive (thumbs are way to slow to be practical). I am fond of MDD and WinEn. Other solutions exist; however, these two offer some of the widest compatibilities (i.e. Vista and 2003).

For analysis, I like Volatility, HB Gary Responder, and good old EnCase or FTK. Mantech has just released Memoryze as well.

Our company, BitSec Forensics, offers a two day course on the Acquisition and Analysis of physical memory. We offered an abbreviated version of the course HTCIA in Atlantic City. Please feel free to download a copy of those materials at http//www.bitsecforensics.com/htcia08.pdf . We're hosting a full two day course in March. Details are available at http//www.bitsecforensics.com/Courses/livedc09.html

Mike Webber
BitSec Forensics

Bump!

F-Response 2.04 Beta is now available.

www.f-response.com

Thanks!

M. Shannon, F-Response

Mantech has just released Memoryze as well.

Mantech, or Mandiant?

AIYDK. Mandiant.

EnCase has acknowledged that there is a bug in winen which blanks out the first page of memory..Feature / bug #24597