Issues
Capturing
The process of capturing the contents of memory is known as dumping. The tools and methods for dumping the memory of a running computer differ with the operating system.
Windows
One way to dump the memory under Windows is to use the dd tool from the Forensic Acquisition Utilities by George M. Garner Jr.
A sample command to achieve a dump is the following:
dd.exe if=\\.\PhysicalMemory of=d:\images\PhysicalMemory.img conv=noerror
Here \\.\PhysicalMemory is the physical memory device (as opposed to \\.\PhysicalDrive0, which is the first physical disk). The conv=noerror option makes dd continue even if it encounters errors while reading the memory. Note also that writing the image to a local drive requires the --localwrt option; by default the tool refuses to do so, which is the right behaviour in a real forensic scenario: you don't want to write to a drive and potentially destroy evidence.
Dumping the memory on Windows Server 2003 SP1 and Windows Vista is difficult, as user-mode access to \Device\PhysicalMemory is no longer available on those systems.
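A post-acquisition check for an image taken this way, as an added example (not code from the Forensics Wiki or from Garner's utilities): it hashes the dump for the chain of custody and lists page-aligned zero-filled runs, which are where unreadable blocks end up if the image was taken with conv=noerror,sync (GNU dd semantics, assumed here; with conv=noerror alone the failed blocks are simply dropped and later offsets shift). It assumes 4 KiB pages and uses a constructed sample image rather than a real dump.

```python
import hashlib
from typing import Dict, List, Tuple

PAGE = 4096  # assumed page size; unreadable regions are padded page by page


def sha256_image(data: bytes) -> str:
    """Hash the whole image so it can be recorded with the acquisition notes."""
    return hashlib.sha256(data).hexdigest()


def zero_page_runs(data: bytes, page_size: int = PAGE) -> List[Tuple[int, int]]:
    """Return (offset, length) of each contiguous run of all-zero pages.

    Zero runs are only a hint: a live system legitimately has many zero pages,
    so a run is worth a note in the acquisition log, not proof of a read error.
    """
    runs = []
    zero_page = bytes(page_size)
    run_start = None
    for off in range(0, len(data), page_size):
        page = data[off:off + page_size]
        is_zero = page == zero_page[:len(page)]  # handles a short final page
        if is_zero and run_start is None:
            run_start = off
        elif not is_zero and run_start is not None:
            runs.append((run_start, off - run_start))
            run_start = None
    if run_start is not None:
        runs.append((run_start, len(data) - run_start))
    return runs


def acquisition_report(data: bytes, page_size: int = PAGE) -> Dict[str, object]:
    """Summarise an image: size, hash, zero runs and the zero-filled fraction."""
    runs = zero_page_runs(data, page_size)
    zero_bytes = sum(length for _, length in runs)
    return {
        "size": len(data),
        "sha256": sha256_image(data),
        "zero_runs": runs,
        "zero_fraction": zero_bytes / len(data) if data else 0.0,
    }


def build_sample_image() -> bytes:
    """Constructed 8-page image; pages 2, 3 and 7 are zero as if unreadable."""
    pages = [bytes(PAGE) if i in (2, 3, 7) else bytes([0x41 + i]) * PAGE
             for i in range(8)]
    return b"".join(pages)


if __name__ == "__main__":
    report = acquisition_report(build_sample_image())
    for key, value in report.items():
        print(f"{key}: {value}")
```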
*NIX
Stub.
Analyzing
Stub.
The DFRWS 2005 Forensic Challenge was concerned with analyzing a RAM dump.
External Links
- Forensic Analysis of Instant Messenger Artifacts by Belkasoft
- Forensic Analysis of Volatile Memory Stores PDF by Tim Vidas
- dd and other tools for Windows from George M. Garner Jr.
- Memory analysis from Andreas Schuster
- PhysMem tool from SysInternals
- Forensic RAM Dumping by Arne Vidstrom
- Perl scripts for memory analysis by Harlan Carvey
- Part 1 and Part 2 of Win32 Portable Executable File Format by Matt Pietrek