Capture Volatile Data


GlennF, New Member, Nov 12, 2007, #1
I just joined the forum and have found it very informative so far. Can anyone tell me the best product to use to capture volatile data (memory dump) of a machine? I currently use EnCase for a lot of the work that I do. I have slowly figured out that I can get some information from EnCase (i.e. running processes, etc.) but not exactly what I am looking for. I have heard that Helix is good for this and I have a copy of Linen with Helix on it but I have not found a way to do what I want with it yet. Can anyone assist?

Thanks,

Glenn
 

RobertR, New Member, Jun 3, 2007, #2
To capture a memory image in Helix from the Windows side, you load the disk and go to the imaging tool menu... I believe by default it is set to capture the RAM. Look at the e-fense\helix site and download the manual for Helix... it is a bit dated but most of the functions and operations are the same.

If you know the admin password for the target machine you can also connect remotely and grab the images of RAM and attached devices as well... that way you are touching the system just a little less.
 

pearl, New Member, Nov 12, 2007, #3
Try this:
1. Place a Knoppix disk with dd.exe in the live subject computer
2. Run CMD (command prompt)
3. Change directory to the dd.exe folder on the Knoppix CD
4. Attach an external drive to the subject computer and dd the RAM (PhysicalMemory) directly to the external drive

dd.exe if=\\.\physicalmemory of=f:\drive.dd conv=noerror bs=32k


\\.\physicalmemory (memory to be imaged from subject computer)

f:\physicalmemory.dd (external drive)

Analyze the dd image using your preferred program. I generally use FTK; you will need to conduct both an index and a data carve on the image to reveal any files, or you will only see chunks of drive free space. The last job I did recovered 3400 items from 2GB of RAM.
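To make the "data carve" step concrete, here is an added example (not code from pearl's post, and not FTK's carver) of what a signature carver does to a raw dd-style image: it records a hash of the image first, then scans for known file header bytes and cuts out everything up to the matching footer. The sample image, the JPEG/PNG signatures and the MAX_CARVE limit are my own constructed inputs; the limit is what keeps a header whose footer was paged out or overwritten (the usual case in RAM) from swallowing megabytes of unrelated memory.

```python
"""Signature-based carving over a raw memory image (added example).

Illustrates the "data carve" step: a raw dd-style image is scanned for
file headers and the bytes up to the matching footer are cut out.
Constructed stand-in for a carving tool, not code from FTK or the post.
"""
import hashlib
import struct
import zlib

# Header and footer byte signatures for two common embedded file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
# A header whose footer is not found within this many bytes is treated as a
# truncated or page-fragmented object and skipped (memory images are full of those).
MAX_CARVE = 8 * 1024 * 1024


def image_digest(image: bytes) -> str:
    """SHA-256 of the whole image, recorded before any carving starts."""
    return hashlib.sha256(image).hexdigest()


def carve(image: bytes, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return a list of (offset, kind, data), sorted by offset, for every header with a footer."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            end = image.find(tail, pos + len(head), limit)
            if end == -1:
                # No footer in range: truncated object, keep scanning after this header.
                pos = image.find(head, pos + 1)
                continue
            end += len(tail)
            found.append((pos, kind, image[pos:end]))
            pos = image.find(head, end)
    found.sort(key=lambda hit: hit[0])
    return found


def make_png(width: int, height: int) -> bytes:
    """Build a tiny valid RGB PNG (constructed sample, not from any real dump)."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


# Constructed sample "memory image": filler, a JPEG, a PNG, and a JPEG header with no footer.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
SAMPLE_PNG = make_png(2, 2)
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"B" * 30
SAMPLE_IMAGE = (b"\x00" * 512 + SAMPLE_JPEG + b"\x41" * 300
                + SAMPLE_PNG + b"\x00" * 200 + TRUNCATED_JPEG)
JPEG_OFFSET = 512
PNG_OFFSET = JPEG_OFFSET + len(SAMPLE_JPEG) + 300


if __name__ == "__main__":
    print("image sha256:", image_digest(SAMPLE_IMAGE))
    for offset, kind, data in carve(SAMPLE_IMAGE):
        print(f"{kind} at offset {offset:#x}, {len(data)} bytes")
```

Run it as-is and it reports the hash plus two carved objects; the footer-less JPEG header at the end is skipped rather than producing a bogus file. On a real image you would replace SAMPLE_IMAGE with the bytes read from the dd output, and the footer-based cut is only a first pass: a carver that parses each format's internal structure (chunk lengths for PNG, segment markers for JPEG) finds the true end far more reliably than a footer search.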
 
Sep 2, 2004, #5
pearl said:
Try this
1. Place a knoppix disk with dd.exe in live subject computer
This won't work... Knoppix doesn't run Win32 PE files (EXEs), and Windows doesn't run Knoppix binaries...
 

Prickaerts, Administrator, Jan 2, 2006, #6
Probably you are referring to the Helix incident response CD.

Keep in mind that WinXP SP2 (might even be SP1, not sure right now) does not allow DD to access the RAM.

Also have a look at this post:

http://windowsir.blogspot.com/2005/06/memory-dump-analysis.html
*** Note: There is a link on this page that points to windows-ir.com/fsp.html which is a site containing pornographic material. It is the link in the line "I've corresponded with folks using the FSP," where FSP is a link. Since the page linked from here actually does contain useful information I will leave it.
 
Sep 2, 2004, #7
Wow, I post direct links in this forum and my posts get deleted and I get a nasty-gram from the admin...

Anywho... Garner's version of dd.exe that you're referring to is no longer supported (he removed the ability to access the \\.\PhysicalMemory object and made the tool closed source). You have to purchase his kntdd.exe or knttools... the upside is that the tools work with Windows 2003 SP1, Vista, and will also work with Windows 2008.

Nigilant32 from Agile Risk Mgmt out of FL is a GUI based tool that will let you dump physical memory.

NTSecurity.nu has a memimager.exe tool... however, its output has some differences from other tools... in particular the size of the output file.

ProDiscover IR can be used to dump RAM, even over the wire.

In Forensic Magazine recently, there was an article by Kevin Mandia about using dcfldd.exe to dump RAM, but since that article was published, I haven't been able to find a single person who has gotten the tool to work on Windows XP SP2...including myself.
 

pearl, New Member, Nov 12, 2007, #8
The 'SPADA' (System Preview And Data Acquisition) disk used by Law Enforcement has all the tools you need (http://www.spada-cd.info/). SPADA is a Linux boot CD that uses a KNOPPIX remaster and incorporates other features like dd.
 
Feb 5, 2008, #9
EnCase "Winen"

EnCase just released EnCase 6.11 which has a new program in it called "Winen." This is specifically for capturing memory dumps on Windows machines. Just put it on your USB thumb drive, open a cmd prompt and run winen.exe. It has 64-bit support as well. This will leave a minute amount of footprint in the system registry but not enough to hurt anything. They have a help file on their site.
 

debaser_, New Member, Sep 30, 2007, #10
If I want to test something I usually just suspend VMs in VMware. IMO this is the easiest solution. I have had mixed results with Helix, but it is possible that it's PEBKAC.
 

Sha_d0h, New Member, Aug 31, 2008, #11
EnCase is now up to 6.7 and does a lot more than that... but Gargoyle has a live acquisition tool from a thumb drive and does NOT write to the disk. Windows can be forced to do a memory dump; it's in the MSFN, or Google it... it will dump it to the same drive, however.
 
