RAM Analysis – Part 1: Introduction and Obtaining the RAM image

I just found this old draft from July 2010, which I completely forgot about. This was supposed to be a series of blogposts but I didn’t had the time back then. Even this post is far from complete, but maybe it’s useful for somebody.

1.1 Introduction

This multiparted series will summarize the various aspects, possibilities and methods to obtain and analyse a computers physical memory. You can find a lot of information about memory analysis on the net and this series neither wants to nor won’t be able to cover all aspects. Part I will focus on the different methods to obtain an memory dump, which will be analyzed later. If you’re not interested in getting a memory dump and just want to take a look at its content, you can download some of the sample memory images for example from here, here, or here.

1.2 Hardware Tools

There are a few PCI cards out there, but most of them are research projects or not available to the costumer.

Tribbel PCI card
Tribble is a proof-of-concept research project by Joe Grand of Grand Idea Studio and Brian Carrier of digital-evidence.org. Most information about the device can be found in this paper.

CoPilot
CoPilot was developed by Komoku as a malware protection and rootkit detection PCI card and was later on acquired by Microsoft.

FRED: Forensic RAM extraction device
Only a few information about this project is available on the developers website at BBN Technologies.

1.3 Software Tools

1.3.1 Windows (free)

http://www.mantech.com/capabilities/mdd.asp

http://sourceforge.net/projects/mdd/

https://www.hbgary.com/products-services/fastdump-pro/

1.3.2 Windows (paid)

http://gmgsystemsinc.com/knttools/

http://www.x-ways.net/capture/index-d.html

1.3.2 Unix/Linux/Mac

Firewire http://www.storm.net.nz/projects/16

Firewire, only for use by law enforcement http://goldfish.ae/

http://www.sleuthkit.org/index.php
http://www.forensicswiki.org/index.php?title=Jesse_Kornblum

1.4 Forensic live cds

http://www.caine-live.net/

http://www.deftlinux.net/

helix

1.5 Links

http://www.gmgsystemsinc.com/fau/
http://computer.forensikblog.de/themen/windows/speicheranalyse/index10.html
http://cybercrimetech.com/projects/reaper/
http://www.digital-evidence.org/tools/index.html
http://www.forensicswiki.org/wiki/Tools:Memory_Imaging
http://www.informaworld.com/smpp/section?content=a779634402&fulltext=713240928
http://www.dfrws.org/

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.