Schlagwort-Archive: forensic

RAM Analysis – Part 1: Introduction and Obtaining the RAM image

I just found this old draft from July 2010, which I completely forgot about. This was supposed to be a series of blogposts but I didn’t had the time back then. Even this post is far from complete, but maybe it’s useful for somebody.

1.1 Introduction

This multiparted series will summarize the various aspects, possibilities and methods to obtain and analyse a computers physical memory. You can find a lot of information about memory analysis on the net and this series neither wants to nor won’t be able to cover all aspects. Part I will focus on the different methods to obtain an memory dump, which will be analyzed later. If you’re not interested in getting a memory dump and just want to take a look at its content, you can download some of the sample memory images for example from here, here, or here.

1.2 Hardware Tools

There are a few PCI cards out there, but most of them are research projects or not available to the costumer.

Tribbel PCI card
Tribble is a proof-of-concept research project by Joe Grand of Grand Idea Studio and Brian Carrier of Most information about the device can be found in this paper.

CoPilot was developed by Komoku as a malware protection and rootkit detection PCI card and was later on acquired by Microsoft.

FRED: Forensic RAM extraction device
Only a few information about this project is available on the developers website at BBN Technologies.

1.3 Software Tools

1.3.1 Windows (free)

1.3.2 Windows (paid)

1.3.2 Unix/Linux/Mac


Firewire, only for use by law enforcement

1.4 Forensic live cds


1.5 Links