Memory Forensics
Content Leader: Jess Garcia - Last Updated: June 19, 2007
Techniques

Software

- UNIX
  - Dump /dev/mem (physical memory) or /dev/kmem (kernel virtual memory), e.g. with dd
- Windows
  - \Device\PhysicalMemory (or \\.\PhysicalMemory)
  - NtSystemDebugControl

Hardware

- Sparc's OpenBoot
  - "The firmware can be accessed by using the L1-A (or STOP-A) keys and the system is suspended and placed into the OpenBoot prompt. [...] If the sync command is typed at the OpenBoot prompt, the memory and register contents are dumped to a pre-configured device, typically the swap space on a hard drive. After the memory is written, the system reboots and the savecore command can be executed to copy the memory from the dump device to the file system. [...] A disadvantage of this technique is that, by default, it overwrites data in swap space and it requires the system to be rebooted so that savecore can copy the memory contents from swap."
- Through a PCI card (proof of concept: Tribble)
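The UNIX technique above (dumping /dev/mem with dd) as an added example; this is not code from the original page. It wraps dd so that read errors on protected or unmapped ranges do not abort the acquisition and do not shift file offsets away from physical addresses, and it records a hash of the image as soon as it is written. The function names acquire_mem and image_hash, the 4096-byte block size and the use of sha256sum are assumptions of this example. Note that on current Linux kernels built with CONFIG_STRICT_DEVMEM, reads from /dev/mem outside the first megabyte fail with EPERM even as root, so the padded image will be mostly zeros; the wrapper is still useful for testing against an image file, or on systems where the device is readable.

```shell
#!/bin/sh
# Added example (not from the original page): acquisition wrapper for the
# "dump /dev/mem" technique. Assumptions: block size 4096, sha256sum present,
# caller has read access to the source (root for a real memory device).

# acquire_mem SRC DST
#   Copies SRC to DST block by block, writes DST.sha256 and DST.dd.log.
#   Returns 0 on success, 1 if the source is unreadable or dd fails.
acquire_mem() {
    src="$1"
    dst="$2"
    bs=4096

    if [ ! -r "$src" ]; then
        echo "acquire_mem: cannot read $src" >&2
        return 1
    fi

    # conv=noerror: keep reading past blocks that return EIO/EPERM
    #   (protected or unmapped physical ranges) instead of stopping.
    # conv=sync: pad every short or failed block to $bs bytes with NULs,
    #   so offset N in the image still corresponds to physical address N.
    # dd's own statistics and error messages are kept as part of the record.
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync 2>"$dst.dd.log" || return 1

    # Hash immediately so later analysis can be tied to exactly this image.
    sha256sum "$dst" > "$dst.sha256" || return 1
    return 0
}

# image_hash DST
#   Prints the hash recorded for DST at acquisition time.
image_hash() {
    awk '{print $1}' "$1.sha256"
}
```

Usage on a live system would be `acquire_mem /dev/mem /mnt/evidence/host.mem`; the dd log and the .sha256 file belong with the image in the evidence record. Because conv=sync pads to whole blocks, the image is always a multiple of the block size and the trailing bytes past the end of a short source are NULs, not source data.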
Tools
Windows
Linux
References

[1] A Hardware-Based Memory Acquisition Procedure for Digital Investigations - Brian Carrier, Joe Grand - 2003
[2] Physical Memory Forensics - Mariusz Burdach - 2006
[3] Finding Digital Evidence In Physical Memory - Mariusz Burdach - 2006
[4] Using memory dumps in digital forensics (login required)
[5] Digital Forensics of the Physical Memory - Mariusz Burdach - June 2005
[6] Introduction To Windows Memory Forensic
[7] Firewire: all your memory are belong to us - 2005
[8] Forensic memory dumping intricacies - PhysicalMemory, DD, and caching issues - Arne Vidstrom - 2006
[9] Memory dumping with NtSystemDebugControl - Arne Vidstrom - 2007
[10] Firewire, DMA & Windows
[11] Volatools: Integrating Volatile Memory into the Digital Investigation Process