volatile memory on windows

18 Posts
6 Users
0 Likes
6,377 Views
koko
(@koko)
Posts: 21
Eminent Member
Topic starter
 

I am just looking for some recommendations of open source software that can grab the volatile memory (RAM) from a Windows machine.

 
Posted : 25/01/2006 9:02 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

dd

Harlan

 
Posted : 25/01/2006 10:50 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

More specifically…

http://users.erols.com/gmgarner/forensics/

Now, the $64 question…what are you planning to do with it once you have it? Given the discussions that have taken place here, and on other boards, I'm sincerely curious about this topic.

Harlan

 
Posted : 25/01/2006 10:52 pm
koko
(@koko)
Posts: 21
Eminent Member
Topic starter
 

Thank you for the info. I didn't realize you could do it with dd.

I hope I don't disappoint you when I say that my intentions in using it right now are just educational. I'm just going to run it on my machine, etc.

 
Posted : 27/01/2006 1:45 am
(@farmerdude)
Posts: 242
Estimable Member
 

Hi koko,

You can use 'dd' for some memory, but not all. Not all memory has an EOF marker, and 'dd' doesn't like that. Memory can have holes … and 'dd' won't like that either.

You're much better off using a tool written for dumping memory, reading one page at a time so as to minimize your effect on the system memory. 'memdump' is one such tool.

regards,

farmerdude

 
Posted : 27/01/2006 10:14 am
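To illustrate the difference farmerdude describes between a sequential dd-style copy and a page-at-a-time dumper, here is an added example that is not code from this thread or from memdump. It models physical memory with a constructed stand-in object (`HoleyMemory`, a hypothetical class) in which some page frames are unreadable, and compares a stream copy that aborts at the first error with a page-wise acquisition that zero-fills the hole, keeps later pages at their correct physical offsets, and hashes the image as it is written.

```python
import hashlib

PAGE = 4096  # x86 page size; a page-wise dumper issues one read per page


class HoleyMemory:
    """Constructed stand-in for a physical-memory source (not a real device).

    Some page frames are unreadable, like reserved or device-mapped ranges
    in a real physical address space; reading them raises, as a device would.
    """

    def __init__(self, npages, holes):
        self.npages, self.holes = npages, set(holes)

    def read_page(self, n):
        if n in self.holes:
            raise OSError(f"page {n} is not readable")
        return bytes([n % 256]) * PAGE  # recognisable filler per page


def stream_copy(src):
    """dd-style copy: one sequential stream, abort on the first read error.
    Returns the bytes copied before the failure, i.e. a truncated image."""
    out = bytearray()
    for n in range(src.npages):
        try:
            out += src.read_page(n)
        except OSError:
            break
    return bytes(out)


def acquire_pagewise(src):
    """Page-at-a-time acquisition: an unreadable page is zero-filled and
    logged, so every later page still lands at its physical offset, and the
    image is hashed while it is written for the acquisition record."""
    out, holes, digest = bytearray(), [], hashlib.sha256()
    for n in range(src.npages):
        try:
            data = src.read_page(n)
        except OSError:
            data = b"\x00" * PAGE
            holes.append(n)
        out += data
        digest.update(data)
    return bytes(out), {"pages": src.npages, "holes": holes,
                        "sha256": digest.hexdigest()}


if __name__ == "__main__":
    mem = HoleyMemory(npages=8, holes=[2, 5])  # constructed: pages 2 and 5 unreadable
    print(len(stream_copy(mem)), "bytes via stream copy (stops at first hole)")
    image, report = acquire_pagewise(mem)
    print(len(image), "bytes page-wise;", report)
```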
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Thomas,

Are you referring to the 'memdump' that comes with TCT?
http://www.porcupine.org/forensics/tct.html

Harlan

 
Posted : 27/01/2006 5:37 pm
(@farmerdude)
Posts: 242
Estimable Member
 

memdump by Wietse is the tool I mentioned in my post. I know it's separate from TCT, unless recently he's added it into the package. We spoke of grabbing memory a few years back at AusCERT and subsequently he released memdump. There are others, but this works very well.

regards,

farmerdude

 
Posted : 27/01/2006 6:38 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Thomas,

Given that the 'memdump' you mentioned is for *nix systems, is there a version available for Windows, per the subject of the thread?

Harlan

 
Posted : 27/01/2006 6:43 pm
(@psycko)
Posts: 16
Active Member
 

Hi !
There's a freeware DOS version, located here

http://www.tssc.de/download/prods/memdump.zip

Regards

R1

 
Posted : 07/02/2006 11:57 pm
(@farmerdude)
Posts: 242
Estimable Member
 

R1 beat me to the reply. That link appears to work.

I have used memdump compiled for Windows as well (DOS version) in addition to a proprietary dumper, one page at a time.

Download from the R1 link and test it out.

regards,

farmerdude

 
Posted : 08/02/2006 6:37 am
Page 1 / 2