Dumping memory and browsing through it

Viewing 7 reply threads
    • #6472
      kamikaze_fish
      Participant

      I’m new to computer forensics, but I’m trying to figure out how to dump the data in physical memory, maybe to a flash drive, and what I can use to browse that dump. I was looking at win32dd and win64dd, and possibly using Volatility to browse the contents, but I’m not sure if there’s something better to use, or if someone can point me to training material.

    • #40139
      sil
      Participant

      If you’re a glutton for punishment, Mandiant Memoryze + WinDbg will get you ALL you will need (http://www.mandiant.com/products/free_software/memoryze/).

      Volatility works just fine without the hassle of getting your hands really dirty as well. WMFT is alright as well, but any of the ones mentioned should get you started and finished.

      http://www.mandiant.com/products/free_software/memoryze/
      http://forensic.seccure.net/tools/wmft_0.2.zip

    • #40140
      sil
      Participant

      You could also use DFF; see the 2-minute video walkthrough:

      http://www.infiltrated.net/dff-walkthrough/

    • #40141
      R3B005t
      Participant

      Sil, what are your thoughts on DFF? I’m playing around with it and find it to be pretty robust so far. I’d recommend kamikaze go for the Mandiant Memoryze and the Memoryze viewer initially until he gets more comfortable with the more advanced memory forensic tools. There really is no end to the memory analysis kit out there; if you’re comfortable with *nix then you could play around with the SANS SIFT workstation…

      Actually, Mandiant put out a new memory analysis tool called Redline. I have yet to play with it (downloading now), but it might be worth looking into; overall I think they make a decent product. So to recap: Memoryze & Audit Viewer, or Redline, would be great starting points.

    • #40142
      sil
      Participant

      DFF is alright, nothing more than a GUI for most other tools. I like to use old-school *nix tools via the CLI most of the time. I can do so from anywhere and the results are the same. It also helps keep me on my toes by way of remembering things.

    • #40143
      kamikaze_fish
      Participant

      Thank you, Sil. Great information, and you’ve definitely given me a good start.

    • #40144
      blackazarro
      Participant

      Yeah, I like Memoryze, and you can make it portable too. I added it to my IronKey USB flash drive as part of my tool kit. You just have to make sure to run it once from your flash drive with write mode enabled to let it copy some additional files.

      Also, last week I had the chance to play around with Redline. I like it, except that you need .NET Framework version 4 or greater to use it on your Windows machine. Currently it’s very slow at analyzing memory dumps and it doesn’t work well with Windows 7. But hey, it’s new, and I’m sure that Mandiant will improve it and make it better. I do recommend that beginners take a look at Redline and use it, because it walks you through, with explanations, how to quickly detect suspicious or potentially malicious processes, etc.

      Btw, Don, I can’t thank you enough for the IronKey flash drive. I can’t live without it! Since I can unlock the IronKey in read-only mode, it’s perfect for incident response and malware forensics. You don’t have to worry about your flash drive getting infected. I know it has been more than a year since I received my IronKey, but I just wanted to say thanks again.

    • #40145
      R3B005t
      Participant

      Yeah, Redline has potential. I hate the .NET requirement, and keep in mind this is the first release of the product. Things I have on my IronKey: Sysinternals Suite, MIR standalone scan (we do have an appliance, but you never know when you need to do the odd offline capture); I tossed Redline on there as well, plus a few other custom goodies. The only beef I have with the IronKey is that it’s a thousand times bigger than any other memory key I have. Overall though, the product roxxs.

Copyright ©2020 Caendra, Inc.