Dumping memory and browsing through it

kamikaze_fish

Newbie

Posts: 2

Joined: Wed Jun 08, 2011 10:27 am

Post Wed Jun 08, 2011 12:06 pm

Dumping memory and browsing through it

I'm new to computer forensics, but I'm trying to figure out how to dump the data in the physical memory, maybe to a flash drive, and what I can use to browse that dump. I was looking at win32dd and win64dd, and possibly using Volatility to browse the contents, but I'm not sure if there's something better to use, or could someone point me to training material?

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Jun 08, 2011 12:52 pm

Re: Dumping memory and browsing through it

If you're a glutton for punishment, Mandiant Memoryze + WinDBG will get you ALL you will need (http://www.mandiant.com/products/free_s ... /memoryze/).

Volatility works just fine without the hassles of getting your hands really dirty as well. WMFT is alright as well, but any of the ones mentioned should get you started and finished.

http://www.mandiant.com/products/free_s ... /memoryze/
http://forensic.seccure.net/tools/wmft_0.2.zip
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Jun 08, 2011 4:23 pm

Re: Dumping memory and browsing through it

You could also use DFF; see the 2-minute video walkthrough:

http://www.infiltrated.net/dff-walkthrough/
R3B005t

Newbie

Posts: 43

Joined: Wed Mar 09, 2011 9:03 am

Location: NVA/D.C.

Post Fri Jun 10, 2011 1:36 pm

Re: Dumping memory and browsing through it

Sil, what are your thoughts on DFF? I'm playing around with it and find it to be pretty robust so far. I'd recommend kamikaze go for the Mandiant Memoryze and the Memoryze viewer initially until he gets more comfortable with the more advanced memory forensic tools. There really is no end to the memory analysis kit out there; if you're comfortable with *nix then you could play around with the SANS SIFT workstation....

Actually, Mandiant put out a new memory analysis tool called Redline. I have yet to play with it (dling now), but it might be worth looking into; overall I think they make a decent product. So to recap: Memoryze & Audit Viewer, or Redline, would be great starting points.
Last edited by R3B005t on Fri Jun 10, 2011 1:41 pm, edited 1 time in total.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Jun 10, 2011 1:56 pm

Re: Dumping memory and browsing through it

DFF is alright, nothing more than a GUI for most other tools. I like to use old-school *nix tools via the CLI most of the time. I can do so from anywhere and the results are the same. It also helps keep me on my toes by way of remembering things.
kamikaze_fish

Newbie

Posts: 2

Joined: Wed Jun 08, 2011 10:27 am

Post Fri Jun 10, 2011 2:48 pm

Re: Dumping memory and browsing through it

Thank you, Sil. Great information, and you've definitely given me a good start.
blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Fri Jun 10, 2011 3:20 pm

Re: Dumping memory and browsing through it

Yeah, I like Memoryze, and you can make it portable too. I added it to my Iron Key USB flash drive as part of my tool kit. You just have to make sure to run it once from your flash drive with write mode enabled to let it copy some additional files.

Also, last week I had the chance to play around with Redline. I like it, except that you need .NET Framework version 4 or greater to use it on your Windows machine. Currently, it's very slow in analyzing memory dumps and it doesn't work well with Windows 7. But hey, it's new, and I'm sure that Mandiant will improve it and make it better. I do recommend that beginners take a look at Redline and use it, because it walks you through, with explanations, quickly detecting suspicious or potentially malicious processes, etc.

Btw, Don, I can't thank you enough for the Iron Key flash drive. I can't live without it! Since I can unlock the Iron Key in read-only mode, it's perfect for incident response and malware forensics. You don't have to worry about your flash drive getting infected. I know it has been more than a year since I received my Iron Key, but I just wanted to say thanks again.
Security+, OSCP, CEH
R3B005t

Newbie

Posts: 43

Joined: Wed Mar 09, 2011 9:03 am

Location: NVA/D.C.

Post Sun Jun 12, 2011 2:10 pm

Re: Dumping memory and browsing through it

Yeah, Redline has potential. I hate the .NET requirement, and keep in mind this is the first release of the product.. Things I have on my Ironkey: Sysinternals suite, MIR standalone scan (we do have an appliance, but you never know when you need to do the odd offline capture). I tossed Redline on there as well, as a few other custom goodies. The only beef I have with the Iron Key is that it's a thousand times bigger than any other memory key I have. Overall though, the product roxxs.
