Forensic memory dumping intricacies

By | June 5, 2006

One of the research topics that interests me the most right now is how to dump the RAM contents of a running computer in a forensically sound manner. It can be done quite nicely if the target system has a FireWire port, as demonstrated by Maximillian Dornseif, Michael Becher, and Christian Klein at CanSecWest/core06 – but not if the target computer is running Windows.

A more detailed analysis than they presented can be found in a forthcoming report (written by me) from the Swedish Defence Research Agency. Dumping can also be done with a special PCI card – which has to be installed beforehand. In most practical cases we are left with no other option than doing a dump from the PhysicalMemory device using DD from the Forensic Acquisition Utilities or similar.
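The software-only route above (reading the PhysicalMemory device with a dd-style tool) raises two practical questions for a forensically sound image: what happens when a page cannot be read, and how the result is tied to a hash. The block below is an added illustration, not code from this post or from the Forensic Acquisition Utilities. It models the usual dd behaviour of `conv=noerror,sync` (an unreadable block is replaced by zeros so later offsets stay correct, and the offset is logged) and hashes the image as it is written. `FlakyDevice` is a constructed stand-in for a raw device that fails on chosen blocks; the data and the failing block are invented for the example.

```python
import hashlib
import io


class FlakyDevice:
    """Constructed stand-in for a raw memory device (assumption for this
    example). Serves `data` in order and raises OSError for any block whose
    index is in `bad_blocks`, mimicking a page the kernel refuses to read."""

    def __init__(self, data, block_size, bad_blocks=()):
        self._data = data
        self._bs = block_size
        self._bad = set(bad_blocks)
        self._pos = 0

    def seek(self, offset):
        self._pos = offset

    def read(self, size):
        if self._pos >= len(self._data):
            return b""                      # end of device
        if self._pos // self._bs in self._bad:
            raise OSError(5, "Input/output error")
        chunk = self._data[self._pos:self._pos + size]
        self._pos += len(chunk)
        return chunk


def image_device(src, dst, block_size=4096):
    """Copy src to dst block by block, dd-style.

    An unreadable block is replaced by zeros (like dd conv=noerror,sync) and
    its offset recorded, so the image keeps correct offsets and the log
    documents exactly what was not acquired. The SHA-256 is computed over
    the bytes actually written, so it can be verified against the image file.
    Returns (bytes_written, bad_offsets, sha256_hex).
    """
    digest = hashlib.sha256()
    bad_offsets = []
    offset = 0
    while True:
        src.seek(offset)
        try:
            chunk = src.read(block_size)
        except OSError:
            chunk = b"\x00" * block_size    # pad, keep offsets intact
            bad_offsets.append(offset)
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return offset, bad_offsets, digest.hexdigest()


def image_to_bytes(src, block_size=4096):
    """Convenience wrapper: image into memory and return (image, bad, hash)."""
    out = io.BytesIO()
    n, bad, h = image_device(src, out, block_size)
    return out.getvalue(), bad, h


def sha256_hex(data):
    """Independent hash of a finished image, for verification after the fact."""
    return hashlib.sha256(data).hexdigest()


def acquisition_report(bytes_written, bad_offsets, sha256, block_size):
    """Plain-text record to keep alongside the image (chain-of-custody note)."""
    lines = [
        f"bytes_written: {bytes_written}",
        f"block_size: {block_size}",
        f"sha256: {sha256}",
        f"unreadable_blocks: {len(bad_offsets)}",
    ]
    lines += [f"  zero-filled at offset {off:#x}" for off in bad_offsets]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: ten 512-byte blocks, block 3 unreadable.
    sample = b"".join(bytes([i]) * 512 for i in range(10))
    dev = FlakyDevice(sample, 512, bad_blocks=[3])
    image, bad, h = image_to_bytes(dev, 512)
    print(acquisition_report(len(image), bad, h, 512))
    print("verify:", sha256_hex(image) == h)
```

The point of zero-filling rather than skipping is that every offset in the image still corresponds to the same physical address as on the live machine, which is what later analysis relies on; the report records which ranges are padding so they are not mistaken for genuinely zeroed memory.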
