Hi

I have a question.

If you dump the RAM ("internal memory") with dd to an image file, do you get everything in memory, or will something be missing?

The dd application is running in memory, so it is altering it as you dump it. You might want to look into how the open source ClamWin virus scanner handles this issue when scanning memory for viruses.

I would use RamCapturer from Belkasoft or FTK Imager; I think it has an option to extract RAM as a dd image as well.

Thanks all.
If I change my question to:

If you dump the RAM ("internal memory") with any software to an image file, do you get everything in memory, or will something be missing?

Maybe it's more clear now.

Whatever is in the RAM should be in the image afterwards, unless a corruption of some kind has occurred (which is not that uncommon). You seem interested in volatile memory, as you've asked about Volatility and now RAM images. I would suggest you take a look at a book called "The Art of Memory Forensics". It is by the developers of Volatility, so the tool is used throughout the book. Moreover, the book covers RAM images of different Windows operating systems, Linux and Mac as well. It is an incredible read, and I am pretty sure that if you want to get deeper into the field you would love it.

If it is Linux RAM, I don't think you can use dd to capture or image it. I think LiME may be the option if you are dealing with Linux. There are several free tools for Windows in addition to those already mentioned. Note, however, that as RAM is volatile, the footprint of the tool you use will overwrite data in RAM. As an example, if your target is 1GB and your tool's footprint is 100 MB, you just overwrote 100MB of potentially valuable data. Some tools have larger footprints than others. $0.02

LiME is the only decent option, yeah. The problem with Linux is that you need a profile of the exact system that you are running, and it's usually the case that you have to make that yourself (on a different machine, so the RAM that you are trying to capture doesn't get changed). The process is a bit painful, especially when it comes to Kali... But there are some premade profiles on GitHub open for download that include the most common distros, although it's been a while since they've been updated.
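An added example, not from any poster in this thread, on the "will something be missing" question for Linux: the kernel's physical memory map in /proc/iomem lists which address ranges are "System RAM" and which are reserved, firmware or device ranges that no RAM image will ever contain. Parsing it gives the byte count a complete raw (concatenated) capture should reach and the size of a padded capture (holes zero-filled), so an undersized image file can be flagged. The /proc/iomem excerpt below is constructed, not taken from a real host.

```python
import re
from typing import Dict, List, Tuple

# Constructed /proc/iomem excerpt (not captured from a real machine). Ranges are
# hex and inclusive; indented lines are children of the top-level range above.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
000a0000-000bffff : PCI Bus 0000:00
000f0000-000fffff : System ROM
00100000-3ffdffff : System RAM
  01000000-01a00000 : Kernel code
3ffe0000-3fffffff : Reserved
fec00000-fec003ff : IOAPIC 0
"""

_LINE = re.compile(r"^( *)([0-9a-f]+)-([0-9a-f]+) : (.+)$")


def parse_iomem(text: str) -> List[Tuple[int, int, str]]:
    """Return the top-level (start, end_inclusive, name) entries of /proc/iomem."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and not m.group(1):  # skip indented child ranges such as kernel code
            out.append((int(m.group(2), 16), int(m.group(3), 16), m.group(4)))
    return out


def capture_layout(text: str) -> Dict[str, object]:
    """Sizes a complete capture must reach, plus the non-RAM holes inside the RAM span."""
    ranges = parse_iomem(text)
    ram = [(s, e) for s, e, n in ranges if n == "System RAM"]
    lo, hi = min(s for s, _ in ram), max(e for _, e in ram)
    return {
        "ram_bytes": sum(e - s + 1 for s, e in ram),   # raw image: RAM ranges concatenated
        "padded_bytes": hi - lo + 1,                    # padded image: holes written as zeros
        "holes": [(s, e, n) for s, e, n in ranges
                  if n != "System RAM" and s > lo and e < hi],
    }


def missing_bytes(image_size: int, text: str) -> int:
    """Bytes of System RAM a raw image of the given size cannot contain (0 = complete)."""
    return max(0, int(capture_layout(text)["ram_bytes"]) - image_size)
```

Running it on the sample shows about 1 GiB of System RAM split around three firmware/PCI holes below 1 MiB; an image file smaller than ram_bytes (or padded_bytes for a padded capture) is missing data regardless of which tool wrote it.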
