
Forensic memory dumping intricacies

June 5th, 2006

One of the research topics that interests me the most right now is how to dump the RAM contents of a running computer in a forensically sound manner. It can be done quite nicely if the target system has a FireWire port, as demonstrated by Maximillian Dornseif, Michael Becher, and Christian Klein at CanSecWest/core06 – but not if the target computer is running Windows.

A more detailed analysis than they presented can be found in a forthcoming report (written by me) from the Swedish Defence Research Agency. Dumping can also be done with a special PCI card – which has to be installed beforehand. In most practical cases we are left with no other option than doing a dump from the PhysicalMemory device using DD from the Forensic Acquisition Utilities or similar.
