Full Memory Acquisition on Live Windows System

The simplest approach to capturing the full physical memory of a Windows system is running the "dd" command from removable media (you can download the dd tool from the FAU website). Although dd is originally a Linux/AIX tool, a Windows build of dd can be found via Google.

If you are not that familiar with the command line, there are plenty of free (open source) GUI tools available on the internet, e.g. FTK and mdd (Wiki).

Here is an example of how to get a RAM image using the Helix Live CD. I have an old version of the Helix Live CD (2008 R).

A sample screenshot of the Helix Forensic Live CD Version 2:

image

After accepting the terms and conditions of the Live CD, you can browse lots of forensic tools (hmm, I have an old and outdated one 😦).

image

To acquire a RAM image using dd: [ Menu Page >> Acquire >> Acquire RAM ]

image

Select the destination folder where the image has to be stored.

image

Now press the Acquire button and the Helix Live forensic CD will ask for confirmation.

image

Simply press YES and wait for some time (it depends on your system's CPU speed / RAM size).

image

After a couple of minutes:

image

Check the image size and location.

image

(Here my VMware XP machine has 512 MB of RAM, and I got a 526,970,880-byte image, i.e. approx. 514 MB.)

Here is an interesting feature: the Helix Live forensic CD automatically creates an md5 file of the RAM image (check here how md5 is useful for forensics).
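As an added example (not part of the original post and not Helix's own code), the following Python script recomputes the MD5 of an acquired image, compares it with the sidecar .md5 file that Helix writes (assumed here to be in md5sum layout), sanity-checks the image size against the installed RAM, and records a SHA-256 alongside the MD5 for the examiner's notes. The data in demo() is constructed, not a real memory capture.

```python
import hashlib
import os
import re
import tempfile

# md5sum layout: 32 hex digits, whitespace, optional '*' (binary mode), filename.
MD5_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+\*?(\S.*?)\s*$")

def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Hash the image in 1 MiB chunks so a multi-GB dump never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_md5_sidecar(path):
    """Return (digest, filename) from the sidecar file.
    Assumption: the Helix .md5 file uses md5sum layout; adjust MD5_LINE if yours differs."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        for line in f:
            m = MD5_LINE.match(line)
            if m:
                return m.group(1).lower(), m.group(2)
    raise ValueError("no MD5 digest found in " + path)

def verify_ram_image(image_path, sidecar_path, installed_ram_bytes, tolerance=0.10):
    """Compare the recomputed MD5 with the sidecar and sanity-check the size.
    The +/-10% window is a heuristic: a physical-memory dump is usually close to,
    but rarely exactly, the installed RAM size (cf. 512 MB RAM -> 526,970,880 bytes)."""
    size = os.path.getsize(image_path)
    recorded, _ = parse_md5_sidecar(sidecar_path)
    actual_md5 = hash_file(image_path, "md5")
    return {
        "size_bytes": size,
        "size_plausible": abs(size - installed_ram_bytes) <= tolerance * installed_ram_bytes,
        "md5_matches": actual_md5 == recorded,
        "md5": actual_md5,
        # A second, stronger digest to record next to the MD5 in the chain-of-custody notes.
        "sha256": hash_file(image_path, "sha256"),
    }

def demo():
    """Constructed data only: a 1 MiB pseudo-image plus a sidecar, not a real capture."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "ram.dd")
        data = bytes(range(256)) * 4096          # 1,048,576 bytes of filler
        with open(img, "wb") as f:
            f.write(data)
        with open(img + ".md5", "w") as f:       # sidecar in md5sum layout
            f.write(hashlib.md5(data).hexdigest() + "  ram.dd\n")
        return verify_ram_image(img, img + ".md5", installed_ram_bytes=1 << 20)
```

On a real case, call verify_ram_image() with the path Helix reported, the .md5 it wrote, and the RAM size shown by the system, and copy both digests into your acquisition notes.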
