RAM acquisition methods
There are hardware devices for capturing memory. Memory dumping agents also exist; these agents are part of enterprise security solutions. Both methods of acquiring memory images are somewhat expensive and suffer from the fact that they must be in place before a breach. Neither of these is widely used.
Other than the two choices above, if you want to capture memory you will need to create some sort of device that can access all of the virtual memory. Incidentally, this assumes your subject system is not running inside a virtual machine. If the subject of your investigation is a virtual machine, consult your virtualization software documentation for instructions. The techniques presented here will work on both physical and virtual systems.
A forensics memory device, fmem, is available for download from http://hysteria.sk/~niekt0/foriana/fmem_current.tgz. Because the fmem device (along with the LiME device to be discussed next) is highly dependent on various kernel structures, it must be built from source using header files from the subject machine. Remember my earlier warnings concerning building anything on the subject system.
Once built and installed, the newly created device /dev/fmem works just like /dev/mem, but without the limitation of only accessing the first 896 MB of RAM. The /dev/fmem device can be used to dump the physical RAM, and /proc/iomem can be used to determine where to find the interesting portions. Using fmem you will end up with a raw memory image. A screenshot from the terminal window I used to build and install fmem on my forensics workstation is shown in Figure 3.9. Notice that fmem is simple enough that the entire build and install process fits on a single screen, including the printout of the memory areas after installation.
FIGURE 3.9
Building and installing fmem.
Issuing the command cat /proc/iomem will print a long list of information, most of which is uninteresting to the forensic investigator. If we use grep (the GNU Regular Expression Parser) to extract only the "System RAM" entries from the results using the command cat /proc/iomem | grep "System RAM", we will see which relevant blocks of memory should be captured. The tail of the unfiltered output from cat /proc/iomem and the results of piping this to grep "System RAM" are shown in Figure 3.10.
FIGURE 3.10
Results from catting the /proc/iomem pseudo file. Unfiltered results are shown at the top and the blocks of system RAM are shown at the bottom.
The dd utility can be used to dump the relevant RAM sections to a file. This raw capture is difficult to use for anything beyond simple searches. The dd program and related utilities will be fully described in the next chapter (Chapter 4: Creating Images). Thankfully, there is a much easier and useful way to collect memory images that we will discuss next.
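The three steps above (read /proc/iomem, keep only the "System RAM" lines, and dump each of those physical ranges from /dev/fmem with dd) can be tied together in a short script. The following is an added example, not code from the book or from the fmem project. It assumes the fmem module has already been built and installed as described above and that /dev/fmem honours seeks the way /dev/mem does. The /proc/iomem sample embedded in the script is constructed so that the script runs offline; on a live subject you would feed the real pseudo file to the functions instead. By default it only prints the dd commands (one per RAM region, so that dd never wanders into reserved or device-mapped ranges), which also gives you a record of exactly what was acquired.

```shell
#!/bin/sh
# Added example (not from the book): turn the "System RAM" lines of /proc/iomem
# into one dd command per physical region, reading from /dev/fmem.

# Constructed sample of /proc/iomem output (not a real machine) so the script
# runs offline. On the subject, use:  ram_ranges < /proc/iomem
SAMPLE_IOMEM='00000000-00000fff : reserved
00001000-0009fbff : System RAM
000a0000-000bffff : PCI Bus 0000:00
00100000-bfedffff : System RAM
  01000000-0165ffff : Kernel code
bfee0000-bfefffff : ACPI Tables
100000000-13fffffff : System RAM'

# ram_ranges: read /proc/iomem text on stdin and print "start_hex end_hex"
# for every top-level "System RAM" entry (nested entries are indented and
# describe what lives inside a region, so the sed strip is harmless here).
ram_ranges() {
    grep 'System RAM' | sed 's/^ *//' | awk -F'[- :]+' '{ print $1, $2 }'
}

# dd_commands DEVICE OUTDIR: print one dd command per RAM region. Offsets are
# passed as bytes via GNU dd's skip_bytes/count_bytes flags, so no block-size
# arithmetic is needed; bs only controls the transfer size. Each region goes to
# its own file named after its physical address range.
dd_commands() {
    dev="$1"; outdir="$2"
    ram_ranges | while read -r start end; do
        s=$((0x$start)); e=$((0x$end))
        len=$((e - s + 1))
        printf 'dd if=%s of=%s/ram_%s-%s.raw bs=1M iflag=skip_bytes,count_bytes skip=%d count=%d\n' \
            "$dev" "$outdir" "$start" "$end" "$s" "$len"
    done
}

# total_ram_bytes: sum of all System RAM regions on stdin, in bytes. Useful
# for checking that you have enough free space on the evidence drive before
# starting the dump (the sum is accumulated in the main shell, not a subshell).
total_ram_bytes() {
    total=0
    for len in $(ram_ranges | while read -r s e; do echo $((0x$e - 0x$s + 1)); done); do
        total=$((total + len))
    done
    echo "$total"
}

# Dry run against the constructed sample. To acquire for real, replace the
# sample with /proc/iomem and pipe the commands into sh, e.g.:
#   dd_commands /dev/fmem /mnt/evidence < /proc/iomem | sh
printf '%s\n' "$SAMPLE_IOMEM" | dd_commands /dev/fmem /mnt/evidence
printf 'Total System RAM to acquire: %s bytes\n' \
    "$(printf '%s\n' "$SAMPLE_IOMEM" | total_ram_bytes)"
```

Keeping one dd invocation per region, with an explicit count, is the important part: the gaps between the System RAM entries are reserved or device ranges, and a single dd over the whole device would read through them. Hash each output file (for example with sha256sum) as soon as it is written, and record the printed dd command lines alongside the hashes in your notes.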