Comments on Windows Incident Response: Thoughts on memory footprints...

Comment by H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2010-08-10 12:08 -05:00

Ritch,

Sometimes, you just have to do what you gotta do...

Don't worry, others have seen the same things you have... unfortunately, when it comes to dumping memory from Windows systems, you get what you pay for. Part of the problem is that there are areas of memory that, even if you just read them, can crash the system.

If you don't have the necessary memory dumping tool, one that you've tested, then I'd recommend going with the batch file instead. Sometimes, the risk or cost of tipping the box is just too great.

Also, this is a perfect example of why I so strongly recommend that cops talk to us on the corporate side. You wouldn't believe the number of stories I've heard from LE, where some of us (not always me, believe me...) will say, "oh, yeah... we've seen that...".

For the most part, I think it's a trust issue, and a lot of LE simply aren't willing to climb that mountain. I know Maj Newell at the Broken Arrow PD in Tulsa, OK, did it... and she's reaping the benefits of it!

Comment by Ritch (https://www.blogger.com/profile/08939430806338374265), 2010-08-10 10:41 -05:00

Harlan,
Let me start by saying thanks for all of your work in the forensics field and for maintaining this always informative blog. Although I am not an official 'blog follower', I do frequent your blog as well as many others.
This will be my first blog post, so here goes.

Regarding incident response, I have in the past been a proponent of first dumping a system's RAM and then (second) running some additional tools (which I have scripted) to grab a variety of different volatile and non-volatile system information. During some recent testing, however, I may be re-thinking this order.

I was recently testing a variety of RAM dump tools including FastDumpPro, FTK Imager, Mdd, dd, and Winen. During my testing I found that Winen (64 bit version) would continually crash my 64 bit Windows 7 system, causing it to reboot. That made me think of previous testing that I had done (a couple of years ago) where other RAM dump tools had also caused my system to either freeze (forcing me to reboot) or crash and reboot.

I remember two recent search warrants where I was tasked with collecting running Windows systems. In the first case, the system crashed during the RAM dump, and in the second case, the system's USB ports were so bad that it took me 10 minutes just to get the USB cable working.

That being said, during my testing I have not (yet) had a system crash while collecting volatile / non-volatile data. Perhaps I have just been lucky so far, but I have never had any complications (other than trying to maintain a USB connection) while collecting system information.

So, I have started questioning my methodology. While realizing that capturing system information first (before the RAM dump) will certainly affect the RAM, causing a much larger 'footprint', is it better to first capture the system data, which is not as likely (in my experience) to cause a catastrophic system failure? A catastrophic failure would obviously cause the loss of all volatile data.

Working in Law Enforcement, I do not (usually) have the privilege of walking into a nice clean office to collect computers. More often than not, I am crawling around on a filthy, oil-stained carpet in some tweaker's bedroom (trying to keep the fleas off of my pants) while attempting to determine just what type of system I have and how to process it. Many of these systems are only partially assembled and are lucky to have functional USB ports.

So, for now I am not sure how I will proceed. I will likely develop my methodology on a case by case basis and hope for the best.
Thanks,
Ritch