Currently "In Submission" to JDFP
(some content may change before publication)

THE ACQUISITION AND ANALYSIS OF RANDOM ACCESS MEMORY

Timothy Vidas
Naval Postgraduate School
Monterey, CA

ABSTRACT

Mainstream operating systems (and the hardware they run on) fail to purge the contents of portions of volatile memory when that portion is no longer required for operation. Similar to how many file systems simply mark a file as deleted instead of actually purging the space that the file occupies on disk, Random Access Memory (RAM) is commonly littered with old information in unallocated space waiting to be reused. Additionally, RAM contains constructs and caching regions that include a wealth of state-related information. The availability of this information, along with techniques to recover it, provides new methods for investigation.

This article discusses the benefits and drawbacks of traditional incident response methods compared to an augmented model that includes the capture and subsequent analysis of a suspect system's memory, provides a foundation for analyzing captured memory, and provides suggestions for related work in an effort to encourage forward progress in this relatively new area of digital forensics.

KEYWORDS: memory, random access memory, memory analysis, digital forensics, Windows forensics, incident response, best practices

Tim Vidas is a Research Associate at the Naval Postgraduate School. He has been focusing his research in the field of digital forensics for a few years and is now primarily working in the area of trusted operating systems and kernels. In addition to research, he likes to teach and has a wide set of IT-related interests. He maintains several affiliations such as ACM, CERT, and InfraGard and holds several certifications such as CISSP, Security+ and EnCE. Tim has a BS and MS in Computer Science. In his free time he toys around with forensic competitions and CTF exercises.

A short version of this work was presented at the Third Annual IFIP WG 11.9 International Conference on Digital Forensics in Orlando, Florida on Jan 28-31, 2007.

Pre-publication copy
INTRODUCTION

Techniques described here tend to follow a more historical thought process regarding forensic procedures: acquire first, then identify. This may cause some privacy concerns when contrasted with some more modern approaches to e-discovery^1 where the pertinent information is located first and then only that information is acquired. This distinction is also pertinent when considering the classification of information. Traditionally acquired data will need to be classified at the highest classification level of any information found on the system. Theoretically, when using more selective methods of e-discovery, the acquisition could be limited to only acquire data of a certain classification level and thus not be subjected to the high watermark. Both the historical and selective techniques have their benefits and drawbacks, such as completeness versus speed and storage advantages respectively. This text does not debate these techniques.

This article makes many hardware and software assumptions. The Intel i386 / IA-32 architecture is assumed, along with a standard 4K page size. Only Microsoft Windows operating systems are discussed, and for systems that support memory-related boot switches such as /3G and /PAE it is assumed that these switches are not being used^2.

Even though the concept of object reuse and related techniques for its mitigation have been known for decades [1], many operating systems use memory management techniques that have little or no safeguards against this threat. A design decision to place a higher precedence on performance than on security is not uncommon. In the case of Random Access Memory (RAM), this design choice can be exploited in order to both further preserve and gain deeper insight into the state of a currently running machine.

BACKGROUND

Depending on the situation, upon arriving on scene, a responder has two core choices: either interact with the system or pull the plug. On one side, it has been known for some time that normal user interaction is undesirable; even performing a clean shutdown would destroy potential evidence by changing timestamps and potentially overwriting information. Following this train of thought, it was suggested that pulling the plug of a machine will leave it in a more preserved state than powering it down gracefully [2] (albeit some subsystems, such as the file system, may not recover gracefully from abrupt removal of power). On the other side, while pulling the plug does preserve the current contents of the hard disk drive, it allows little or no insight into what operations the system was performing at the time when the power was removed. In light of this lack of knowledge, others have provided incident response steps to perform in order to gain insight about the state of the system [3 among others].

When concerned with the contents of RAM, neither choice is adequate. Simply put, pulling the plug can clear the contents of RAM (in most cases), and performing many incident response actions overwrites potential evidence in memory, akin to creating new files on a suspect hard disk drive. Two additional concepts need to be introduced into the acquisition and analysis stages in order to take advantage of RAM contents: the acquisition of RAM, and the extraction of information from the RAM duplicate.

For some time now, varying abilities of acquiring RAM contents have been available. A popular open source LiveCD called Helix has supported George Garner's dd tool in combination with the Windows \\.\PhysicalMemory object since about 2004.
In many cases, this packaging of a tool with the memory object in a mostly graphical form can enable mainstream first responders to capture memory.

Regardless of the method used to acquire memory, little effort has been devoted to the problem of what to do with the copy once it has been acquired. The lack of analysis capability is likely why RAM content is not captured as a matter of course. Prior to 2005, the primary method of analyzing a RAM copy was to perform a strings analysis. In 2005, the Digital Forensics Research Workshop (DFRWS) held a Memory Analysis Challenge which will almost certainly be considered the beginning of the field of memory forensics. Two individuals were credited with winning the challenge (Garner and Betz) but neither publicly released their tools. Since then, others have created tools publicly (Vidas, Carvey, Burdach, Schuster [4-7]) and privately (Kornblum, Goldsmith). Current tools have distinct drawbacks, but the future outlook looks promising.

THE CASE FOR COPYING RAM

For those that currently do not copy RAM as part of their acquisition procedures, a logical first question to ask is "Why copy RAM?" There are several reasons that a complete RAM capture may prove useful; most revolve around key differences between data stored in RAM and data stored on a hard disk drive.

Volatile memory, e.g. RAM, is perceived to be more trusted than non-volatile memory, e.g. ROM, magnetic and optical storage. When simply considering data that is either not stored, or somehow protected, on a hard disk drive yet held in plaintext in memory, many data types immediately come to mind: passwords, financial transaction information, encryption keys, etc. The existence of this type of information may not even be intentional; poorly written applications can leave information resident, or this type of information may even occur as a byproduct of malware. Circa 1994, malware sophistication had grown to the point where a multipartite, stealthy virus [8] could slowly encrypt a hard disk drive unbeknownst to the user.

Malware can be completely memory resident. Rather than debate the differences between viruses, worms, trojans, etc., it is sufficient to say that malware can exist completely in RAM. In such a situation the malware may never even touch the hard disk drive. After removal of power from the system, no record of the malware would exist upon later examination. Contemporary examples of this would include the widely publicized Nimda and SQL Slammer worms [9,10].

Memory is latent. Much as a latent fingerprint is one that existed but was not readily evident, there is latent information available in memory. Similar to how the recovery of deleted files became a widespread act early in the field of digital forensics, the recovery of prior (deleted) processes has become a focus of current research in memory forensics. Due to file system caching, delayed writes, buffers, etc., it is even possible to extract full files or fragments of files from memory, data that may never have been written to the hard disk drive.

The hacker defense is becoming more common [11-17 among others]. Envision a suspect that has known contraband stored on their hard disk drive. A defense mechanism may be to purposefully download some malware. This malware need not even be related to the contraband data in any way. A judge/jury may be convinced that, due to the presence of malware and the inability to discern whether the malware could be at fault, a guilty suspect should be deemed innocent. The capture of memory can give the ability to both
determine whether the malware in question was actually executing and, if so, it may be possible to distinguish the capabilities of the malware in order to meet this burden of proof.

Executing code must actually exist somewhere. Malware routinely relies on obfuscation and other techniques to avoid detection and eradication. However, all code executing on a processor has to actually exist in executable form somewhere. In some cases memory acquisition may prove to be a useful way to perform malware analysis. One example may be executable packing. When executables are packed (binary obfuscation) they are inherently harder to understand. In some situations unpacked versions of executables could be extracted directly from memory in order to avoid tedious and time-consuming manual unpacking.

Duplicating RAM has less impact on potential evidence than normal incident response. During incident response, in order to gain insight about system state one might issue several commands and catalog the responses. A typical response may include creating more than 30 processes [3]. The more detailed the responses, the more accurate the portrayal of the system state, but the portrayal depends upon the granularity of the tools and the accurate recording and interpretation of the tool output. When considering a copy of RAM as an alternative, the recording is complete, and the interpretation and granularity can be altered via subsequent examination of the copy, a luxury that is not possible via live response.

Why wouldn't you acquire RAM? Even though under most circumstances the actual act of copying RAM will be shown to have a negative impact on potential evidence, the impact should be outweighed by the potential gain. Good procedures and documentation should help minimize the effect of potential damage to evidence, and eventually RAM acquisition will become an industry best practice.

It will be shown that, similar to Windows Task Manager listing current processes, forensic tools can be (and have been) created that list not only processes active at the time of memory acquisition, but also old and hidden processes.

RAM ACQUISITION

When creating a duplicate of a hard disk drive, ideally the drive is disconnected from the system and duplicated via a hardware write blocker. Even though power is removed, the data stored on the drive is not lost because the store is non-volatile. This is not the case with volatile memory such as RAM. Due to physical architecture, once power has been removed for a certain amount of time the state of the data in RAM is unknown. This prohibits the removal of RAM chips for duplication, and encourages live acquisition (while the system is running).

The actual acquisition of RAM can be performed in different ways, each with benefits and drawbacks. The biggest difference in technique is hardware vs. software acquisition. Currently there are three software-based techniques and two hardware-based techniques.

Software Acquisition

Software techniques are currently the most prevalent. A tool (such as dd) can be used from a LiveCD (such as Helix) to copy RAM^3, writing the duplicate to media that is not part of the suspect system (here a removable drive mounted as e:):

    dd if=\\.\Device\PhysicalMemory of=e:\memoryimage.dd bs=4096

In this case of software acquisition, some memory (potential evidence) will be overwritten because the copy utility itself will be instantiated as a process on the suspect system and the data that was in the portion of memory
that this new process occupies will be lost^4. For this reason, the footprint of any acquisition tool should be minimal. In the above example Helix was mentioned due to its prevalence in the field; however, the default configuration of Helix may not be conducive to acquisition needs. Helix will start an autorun process called helix.exe when the CDROM is inserted into a running Windows system. For memory acquisition purposes a less invasive tool would be preferred. The actual duplicate could be stored on removable media or saved across a network. At a minimum, introducing new hardware such as a mass storage device would affect the registry, while creating a new network connection will create associated structures in RAM.

A second software technique involves the use of a system crash. The notorious "blue screen of death" can occur under certain conditions outside of the control of the user, or it can be forced by the user. The user can force a crash either by using the built-in CrashOnCtrlScroll [18], which requires a registry edit, or via a 3rd party utility such as NotMyFault.exe released by Sysinternals (now owned by Microsoft). In either case, if the system is configured to create a FULL crash dump (as opposed to Mini, Kernel, or None, which is again controlled by the registry) then the contents of memory will eventually be saved to a file. This save comes at the cost of losing the contents of the pagefile (the dump is first written there), which, when combined with the size of the dump file subsequently created from it upon reboot, results in overwriting areas of the hard disk equal to or greater than twice the size of the physical memory present in the system. This negative impact on non-volatile evidence through the changing of registry values, overwriting of unallocated space and the potential for reboot^5 makes this method less preferred.

When using virtualization software, a virtual machine may be paused and the virtual physical memory (that is, the abstraction of physical memory presented to the virtual machine) can simply be copied unbeknownst to the virtual machine. Of course, this software technique does not address the tangible physical RAM, and is mentioned primarily for completeness.

Hardware Acquisition

Hardware techniques are currently quite limited. Firewire has shown some merit for acquisition, because Direct Memory Access is possible via the IEEE 1394 specification, and proof of concept code has been released [19]. However, results of acquisition via Firewire vary widely. This technique not only has specific hardware requirements, but has also been shown to be inconsistent [20] and in some cases causes hardware to malfunction.

Hardware acquisition through dedicated hardware is the most desirable method. When using dedicated hardware the contents of RAM do not have to be altered in order to create the copy. This method currently has two very distinct drawbacks: it requires premeditation because the hardware must be in place prior to the incident, and there are no such products currently available to the consumer (but proof of concept has been created [21,22]). Arguably, this is the only technique that can suspend a typical (non-virtual) machine in order to perform the acquisition.

Time Sliding Window

Since RAM is constantly in use, the contents of RAM are constantly changing. The amount of change varies greatly based on hardware, software, and usage of the system, but the fact remains that if the system is being used, RAM is changing. The fact that the contents are continuously changing, paired with the necessity to acquire memory while the system
is running, results in an inability to capture RAM at a precise point in time.

All of the above techniques^6 will exhibit a "time sliding-window" phenomenon where at least some portion of RAM was being altered at the time of the copy. Validation, such as an MD5 hash of the original media before and of the duplicate after the copy, may work on unchanging stores like a hard disk drive, but one would expect it not to work on RAM (the contents of which are expected to have changed between hashing). A hash of the duplicate taken once acquisition is complete still serves to detect later alteration of the copy; what it cannot do is prove that the copy matches what was in the live system.

A case could be made for validating similar copies. Consider two RAM duplicates made as closely together as time allows, one created right after the other. Temporal proximity would suggest that "not much" had changed in the RAM contents between the two copy operations, or at the very least that less change will have occurred than if the machine was left to run for extended or particularly busy periods. The amount of actual change could be quantified using a hash window equal to the page size. Pages that did not change between the two copy operations would have identical hashes; altered pages would have different hashes.

RAM ANALYSIS

Even if it is shown that creating a duplicate does have less negative impact on evidence than performing common incident response steps, the requirement for the information obtained during these steps still remains. The RAM duplicate serves little purpose without the ability to extract at least similar information to that which incident response tools can provide. Ideally, even more information can be garnered from the RAM duplicate.

Lack of Structure

Today most host-based forensic analysis revolves around the inspection and interpretation of files and file systems. Recovering files, analyzing time stamps, file carving, etc. typically all rely on file system specific concepts such as the File Allocation Table, Master File Table, inodes, and even clusters. This additional file system abstraction layer is not present when considering RAM. When compared to many types of files, much of the data in RAM may appear structureless.

The analysis of this raw data employs techniques from different areas such as kernel debugging and reverse engineering. In fact, in order to aid the analysis of the volatile data, information from a non-volatile store may often be required. Consider employing a technique to find processes that is similar to using file headers for traditional file carving. Just as particular byte sequences such as 0xFFD8FFE0 or 0xFFD8FFE1 can be searched for at the beginning of a cluster on disk to identify possible JPEG headers, particular patterns can be sought at the beginning of a memory boundary (such as a page) in order to find possible structures such as a process. In the case of a JPEG the file format is well known in order to facilitate broad use of the file type. In the case of a process no format needs to be publicly available, as the process structure was never intended to be disseminated to other systems. The lack of structure information is only compounded when considering closed-source operating systems. In order to seek out these structures, the format of the structure must be known prior to the search. A set of such structures can be calibrated using known systems. For example, through kernel debugging, it is readily apparent that the size and structure of a process differs between many Windows operating systems depending on version and service pack level (see Table 1: Windows Data Structure Offsets).
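The page-level comparison of two back-to-back captures described under Time Sliding Window above, as an added example (written for this edit, not code from the article): each 4 KiB page of two images is hashed separately and the pages whose digests differ are reported, which quantifies how much the system changed between the two copy operations. The two captures below are constructed synthetic data, not memory from a real system; MD5 is used because it is the digest the text discusses, and any digest would do.

```python
"""Page-wise comparison of two RAM captures (added example, not from the article).

Two captures of the same machine taken back to back cannot be expected to hash
identically, so each capture is split into page-sized windows (4 KiB, the page
size the article assumes) and each window is hashed on its own. Pages whose
hashes agree were stable across the two copy operations; the rest changed.
"""
import hashlib

PAGE_SIZE = 4096  # x86 page size assumed throughout the article


def page_hashes(image: bytes, page_size: int = PAGE_SIZE) -> list:
    """One hex digest per page_size window of the image (the last window may be short)."""
    return [hashlib.md5(image[off:off + page_size]).hexdigest()
            for off in range(0, len(image), page_size)]


def compare_captures(image_a: bytes, image_b: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Quantify how much changed between two captures of the same physical memory.

    Returns the indices of pages that differ, the number of pages compared and
    the ratio of stable pages. Captures of different length are compared over
    the common prefix and the surplus is reported separately, since a size
    mismatch usually means the two tools saw different physical address ranges.
    """
    hashes_a = page_hashes(image_a, page_size)
    hashes_b = page_hashes(image_b, page_size)
    common = min(len(hashes_a), len(hashes_b))
    changed = [i for i in range(common) if hashes_a[i] != hashes_b[i]]
    return {
        "pages_compared": common,
        "changed_pages": changed,
        "stable_ratio": (common - len(changed)) / common if common else 0.0,
        "extra_pages": abs(len(hashes_a) - len(hashes_b)),
    }


def build_sample_captures() -> tuple:
    """Construct two synthetic 16-page 'captures' for the demonstration.

    Constructed test data, not memory from a real system: capture B is capture A
    with page 3 rewritten entirely (as if an active process reused it), a single
    byte in page 9 flipped, and one extra page appended.
    """
    base = bytearray(PAGE_SIZE * 16)
    for page in range(16):
        base[page * PAGE_SIZE:(page + 1) * PAGE_SIZE] = bytes([page]) * PAGE_SIZE
    later = bytearray(base)
    later[3 * PAGE_SIZE:4 * PAGE_SIZE] = b"\xAA" * PAGE_SIZE
    later[9 * PAGE_SIZE + 100] ^= 0xFF
    later += b"\x00" * PAGE_SIZE
    return bytes(base), bytes(later)


if __name__ == "__main__":
    a, b = build_sample_captures()
    report = compare_captures(a, b)
    print(f"{len(report['changed_pages'])} of {report['pages_compared']} pages changed: "
          f"{report['changed_pages']}; stable ratio {report['stable_ratio']:.3f}; "
          f"{report['extra_pages']} page(s) present in only one capture")
```

On real captures the changed-page list is what an examiner would record alongside the two image hashes: it shows, per page, which parts of the evidence were in motion during acquisition rather than a single hash mismatch that says only that something changed.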
Table 1: Windows Data Structure Offsets

Field                    2000   XP     XP SP2  2003   Vista
EP_PageDirBase           18     18     18      18     18
EP_processors            34     34     34      34     34
EP_T_Forward             50     50     50      50     50
EP_T_Back                54     54     54      54     54
EP_priority              62     62     62      62     64
EP_T_Quantum             63     63     6f      63     *
EP_T_Qant_dis            69     69     69      69     60*
EP_exitStatus            6c     24c    1d0     24c    234
EP_createTime            88     70     70      70     88
EP_exitTime              90     78     78      78     90
EP_PID (client unique)   9c     84     84      84     9c
EP_WorkSetSize           e4     20c    20c     214    208
EP_WorkSetMin            e8     210    210     1f8    1ec
EP_WorkSetMax            ec     214    214     1fc    1f0
EP_AccessToken           12c    c8     c8      c8     e0
EP_PPID                  1c8    14c    14c     128    124
EP_name                  1fc    174    174     154    154
EP_size                  290    258    260     278    268
TH_size                  248    258    258     260    278
TH_createTime            1b0    1c0    1c0     1c8    1d0
TH_exitTime              1b8    1c8    1c8     1d0    1d8
TH_exitStatus            1c0    1d0    1d0     1d8    1e0
TH_PID (client unique)   1e0    1ec    1ec     1f4    1fc
TH_TID (client unique)   1e4    1f0    1f0     1f8    200
TH_isTerminated          224    248    248     250    250
TH_startAddr             230    224    224     22c    234

EP denotes the Windows EPROCESS structure, TH denotes ETHREAD. All values are base 16 (hex).
* Quantum-related values for Vista do not fit the pattern of prior OSes, and need to be researched further.
Values obtained via LiveKD and the Windows kernel debugger by issuing: dt -a -b -v _EPROCESS

Process Carving

As late as 2005, strings [23] analysis was considered the best method available to extract information from a RAM duplicate [24]. Running strings on a RAM duplicate acquired from a cleanly installed and booted Windows operating system resulted in the average extraction of more than 30 MB of largely unusable text^7 (see Figure 1: Strings found in a cleanly booted system). Keep in mind that these are unmodified operating systems, fairly atypical in the wild, and that even 30 MB of text would translate to roughly 8000 printed 8.5" x 11" sheets of paper.

Figure 1: Strings found in a cleanly booted system (bar chart; y-axis: MB, 0 to 45, with an AVERAGE line; x-axis: Operating System: 2000 SP0, 2000 SP1, 2000 SP2, 2000 SP3, 2000 SP4, XP SP0, XP SP1a, XP SP2, 2003 SP1)

A strings analysis will not be able to lend much insight about RAM-specific structures such as processes. Instead, a search for known patterns must be performed along with a validation process for potential structures. The signature of a process can be defined by inspecting known offsets (as obtained from calibration) for expected data. For example, the offset related to process priority must be non-zero for all processes except the idle process, the offset related to the Page Directory Base (PDB) must be non-zero (a process must have a PDB) and the PDB must be on a page boundary (normally 4K), all the threads of a process must exist inside of the section of RAM dedicated to kernel memory, etc.

Assuming that the operating system version and service pack level are known prior to the search (i.e. obtained by inspection of the hard disk drive), a search for processes in a forensic image of 512 MB of RAM takes about 7 minutes to execute through a Perl interpreter on a modest system^8. This is a brute-force search that searches for structure signatures linearly. The fully commented proof of concept code is less than 1000 lines, and a high success rate can be achieved implementing as few as five checks on known offsets [25].
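The offset-signature search just described, as an added example written for this edit rather than the article's Perl proof of concept. It takes its offsets from the XP column of Table 1 and implements four of the checks the text lists (non-zero, page-aligned Page Directory Base; non-zero priority; a plausible PID; a printable image name). The 8-byte scan stride, the PID upper bound and the rule that PIDs are multiples of 4 are assumptions added here (EPROCESS blocks live in pool allocations, which are 8-byte aligned on 32-bit Windows, and PIDs are handle-table indices); the 64 KiB image, the two valid blocks and the two decoys in it are constructed for the demonstration, not taken from a real system.

```python
"""Offset-signature search for EPROCESS candidates in a raw memory image.

Added example, not the article's code. Offsets are the Windows XP column of
Table 1 (hex). Only a few of the article's calibration checks are implemented,
which is enough to reject the decoys in the constructed sample image below.
"""
import struct

PAGE_SIZE = 4096

# Table 1, Windows XP (pre-SP2) column. ImageFileName (EP_name) is 16 bytes.
XP_OFFSETS = {
    "PageDirBase": 0x18,
    "priority":    0x62,
    "PID":         0x84,
    "PPID":        0x14C,
    "name":        0x174,
    "size":        0x258,
}
NAME_LEN = 16
MAX_PID = 0x10000   # assumption: sane upper bound for a PID on these systems
SCAN_STRIDE = 8     # assumption: pool allocation granularity on 32-bit Windows


def looks_like_eprocess(buf: bytes, offsets: dict) -> bool:
    """Apply the calibration checks from the text to one candidate block."""
    if len(buf) < offsets["size"]:
        return False
    pdb = struct.unpack_from("<I", buf, offsets["PageDirBase"])[0]
    if pdb == 0 or pdb % PAGE_SIZE != 0:
        return False        # every process has a PDB and it sits on a page boundary
    if buf[offsets["priority"]] == 0:
        return False        # non-zero for all but the idle process (not carved here)
    pid = struct.unpack_from("<I", buf, offsets["PID"])[0]
    if pid == 0 or pid >= MAX_PID or pid % 4 != 0:
        return False        # assumption: PIDs are non-zero handle-table indices, multiples of 4
    name = buf[offsets["name"]:offsets["name"] + NAME_LEN].split(b"\x00", 1)[0]
    return len(name) > 0 and all(0x20 <= c < 0x7F for c in name)


def carve_processes(image: bytes, offsets: dict = XP_OFFSETS, stride: int = SCAN_STRIDE) -> list:
    """Linear brute-force scan; returns (image_offset, pid, ppid, name) for each hit."""
    hits = []
    for off in range(0, len(image) - offsets["size"] + 1, stride):
        block = image[off:off + offsets["size"]]
        if looks_like_eprocess(block, offsets):
            pid = struct.unpack_from("<I", block, offsets["PID"])[0]
            ppid = struct.unpack_from("<I", block, offsets["PPID"])[0]
            name = block[offsets["name"]:offsets["name"] + NAME_LEN].split(b"\x00", 1)[0]
            hits.append((off, pid, ppid, name.decode("ascii")))
    return hits


def fake_eprocess(pid: int, ppid: int, name: bytes, pdb: int,
                  priority: int = 8, offsets: dict = XP_OFFSETS) -> bytes:
    """Constructed block with only the fields the checks inspect populated."""
    blk = bytearray(offsets["size"])
    struct.pack_into("<I", blk, offsets["PageDirBase"], pdb)
    blk[offsets["priority"]] = priority
    struct.pack_into("<I", blk, offsets["PID"], pid)
    struct.pack_into("<I", blk, offsets["PPID"], ppid)
    blk[offsets["name"]:offsets["name"] + len(name)] = name
    return bytes(blk)


def build_sample_image() -> bytes:
    """Constructed 64 KiB 'image': two valid blocks plus two decoys that each fail one check."""
    size = XP_OFFSETS["size"]
    img = bytearray(65536)
    img[0x1008:0x1008 + size] = fake_eprocess(4, 0, b"System", 0x00039000)
    img[0x4A10:0x4A10 + size] = fake_eprocess(1304, 4, b"smss.exe", 0x0A9C2000)
    img[0x8000:0x8000 + size] = fake_eprocess(620, 4, b"csrss.exe", 0x0A9C2010)  # PDB not page aligned
    img[0xC000:0xC000 + size] = fake_eprocess(0, 4, b"ghost.exe", 0x0B000000)    # PID zero
    return bytes(img)


if __name__ == "__main__":
    for off, pid, ppid, name in carve_processes(build_sample_image()):
        print(f"0x{off:08x}  pid={pid:<6} ppid={ppid:<6} {name}")
```

Because the structure is never linked from anything the scanner trusts, this finds unlinked and terminated process blocks as readily as live ones, which is the point of carving rather than walking the active process list; on a real image the remaining checks from the text (thread addresses inside kernel space, sane create/exit times) are what keep the false-positive count down.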
A handful of tools are now available for performing analysis similar to what is stated above. Among them are procloc [4], Windows Memory Forensic Toolkit [6], Windows IR tools [5], and memparser [19], which was one of the original DFRWS submissions that was later released publicly. Each of these tools has its various benefits and drawbacks, mostly associated with project maturity. For example, many tools do not have a good user interface, and many only work on RAM from some versions of Windows. As with other tools, be sure to adequately test these tools before using any of them in a non-academic sense.

              TRUST ISSUES

Issues with trust arise in both the acquisition and analysis phases. The most detrimental issue involves the acquisition of RAM contents. This situation revolves around the problem of executing code on an untrusted system. How can one be assured that the input to the copy operation is actually the contents of the system’s RAM? Techniques could be employed by malware to deny access to RAM or, worse, to misrepresent the contents of RAM in order to elude detection. Many rootkits already use similar techniques. However, in a situation involving such malware one could easily make the argument that this misrepresentation would also affect common incident response tools. It is currently thought that the only way to completely mitigate this threat is to use dedicated hardware for acquisition (note 9).

Trust is also an issue during analysis. For example, some of the above tools make use of assumptions about internal Windows process scheduling. Windows maintains a doubly linked list of process structures; each process structure contains information on where the next and previous process structures are located. If this information is trusted, it greatly speeds up the enumeration of processes. However, if a process (thread) has become unlinked from this list it will not appear in the enumerated set. This could be the case for processes that are no longer scheduled for execution (old processes) as well as hidden processes.

A final trust issue is foundational to a core computer science concept: RAM may not be as volatile as one might have thought. It has been demonstrated that the contents of RAM can actually survive reboots and even short durations with power completely removed from a system [27]. This actually challenges the term “volatile memory.” Computing systems cannot be trusted to provide RAM in a clean state initially, only in an unknown state. Further research must be performed in order to determine if this knowledge can be leveraged in favor of a responder.

              FUTURE WORK

For most purposes, the area of memory forensics can be considered to be less than 2 years old, still in its infancy. As with other budding areas of research, memory forensics is ripe with possibilities for both unique research and refinement of existing research. Below are suggestions for new research in addition to ideas on how to extend the concepts provided here.

Compare the trusted process list with one obtained via brute force methods. A brute force technique was described in this article. Others [6] use a list traversal approach. Comparing results from the two methods could flag outliers, such as hidden processes.

One could employ virtual memory unification. Since the RAM duplicate being analyzed is never actually executed by the CPU, it does not have to obey typical memory management rules, such as those related to paging. For example, during analysis all pages could be “swapped in” from the pagefile extracted from a forensic duplicate of the hard disk drive.

Operating system detection could be improved. The execution time mentioned for a brute force search assumes that the operating system version and service pack level are known. If this information is not known (you have a RAM image but no hard disk drive image, or an encrypted hard disk drive), then the best case is to try all known operating system offsets until one search provides enough results to be deemed correct. This increases the execution time by one factor for every known operating system. For example, instead of 7 minutes, procloc could take 35 minutes to execute.

One could automate the correlation with non-volatile stores. It was mentioned above that some information from a hard disk drive is very useful in the analysis of RAM, operating system type and service pack level for example. Other types of information are also very valuable. Consider the need to link a process to a user account. The process structure only stores the internal UID, which must then be correlated with information in the registry to obtain a username.

Executables could be automatically or selectively extracted from the RAM duplicate. Assuming that outliers could be easily identified (as suggested by the list comparison earlier), executables could automatically be created from the extracted information in order to automate analysis.

Flag rogue structures by employing more checks. It was shown in this article that accurate results could be achieved with as few as 5 checks. Malware that is “aware” of these checks could attempt to spoof them in order to “fit in.” Employing more checks and adjusting their strictness could in effect identify structures with varying levels of “correctness.”

Account for all areas of memory by marking sections as structures are found. Consider a mature field of memory forensics, where processes, threads, file caches, etc. all have reliable tools that allow inspection and extraction. If each of these tools marked the areas of memory that it found to be a legitimate structure, then what do the unmarked areas represent? This technique would be similar to code coverage procedures used in other disciplines.

Most current tools only support environments that are either easy to develop tools for or represent a large user base. Future tools need to support fringe memory architectures such as those enabled by the /PAE and /3GB boot switches, non-i386 support is needed, and of course tools need to keep up with current operating systems and add support as needed (such as Vista).

              CONCLUSION

In exchange for a minimal negative impact (potentially as small as creating a single new process) to evidence during acquisition, a much greater depth and breadth of information concerning system state can be gained during analysis. The ability to gather pertinent information from a RAM duplicate often requires information to be gathered from a related non-volatile store prior to analysis, but may require little acquisition training and minimal additional hardware. At the very least, RAM acquisition allows analysis to occur after first response and enables RAM data to be viewed as an additional static evidence item to which traditional preservation and duplicate validation techniques can be applied.
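The brute-force signature search described earlier and the Future Work suggestion of comparing its results against a list traversal, as an added example that is not code from the paper or from procloc: a linear scan of a constructed 4 KiB image using five checks on known offsets, a walk of the doubly-linked process list, and the difference between the two reported as outliers. The record layout, field offsets and sample image are invented for illustration and are not the Windows EPROCESS layout.

```python
"""Added example, not code from the paper or from procloc: a brute-force
signature scan of a RAM image compared with traversal of the process list.
Record layout, offsets and sample image are constructed, not the EPROCESS layout."""
import struct

REC = 32          # constructed record size in bytes
TAG = 0x0003      # constructed type tag for a "process" record
# Constructed layout: tag u16 @0, size u16 @2, pid u32 @4, flink u32 @8,
# blink u32 @12, NUL-padded ASCII image name @16.
FMT = "<HHIII16s"

def make_record(pid, flink, blink, name):
    return struct.pack(FMT, TAG, REC, pid, flink, blink, name.encode())

def build_image():
    """Constructed 4 KiB image: list head, two linked processes, one record
    unlinked from the list (hidden or stale), and one decoy that fails checks."""
    img = bytearray(0x1000)
    head, a, b, hid, decoy = 0x100, 0x400, 0x800, 0xC00, 0xE00
    img[head:head + REC] = make_record(0, a, b, "HEAD")          # pid 0: head only
    img[a:a + REC] = make_record(4, b, head, "System")
    img[b:b + REC] = make_record(600, head, a, "lsass.exe")
    img[hid:hid + REC] = make_record(1337, b, a, "hidden.exe")   # nothing links here
    img[decoy:decoy + REC] = make_record(0, 0xFFFFFFFF, 0, "\x01junk")
    return bytes(img), head

def looks_like_process(img, off):
    """Five checks on known offsets, in the spirit of the brute-force search."""
    tag, size, pid, flink, blink, name = struct.unpack_from(FMT, img, off)
    name = name.rstrip(b"\0")
    return (tag == TAG and size == REC                          # 1-2: signature
            and 0 < pid < 65536                                 # 3: plausible pid
            and flink < len(img) and blink < len(img)           # 4: pointers in image
            and bool(name) and all(32 <= c < 127 for c in name))  # 5: printable name

def scan(img):
    """Linear scan of every 4-byte-aligned offset; no list pointers are trusted."""
    return [o for o in range(0, len(img) - REC + 1, 4) if looks_like_process(img, o)]

def walk_list(img, head):
    """Follow flink pointers from the list head, as list-traversal tools do."""
    found, off = [], struct.unpack_from("<I", img, head + 8)[0]
    while off != head and off + REC <= len(img) and len(found) < len(img) // REC:
        found.append(off)                                       # cycle/bounds guarded
        off = struct.unpack_from("<I", img, off + 8)[0]
    return found

def compare(img, head):
    """Records the scan finds but traversal never reaches are the outliers:
    unlinked (hidden) or no-longer-scheduled processes worth a closer look."""
    def describe(off):                      # (pid, image name) of a record
        f = struct.unpack_from(FMT, img, off)
        return f[2], f[5].rstrip(b"\0").decode()
    linked, scanned = set(walk_list(img, head)), set(scan(img))
    return {"linked": sorted(describe(o) for o in linked),
            "unlinked": sorted(describe(o) for o in scanned - linked)}

if __name__ == "__main__":
    image, head_off = build_image()
    print(compare(image, head_off))        # unlinked -> [(1337, 'hidden.exe')]
```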
                        NOTES

1. Guidance Software has sections of its website (www.guidancesoftware.com) devoted to e-discovery using its EnCase product line. Additionally there are many conference presentations and whitepapers on the subject, but no traditionally academic sources (e.g. CSI Annual Computer Security Conference, CEIC, DoD Cyber Crime Conference).
2. /3GB and /PAE are options given at boot time for MS Windows based operating systems that alter the default behavior of memory. Physical Address Extension (PAE) is heavily, if not completely, related to Intel IA-32 architecture PAE (Pentium Pro and above), which basically increases physical addresses to more than 32 bits. /3GB allows applications to use 3 GB of virtual address space instead of the normal 2 GB. [29,30]
3. The command should be typed all on one line, not two lines as shown. Notice the specified size of 4K, which corresponds to the size of a memory page. Note that usermode access to the PhysicalMemory object has been removed by Microsoft in Windows Server 2003 SP1 and potentially in future operating systems. \.\DebugMemory is being researched further.
4. It could be argued that this information is not lost, but will likely be swapped out. This would depend on whether the portion of memory in question was allocated or not, and even if the portion was allocated and subsequently swapped out, some information in the swap file would be lost.
5. A crafty approach would be to invoke the crash dump, which writes physical memory contents to the physical sectors of the hard disk where the pagefile is stored, then unplug the system after the dump is complete but before POST. In this situation the contents of the pagefile are still lost, but the dump is not written as a file to the file system and the system did not actually reboot (changing timestamps and similar). Using a write blocker, the RAM contents could be extracted from a forensic duplicate in order to perform RAM analysis.
6. This may prove not to be the case with a dedicated hardware acquisition, but this cannot be tested as no such hardware readily exists.
7. Tested on systems with 512 MB of RAM.
8. Tested on an IBM Thinkpad R51, with a 1.5 GHz Intel Pentium 3m and 1 GB of RAM, running Windows XP SP2 and ActivePerl 5.8.7.
9. Which remains to be seen: not only is such hardware not yet available, but circumvention of such hardware has already been claimed [28].

                        REFERENCES

1. Department of Defense Trusted Computer System Evaluation Criteria (TCSEC), DOD 5200.28-STD. US Department of Defense. December 1985.
2. United States Secret Service. Best Practices for Seizing Electronic Evidence. Second Edition. 2002.
3. Nolan, O’Sullivan, Branson, Waits. First Responders Guide to Computer Forensics. Carnegie Mellon University. 2005.
4. Tim Vidas. Procloc. http://nucia.unomaha.edu/tvidas/. Accessed Feb 8, 2007.
5. Harlan Carvey. Windows IR/CF Tools. http://sourceforge.net/projects/windowsir/. Accessed Feb 8, 2007.
6. Mariusz Burdach. Windows Memory Forensic Toolkit. http://forensic.secure.net. Accessed Feb 8, 2007.
7. Andreas Schuster. PTFinder. http://computer.forensikblog.de/en/. Accessed Feb 8, 2007.
8. McAfee VIL database. OneHalf virus. http://us.mcafee.com/virusInfo/default.asp?id=alpha. Accessed Feb 8, 2007.
9. McAfee VIL database. Nimda worm. http://us.mcafee.com/virusInfo/default.asp?id=alpha. Accessed Feb 8, 2007.
10. McAfee VIL database. SQLslammer worm. http://us.mcafee.com/virusInfo/default.asp?id=alpha. Accessed Feb 8, 2007.
11. Goodwin, Bill. High-tech crime is put on trial. ComputerWeekly.com. Jan 27, 2007. Accessed
    Apr 30, 2007. http://www.computerweekly.com/Articles/2007/01/27/221526/high-tech-crime-is-put-on-trial.htm
12. United States vs O’Keefe. D.C. Docket No. 04-0001 Cr-WLS-1. No 05-11924. Georgia App. Ct. Aug 22, 2006. http://www.ca11.uscourts.gov/opinions/ops/200511924.pdf
13. St. of AZ vs Brandy. S-0700-CR-2005014635. Arizona Sup. Ct. Nov 11, 2005.
14. Auditor Acquitted – Uses Computer Virus Defense. Aug 28, 2003. http://www.accountingweb.com/cgi-bin/item.cgi?id=98024. Accessed Mar 28, 2007.
15. United States vs Michael Shawn McCourt. District Court for the Western District of Missouri. 06-1018. Nov 24, 2006. http://www.ca8.uscourts.gov/opndir/06/11/061018P.pdf
16. Matthew David Bounds v The Queen. HCA 39. July 20, 2006. http://www.austlii.edu.au/au/cases/cth/high_ct/2006/39.html
17. Altheide, Cory. Forensic analysis of Windows hosts using UNIX-based tools. Journal of Digital Investigation. Vol 1, Num 1. Feb 2004.
18. KB 244139: Windows feature allows a Memory dump file to be generated with the keyboard. http://support.microsoft.com/kb/244139/en-us
19. Adam Boileau. Hit By A Bus: Physical Access Attacks With Firewire. Ruxcon 2006.
20. GM Garner. Memory image differences in Firewire acquisition. http://www.storm.net.nz/projects/16
21. Carrier, Grand. A hardware-based memory acquisition procedure for digital investigations. Digital Investigation Journal. Issue 1, p 50-60. Feb 2004.
22. Petroni, Fraser, Molina and Arbaugh. Copilot – a Coprocessor-based Kernel Runtime Integrity Monitor. Proceedings of the 13th USENIX Security Symposium. Aug 9-13, 2004.
23. Strings man page. (Fedora Core 4, 2006).
24. Stover S., Dickerson M. Using Memory Dumps in Digital Forensics. ;Login: magazine. Volume 30, Issue 6. December 2005.
25. Vidas, Timothy. Starting a Framework for the Analysis of Volatile Data Stores. Third Annual IFIP WG 11.9 International Conference on Digital Forensics. Orlando, Florida. Jan 28-31, 2007.
26. Chris Betz. Memparser. http://sourceforge.net/projects/memparser/. Accessed Feb 8, 2007.
27. Chow, Pfaff, Garfinkel, Rosenblum. Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation. 14th USENIX Security Symposium. July / August 2005.
28. Joanna Rutkowska. Beyond the CPU: Defeating Hardware Based RAM Acquisition Tools. To be given at Black Hat DC 2007. http://blackhat.com/bh-dc-07/bh-dc-07-speakers.html#Rutkowska. Accessed Feb 8, 2007.
29. Memory Support and Windows Operating Systems. Feb 9, 2005. http://www.microsoft.com/whdc/system/platform/server/PAE/PAEmem.mspx. Accessed March 28, 2007.
30. Intel 64 and IA-32 Architectures Software Developer’s Manual: Volume 3A: System Programming Guide Part 1. Intel Corp. November 2006.