Section 3.3: Acquiring Memory Flashcards
Tools to collect live memory from systems.
WinPMEM, DumpIt, F-Response, Belkasoft Live Ram Capturer, and Magnetic Forensics Ram Capture.
Dead memory system files and where to locate them. Are they complete?
All of them are inside the SystemDrive: hiberfil.sys & memory.dmp are complete, pagefile.sys & swapfile.sys are partial.
When considering getting hibernation files, what else should be retrieved?
The live version of it if possible. That way to memories can show different stories. Hibernation can track weeks worth that a live one cant do.
Before analyzing hibernation files, it needs to be decompressed. What tools help with decompression?
Imagecopy plugin by Volatility, hibr2bin.exe by Comae, and Hibernation Recon by Arsenal.
Name the tools that can string/analyze memory images.
Volatility, BulkExtractor, Magnet AXIOM, and Passware.
How does power management play a crucial role in obtaining hibernation files?
Depending on the default shutdown state, it can make smaller hibernation files. Windows 8 has fast startup by default so it causes smaller files. Windows 10 has hybrid sleep causing more files. Use powercfg.exe to see the status.
How to create a virtual memory image available froma virtual machine.
Suspend the virtual machine and get the file this way.
Virtual machines and their virtual memory file extensions.
VmWare (vmem, vmss, vmsn), Hyper-V (bin, vsv), Parallels (mem), VirtualBox (sav).
What virtual machine may not be recognized by memory analysis tools?
VirtualBox because it only uses memory it needs, not as a whole. Volatility might be the only one.
Whats the fallback plan when trying to obtain memory acquisition?
Run a memory acquisition tool as a virtual guest. A raw image can be obtain this way.
2 methods to look for the virtual memory files:
Inside the virtual memory file path or searching extension names.
