
A memory dump is the process of taking all the information contained in RAM and writing it to a storage drive. Developers commonly use memory dumps to gather diagnostic information at the time of a crash, to help them troubleshoot the issue and learn more about the event.
For Windows:
MAGNET RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.
MDD: MDD is a physical memory acquisition tool for imaging Windows-based computers, created by ManTech International Corporation. MDD can acquire memory images from Windows 2000, XP, Vista, and Windows Server.
Process Hacker: an open-source process monitoring application that is useful to run while the target machine is in use. It gives the investigator a better understanding of what is currently affecting the system before the memory snapshot is taken, and can help uncover malicious processes, or identify which processes have been terminated within a set period of time.
Winen: the RAM acquisition tool provided by Guidance. Winen.exe is intended to work on all versions of Windows later than 2000. The executable can be driven from the command line, by user prompts, or from a configuration file, and it can be run from a USB drive plugged into the target machine.
FTK: Forensic Toolkit (FTK) is a Windows-based commercial computer forensics product made by AccessData. For forensic investigations, the same development team has released a free version of the commercial product with fewer features, FTK Imager, which can both acquire and analyze computer forensic evidence.
The evidence FTK Imager can acquire falls into two main categories:
- Acquiring volatile memory
- Acquiring non-volatile memory (Hard disk)
WinPmem: a memory acquisition tool for Windows. Analyzing the memory dump it produces during an incident investigation can yield much useful information: the list of running processes, live network connections, and registry entries.
MANDIANT Memoryze: free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems it can include the paging file in its analysis. It can perform all of these functions on live system memory or on memory image files.
WindowsSCOPE: an incident response tool that enables memory forensics for Windows computers. It performs reverse engineering of the entire operating system from physical memory, as well as of all running software. It automatically identifies all processes, threads, and drivers running on the system, along with other system activity including open files, registry keys, and network sockets. It supports the latest Windows versions through Windows 10 and also has advanced data search capabilities to find URLs, credit card numbers, names, etc. in a captured memory image. It is the next generation in live memory forensics tools and memory forensics technologies.
For Mac OS X:
Goldfish: a Mac OS X live forensic tool. Its main purpose is to provide an easy-to-use interface to dump the system RAM of a target machine over a FireWire connection. It then automatically extracts the current user's login password and any AOL Instant Messenger conversation fragments that may be in memory.
Mac Memory Reader: a simple command-line utility to capture the contents of physical RAM. Results are stored in a Mach-O binary or a raw data file. Mac Memory Reader is available free of charge. It executes directly on 32- and 64-bit target machines running Mac OS X 10.4 through 10.7 and requires a PowerPC G4 or newer, or any Intel processor.
OSXPMem: an open-source tool to acquire physical memory on an Intel-based Mac. The imager supports multiple output formats; at the moment these are Mach-O, ELF, and zero-padded RAW.
For Linux:
LiME: Linux Memory Extractor (LiME) is a Loadable Kernel Module (LKM) that allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports dumping memory either to the file system of the device or over the network.
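An acquisition is only evidence if the image can be shown to be complete, so the first thing an analyst does with a LiME capture is walk its segment headers and confirm every range is present. The following is an added example, not code from the LiME project: a small parser for LiME's own "lime" output format. The 32-byte per-segment header layout (magic 0x4C694D45, version 1, inclusive start and end physical addresses, 8 reserved bytes) is assumed from LiME's lime.h; the sample dump is constructed in the block so it runs offline.

```python
import struct
from typing import List, Tuple

# Per-segment header of the "lime" output format, 32 bytes, little-endian:
#   u32 magic (0x4C694D45, the bytes "EMiL" on disk), u32 version (1),
#   u64 s_addr, u64 e_addr (inclusive), u8 reserved[8].
# Layout assumed from LiME's lime.h; check it against the version you build.
LIME_MAGIC = 0x4C694D45
LIME_VERSION = 1
LIME_HEADER = struct.Struct("<IIQQ8s")

# A segment is (start_paddr, end_paddr_inclusive, offset_of_segment_data_in_file).
Segment = Tuple[int, int, int]


def parse_lime(data: bytes) -> List[Segment]:
    """Walk every segment header in a LiME dump and return the physical memory map.

    Raises ValueError on a bad magic, an unsupported version, or a segment whose
    data runs past the end of the file, which is how a partial write to the
    device's file system or an interrupted network transfer shows up.
    """
    segments: List[Segment] = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < LIME_HEADER.size:
            raise ValueError(f"truncated header at offset {offset:#x}")
        magic, version, start, end, _reserved = LIME_HEADER.unpack_from(data, offset)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#010x} at offset {offset:#x}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME header version {version}")
        if end < start:
            raise ValueError(f"segment end {end:#x} precedes start {start:#x}")
        size = end - start + 1          # e_addr is inclusive
        body = offset + LIME_HEADER.size
        if body + size > len(data):
            raise ValueError(
                f"segment {start:#x}-{end:#x} truncated: need {size} bytes, "
                f"have {len(data) - body}"
            )
        segments.append((start, end, body))
        offset = body + size
    return segments


def captured_bytes(segments: List[Segment]) -> int:
    """Total physical memory actually present in the dump (holes between ranges excluded)."""
    return sum(end - start + 1 for start, end, _ in segments)


def read_physical(data: bytes, segments: List[Segment], paddr: int, length: int) -> bytes:
    """Read up to `length` bytes at physical address `paddr`, stopping at the segment end.

    Raises LookupError for an address that falls in a hole the acquisition did not cover.
    """
    for start, end, body in segments:
        if start <= paddr <= end:
            rel = paddr - start
            avail = end - paddr + 1
            return data[body + rel : body + rel + min(length, avail)]
    raise LookupError(f"physical address {paddr:#x} is not covered by the dump")


def build_sample_dump() -> bytes:
    """Constructed sample: two RAM ranges with a hole between them, as a PC's memory map has."""
    ranges = [(0x1000, b"A" * 0x1000), (0x100000, b"B" * 0x2000)]
    out = bytearray()
    for start, payload in ranges:
        end = start + len(payload) - 1
        out += LIME_HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8)
        out += payload
    return bytes(out)


if __name__ == "__main__":
    dump = build_sample_dump()
    segments = parse_lime(dump)
    for start, end, body in segments:
        print(f"{start:#012x}-{end:#012x}  {end - start + 1:8d} bytes  @ file offset {body:#x}")
    print(f"captured {captured_bytes(segments)} bytes of RAM in a {len(dump)}-byte file")
```

The same walk applies to a real capture taken with `insmod lime.ko "path=/mnt/usb/mem.lime format=lime"` or streamed over the network with `path=tcp:<port>`; a dump written with `format=raw` or `format=padded` has no headers and is a flat image instead, which is why the parser refuses anything that does not start with the magic rather than guessing.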
Linux Memory Grabber: a tool to create Linux Volatility profiles and dump memory (using LiME) from a USB key, without installing anything on the local hard disk.
/dev/mem: on older Linux systems, the program dd can be used to read the contents of physical memory from the device file /dev/mem. On recent Linux systems, however, /dev/mem provides access only to a restricted range of addresses, rather than the full physical memory of the system.
fmem: a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or other tools. It works on 2.6 Linux kernels and is released under the GNU GPL.
Source: hackernewsdog
