State of the art concerning memory acquisition software – A detailed examination of Linux, BSD and Solaris live memory acquisition


Authors
  1. Carbone, R.
Corporate Authors
Defence R&D Canada - Valcartier, Valcartier QUE (CAN)
Abstract
This technical memorandum examines various software tools that can be used for carrying out forensic memory acquisition against Linux, BSD, and Solaris x86-based systems. No comparable work could be found in the publicly available literature after an exhaustive survey of the subject matter. This study is important because these UNIX systems are pervasive in today's world and are found in IT environments ranging from the home to the corporate data centre. By addressing x86-based UNIX system memory acquisition, the computer forensic investigator is given the knowledge and techniques required to readily tap into this important avenue of potentially useful evidence. Two tools stand out above the rest: Second Look and Fmem, both of which succeeded in all experiments at capturing the underlying system's memory. Although some of the other tools examined had specific strengths, they did not work as expected in all instances.

A French-language summary is also available.

Report Number
DRDC-VALCARTIER-TM-2012-008 — Technical Memorandum
Date of publication
01 Mar 2012
Number of Pages
134
DSTKIM No
CA037004
CANDIS No
536645
Format(s):
Electronic Document(PDF)
