RE: Imaging a "live" system

From: Kohlenberg, Toby (toby.kohlenbergat_private)
Date: Fri Jun 21 2002 - 11:54:48 PDT


    I have to say I'm surprised the path this discussion has taken- the
    real issue I have run into is not the need to not bring systems down
    or get a freeze of a live system- that isn't too hard to handle in one
    way or another. The problem I have yet to hear a decent solution for is
    how to get a dump of what is in memory off a running system when you
    don't necessarily have root control over the system. 
    
    Someone mentioned this earlier- the key reason I want to image a live system
    is to get to encryption and steganography keys that are stored in memory
    (and are very likely never written to disk). This means things like Solaris'
    flash imaging capabilities don't do much good as far as I can tell. Especially
    if this is a box that I don't have root on.
    
    So, how do I get a dump of the contents of RAM without doing anything to
    violently alter the system (and hence tip off any monitoring processes that
    would then wipe the disks and shut down the system).
    
    Thanks,
    Toby
    
    All opinions are my own and in no way reflect those of my employer.
    
    > -----Original Message-----
    > From: ed.crossleyat_private [mailto:ed.crossleyat_private]
    > Sent: Thursday, June 20, 2002 8:46 AM
    > To: forensicsat_private
    > Subject: Re: Imaging a "live" system
    > 
    > 
    > In-Reply-To: <3D10A42A.9070006at_private>
    > 
    > Please forgive me with this, I'm not an expert like the rest of you ;)
    > 
    > Could a read-only quarantine be put up around the drive to image? If read
    > requests are required by the system these are allowed. If the system needs
    > to write to the disk, could it be diverted to a secondary drive, with the
    > system assuming it has gone to the original? Then any request for data
    > written would come from the secondary device. In the meantime, the original
    > disk is imaged. Just a thought. Forgive me if it's a stupid one!!
    > 
    > ----------	  ---------------	 -------------
    > | system |<-------|		|<-------| hard disk |
    > |        |------->|		|	 |           |
    > ----------        |		|	 -------------
    > 		  |   l i v e   |              ||
    > 		  |             |	       \/	
    > 		  | i m a g e r |	 -------------
    > 		  |		|	 | i m a g e |
    > 		  |		|	 -------------
    > 		  |		|
    > 		  |		|------>|-------------|
    > 		  |		|	|  secondary  |
    > 		  | 		|<------|   storage   |
    > 		  |		|	|-------------|
    > 		  ---------------
    > 
    > Regards
    > 
    > Ed
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
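Ed's quoted proposal (writes diverted to secondary storage, reads served from wherever the most recent copy of a sector lives, original disk left untouched so it can be imaged) is a copy-on-write overlay. The following is an added example, not code from the thread or from any list member: a small Python model of that overlay at sector granularity. The class name `CowOverlay`, the 512-byte sector size and the four-sector sample "disk" are assumptions made for the illustration.

```python
import hashlib

SECTOR = 512  # overlay granularity in bytes (an assumed value, not from the thread)


class CowOverlay:
    """Model of a copy-on-write write-diverting overlay (hypothetical class).

    The original device is only ever read. Any sector the running system
    writes is copied to a secondary store first and modified there; later
    reads of that sector are served from the secondary copy, everything
    else still comes from the original. The original can therefore be
    imaged at any point and hashes identically before and after use.
    """

    def __init__(self, original: bytes) -> None:
        self._original = bytes(original)            # treated as read-only
        self._secondary: dict[int, bytearray] = {}  # sector number -> diverted data

    def _sector(self, n: int) -> bytes:
        """Return sector n from the secondary store if diverted, else from the original."""
        if n in self._secondary:
            return bytes(self._secondary[n])
        start = n * SECTOR
        return self._original[start:start + SECTOR]

    def _check_bounds(self, offset: int, length: int) -> None:
        if offset < 0 or length < 0 or offset + length > len(self._original):
            raise ValueError("access outside the device")

    def read(self, offset: int, length: int) -> bytes:
        """Read as the running system would see the device."""
        self._check_bounds(offset, length)
        out = bytearray()
        pos, end = offset, offset + length
        while pos < end:
            n, within = divmod(pos, SECTOR)
            chunk = self._sector(n)[within:within + (end - pos)]
            out += chunk
            pos += len(chunk)
        return bytes(out)

    def write(self, offset: int, data: bytes) -> None:
        """Divert a write to the secondary store; the original is untouched."""
        self._check_bounds(offset, len(data))
        pos = 0
        while pos < len(data):
            n, within = divmod(offset + pos, SECTOR)
            if n not in self._secondary:
                # first write to this sector: copy the original sector aside
                self._secondary[n] = bytearray(self._sector(n))
            take = min(SECTOR - within, len(data) - pos)
            self._secondary[n][within:within + take] = data[pos:pos + take]
            pos += take

    def dirty_sectors(self) -> list[int]:
        """Sectors the system has written since the overlay went up."""
        return sorted(self._secondary)

    def image_original(self) -> bytes:
        """What the imager copies: the pristine original, not the merged view."""
        return self._original

    def original_fingerprint(self) -> str:
        """SHA-256 of the original, for verifying it was never modified."""
        return hashlib.sha256(self._original).hexdigest()


def demo() -> dict:
    """Constructed sample: a 4-sector 'disk' used by the system while overlaid."""
    disk = bytes(range(256)) * 8          # 2048 bytes = 4 sectors (constructed)
    ov = CowOverlay(disk)
    before = ov.original_fingerprint()
    ov.write(600, b"EVIDENCE")            # write landing inside sector 1
    ov.write(1022, b"SPAN")               # write straddling sectors 1 and 2
    return {
        "system_view": ov.read(600, 8),
        "system_view_span": ov.read(1022, 4),
        "untouched_bytes_before": ov.read(595, 5),
        "dirty": ov.dirty_sectors(),
        "original_unchanged": ov.image_original() == disk,
        "hash_stable": ov.original_fingerprint() == before,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same idea underlies block-level snapshot mechanisms such as Linux device-mapper snapshot targets and QEMU backing files: the system keeps running against a merged view while the imager reads the unmodified base. Note that this only preserves the disk; it does nothing for the contents of RAM, which is the part of the question the thread leaves open.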
    



    This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 16:01:51 PDT