I have to say I'm surprised at the path this discussion has taken. The real issue I have run into is not the need to avoid bringing systems down or to get a freeze of a live system; that isn't too hard to handle in one way or another. The problem I have yet to hear a decent solution for is how to get a dump of what is in memory off a running system when you don't necessarily have root control over the system.

Someone mentioned this earlier: the key reason I want to image a live system is to get to encryption and steganography keys that are stored in memory (and are very likely never written to disk). This means things like Solaris' flash imaging capabilities don't do much good as far as I can tell, especially if this is a box that I don't have root on.

So, how do I get a dump of the contents of RAM without doing anything to violently alter the system (and hence tip off any monitoring processes that would then wipe the disks and shut down the system)?

Thanks,

Toby

All opinions are my own and in no way reflect those of my employer.

> -----Original Message-----
> From: ed.crossleyat_private [mailto:ed.crossleyat_private]
> Sent: Thursday, June 20, 2002 8:46 AM
> To: forensicsat_private
> Subject: Re: Imaging a "live" system
>
>
> In-Reply-To: <3D10A42A.9070006at_private>
>
> Please forgive me with this, I'm not an expert like the rest of you ;)
>
> Could a read-only quarantine be put up around the drive to image? If read
> requests are required by the system these are allowed. If the system needs
> to write to the disk, could it be diverted to a secondary drive, with the
> system assuming it has gone to the original? Then any request for data
> written would come from the secondary device. In the meantime, the original
> disk is imaged. Just a thought. Forgive me if it's a stupid one!!
>
>   ----------        ---------------        -------------
>   | system |<-------|             |<-------| hard disk |
>   |        |------->|             |        |           |
>   ----------        |             |        -------------
>                     |  l i v e    |              ||
>                     |             |              \/
>                     | i m a g e r |        -------------
>                     |             |        | i m a g e |
>                     |             |        -------------
>                     |             |
>                     |             |------>|-------------|
>                     |             |       |  secondary  |
>                     |             |<------|   storage   |
>                     |             |       |-------------|
>                     ---------------
>
> Regards
>
> Ed
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> -----------------------------------------------------------------
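Ed's "read-only quarantine" is, in modern terms, a copy-on-write snapshot layer: the same idea as a device-mapper snapshot over a read-only origin or a QEMU overlay image over a read-only backing file. The Python below is an added illustration, not code from either message in this thread, and it models that layer in memory: the live system is handed an overlay, every write it issues is diverted to secondary storage, later reads of a written block come back from secondary storage, and the original device is only ever read, so it can be imaged and hashed while the system keeps running. The block size, the sample disk contents and the class and function names are all assumptions made for the example. Note that this addresses disk imaging only, not Toby's memory-acquisition question, and that interposing such a layer under a running system in practice requires privileged control of the device mapping.

```python
# Added example (not from the original thread): a minimal copy-on-write
# overlay modelling the "read-only quarantine" proposed in the message above.
# Block size, sample disk contents and the SHA-256 check are constructed
# for this illustration.
import hashlib
from typing import Dict

BLOCK_SIZE = 8  # tiny blocks so the example fits on screen


class OriginalDisk:
    """The device under investigation: the overlay only ever reads it."""

    def __init__(self, image: bytes):
        if len(image) % BLOCK_SIZE:
            raise ValueError("image must be a whole number of blocks")
        self._image = image
        self.write_attempts = 0  # non-zero would mean the quarantine leaked

    @property
    def block_count(self) -> int:
        return len(self._image) // BLOCK_SIZE

    def read_block(self, n: int) -> bytes:
        return self._image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]

    def write_block(self, n: int, data: bytes) -> None:
        # Present only to prove the overlay never calls it.
        self.write_attempts += 1
        raise PermissionError("original disk is quarantined read-only")


class CowOverlay:
    """What the live system is handed instead of the real disk."""

    def __init__(self, original: OriginalDisk):
        self.original = original
        self.secondary: Dict[int, bytes] = {}  # diverted blocks, by block number

    def read_block(self, n: int) -> bytes:
        # Written blocks are served from secondary storage, untouched ones
        # pass through to the original device.
        if n in self.secondary:
            return self.secondary[n]
        return self.original.read_block(n)

    def write_block(self, n: int, data: bytes) -> None:
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes must be whole blocks")
        self.secondary[n] = data  # never reaches the original

    def read(self, offset: int, length: int) -> bytes:
        """Byte-range read spanning blocks, as a filesystem would issue."""
        first, last = offset // BLOCK_SIZE, (offset + length - 1) // BLOCK_SIZE
        buf = b"".join(self.read_block(n) for n in range(first, last + 1))
        start = offset - first * BLOCK_SIZE
        return buf[start:start + length]

    def write(self, offset: int, data: bytes) -> None:
        """Byte-range write: read-modify-write each touched block into secondary."""
        pos = 0
        while pos < len(data):
            n, off = divmod(offset + pos, BLOCK_SIZE)
            chunk = data[pos:pos + BLOCK_SIZE - off]
            block = bytearray(self.read_block(n))
            block[off:off + len(chunk)] = chunk
            self.write_block(n, bytes(block))
            pos += len(chunk)


def image_original(disk: OriginalDisk) -> bytes:
    """The forensic copy: taken straight from the quarantined device."""
    return b"".join(disk.read_block(n) for n in range(disk.block_count))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    # Constructed sample disk: four 8-byte blocks.
    original = OriginalDisk(b"BLOCK-00BLOCK-01BLOCK-02BLOCK-03")
    before = sha256(image_original(original))

    system = CowOverlay(original)
    system.write(6, b"LOG:boot")    # straddles blocks 0 and 1
    system.write(24, b"tmpfile!")   # exactly block 3

    after = sha256(image_original(original))  # imaged while the system keeps writing
    return {
        "original_unchanged": before == after,
        "system_sees_writes": system.read(6, 8) == b"LOG:boot",
        "untouched_block_passes_through": system.read_block(2) == b"BLOCK-02",
        "blocks_diverted": sorted(system.secondary),
        "writes_to_original": original.write_attempts,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the two properties the proposal depends on: the hash of the original is identical before and after the system's writes, and the system still reads back exactly what it wrote, including a write that straddles two blocks. Everything the system changed lives in the secondary store (blocks 0, 1 and 3), which is also what an examiner would want to preserve alongside the image, since it records what the system did after the quarantine went up.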
This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 16:01:51 PDT