Acquisition (1): dd

Preserving volatile data is one of the most challenging tasks in computer forensics. On Microsoft Windows, dd provides a convenient way to copy physical memory into a file. There is only one catch: it no longer works from Windows Server 2003 SP1 onwards.

It required no time-consuming preparation, and at least under Microsoft Windows 2000 it worked out of the box, flawlessly. That tiny dd, as known from UNIX, was my tool of the trade whenever an image of Windows' physical memory was required. Invocation is straightforward:
dd if=\\.\Device\PhysicalMemory of=memory.bin bs=4096

On Windows Server 2003 (from SP1 on) and Vista (formerly code-named Longhorn), \Device\PhysicalMemory is no longer readable from user mode. As an article on Microsoft TechNet confirms, only kernel-mode drivers are allowed to open that device.

The advantages of dd are:

  • no need to install software (like kernel-mode drivers!) on the system under examination
  • dd and the created memory dump usually fit onto a USB memory stick
  • simple file format: the file offset equals the physical address (as long as dd copied every block; a skipped block would shift every later offset)
  • no need to bring down the system

Of course there are also some disadvantages:

  • the system continues to run during the dump, resulting in a "blurred image" instead of a sharp snapshot
  • Microsoft's kernel debugger can't handle the file format
  • there are no publicly available tools to analyze a memory dump
  • Administrator privileges are required
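To make the file-format point concrete, and to show what the "blurred image" looks like in practice, here is a small reader for such a flat image. It is an added example, not code from the original post or from the Forensic Acquisition Utilities; it assumes only that byte N of the file is physical address N (no header, nothing skipped), and the four-page image it operates on is constructed inline rather than taken from a real system.

```python
"""Minimal reader for a flat physical-memory image as written by dd.

Added example, not code from the original post or from the Forensic
Acquisition Utilities. It relies on the one property the post states about
the format: byte N of the file is physical address N, with no header and
nothing skipped. The sample image below is constructed in memory; real
images are opened from disk with open_dump() and passed to the same
functions.
"""
import hashlib
import mmap
import re

PAGE_SIZE = 4096  # same block size as the bs=4096 in the dd invocation


def phys_to_offset(phys_addr: int) -> int:
    """For a flat dd image the mapping is the identity; the function exists
    so that a header or skipped range could be accounted for in one place."""
    if phys_addr < 0:
        raise ValueError("physical address must be non-negative")
    return phys_addr


def read_physical(dump, phys_addr: int, length: int) -> bytes:
    """Return `length` bytes starting at physical address `phys_addr`."""
    off = phys_to_offset(phys_addr)
    if off + length > len(dump):
        raise ValueError("read of 0x%x+%d runs past end of image (%d bytes)"
                         % (phys_addr, length, len(dump)))
    return bytes(dump[off:off + length])


def read_page(dump, pfn: int) -> bytes:
    """Return the page with page frame number `pfn` (the last one may be short)."""
    start = pfn * PAGE_SIZE
    if start >= len(dump):
        raise ValueError("page frame 0x%x lies beyond the image" % pfn)
    return read_physical(dump, start, min(PAGE_SIZE, len(dump) - start))


def carve_strings(dump, min_len: int = 8):
    """Yield (physical_address, text) for every run of printable ASCII of at
    least `min_len` bytes. Because the image is flat, the match offset *is*
    the physical address of the string."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(dump):
        yield m.start(), m.group().decode("ascii")


def page_hashes(dump) -> dict:
    """SHA-256 of every page, keyed by page frame number."""
    npages = (len(dump) + PAGE_SIZE - 1) // PAGE_SIZE
    return {pfn: hashlib.sha256(read_page(dump, pfn)).hexdigest()
            for pfn in range(npages)}


def changed_pages(dump_a, dump_b) -> list:
    """Page frame numbers whose contents differ between two images.

    Two dd images of a running system taken back to back are never
    identical: that is the "blurred image" the post warns about. Comparing
    page hashes shows which parts of memory were in flux during acquisition."""
    ha, hb = page_hashes(dump_a), page_hashes(dump_b)
    return sorted(pfn for pfn in ha.keys() | hb.keys() if ha.get(pfn) != hb.get(pfn))


def open_dump(path: str):
    """Map an image read-only; mmap lets the functions above work on
    multi-gigabyte images without reading them into memory."""
    with open(path, "rb") as f:
        return mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)


def build_sample_image() -> bytes:
    """Constructed four-page image standing in for a real dump: a marker
    string at physical address 0x1100 and a few non-printable bytes at 0x2000."""
    img = bytearray(4 * PAGE_SIZE)
    marker = b"CONSTRUCTED-MARKER-STRING"
    img[0x1100:0x1100 + len(marker)] = marker
    img[0x2000:0x2010] = bytes(range(16))
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("0x1100 ->", read_physical(image, 0x1100, 25))
    for addr, text in carve_strings(image):
        print("string at physical 0x%08x: %s" % (addr, text))
    # Simulate a second image taken moments later: page 3 changed meanwhile.
    later = bytearray(image)
    later[0x3010:0x3014] = b"\xde\xad\xbe\xef"
    print("pages that changed between the two images:",
          changed_pages(image, bytes(later)))
```

Point open_dump() at a real dd image and the same functions apply: the string carver reports physical addresses directly, and comparing two images taken back to back with changed_pages() shows how much of memory moved while dd was running, which is a practical way to judge how blurred a given image is.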

Several ports of the dd utility are available for the Microsoft Windows platform. I obtained the best results with the Forensic Acquisition Utilities by George M. Garner Jr.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.