I was quite surprised to actually see parts of the main memory survive a reboot for the first time. Well, Farmer and Venema were not the first to describe this. Here are two more interesting papers on that topic.
April 2006 Archives
If you followed through the first part of this tutorial, you might wonder if there shouldn't be a simpler way to extract the binary. Of course there is one.
Over the weekend Harlan Carvey has released two tools to analyze full memory dumps of computers running Microsoft Windows 2000.
The Netherlands Forensic Institute has just released a new version of TULP2G. This program acquires and analyzes data from mobile phones.
In their book Forensic Discovery, Dan Farmer and Wietse Venema talk about the persistence of information in main memory. However, I hadn't seen traces of a process surviving a reboot until I analyzed the images of the DFRWS Memory Analysis Challenge.
It is possible to reconstruct the program binary of a process from a memory dump. This enables you to scan the binary for viruses even if it has been deleted from the disk. This article outlines the process.
For certain examinations it might be helpful to be able to extract the memory of a single process from the full dump. If the dump was obtained with "dd", reconstructing the process' memory is quite simple.
