Impact of Volatile Data Collection

The paper "Acquiring Volatile Operating System Data Tools and Techniques" by Iain Sutherland, Jon Evans, Theodore Tryfonas and Andrew Blyth assesses the capabilities and the system impact of several tools that are commonly used in live response and memory acquisition. The article appeared in the ACM SIGOPS Operating Systems Review, April 2008. Unfortunately, access is not free.

Besides the legal implications of using live response tools in the United Kingdom, the authors assess the impact of several popular tools on the system under examination. The tested tools fall into the following categories:

  • physical memory acquisition (e.g. Nigilant32, KnTTools, Pmdump, and FAUdd)
  • network status information (e.g. Fport and tcpview)
  • system status information (e.g. Psinfo, pslist, psloggedon, and tlist.exe)

Among the assessed parameters were:

  • memory footprint (page file usage and working set)
  • number of registry keys written
  • number of files written
  • number of DLLs loaded
  • elapsed time

The tests were conducted on Microsoft Windows XP SP2 running in a virtual machine. The baseline environment was restored before every test, so that artifacts left by one tool could not be attributed to the next.
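The measurements above can be automated. The following PowerShell harness is an added example, not code from the paper or from this blog, and it does not reproduce the authors' exact procedure: it runs one tool under test, records elapsed time and the peak working set and pagefile usage of its process, and uses a Sysinternals Process Monitor trace to count the DLLs it loaded and the registry keys and files it wrote. It assumes that procmon.exe is on the PATH, that the script runs elevated, that the tool exits on its own, and that the VM snapshot is reverted by hand between runs; all paths and parameter names are placeholders.

```powershell
# Added example (not from the paper or this blog): measure a live-response tool's footprint
# along the axes the paper uses. Assumptions: procmon.exe on the PATH, elevated shell,
# tool exits on its own, VM snapshot reverted between runs. Paths are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$ToolPath,   # e.g. C:\tools\pslist.exe
    [string]$ToolArgs = '',                            # arguments for the tool under test
    [string]$WorkDir = 'C:\footprint'                  # trace and results go here
)

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$pml = Join-Path $WorkDir 'trace.pml'
$csv = Join-Path $WorkDir 'trace.csv'

# 1. Start the trace first, so the tool's earliest registry and file accesses are captured.
Start-Process procmon.exe -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
Start-Sleep -Seconds 5

# 2. Launch the tool; its output goes to a file so it never blocks on a full console pipe.
$startArgs = @{
    FilePath = $ToolPath; PassThru = $true; NoNewWindow = $true
    RedirectStandardOutput = (Join-Path $WorkDir 'tool-stdout.txt')
}
if ($ToolArgs) { $startArgs['ArgumentList'] = $ToolArgs }
$sw      = [System.Diagnostics.Stopwatch]::StartNew()
$proc    = Start-Process @startArgs
$toolPid = $proc.Id

# 3. Sample memory while the tool runs. The Peak* counters are cumulative, so the last
#    successful read before exit is the peak. A tool that finishes within one sampling
#    interval may yield no reading at all; the trace below still covers its file and
#    registry activity.
$peakWs = [long]0; $peakPf = [long]0
while (-not $proc.HasExited) {
    try {
        $proc.Refresh()
        $peakWs = [Math]::Max($peakWs, [long]$proc.PeakWorkingSet64)
        $peakPf = [Math]::Max($peakPf, [long]$proc.PeakPagedMemorySize64)
    } catch { }                      # the process may exit between HasExited and the read
    Start-Sleep -Milliseconds 10
}
$proc.WaitForExit()
$sw.Stop()

# 4. Stop tracing and export the trace to CSV for parsing.
Start-Process procmon.exe -ArgumentList '/Terminate' -Wait
Start-Process procmon.exe -ArgumentList "/AcceptEula /OpenLog `"$pml`" /SaveAs `"$csv`"" -Wait

# 5. Keep only events from the tool's own PID; procmon records every process on the box.
$ev = @(Import-Csv $csv | Where-Object { $_.PID -eq "$toolPid" })

# Registry keys written: distinct paths of successful create/set/delete operations.
$regOps  = 'RegCreateKey', 'RegSetValue', 'RegDeleteKey', 'RegDeleteValue'
$regKeys = @($ev | Where-Object { $regOps -contains $_.Operation -and $_.Result -eq 'SUCCESS' } |
    ForEach-Object { $_.Path } | Sort-Object -Unique)

# Files written: created/overwritten on open, or the target of a successful WriteFile.
$files = @($ev | Where-Object {
        ($_.Operation -eq 'WriteFile' -and $_.Result -eq 'SUCCESS') -or
        ($_.Operation -eq 'CreateFile' -and $_.Detail -match 'OpenResult: (Created|Overwritten|Superseded)')
    } | ForEach-Object { $_.Path } | Sort-Object -Unique)

# DLLs loaded: image-load events for .dll files (the tool's own .exe is excluded).
$dlls = @($ev | Where-Object { $_.Operation -eq 'Load Image' -and $_.Path -match '\.dll$' } |
    ForEach-Object { $_.Path } | Sort-Object -Unique)

$result = New-Object PSObject -Property @{
    Tool                = Split-Path $ToolPath -Leaf
    ElapsedMs           = $sw.ElapsedMilliseconds
    PeakWorkingSetKB    = [int]($peakWs / 1KB)
    PeakPagefileKB      = [int]($peakPf / 1KB)
    DllsLoaded          = $dlls.Count
    RegistryKeysWritten = $regKeys.Count
    FilesWritten        = $files.Count
}
$result | Export-Csv (Join-Path $WorkDir 'footprint.csv') -NoTypeInformation -Append
$result | Format-List
```

Run it once per tool from a freshly reverted snapshot, e.g. `.\Measure-Footprint.ps1 -ToolPath C:\tools\pslist.exe -ToolArgs '-t'`. Note that the harness itself (PowerShell, procmon and its driver) has a footprint of its own; it is deliberately started before the timer and excluded from the counts by PID, but it still perturbs the machine, which is exactly why the paper's baseline-restore step matters.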

Understanding the impact of tools used for live response and forensics is imperative: every page, file and registry key a tool touches on the suspect system is potential evidence altered. This paper provides a useful framework for reproducible and standardized tests. The results allow a first responder to choose the right tools and to justify that choice.

1 Comment

Thanks for the heads up on the paper.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.