Now, I know 256 TB is not going to be typical, but acquiring even 4 GB to 12 GB of paging files can take a long time. The pagefiles are in use and locked by the operating system. To gain access, tools typically parse the filesystem for access to the sectors that represent the pagefiles. This prolongs the time required to acquire the files.
 
Next time in this series, we will discuss more about time and its implication on the paging files. If this series is boring you, the memory forensics class at Black Hat contains more hands-on applications and use cases. This year, Aaron LeMasters, author of Web Historian 2.0, will be helping with the class. I hope to see you there.

First, the blog entry mainly mentions the footprint on disk, which is larger than other acquisition tools because Memoryze does both acquisition and analysis in the same package. What you may not have known is that Memoryze runs completely fine from a USB key. You can install Memoryze to your USB key and use it on the target machine. This mitigates the concern of a large disk footprint.

Second, Matthieu Suiche pointed out that some may be concerned with the memory footprint as well. Because Memoryze is a portion of MANDIANT Intelligent Response, it was built with the enterprise in mind. In an enterprise, it is not practical to acquire and bring back 15,000 or 20,000 memory images to analyze offline. With compression, analysis, and filtering capabilities, Memoryze’s memory footprint is larger. How do you mitigate this? We make use of the paging file(s). So if we force a page out of memory, Memoryze can still analyze it from the paging file(s).

Why do you do live analysis? First, as I stated above, it simply is not practical to bring back an image of RAM off of every host when the number of hosts grows larger than you can count on a hand or two. Second, by doing live analysis, we can make use of the paging file(s). If we were to acquire memory and then acquire the paging files, the synchronization issues between the two would be more severe. Third, the risk of doing the analysis on the host is similar to the risk associated with acquiring memory on the host. A.) The attacker can block access to physical memory, or B.) as Darren Bilby pointed out in his talk at Ruxcon06, the attacker can intercept the calls to map the view of physical memory. Sidebar: It is necessary to map portions of physical memory into your address space in order to acquire or analyze memory. Both attacks are possible when doing acquisition or analysis. If attack A is carried out, memory acquisition tools including Memoryze will error out. If attack B is used, neither acquisition nor analysis tools will be effective. Joanna Rutkowska demonstrated the equivalent of attack B even when doing hardware acquisition. However, attack B also requires the attacker to know the physical address of their malware in memory.

Thanks to Matthieu for engaging me in this discussion. If you have not read his work on the hibernation file in Windows, it is very interesting.

Jamie Butler

By the way, you may be asking yourself why you cannot run Memoryze or other acquisition tools from a CD. Basically, Microsoft will not load a driver from a CD. It must first be copied to the local host. This is similar to trying to map a network drive with Memoryze and using it. Microsoft will not allow you to load a driver that is located on a network share. Check back in the coming weeks. We just might copy that single driver file to the local host so you can run it from a CD.