[Vol-users] RFI: Failed Memory Acquisitions

AAron Walters awalters at 4tphi.net
Tue Dec 22 13:18:46 CST 2015


As you know, one of the main goals of the Volatility Foundation is to 
promote the use of memory analysis within the forensics community.  If you 
have been on this mailing list for a while or seen some of the recent 
court cases, you know that one of the main challenges facing investigators 
is the ability to reliably collect a sample of physical memory.  The 
increasing number of acquisition tools has given people a lot of options 
but has also exacerbated the challenge of knowing which tool to use and 
under what circumstances.

In order to address this and to reduce the amount of time we spend helping 
investigators troubleshoot bad memory samples, we are working on 
developing some memory acquisition guidelines for investigators.  If you 
have had experiences where you were unable to collect a valid sample from 
a system, we would like to hear from you.  This could mean that the system 
crashed during collection or the collected sample couldn’t be analyzed. 
In particular, we are interested in the details (hardware, software, etc.) 
about the system the memory was being acquired from and the version of the 
tool you were using to perform the acquisition.

If you have this type of information and are able to share, please contact 
me off list.

Happy holidays and hope we can catch up in the New Year!

AAron Walters
The Volatility Foundation
