Here is a question for those of you collecting memory from systems:
What do you do when you need to acquire memory from a 32-bit operating system that is running on hardware with more than 4 GB of physical memory?
Well, if your experiences are like mine, then you crash the system. Of course it makes sense, and I should have thought of it before trying to acquire the memory. It sure is tough looking sheepishly at a system administrator and saying “Sorry about that.” This is why I recommend acquiring systems during off hours or scheduled maintenance windows. This makes the sheepish “Sorry” a little less bitter.
I can imagine that the reason for this is that memory tools such as Memoryze, Fast Dump, F-Response (in combination with FTK Imager from a remote system), and others are programs running on the operating system itself, the 32-bit operating system. Although you would think they could only see what the operating system is able to access, their functionality gives them direct access to physical memory. So, once the program reaches memory locations beyond what a 32-bit operating system can understand, it does what all good operating systems do when they don’t understand: BSOD.
Recent experiences that I have had with acquiring physical memory that breaks the 4 GB boundary have not been successful at all. Even on 64-bit operating systems I have achieved the grand BSOD. Not sure why yet, or if this is just user error, but time and experimentation will tell.
Now, I’m not proud of crashing a customer’s system, especially multiple systems multiple times, but if we are going to get the information we need for an incident response then sometimes that is just going to happen. However, with a little knowledge and forethought some of these system crashes can be avoided.
For now, I will just have to avoid these systems and ask that system administrators don’t buy systems with lots of memory if they are not going to run 64-bit operating systems (call your application vendors before considering this!!!). If you do have a method for overcoming these issues, please leave a comment. We would all like to know.
Go forth and do good things,
Don C. Weber
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.