Rob Fuller, aka Mubix, of joins us to expand on last week’s discussion about the cold boot attacks. We cover retrieving memory from live systems, analysis with tools like Volatility, and file recovery with foremost. Mubix calls it forensics for the gray hat.


Rob Fuller, aka Mubix, of joins us to expand on last week’s discussion about the cold boot attack.

This time we’re imaging memory from live systems, Windows boxes specifically. I point out my favorite open source app, win32dd, which can retrieve physical memory in a couple of different ways. Mubix is a fan of ManTech’s MDD. Both of these tools are capable of capturing memory on Windows 2003 SP1 (Vista+) and later machines. More tools can be found at the Forensics Wiki.

Once we’ve captured our memory, it’s time to run it through a few tools to extract the good bits. Last week we touched on AESKeyFinder and RSAKeyFinder as well as strings. This week we’re using the epic memory artifact extraction utility Volatility.

This gem allows us to see deep into what a Windows box was doing at the time of memory capture, including running processes, open network connections, DLLs loaded for each process, registry handles, and more. The tool can even extract executables from memory. It’s a nifty little cross-platform tool that’s worth a spin. If you’re looking to get your feet wet, you might want to try it against some example data, courtesy of NIST.

Best of all, Volatility is a framework that supports third party scripts. One such plugin makes it pretty simple to extract the Windows SAM from a memory sample.

We also cover using foremost, an excellent tool for recovering data from memory based on headers, footers and data structures. I can say from experience that using the -t ALL option on a dump of Mubix’s memory recovers A TON of files, all nice and neat in their own folders based on extension. Thanks for the mem dump Mubix ;). If you don’t have a capture of Mubix’s memory you can find samples to play with foremost at the Digital Forensics Tool Testing Images site.
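To make the header/footer carving concrete, here is a small Python carver added as an example (it is not foremost’s own code and was not part of the episode): it hunts for a few file signatures in a raw dump, carves everything between header and footer, and drops each hit into a per-extension folder the way foremost organizes its output. The signature table is a tiny subset, and the dump bytes are constructed inline.

```python
"""Minimal foremost-style header/footer carver (added example, not foremost's code).
It scans a raw memory dump for file signatures, carves each header..footer span,
and writes hits to <outdir>/<ext>/ like foremost does. Input below is constructed."""
import os
import re

# extension -> (header, footer, max carve size). A header with no footer inside
# max_size is treated as noise and skipped, which is what foremost does by default.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 4 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3b", 1024 * 1024),
}

def carve(data: bytes):
    """Return (ext, offset, blob) for every complete header..footer hit, by offset."""
    found = []
    for ext, (header, footer, max_size) in SIGNATURES.items():
        for m in re.finditer(re.escape(header), data):
            start = m.start()
            window = data[start:start + max_size]
            idx = window.find(footer, len(header))   # footer must come after the header
            if idx == -1:
                continue                             # header with no footer in range: skip
            found.append((ext, start, window[:idx + len(footer)]))
    return sorted(found, key=lambda hit: hit[1])

def write_out(found, outdir):
    """Write each carved blob to outdir/<ext>/<offset>.<ext>; return the paths."""
    paths = []
    for ext, offset, blob in found:
        folder = os.path.join(outdir, ext)
        os.makedirs(folder, exist_ok=True)
        path = os.path.join(folder, f"{offset:08x}.{ext}")
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths

# Constructed "dump": padding, a tiny GIF, padding, a JPEG header with no footer
# (should be skipped), then a tiny PNG and trailing padding.
SAMPLE_DUMP = (b"\x00" * 64 + b"GIF89a" + b"\x01" * 20 + b"\x00\x3b"
               + b"A" * 32 + b"\xff\xd8\xff\xe0" + b"B" * 16
               + b"\x89PNG\r\n\x1a\n" + b"C" * 40 + b"IEND\xaeB`\x82" + b"\x00" * 16)

if __name__ == "__main__":
    hits = carve(SAMPLE_DUMP)
    for ext, off, blob in hits:
        print(f"{ext} at offset 0x{off:x}, {len(blob)} bytes")
    print(write_out(hits, "carved"))
```

Run it on a real win32dd or MDD image by reading the file into `data` instead of `SAMPLE_DUMP`; the same scan logic applies, just with a far larger haystack.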

We’ll be back in studio next week with Matt. Of course, be sure to send your feedback to, post in the forums or respond in the comments.

And don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at or RSVP on Facebook.

Episode 522 – What’s in your RAM?


  • Hans

    I dd’d the image to my pen drive (dd if=scraper.bin of=/dev/sdi), and there’s no longer a readable partition. The ram dump seems to chug along just fine, though. How do I get the image off my thumb drive without a readable partition?

  • AltarCrystal

    Great info. I did some experimenting out of curiosity. TweetDeck has your twitter password in the oh-so-user-friendly format of username:password, which I just used strings and grep to find.

    Great show guys, keep up the great work.

  • whedgit

    Must say, I’ve had my fingers crossed for more forensics to come up and I can’t wait to watch the new ep.

    Keep up the great work!!

  • Tecky

    Ok, so I made a copy of the memory with win32dd, then I used aes to extract the keys. Then what? How do I use the keys (not plain text passwords) to open an encrypted file/drive of truecrypt?

  • Arthur G Pym

    First of all, I like you bunch of nerds, thank ya!
    Can’t the memory be manually cleared through a little gem at the shutdown process?

    best regards…

  • Ken

    Lovin’ the forensics stuff…keep it up! I do forensics in my job and love trying out new stuff. Check out the malfind plugin for Volatility. Very cool stuff.
    Keep up the good work!

  • hackbot

    Great show! Do you use a steadycam?

    Johnny Chung Lee, Human Interface Interaction Researcher at Carnegie Mellon University, has some great instructions on how to build your own $14 steadycam.

    If you don’t already have a solution in place, maybe it’d make a good, quick topic for the show.

  • Chris

    Great show. I’m one of the people who subscribes through my Tivo. It’s a sweet way to watch podcasts on my big screen TV. Just a little fyi, the links on your lower thirds had the left side cut off. That can be resolved by keeping them in the TV safe area when you’re editing. I’m a video editor for a TV station (and THE I.T. Dept/Sys Admin) and I also post our news broadcasts (converted from mpeg to flash with Sorenson) to our TV station’s website, so I’ve seen the difference between what shows in a flash player (everything) and what you see on TV. It’s not a big deal, I came here to find the links to foremost and the other tools you mentioned. I’d love to see more shows on forensics.

    Since I’m here, it’s a good time to tell you I’m a long time viewer. I think I found you when you were still in your first season about the 4th episode in. I’m an old Sch00l3r. Which means I’m 40 and started with an Apple ][+ in ’82 and a 300 baud modem. I consider myself pretty knowledgeable about “computer/network security” and really like your show because you teach this 0ld Dawg some new tricks. If you see Dr-Gonzo on your irc server, that’s me. Anyways, thanks for all the shows and info! And keep up the great work! Thanks for teaching me to Trust My Technolust 😉

  • steveo17

    gr8 shows dudes i loved all d info in it, this show is 100% more qualified to teach computer skills than any ecdl courses im involved with, although the show was gr8 i missed d multiple segments from matt and snubs and the multitude of topics consequently making the show shorter however i got a crash course in ram and its contents while watching it so tyvm guys


  • Carl Campbell

    I’ve been watching for a while now but have to stop and say your show is the best thing that ever happened to my tv experience

  • pakhet

    Snubbs dresses Darren. It’s a whole ger-animals deal. The tiger paw shirt matching the tiger paw pants. I miss having geranimals, they made mornings so much easier. Sigh.

  • Jefferson

    Hi, why can’t some memory be dumped?

    -> Dumping 1014.11 MB of physical memory to file ‘C:\dumpram.img’.
    -> WARNING: Failed to map at offset 00000000 00002000! 487
    -> WARNING: Failed to map at offset 00000000 00003000! 487
    -> WARNING: Failed to map at offset 00000000 00004000! 487
    -> WARNING: Failed to map at offset 00000000 00005000! 487
    -> WARNING: Failed to map at offset 00000000 00006000! 487
    -> WARNING: Failed to map at offset 00000000 00007000! 487
    -> WARNING: Failed to map at offset 00000000 00008000! 487
    -> WARNING: Failed to map at offset 00000000 00009000! 487
    -> WARNING: Failed to map at offset 00000000 09100000! 487

    259603 map operations succeeded (1.00)
    9 map operations failed


  • Kurt Oestreich

    One of the interesting breadcrumbs that you left was for the forensics wiki at:

    Excellent site. I followed the links there to the system internals tool livekd at:

    Which led me to grab the kernel debugger (now free!!! I have Ida, but this is so cool!!! I knew my masm was worthwhile) at:

    Which gives the debugger. And this led me to… Free kernel symbols!!! at:

    Whew. The tools Darren and the other bloke, Mubix, referenced required administrator login. The tools from Microsoft/Sysinternals don’t, and can be made portable, for the most part, except perhaps for the symbols, but I think I could make that work too.

    In any case, you two uber dudes left me a really cool trail of breadcrumbs to follow and get some massive memory hacking/debugger tools for my computer. I never bought the msoft tools because they were 1. expensive and 2. bloated. But just having the kernel debugger, combined with masm and tasm (Borland orphan) tools, makes for some real butt kicking fun!

  • naghu

    Good morning dude,
    I used win32dd to extract an image of my PC’s RAM. When I use the image file (.dmp file) in the Volatility framework I’m getting an error: volatility: error: Unable to locate valid DTB in image. What’s the prob dude..?
