Today, many applications protect their memory sets against dumping. If an improper tool is used to capture a memory dump, important evidence may be destroyed.
St. Petersburg, Russia (PRWEB) March 26, 2013
Belkasoft, a developer of computer forensic software, announces the release of a free memory dumping tool for digital forensics. Featuring kernel-mode operation, the new tool is able to capture the content of the computer’s volatile memory even if an active anti-dumping protection is running. The supplied kernel-mode driver can successfully acquire volatile memory sets of applications protecting their working set against dumping, including chats occurring in Karos and other MMORPG games. The tool is available for all computers running current and legacy versions of Windows. 32-bit and 64-bit kernel-mode drivers are included. The product is available free of charge at http://forensic.belkasoft.com/en/ram-capturer
Protected Memory Sets
Today, many applications protect their memory sets against dumping. Such applications include multi-player online games, malware, custom and commercial products protected with active anti-debugging systems. In best-case scenario, an attempt to read a protected memory area will result in garbage data or zeroes returned instead of the actual information. In worst-case scenarios, if an anti-debug system detects an attempt to read protected memory areas, it may take measures to destroy affected information and/or cause a kernel mode failure, locking up the computer and making further analysis impossible. This may happen if a user-mode volatile memory analysis tool is used to dump content protected with a kernel-mode anti-debugging system.
Kernel Mode Memory Dumping
There are several techniques available to forensic specialists when acquiring the content of the computer’s volatile memory. Capturing live RAM content can be done with user-mode or kernel-mode software tools, or performed in a form of a FireWire attack (if the target computer supports FireWire and has corresponding drivers installed and active).
The majority of free memory dumping tools such as AccessData FTK Imager or PMDump can only run in user mode. In comparison, Belkasoft RAM Capturer supplied a kernel-mode driver that operates in the system’s most privileged ring in kernel mode. Running in kernel mode allows Belkasoft RAM Capturer to successfully bypass all currently available active anti-dumping protection systems such as nProtect GameGuard.
Anti-debug and anti-dumping systems such as GameGuard are designed to protect applications’ memory set against tools attempting to acquire or modify protected content. These systems run as system drivers in the most privileged kernel mode, leaving no chances to memory acquisition tools running in a less-privileged user mode.
Belkasoft RAM Capturer supplies its very own system driver, running in the same privileged kernel mode as anti-dumping systems. This allows Belkasoft RAM Capturer to successfully acquiring memory content protected by these anti-dumping systems.
Belkasoft made an internal comparison between Belkasoft RAM Capturer and latest versions of competing RAM acquisition tools. Belkasoft RAM Capturer was tried against AccessData FTK Imager 188.8.131.523 and PMDump 1.2. The test subject, Karos, was using an active anti-debugging protection specifically designed to resist memory dumping.
AccessData FTK Imager 184.108.40.2063 returned an empty memory block filled with zeroes. PMDump 1.2 was unable to capture the memory area of interest, returning random data instead of the actual content. Belkasoft RAM Capturer was the only tool to correctly recover memory areas occupied with test subject.
About Belkasoft RAM Capturer
Belkasoft RAM Capturer is a free forensic tool to acquire the content of the computer’s volatile memory, even if anti-debugging or anti-dumping protection is active. By working in system kernel mode, Belkasoft RAM Capturer can successfully bypass protection that many other tools can’t. When tested against competing RAM capturing tools, Belkasoft RAM Capturer demonstrated the best results, being able to successfully acquire protected memory areas that the other tools couldn’t. Belkasoft RAM Capturer is available to all customers at no charge.
Pricing and Availability
The new memory dumping tool is available to all customers free of charge, and can be downloaded from the company’s website.
Belkasoft RAM Capturer supports computers running 32-bit and 64-bit versions of Windows including Windows XP, Windows Vista, Windows 7, 2003 and 2008 Server in all editions and with any combination of installed service packs.
Founded in 2002, Belkasoft is an independent software vendor specializing in computer forensics and IT security software. Running on the Microsoft Windows platform, Belkasoft products back the company’s "Forensics made easier" slogan, offering IT security experts and forensic investigators solutions that work right out of the box, without requiring a steep learning curve or any specific skills to operate.
Belkasoft Evidence Center 2013 is a world renowned tool used by thousands of customers for conducting forensic investigations, as well as for law enforcement, intelligence and corporate security applications. Belkasoft customers include government and private organizations in more than 40 countries, including the FBI, US Army, DHS, police departments in Germany, Norway, Australia and New Zealand, PricewaterhouseCoopers, and Ernst & Young.
More information about the company and its products at http://belkasoft.com
# # #
Information on Belkasoft RAM Capturer as well as the free download are available at http://forensic.belkasoft.com/en/ram-capturer