Memory Forensics Question

System: Windows XP SP3 32bit
Physical RAM: 3GB
Page File (virtual): 4GB

Created backup image of the current state of memory (RAM) using dd (command below)
dd.exe if=\\.\PhysicalMemory of=C:\memorydump.img

Q1: This image file that dd created (snapshot of memory at the current state), is that memory physical RAM and Page File memory or just physical RAM?  I used live CD Helix with dd.exe.

Q2: Now that I have this image file of memory, what tool can I use to analyze the contents.  Maybe something like WindDbg or WinHex?  If so, do you just open the image file into the program?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:

DD should be extracting physical memory (RAM) not paged or virtual memory.But I will suggest that you use Win32dd instead in your Windows environment to stay close to verify the tool. There are too many variants even in Linux - dd by the way is typically used for raw bit-to-bit copy too

See @

Note that the screenshot in slide 17 indicate same no with physical memory. See slide 21, the dumped file size can be larger as to determine the size of the physical address space, it may render to using this formula :—(HighestPhysicalPage+ 1) * PAGE_SIZE


The Win32dd o/p can be used for Windbg as well as for the dd o/p. The analysis can be rather manual and if you are experience in such analysis, probably it is easier to look through the memory map else I will suggest other useful tools to highlight key aspects in analysis.

For leveraging Windbg, can see paper. It talks on the structure of the dump but can be too technical though @

For other useful tools, can check out
a) Memoryze @
b) Volatility @

In short, both free tools list down (based on command options) the critical parameters to help in revealing any suspicious activities e.g. hidden processes, stealth listening ports, rootkit detection. There are scripts provided to do it directly as well for some cases such as Memoryze's rootkit detection @

There are no hard and fast rule to check out the dump, but I supposed it is typically for incident analysis :) Nonetheless, do also take a look at this quick scenario as an example to under memory forensic use case

hope it helps


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Knowledge01Author Commented:
breadtan went above and beyond to answer this question.  This question was answered with high forensic experience.
i know this is a little late, but for Q2, you could just try data carving using foremost, which is a command-line data carving tool and can be found on the free HELIX disc.

Good help resources:

download Helix2 here:

Hope this helps.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.