00000nam 2200000za 4500 9.821407 CaOODSP 20240219183451 cr ||||||||||| 160720s2013 onc|||||o f000 0 eng d CaOODSP eng eng fre n-cn--- D68-6/319-2012E-PDF Carbone, Richard. The definitive guide to Linux-based live memory acquisition tools [electronic resource] : an addendum to "State fo the art concerning memory acquisition software : a detailed examination of Linux, BSD and Solaris live memory acquisition" / by Richard Carbone and Sébastien Bourdon-Richard. [Ottawa] : Defence Research and Development Canada, c2013. xviii, 100 p. : tables, figures. Technical Memorandum ; 2012-319 "September 2013." Includes bibliographical references. This technical memorandum is an addendum to TM 2012-008, “State of the art concerning memory acquisition: A detailed examination of Linux, BSD and Solaris live memory acquisition.” It examines in detail two additional software tools, Volatility’s Pmem and LiME’s Linux kernel memory drivers, both of which can be used for the memory acquisition of Linuxbased live computer systems. The authors then compare them with Fmem and Second Look, the two best Linux-based memory acquisition tools as per TM 2012-008. Fmem and Second Look are analysed using the same methodology as for Pmem and LiME. This memorandum also amends information pertaining to the faulty memory acquisition of Fmem as conducted in the previous study. Additionally, certain inaccuracies were made in TM 2012-008. This specific text corrects them. As such, it should now be considered the authoritative reference concerning Linux, UNIX and BSD memory acquisition, although the experiments as conducted in TM 2012- 008 will continue to remain valid. Finally, upon completing the analysis of these tools, the authors recommend the use of LiME for investigative fieldwork. However, other tool-specific recommendations are found and examined in the Conclusion. gccst Technical reports Computer forensics Crash driver Memory acquisition Defence R&D Canada. Technical memorandum (Defence R&D Canada) 2012-319 (CaOODSP)9.820564 PDF 688 KB https://publications.gc.ca/collections/collection_2016/rddc-drdc/D68-6-319-2012-eng.pdf