Making complex data simple and compelling
From digital device to digital evidence
Unlock your vehicle's digital evidence potential
Forensic Analysis and Enhancement
Investigating and analyzing financial records
Gain access to the online accounts of deceased loved ones
Clear, precise evidence for a messy world
Expert reports to suit your specific needs
We can locate people anywhere
Stop worrying and learn the truth
Prevent, Detect, Respond To Cyberattacks
First response is crucial. Every minute counts.
The first response is critical to reduce liability
Detection & Removing Spyware Services
Reduce your electronic risk from digital transmittals
Find out who you are really talking to
Experienced, Confidential Services
Swift, professional incident response
Complicated cases require compelling digital facts
Find, recover and document digital evidence
Bring solid evidence before a judge
Cases can be investigated using Social Media
Divorce, custody battles, and other
Win the most important battle of your life
Everything you need
Effective Expert Witness in Court
Evidence shows who is telling the truth
Subpoena power yields strong evidence
Digital evidence can build a strong defense
Go to court with compelling digital evidence
There are several methods of acquiring a memory image from a Linux system – one of the most traditional being to image the current physical memory into a single file – In this case any non-system areas would need to be padded with zeros in order to maintain the representation of physical memory. Another method involves examining the /proc/iomem file (Linux will print the current map of the systems memory in this file) to identify which memory ranges are marked as System RAM, and copying / concatenating those ranges into one file. This results in a smaller file, but lacks the representation of physical memory.
The problem we have and the reason this article and Python code has come to be is because I have a memory image (for a challenge, actually – more on that in a later article, perhaps) which has been obtained using LiME, but with LiME set to output in a raw format which simply concatenates the System RAM ranges together. Many memory forensics tools and frameworks, such as Volatility, or crash with the volatile patch cannot work with this kind of raw memory image . The tools have no way of knowing what goes where.
Please enter the result of the calculation above.
Save my name, email, and website in this browser for the next time I comment.
Speak to a Specialist Now
Get Help Now