SecureArtisan

My Road to Digital Forensics Excellence

Calculating System RAM

Posted by Paul Bobby on November 4, 2008

How can one determine System RAM during a dead-box analysis?

The only registry hive that would make sense to me is HKLM, and then the Hardware subkey (with all its values).

The HARDWARE key is only stored in volatile RAM, not as a file on your hard drive – it is populated with data from the boot process. So for a dead-box analysis, you won't be able to get any information from this.

The only key I found that may be of use is

HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\System Resources

There are three keys under here: Loader Reserved, Physical Memory and Reserved. Each one has a value of type REG_RESOURCE_LIST.

That’s as much as I know; I’m going to have to google this stuff to figure out what the data in these arrays mean.

Read the last 4 bytes of the “HKEY_LOCAL_MACHINE\HARDWARE\RESOURCEMAP\System Resources\Physical Memory” key.

Mine is 0x00 0x00 0xF6 0x3E

Memory algorithm:

1. a = 0x3E (62) * 16,777,216
2. b = 0xF6 (246) * 65536
3. c = 0x00 * 256
4. d = 0x00
5. e = a+b+c+d+16,371,712
6. Memory = e / 1,048,576

For example, using the values from my registry.

a = 1040187392
b = 16121856
c = 0
d = 0
e = 1072680960

Memory = 1022.98828125 or ~1022Mb or ~1Gb
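
The six steps above as an added Python example (not code from the original post): it pulls a value's bytes out of a regedit-style `hex(8)` export and applies the same weights to the last four. The sample export, its value name and its leading bytes are constructed; only the last four bytes and the 16,371,712 constant come from the post, and mapping `c` and `d` to the second and first bytes is an assumption, since both are zero in the post's data.

```python
import re

# Constant added in step 5, taken from the post as-is (not derived here).
PAGE_OFFSET_BYTES = 16_371_712

# Constructed sample: regedit-style export of a REG_RESOURCE_LIST (hex(8)) value.
# The value name and leading bytes are filler; only the last four bytes
# (00 00 f6 3e) come from the post.
SAMPLE_REG_EXPORT = r'''
"Sample"=hex(8):01,00,00,00,00,00,00,00,00,00,00,00,01,00,01,00,01,00,00,00,\
  03,00,00,00,00,00,10,00,00,00,00,00,00,00,f6,3e
'''

def bytes_from_reg_export(text):
    """Return the raw bytes of the first hex(8) value in a .reg-style export."""
    m = re.search(r'=hex\(8\):((?:[0-9a-fA-F]{2}|[,\s\\])+)', text)
    if not m:
        raise ValueError("no hex(8) (REG_RESOURCE_LIST) value found")
    # Continuation backslashes, commas and whitespace are skipped here.
    return bytes(int(h, 16) for h in re.findall(r'[0-9a-fA-F]{2}', m.group(1)))

def ram_from_resource_list(raw):
    """Apply the post's six steps; return (total_bytes, megabytes)."""
    if len(raw) < 4:
        raise ValueError("value too short: need at least 4 bytes")
    b0, b1, b2, b3 = raw[-4:]      # stored order, e.g. 00 00 F6 3E
    a = b3 * 16_777_216            # step 1: last stored byte weighs the most
    b = b2 * 65_536                # step 2
    c = b1 * 256                   # step 3 (byte position assumed)
    d = b0                         # step 4 (byte position assumed)
    e = a + b + c + d + PAGE_OFFSET_BYTES   # step 5
    return e, e / 1_048_576        # step 6: bytes to megabytes

def ram_mb_from_export(text):
    """Convenience wrapper: export text in, megabytes out."""
    return ram_from_resource_list(bytes_from_reg_export(text))[1]

if __name__ == "__main__":
    total, mb = ram_from_resource_list(bytes_from_reg_export(SAMPLE_REG_EXPORT))
    print(f"{total} bytes = {mb} MB")
```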
