Closed Snips979 closed 3 years ago
Yes, when you dump using a software version it would affect memory in numerous ways; for one it needs to load the dump executable into memory and execute it; log it and so on.
When you attach the device it's enumerated and stored in a registry hive (i.e. it affects memory). The dumping itself (unless you insert a kernel module) should not affect memory.
To avoid the device being detected by the OS it's possible to set vendor/device id to 0xFFFF; but then you may have to use an alternative read algorithm fpga://algo=1. Please let me know if this answers your question.
Thank you for your quick response. Yes, that answers my question.
Hi, I would like to know if there is a way to identify how much an acquisition via DMA with pcileech (fpga) affects a memory dump. Or are you aware of what impact a memory acquisition with pcileech has on the dump? I ask because in forensics the integrity and correctness of the acquired data is very important. Am I correct in my assumption that a memory dump acquired via DMA has less impact on a dump than a software-based method like winpmem?
Thanks in advance for your answer.