ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

Question: Identifying changes to the memory when acquisition happens #174

Closed Snips979 closed 3 years ago

Snips979 commented 3 years ago

Hi, I would like to know if there is a way to identify how much an acquisition via DMA with pcileech (FPGA) affects a memory dump. Or are you aware which impact a memory acquisition with pcileech has on the dump? I ask because in forensics the integrity and correctness of the acquired data is very important. Am I correct in my assumption that a memory dump acquired via DMA has less impact on the dump than a software-based method like winpmem?

Thanks in advance for your answer.

ufrisk commented 3 years ago

Yes, when you dump using a software version it would affect memory in numerous ways; for one, it needs to load the dump executable into memory and execute it, log it, and so on.

When you attach the device it's enumerated and stored in a registry hive (i.e. it affects memory). The dumping itself (unless you insert a kernel module) should not affect memory.

To avoid the device being detected by the OS it's possible to set the vendor/device ID to 0xFFFF; but then you may have to use an alternative read algorithm, fpga://algo=1. Please let me know if this answers your question.
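One way to approach the measurement asked about above, as an added example that is not code from the original thread or from pcileech: compare two raw physical-memory images page by page (for instance two consecutive acquisitions, which establishes the baseline churn of a live system before any difference is attributed to the acquisition method) and report how many 4 KiB pages differ and where. The sample images and the names diff_dumps and build_sample are this example's own constructions.

```python
# Added example (not part of pcileech or this thread): page-level diff of two
# raw physical-memory images, to quantify what changed between acquisitions.
# All names below are this example's own assumptions.
from typing import Dict, List, Tuple

PAGE_SIZE = 4096  # x86/x64 base page size

def diff_dumps(dump_a: bytes, dump_b: bytes, page_size: int = PAGE_SIZE) -> Dict:
    """Compare two same-sized raw dumps page by page; report differing pages
    as a count, a fraction, and merged [start, end) physical-address ranges."""
    if len(dump_a) != len(dump_b):
        raise ValueError("dumps must cover the same physical range")
    total = (len(dump_a) + page_size - 1) // page_size
    changed = [i for i in range(total)
               if dump_a[i * page_size:(i + 1) * page_size]
               != dump_b[i * page_size:(i + 1) * page_size]]
    ranges: List[Tuple[int, int]] = []  # consecutive pages merged into ranges
    for page in changed:
        start = page * page_size
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], start + page_size)
        else:
            ranges.append((start, start + page_size))
    return {"pages": total, "changed_pages": len(changed),
            "changed_ratio": len(changed) / total if total else 0.0,
            "ranges": ranges}

def build_sample() -> Tuple[bytes, bytes]:
    """Constructed 16-page images; the second differs in pages 3, 4 and 9."""
    base = bytearray(16 * PAGE_SIZE)
    for i in range(16):
        base[i * PAGE_SIZE] = i          # make each page distinguishable
    after = bytearray(base)
    after[3 * PAGE_SIZE + 100] ^= 0xFF   # constructed change in page 3
    after[4 * PAGE_SIZE + 8] = 0x41      # constructed change in page 4
    after[9 * PAGE_SIZE] = 0xEE          # constructed change in page 9
    return bytes(base), bytes(after)

if __name__ == "__main__":
    r = diff_dumps(*build_sample())
    print(f"{r['changed_pages']}/{r['pages']} pages changed ({r['changed_ratio']:.1%}); "
          + ", ".join(f"{s:#x}-{e:#x}" for s, e in r["ranges"]))
```

Real multi-gigabyte dumps should be streamed from disk in page-sized chunks rather than loaded whole; the comparison logic stays the same.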

Snips979 commented 3 years ago

Thank you for your quick response. Yes, that answers my question.