Margarita Shotgun – Remote Memory Acquisition Tool

Memory acquisition is one step to prepare and make the forensics analysis. taking a snapshot of the memory and analyze it offline will allow investigator to confirm the integrity of the live machine and this is better than running several tools on live system.

The risk when running tools during forensics is that they may modify some artifact that affect the investigation.Another issue with conducting investigation on live machine is that if the compromised system running a hidden malware or a rootkit it will be easier to find them in the offline memory than using a combination of tools. If you are looking to acquire memory in AWS public cloud account you can check Margarita Shotgun.

Margarita Shotgun is a command line utility that works with or without Amazon EC2 instances to parallelize remote memory acquisition.

Margarita Shotgun - Remote Memory Acquisition Tool

Margarita Shotgun – Remote Memory Acquisition Tool

When you navigate to the conf folder you will find several configuration files to configure the S3 bucket, parallel accusation and logging.  The tool will copy memory to an S3 bucket using a secure network connection. next you can run other dedicated tools to analyze the data. After that you have the images in S3 you can move them to SIFT workstation or DEFT to run the analyzes.

You can read more and download the this tool over here: