topic Re: Perform Memory Acquisition Using XDR in Cortex XDR Discussions

Perform Memory Acquisition Using XDR

KanwarSingh01 — Fri, 16 Sep 2022 03:46:43 GMT

Hi,

Is it possible to acquire memory using Cortex XDR for digital forensics? We are not looking for process dump but a complete memory dump of the system which we can further use with tool like volatility or something.

Thanks in advance.

Regards

Kanwar

Re: Perform Memory Acquisition Using XDR

neelrohit — Fri, 16 Sep 2022 05:24:06 GMT

@KanwarSingh01 ,

Thank you for writing to Live Community!

WIth the advent of Cortex XDR 3.4, we support memory collection using forensics add on module. Please navigate to forensics> Triage>Configurations and create a configuration of your choice with memory collection enabled.

Please be advised that as of now memory collection is available as an offline collector only and should not be run on endpoints running Cortex XDR agents as the agent code conflict will prevent a memory collection.

There is a fix to this conflict targetted for XDR agent version 7.9 which also in turns targets to bring agent based memory dump collection.

Hope that answers you question!

Regards.

Re: Perform Memory Acquisition Using XDR

Cyber1985 — Sat, 17 Sep 2022 08:56:58 GMT

Hey neelrohit,

So as I understand, if we want to use the offline collector for forensics we should deactivate or uninstall the agent until agent Version 7.9?

Rob

Re: Perform Memory Acquisition Using XDR

neelrohit — Sat, 17 Sep 2022 09:15:57 GMT

Hi @Cyber1985 ,

That is correct. As of now, if we have to perform memory collection, we might have to disable the agent service or pause endpoint protection for this capability to work seamlessly.

Regards.

Re: Perform Memory Acquisition Using XDR

Cyber1985 — Sat, 17 Sep 2022 10:38:50 GMT

Hello Neelrohit,

Does this protection afect Tools like in the link too?

https://medium.com/@balqurneh/bypass-crowdstrike-falcon-edr-protection-against-process-dump-like-lsass-exe-3c163e1b8a3e

Rob