Surge Collect Provides Reliable Memory Acquisition Across Windows, Linux, and macOS
June 12, 2018
Over the last 10 years, memory acquisition has proven to be one of the most important and precarious aspects of digital investigations. Unfortunately, many investigators blindly trust free and commercial tools without understanding the associated risks and limitations. Consequently, they often end up with corrupt memory samples, or they crash systems containing volatile data that is critical to their investigations. While these tools may be readily accessible, many are unsupported or have been effectively abandoned by their original developers.
In addition, a recent empirical study showed that most open source or commercial Windows memory acquisition tools either failed to collect or crashed systems with modern security features enabled. Based on user feedback, we determined there was a growing need within the industry to provide reliable and actively supported memory acquisition capabilities across Windows, Linux, and macOS.
When we set out to develop Volatility, we decided to focus our attention on memory analysis. At the time, operating systems exposed a number of simple and reliable mechanisms for accessing memory. Unfortunately, over the years those methods evolved and eroded. Increasingly, we encountered corrupt or invalid memory samples. As a result, we were frequently spending time troubleshooting and submitting patches to vendors and open source developers in order to make sure Volatility had valid data to analyze. Despite our patches and advice, most of the tool maintainers lacked the expertise or resources to keep up with the rapid changes associated with modern operating systems.
Scarcity of Supported Solutions
Given the increasing importance of memory analysis and the unreliability of existing collection tools, the time had come for us to invest in building a full-stack solution that addressed the challenges of both collection and analysis. In addition to providing a more robust collection solution that we could actively maintain and support, we also saw an opportunity to exploit a tighter integration between collection and analysis, thereby improving the overall user experience. Towards this goal, three years ago we started recruiting an amazing team of computer scientists and operating system developers to build a reliable suite of acquisition tools. Based on their years of hard work, we are excited to publicly announce Surge Collect.
Introducing Surge Collect
Surge Collect provides a reliable and commercially supported collection capability with flexible storage options and an intuitive command-line interface. Through Volexity’s Early Adopters Program, Surge Collect is currently in use by many of the largest federal and local law enforcement agencies around the world. Surge Collect is also actively used by leading incident response firms, technology companies, telecommunication providers, universities, Fortune companies, and branches of the military. These organizations face some of the most advanced adversaries, and they require tools they can depend on.
Highlighted features and benefits of Surge Collect include:
- Windows, Linux, and macOS support
- Cryptographic integrity checks
- Robust error and audit logging
- Local and network collections using SSL/TLS
- Compression support
- API and file system collection capabilities
- Page file(s) support
- Cloud storage support
- Rigorous testing and documentation
- Dedicated development and support team
A Flexible Solution
A major design goal of Surge Collect was to ensure that it could integrate easily with existing security software. This is extremely important for many of our larger enterprise customers, who frequently have pre-deployed security products that either don’t support memory acquisition or are unable to preserve the state of memory reliably. Surge Collect can be easily integrated with Tanium, Carbon Black, and other enterprise software agents. We hope these integrations will finally give users a reliable, flexible acquisition capability they can depend on and facilitate advanced memory analytics.
Contact us to learn more about Volexity Surge Collect.