Hello Mike,
thanks a lot for the effort you spent on that code optimization. I am a programming noob
(I am a forensics guy) but will look at it too to learn.
The FireWire access is quite funny but doesn't work with Vista at the moment (raw1394
is unable to see the Vista PC).
I have applied an extension (idea found at
https://www.moonloop.org/bin/view/Moonloop/Stream?tag=ida) to winlockpwn so it works fine
with any up-to-date SP3 system I have tested.
But a live analysis of the memory may not be the best idea because it's too volatile; even a
memory dump is not as consistent as a hiberfil.sys or memory.dmp would be. I would suggest
making a memory dump first before analysis, except for code injection techniques. ;-)
Btw, do you know how to extract the LSA key from an SP3 registry? See cachedump.py.
Jon,
F-Response is a really great tool, you're right. It uses the iSCSI protocol for
communication and silently drops every write attempt.
Both ways (FW / iSCSI) give the investigator unlimited remote access to the
'living' memory of the target. F-Response prevents writing but needs its own memory
space; FireWire does create a new device on the target system but does not consume memory.
The main danger of changing evidence is its ability to write to the target.
Cu
Mic
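The write-blocking behaviour described above (reads are served, every write attempt is silently dropped) is the property that keeps a remote acquisition from altering evidence. The following is an added example, not F-Response's code or anything from the original mail: a small Python wrapper over a constructed in-memory "image" that serves reads, records and drops writes, and lets the examiner confirm afterwards that the image hash did not change. The class and function names and the sample image are assumptions made for this illustration.

```python
"""Added example: a write-blocking view over an acquired image.

Reads pass through; writes are logged and dropped so the backing data is
never modified. A before/after hash shows the evidence stayed intact.
Names and the sample image below are constructed for this example.
"""
import hashlib
import io


class WriteBlockedImage:
    """Read-only view over image bytes; writes are recorded, never applied."""

    def __init__(self, data: bytes):
        self._buf = io.BytesIO(data)   # backing store, untouched by write()
        self.dropped_writes = []       # audit trail: (offset, length) per blocked write

    def read(self, offset: int, length: int) -> bytes:
        """Serve a read exactly as the underlying image holds it."""
        self._buf.seek(offset)
        return self._buf.read(length)

    def write(self, offset: int, data: bytes) -> int:
        """Silently drop the write: report the byte count the caller expects,
        change nothing, but keep a record for the acquisition log."""
        self.dropped_writes.append((offset, len(data)))
        return len(data)

    def sha256(self) -> str:
        """Hash of the image as it currently is (should never change)."""
        return hashlib.sha256(self._buf.getvalue()).hexdigest()


# Constructed sample image: 64 bytes of padding, a marker, then zeros.
SAMPLE_IMAGE = b"PAGE" * 16 + b"secret-marker" + b"\x00" * 32


def acquisition_session(image: bytes) -> dict:
    """Simulate a session: read the marker, attempt to overwrite it,
    then verify the image hash is unchanged and the write was logged."""
    before = hashlib.sha256(image).hexdigest()
    dev = WriteBlockedImage(image)
    chunk = dev.read(64, 13)          # reads are served unchanged
    dev.write(64, b"X" * 13)          # would clobber the marker on a writable device
    chunk_again = dev.read(64, 13)    # still the original bytes
    return {
        "chunk": chunk,
        "chunk_after_write": chunk_again,
        "dropped": list(dev.dropped_writes),
        "unchanged": before == dev.sha256(),
    }


if __name__ == "__main__":
    result = acquisition_session(SAMPLE_IMAGE)
    print(result)
```

The same idea applies to a real acquisition: hash the image as delivered, keep the write-attempt log beside it, and re-hash at the end of the session so the examiner can show the acquired memory was never modified through the access channel.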