On Thu, Mar 8, 2012 at 3:01 PM, AAron Walters <awalters(a)4tphi.net> wrote:
> For what it's worth, please keep in mind that you could see different
> acquisition behavior on a VM, as opposed to a physical machine. I have never
> used FDPro, but I have received lots of reports of people having issues in
> the past. Personally, I would never use it in a production environment. When
> people are looking for a commercial acquisition tool, I generally recommend
> George's kntdd. George has been doing "robust" memory acquisition longer
> than anyone else in the industry and has an unsurpassed understanding of the
> acquisition process.

Yeah I know it'll be a bit different, but it's one more test I can do
at least. FDPro is what was available to me here (we use HB Gary
Responder in our environment), so that's why I was testing against
that.

I don't recall hearing of kntdd before (I might have but it doesn't
ring a bell), but I'll look at it. I'd have some other things to work
out in order to be able to use that on our network though (not related
to the tool itself).

> Previously, EnCase also had a lot of issues with their memory acquisition as
> well. I've seen samples where critical pages were missing. I'm not sure if
> any of those issues have been fixed.

Are there any specific tests I can do to see if those issues were fixed?

> Just a couple of things to keep in mind!
>
> AW

Thank you for the info!

Tom