Aw,
Hello, the scenario as posed is that an employee was bypassing corporate
filters by using an unknown brand of wireless broadband on his laptop. He
was witnessed by reliable sources downloading prohibited pictures through
this alternate connection.
By the time security was involved, the laptop was screen locked, no user
name entered, the broadband card was removed, and it was left sitting on his
desk. The user is sophisticated and high-level and not talking. IT proper
has been totally useless.
Laptop is a company device formerly used by executives, but apparently had
been decommissioned, wiped, and "borrowed" by this employee after an exec
left the company. It was not a part of the domain and had not been subject
to auditing.
Don't know if the LAN port was ever configured for the enterprise LAN on the
new install. Drive may very well be encrypted and autorun appears to be
disabled. It's a Sony PCG Vaio with USB1.1 and Firewire I, docking
station--typical laptop.
Eric
:-----Original Message-----
:From: vol-users-bounces(a)volatilityfoundation.org
:[mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of
:AAron Walters
:Sent: Friday, July 04, 2008 8:39 PM
:To: evb
:Cc: vol-users(a)volatilityfoundation.org
:Subject: Re: [Vol-users] Memory imaging
:
:
:eric,
:
:That's a tough situation. Can you provide any more information
:about the machine? For example, desktop or laptop? What other
:peripheral ports does it have available? There may be a
:couple of hardware dependent mechanisms for acquiring memory
:under these circumstances. I'm assuming there is no network
:access because it was removed from the network as part of
:incident response.
:
:Thanks,
:
:AW
:
:On Thu, 3 Jul 2008, evb wrote:
:
:> How does one image RAM on a Windows system with no known Windows
:> login/password, if autorun is turned off, and if there is no
:> network access.
:>
:> Thanks!
:>
:> eric
:>
:>
:> _______________________________________________
:> Vol-users mailing list
:> Vol-users(a)volatilityfoundation.org
:> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
:>