Tom,
> at least. FDPro is what was available to me here (we use HB Gary
> Responder in our environment), so that's why I was testing against that.
That does not sound like a fun environment ;) I guess it is a little
better than people who still use mdd. (Hopefully no one on this list still
uses mdd!).
> I don't recall hearing of kntdd before (I might have but it doesn't ring
> a bell), but I'll look at it. I'd have some other things to work out in
> order to be able to use that on our network though (not related to the
> tool itself).
It is definitely worth checking out. kntdd is by far the most robust
acquisition tool and George is a great guy (and member of this list ;).
> Are there any specific tests I can do to see if those issues were fixed?
I will try to dig up the emails. Some of the issues were related to pages
missing or being zero'd out. I mentioned it on the Volatility tumblr and
I was told there was a thread on the Guidance portal. Granted, it was late
2008:
"In each instance, users have reported that critical sections of physical
memory are being overwritten when a physical memory sample is acquired on
certain hardware configurations."
HTH,
AW