Re: [Vol-users] Volatility and Windows 7 images
9 Mar
2012
9 Mar
'12
1:18 p.m.
Sebastien,
In my testing I was acquiring with the .bin extension.
Tom
On Fri, Mar 9, 2012 at 11:03 AM, Sebastien Bourdon-Richard
<sebastienbr(a)gmail.com> wrote:
Tom,
I have done tests with fdpro 2.0.3.151 on a macbook pro running win7 sp1 x64
and have run volatility 2.1 alpha r1508 against it. Everything works fine on
my side. You said that your fdpro memory dump was a dd image. Have you
acquired memory with the hpak extension and then extract the memory dump
from the hpak format? Or you acquired directly memory with a .bin extension?
Sebastien
Le 8 mars 2012 17:20, "Michael Cohen" <scudette(a)gmail.com> a écrit :
Please note that there is an open source version
of win32dd in
volatility (with many bug fixes):
http://code.google.com/p/volatility/source/browse/branches/scudette/tools/w…
I have changed it a lot from the original so it exports a seekable
device now - you can run volatility directly on the live machine, and
also just dd the memory off from user space (and across the network or
whatever). I intend to add a couple of more acquisition methods to it
very shortly but this is already useful.
If you want to use it with 64 bit platforms you need to sign it of course.
Michael.
On 8 March 2012 23:11, AAron Walters <awalters(a)4tphi.net> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Tom,
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users at least. FDPro is what was available to me here
(we use HB Gary
Responder in our environment), so that's why I was testing against
that.
That does not sound like a fun environment ;) I guess it is a little
better
than people who still use mdd. (Hopefully no one on this list still uses
mdd!).
I don't recall hearing of kntdd before (I
might have but it doesn't
ring a
bell), but I'll look at it. I'd have some other things to work out in
order
to be able to use that on our network though (not related to the tool
itself).
It is definitely worth checking out. kntdd is by far the most robust
acquisition tool and George is a great guy (and member of this list ;).
Are there any specific tests I can do to see if
those issues were
fixed?
I will try to dig up the emails. Some of the issue were related to
pages
missing or being zero'd out. I mentioned it on the Volatility tumblr
and I
was told there was a thread on the Guidance portal. Granted, it was late
2008:
"In each instance, users have reported that critical sections of
physical
memory are being overwritten when a physical memory sample is acquired
on
certain hardware configurations."
HTH,
AW
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users