Please note that there is an open source version of win32dd in
 volatility (with many bug fixes):
 I have changed it a lot from the original so it exports a seekable
 device now - you can run volatility directly on the live machine, and
 also just dd the memory off from user space (and across the network or
 whatever). I intend to add a couple more acquisition methods to it
 very shortly but this is already useful.
 If you want to use it with 64 bit platforms you need to sign it of course.
 Michael.
 On 8 March 2012 23:11, AAron Walters <awalters(a)4tphi.net> wrote:
 Tom,
  at least.  FDPro is what was available to me here (we use HB Gary
  Responder in our environment), so that's why I was testing against
  that.
 That does not sound like a fun environment ;) I guess it is a little
 better than people who still use mdd. (Hopefully no one on this list
 still uses mdd!).
  I don't recall hearing of kntdd before (I might have but it doesn't
  ring a bell), but I'll look at it.  I'd have some other things to work
  out in order to be able to use that on our network though (not related
  to the tool itself).
 It is definitely worth checking out. kntdd is by far the most robust
 acquisition tool and George is a great guy (and member of this list ;).
  Are there any specific tests I can do to see if those issues were
  fixed?
 I will try to dig up the emails.  Some of the issues were related to
 pages missing or being zero'd out.  I mentioned it on the Volatility
 tumblr and I was told there was a thread on the Guidance portal.
 Granted, it was late 2008:
 "In each instance, users have reported that critical sections of
 physical memory are being overwritten when a physical memory sample is
 acquired on certain hardware configurations."
 HTH,
 AW
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users 