Tom,
I have done tests with fdpro 2.0.3.151 on a macbook pro running win7 sp1
x64 and have run volatility 2.1 alpha r1508 against it. Everything works
fine on my side. You said that your fdpro memory dump was a dd image. Have
you acquired memory with the hpak extension and then extracted the memory
dump from the hpak format? Or did you acquire memory directly with a .bin
extension?
Sebastien
On 8 March 2012 17:20, "Michael Cohen" <scudette(a)gmail.com> wrote:
 Please note that there is an open source version of win32dd in
 volatility (with many bug fixes):
http://code.google.com/p/volatility/source/browse/branches/scudette/tools/w…
 I have changed it a lot from the original so it exports a seekable
 device now - you can run volatility directly on the live machine, and
 also just dd the memory off from user space (and across the network or
 whatever). I intend to add a couple more acquisition methods to it
 very shortly but this is already useful.
 If you want to use it with 64 bit platforms you need to sign it of course.
 Michael.
 On 8 March 2012 23:11, AAron Walters <awalters(a)4tphi.net> wrote:
 Tom,
  at least.  FDPro is what was available to me here (we use HB Gary
  Responder in our environment), so that's why I was testing against that.
 That does not sound like a fun environment ;) I guess it is a little better
 than people who still use mdd. (Hopefully no one on this list still uses
 mdd!).
> I don't recall hearing of kntdd before (I might have but it doesn't ring a
> bell), but I'll look at it.  I'd have some other things to work out in order
> to be able to use that on our network though (not related to the tool
> itself).
 It is definitely worth checking out. kntdd is by far the most robust
 acquisition tool and George is a great guy (and member of this list ;).
  Are there any specific tests I can do to see if those issues were fixed?
 I will try to dig up the emails.  Some of the issues were related to pages
 missing or being zero'd out.  I mentioned it on the Volatility tumblr and I
 was told there was a thread on the Guidance portal. Granted, it was late
 2008:
 "In each instance, users have reported that critical sections of physical
 memory are being overwritten when a physical memory sample is acquired on
 certain hardware configurations."
 HTH,
 AW
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users 