Tom,
I have done tests with fdpro 2.0.3.151 on a macbook pro running win7 sp1 x64 and have run volatility 2.1 alpha r1508 against it. Everything works fine on my side. You said that your fdpro memory dump was a dd image. Have you acquired memory with the hpak extension and then extracted the memory dump from the hpak format? Or did you acquire memory directly with a .bin extension?
Sebastien
Please note that there is an open source version of win32dd in
volatility (with many bug fixes):
http://code.google.com/p/volatility/source/browse/branches/scudette/tools/windows/win32dd.py
I have changed it a lot from the original so it exports a seekable
device now - you can run volatility directly on the live machine, and
also just dd the memory off from user space (and across the network or
whatever). I intend to add a couple more acquisition methods to it
very shortly but this is already useful.
If you want to use it with 64 bit platforms you need to sign it of course.
Michael.
On 8 March 2012 23:11, AAron Walters <awalters@4tphi.net> wrote:
>
> Tom,
>
>
>> at least. FDPro is what was available to me here (we use HB Gary
>> Responder in our environment), so that's why I was testing against that.
>
>
> That does not sound like a fun environment ;) I guess it is a little better
> than people who still use mdd. (Hopefully no one on this list still uses
> mdd!).
>
>
>> I don't recall hearing of kntdd before (I might have but it doesn't ring a
>> bell), but I'll look at it. I'd have some other things to work out in order
>> to be able to use that on our network though (not related to the tool
>> itself).
>
>
> It is definitely worth checking out. kntdd is by far the most robust
> acquisition tool and George is a great guy (and member of this list ;).
>
>
>> Are there any specific tests I can do to see if those issues were fixed?
>
>
> I will try to dig up the emails. Some of the issues were related to pages
> missing or being zeroed out. I mentioned it on the Volatility tumblr and I
> was told there was a thread on the Guidance portal. Granted, it was late
> 2008:
>
> "In each instance, users have reported that critical sections of physical
> memory are being overwritten when a physical memory sample is acquired on
> certain hardware configurations."
>
> HTH,
>
> AW
>
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilesystems.com
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
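The zeroed-page problem quoted above is something you can measure on any raw image. The following is an added example (not code from the thread, from Volatility or from any of the acquisition tools named): it walks an image page by page, counts pages that are entirely zero and records the longest contiguous zero run, running here on a constructed sample image rather than a real dump; the 4 KiB page size and the 1 MiB run threshold are assumptions.

```python
"""Zero-page survey of a raw (dd-style) physical-memory image.

Added example, not code from the thread or from Volatility. Scattered
zero pages are normal (free memory); a large contiguous run of them in
the middle of a dump is the kind of "overwritten" region the quoted
report describes and is worth comparing with a second acquisition.
"""
import io

PAGE_SIZE = 4096  # assumption: 4 KiB pages, the x86/x64 default


def survey_zero_pages(source, page_size=PAGE_SIZE):
    """Return page counts and the longest run of all-zero pages.

    `source` is a file path or raw bytes (bytes are used by the
    constructed sample below so the example runs without a real dump).
    """
    fh = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else open(source, "rb")
    total = zero = run = longest = 0
    longest_offset = None
    with fh:
        while True:
            page = fh.read(page_size)
            if not page:
                break
            total += 1
            if page.count(0) == len(page):  # every byte in this page is 0x00
                zero += 1
                run += 1
                if run > longest:
                    longest = run
                    longest_offset = (total - run) * page_size
            else:
                run = 0
    return {"pages": total, "zero_pages": zero,
            "longest_zero_run": longest, "longest_run_offset": longest_offset}


def looks_overwritten(stats, max_run_pages=256):
    """Heuristic (assumption): a zero run of 256 pages (1 MiB) or more
    is flagged for a second look; tune it for the platform at hand."""
    return stats["longest_zero_run"] >= max_run_pages


def build_sample_image(pages=64, page_size=PAGE_SIZE):
    """Constructed 256 KiB image: pages 10-29 zeroed (one 20-page run),
    page 40 zeroed on its own, every other page a non-zero fill byte."""
    return b"".join(bytes(page_size) if 10 <= n < 30 or n == 40
                    else bytes([(n % 255) + 1]) * page_size
                    for n in range(pages))


if __name__ == "__main__":
    stats = survey_zero_pages(build_sample_image())
    print(stats, "flagged" if looks_overwritten(stats) else "ok")
```

Point `survey_zero_pages` at a real .bin or dd image to get the same statistics for an actual acquisition.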