Tom,

FDPro does work with Windows 7 (32 and 64-bit) with the 2.1_alpha of
Volatility. So it may be how the Windows 7 box I'm using for testing is
configured. I'm going to fire up a Win7 VM that I have and run FDPro
against that and see what happens.

For what it's worth, please keep in mind that you could see different
acquisition behavior on a VM, as opposed to a physical machine. I have
never used FDPro, but I have received lots of reports of people having
issues in the past. Personally, I would never use it in a production
environment. When people are looking for a commercial acquisition tool, I
generally recommend George's kntdd. George has been doing "robust" memory
acquisition longer than anyone else in the industry and has an unsurpassed
understanding of the acquisition process.

Finally, I did acquire the memory again with EnCase Enterprise, but set
it up for no compression. I converted it to a DD image with FTK Imager
(command line version in this case) and it worked perfectly. So it looks
like the EnCase problem is being caused by the compression settings
(which I guess makes sense when I think about it). I tested that image
against both OS X and Ubuntu (with 2.1_alpha).
Previously, EnCase also had a lot of issues with their memory acquisition.
I've seen samples where critical pages were missing. I'm not sure if any of
those issues have been fixed.

Just a couple of things to keep in mind!

AW
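The two problems raised in this exchange, an EnCase image that is not actually raw (compressed E01 rather than DD) and an image with missing pages, are both things worth checking before handing a dump to Volatility. The following is an added example, not code from the thread, EnCase, FTK Imager or Volatility: it checks a buffer for the EWF (E01) segment-file signature, which a raw DD image must not carry, and then counts all-zero 4 KiB pages and the longest contiguous run of them as a rough indicator of unacquired regions. The 50% threshold, the page size and the sample image are assumptions chosen for illustration; a legitimate dump can contain large zero runs (free pages, device holes), so treat a flagged image as something to investigate, not as proof of a bad acquisition.

```python
"""Quick sanity checks on a memory image before analysis (added example)."""

PAGE_SIZE = 4096
# EnCase Expert Witness (E01) segment-file signature: "EVF\t\r\n\xff\x00".
EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"


def is_ewf(image: bytes) -> bool:
    """True if the buffer starts with the EWF/E01 signature (i.e. it is not raw DD)."""
    return image[:len(EWF_MAGIC)] == EWF_MAGIC


def zero_page_stats(image: bytes, page_size: int = PAGE_SIZE):
    """Return (total_pages, zero_pages, longest_zero_run) for a raw image.

    A page is 'zero' if every byte in it is 0x00. The last page may be short.
    """
    total = (len(image) + page_size - 1) // page_size
    zero_pages = 0
    longest_run = 0
    run = 0
    for i in range(total):
        chunk = image[i * page_size:(i + 1) * page_size]
        if not any(chunk):           # all bytes are zero
            zero_pages += 1
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0
    return total, zero_pages, longest_run


def sanity_check(image: bytes, page_size: int = PAGE_SIZE,
                 max_zero_fraction: float = 0.5) -> dict:
    """Summarise findings for an image buffer.

    max_zero_fraction (assumed 0.5) is the share of zero pages above which
    the image is flagged as possibly incomplete.
    """
    findings = {"raw": not is_ewf(image)}
    if not findings["raw"]:
        # Compressed/containerised E01: Volatility needs it converted to raw first.
        findings["zero_fraction"] = None
        findings["suspicious"] = True
        return findings
    total, zero, longest = zero_page_stats(image, page_size)
    fraction = zero / total if total else 0.0
    findings.update({
        "total_pages": total,
        "zero_pages": zero,
        "longest_zero_run": longest,
        "zero_fraction": fraction,
        "suspicious": fraction > max_zero_fraction,
    })
    return findings


# Constructed sample input (not a real dump): 16 pages, of which pages 4..11
# are entirely zero, simulating a region the acquisition tool never captured.
def build_sample_image(page_size: int = PAGE_SIZE) -> bytes:
    pages = []
    for i in range(16):
        if 4 <= i <= 11:
            pages.append(bytes(page_size))
        else:
            pages.append(bytes([(i + 1) & 0xFF]) * page_size)
    return b"".join(pages)


if __name__ == "__main__":
    raw = build_sample_image()
    print("raw sample :", sanity_check(raw))
    print("e01 sample :", sanity_check(EWF_MAGIC + b"\x00" * 64))
```

On a real image, read the file in page-sized chunks instead of loading it into memory; the logic is the same. A long zero run that lines up with a physical memory range reported by the OS (for example a region Volatility's address-space layer expects to be populated) is the case the thread describes as "critical pages missing".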