Re: [Vol-users] Re: Vol-users Digest, Vol 54, Issue 1
5 Dec
2012
5 Dec
'12
8:11 a.m.
Enemy in action sounds exciting but just yesterday in the training class someone used
another tool and got all zeros, but FTK worked fine. Unless you have some other reason to
believe there's dump-preventing malware on the system it's probably just the tool
breaking.
Sent from my iPhone
On Dec 5, 2012, at 7:36 AM, David Kovar <dkovar(a)gmail.com> wrote:
Wyatt,
The client is using FTK Imager so I'll need to check with them on the version. It
dumped the first 10% or so correctly and then the rest was nulls. There is almost
certainly malware on the system in question, so the cause of the error could be enemy
action as it were.
Thank you for your feedback.
-David
On Dec 4, 2012, at 7:33 PM, wyatt roersma <wyattroersma(a)gmail.com> wrote:
David Kovar,
I have used FTK dozens of times with images as large as 80 GB of ram. I haven't had
any strange storage issues though. I have also used mdd.exe and .vsem files in analysis
and had similar results with less issues with larger images.
What version of FTK imager did you use?
Regards ,
Wyatt Roersma
On Dec 4, 2012 8:02 PM, <vol-users-request(a)volatilityfoundation.org> wrote:
Send Vol-users mailing list submissions to
vol-users(a)volatilityfoundation.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
or, via email, send a message with subject or body 'help' to
vol-users-request(a)volatilityfoundation.org
You can reach the person managing the list at
vol-users-owner(a)volatilityfoundation.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Vol-users digest..."
Today's Topics:
1. FTK Imager as RAM dumping tool? (David Kovar)
----------------------------------------------------------------------
Message: 1
Date: Tue, 4 Dec 2012 16:53:00 -0600
From: David Kovar <dkovar(a)gmail.com>
Subject: [Vol-users] FTK Imager as RAM dumping tool?
To: "vol-users(a)volatilityfoundation.org"
<vol-users(a)volatilityfoundation.org>
Message-ID: <0186FBD7-BB31-4380-9B4D-4F0342BE19B1(a)gmail.com>
Content-Type: text/plain; charset=us-ascii
Good afternoon,
I was just looking at a memory dump that, when compressed, went from 4GB to about 20MB.
Something is odd here, I say. Most of the file is nulls.
The dump was collected with FTK Imager. Does anyone have any opinions on its reliability
as a memory acquisition tool?
Thanks.
-David
------------------------------
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
End of Vol-users Digest, Vol 54, Issue 1
****************************************
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users Attachments:
- attachment.html (text/html — 5.8 KB)