Enemy in action sounds exciting but just yesterday in the training class someone used another tool and got all zeros, but FTK worked fine. Unless you have some other reason to believe there's dump-preventing malware on the system it's probably just the tool breaking. 

Sent from my iPhone

On Dec 5, 2012, at 7:36 AM, David Kovar <dkovar@gmail.com> wrote:

Wyatt,

The client is using FTK Imager so I'll need to check with them on the version. It dumped the first 10% or so correctly and then the rest was nulls. There is almost certainly malware on the system in question, so the cause of the error could be enemy action as it were. 

Thank you for your feedback.

-David

On Dec 4, 2012, at 7:33 PM, wyatt roersma <wyattroersma@gmail.com> wrote:

David Kovar,

I have used FTK dozens of times with images as large as 80 GB of RAM. I haven't had any strange storage issues though. I have also used mdd.exe and .vmem files in analysis and had similar results with fewer issues with larger images.

What version of FTK imager did you use?

Regards,
Wyatt Roersma

On Dec 4, 2012 8:02 PM, <vol-users-request@volatilityfoundation.org> wrote:
Message: 1
Date: Tue, 4 Dec 2012 16:53:00 -0600
From: David Kovar <dkovar@gmail.com>
Subject: [Vol-users] FTK Imager as RAM dumping tool?
To: "vol-users@volatilityfoundation.org" <vol-users@volatilityfoundation.org>
Message-ID: <0186FBD7-BB31-4380-9B4D-4F0342BE19B1@gmail.com>
Content-Type: text/plain; charset=us-ascii

Good afternoon,

I was just looking at a memory dump that, when compressed, went from 4GB to about 20MB. Something is odd here, I say. Most of the file is nulls.

The dump was collected with FTK Imager. Does anyone have any opinions on its reliability as a memory acquisition tool?

Thanks.

-David
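A quick way to check a raw image for the symptom David describes (mostly nulls, extreme compressibility, an all-zero tail after the first part of the dump), as an added example that is not from the thread or from FTK Imager; the 4 KiB page granularity, the 50% tail threshold and the constructed sample image are assumptions:

```python
"""Check a raw memory image for the symptom in the thread: mostly null pages
and an all-zero tail after the first part of the dump. Added example, not from
the thread; the 4 KiB page size, 50% tail threshold and sample data are assumptions."""
import zlib

PAGE = 4096  # assumed page granularity for the scan

def scan_null_pages(data: bytes, page_size: int = PAGE) -> dict:
    """Count all-zero pages and locate the trailing all-zero region.
    zero_tail_offset == len(data) when the image does not end in zero pages."""
    zero_page = bytes(page_size)
    total = (len(data) + page_size - 1) // page_size
    zero = run = longest = 0
    tail = len(data)
    for i in range(total):
        chunk = data[i * page_size:(i + 1) * page_size]
        if chunk == zero_page[:len(chunk)]:
            zero += 1
            run += 1
            longest = max(longest, run)
            if run == 1:            # first page of a new zero run
                tail = i * page_size
        else:
            run = 0
            tail = len(data)        # real data seen, so no zero tail (yet)
    return {"total_pages": total, "zero_pages": zero,
            "zero_fraction": zero / total if total else 0.0,
            "longest_zero_run_pages": longest, "zero_tail_offset": tail}

def compression_ratio(data: bytes) -> float:
    """Compressed/raw size: the quick indicator David used (4 GB -> ~20 MB)."""
    return len(zlib.compress(data, 6)) / len(data) if data else 0.0

def looks_truncated(stats: dict, data_len: int, max_tail_fraction: float = 0.5) -> bool:
    """Some zero pages are normal (free memory); a zero tail covering more than
    max_tail_fraction of the image means acquisition stopped writing real data."""
    if not data_len:
        return False
    return (data_len - stats["zero_tail_offset"]) / data_len > max_tail_fraction

# Constructed sample: 64 pages of recognisable content, then 576 pages of nulls,
# mimicking the "first 10% fine, rest nulls" pattern reported in the thread.
GOOD, TOTAL = 64, 640
SAMPLE_IMAGE = (b"".join(bytes([i % 251 + 1]) * PAGE for i in range(GOOD))
                + bytes((TOTAL - GOOD) * PAGE))
```

For a real image, read the file into memory (or adapt the loop to stream it page by page) and pass it to `scan_null_pages`; a large `zero_tail_offset` gap combined with a tiny compression ratio points at the acquisition rather than at the system.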




_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users


End of Vol-users Digest, Vol 54, Issue 1
****************************************