Hi Michael,
Yes, I ran winpmem on the subject machine and allowed it to save an image
file to that machine successfully. In my nbdserver test, I ran winpmem -l
and verified the service was running. I went to the nbd Linux client and
began the process of imaging pmem from the subject computer via the
network. Running nbd-client on the Linux workstation, I assigned the pmem
output coming over the network to /dev/nbd0. I used the following command
line then to image:
dd if=/dev/nbd0 of=./ramoutput.dd
This has been successful on 32 bit XP machines, but it dies on the 64 bit
machine. If this description doesn't make sense, I'll try to do a better
description later this evening.
Ken
On Mon, Apr 15, 2013 at 12:16 PM, Michael Cohen <scudette(a)gmail.com> wrote:
Hi Ken,
I have not had a chance to play with nbdserver. Are you saying that
winpmem acquisition to the local disk completed ok?
Did you manage to image with winpmem over a socket and netcat? Or are you
trying to image to a network share?
Thanks,
Michael.
On 15 April 2013 18:25, Ken Pryor <kdpryor(a)gmail.com> wrote:
I recently used the latest version of winpmem in conjunction with Jeff
Bryner's nbdserver to acquire RAM for a couple of different systems in
support of a blog post I was writing. Acquisition of 1 GB memory from an
XP 32 bit VM via the network worked perfectly.
However, acquiring memory from a 64 bit Win 7 physical system with 12 GB
RAM failed. It would start okay, but would freeze up and reboot the Win 7
system at 3.5 GB every time when being acquired using nbdserver via the
network. Using winpmem directly on the machine works successfully, but
fails on the network.
Any suggestions as to the problem? I can provide any data or follow up
testing if needed.
Ken