I've been having a few problems doing memory dumps with dd and dcfldd on an XP Pro workstation, and I was wondering if anyone might be able to give me a bit of insight as to what I might be doing wrong.
When I open a command prompt and type in any variation on the following (with both dd and dcfldd - as well as with conv=sync,noerror and other options)
dcfldd if=\\.\PhysicalMemory of=dump.dd
I get the following error message
dcfldd: \\.\PhysicalMemory: No such file or directory
Any suggestions?
Interestingly enough, I can pop in a Helix CD and have it do a memory snapshot without any problem.
No suggestions, but a question… why are you using dcfldd to dump the contents of PhysicalMemory?
Suggestion :-)
Try using
dcfldd if=\\\\.\\PhysicalMemory of=dump.dd
Apologies for not having been able to test this, but it seems similar to http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2037
Heh - I tested it, and it doesn't work :-P Well, it was only a suggestion 😉
Perhaps as a way to answer my own question, I found this
http//
This page states that "The latest version of DCFLDD is available for download at http://dcfldd.sourceforge.net/.", and that the \\.\PhysicalMemory syntax works. The authors state that this works.
I downloaded the latest available version (1.34), and ran it on my XP SP2 system; results follow:
D:\tools\dcfldd>dcfldd if=\\.\PhysicalMemory
dcfldd: \\.\PhysicalMemory: No such file or directory
This syntax is also stated here
http//
Oh, well…
Hmmm …
All good fun really …
I've been fiddling and …
I can get results out of
dcfldd.exe if=/dev/mem of=memdump.dd conv=sync,noerror
It generates a few odd messages in the process …
snip ...
dcfldd: /dev/mem: Invalid argument
26+7 records in
33+0 records out
dcfldd: /dev/mem: Invalid argument
26+8 records in
34+0 records out
dcfldd: /dev/mem: Invalid argument
26+9 records in
35+0 records out
16128 blocks (504Mb) written.
16357+11 records in
16368+0 records out
But, at the end of it all, it generates a 511.5 meg file for my supposed 512 meg of memory from this test machine …
21/12/2007 10:57 536,346,624 dump.dd
Looking at the file ( not actually _processing_ it - just visual ), it looks like it may well be the memory dump …
Thanks for all the input - the /dev/mem worked for me too, although, just as with Azrael's dump, the output file seems a little small.
/dev/mem had (briefly) crossed my mind, but I figured it would only work on Unix/Linux/Mac boxes.
As for why I was doing all this: I'm working on putting together some tools for a live response CD.
Any suggestions on alternative tools to dump memory with, or tools to carve/analyze the dumps?
I know FTK can carve out cached images as well as index the dumps for text searches, but I was wondering if anyone else had any favourite tools to recommend.
Hmmm …
All good fun really …
I've been fiddling and …[snip]
But, at the end of it all, generates a 511.5 meg file for my supposed 512 meg of memory from this test machine …
What was the test machine? Linux? XP? If XP…one has to wonder what is being accessed as "/dev/mem".
Azrael, can you provide any insight?
H
…I was wondering if anyone else had any favourite tools to recommend.
Windows Forensic Analysis
Sure. Sorry - WinXP SP2 :-) I have to agree that it isn't clear exactly what it _is_ accessing … The size is interesting, but close enough to suggest that something to do with memory has happened, and the contents, of my dump at least, "look" promising …