To analyze memory dumps, look into the Volatility Framework. I find it quite interesting and I think its development is going well.
regards,
farmerdude
The PhysicalMemory device was disabled in Win XP SP2, so a dd isn't going to work. You now need to insert a small kernel driver to dump memory. The one I use isn't freely distributed, but I can inquire about releasing it on a limited basis.
Best,
–Golden
I'd love to have access to the driver you're using, and I am sure others would as well.
-David
I am also receiving an error message in John Newbigin's dd for Windows version 0.5 on both XP Service Pack 2 and Vista.
C:\Windows\System32>dd if=\\.\PhysicalMemory of=C:\Users\Butler\dump.txt
rawwrite dd for windows version 0.5.
Written by John Newbigin <jn@it.swin.edu.au>
This program is covered by the GPL. See copying.txt for details
Error opening input file: 2 The system cannot find the file specified
Another question: would it hurt if I have Mr. Newbigin's dd, Garner's dd and dcfldd all installed? Should I use different directories, or put them all in system32?
To my knowledge, Newbigin's dd.exe has *never* had the capability to access the PhysicalMemory object.
> Would it hurt if I have Mr newbigin's DD, Garner's DD and dcfldd all installed?
I don't see why it would, with the exception of the fact that you can't put two files named "dd.exe" in the same directory…
H
Golden,
The PhysicalMemory device was disabled in Win XP SP2, so a dd isn't going to work.
Do you have a reference for this? I ask, only because I can use an older version of dd.exe (prior to when George M. Garner Jr removed access to the PhysicalMemory object from his version of dd.exe), ProDiscover IR, Nigilant32 and memimager.exe to dump the contents of RAM from a WinXP SP2 system, and have done so repeatedly.
According to the below link, "In Windows Server 2003 SP1, user-mode access to the \Device\PhysicalMemory object is not permitted."
http://technet2.microsoft.com/windowsserver/en/library/e0f862a3-cf16-4a48-bea5-f2004d12ce351033.mspx?mfr=true
You now need to insert a small kernel driver to dump memory. The one I use isn't free distribution, but I can inquire about releasing it on a limited basis.
Are you referring to George M. Garner Jr's newer tool?
Thanks,
Harlan
Sorry, you're absolutely right. I had Vista on the brain. Direct access to the PhysicalMemory device is disabled for user-land applications in Vista and 2003 SP1 (and, I believe, in 64-bit XP, but don't quote me).
Regarding the tool, I wasn't referring to Garner's stuff. I have a friend who works for a security company that developed a small application that simply inserts a loadable kernel driver that accesses the physical memory device and then dumps RAM to a file. Does Garner have a tool for this?
–G
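The two claims traded above (a generic dd gets "error 2" on every version, while user-mode opens of \Device\PhysicalMemory stop working at 2003 SP1 and Vista) can be checked directly instead of argued from memory. The following probe is an added example, not code from any poster or from the dd variants named in the thread: it tries the plain-file route a generic dd uses, then the native-object route Garner's older dd took, and classifies the outcome. The status value 0xC0000022 (STATUS_ACCESS_DENIED) as the result a 2003 SP1+ kernel returns for a user-mode open, and the function names explain_createfile/regime_from_status/probe, are this example's assumptions. Build on Windows with cl probe.c ntdll.lib or gcc probe.c -lntdll; off Windows only the classification helpers compile.

```c
/* Added example (not from any poster or from the dd tools named in the
 * thread): probe, from user mode, the two ways those tools try to open
 * physical memory, and classify the result.
 * Build on Windows:  cl probe.c ntdll.lib   or   gcc probe.c -lntdll
 * Off Windows only the portable classification helpers compile. */
#include <stdio.h>
#include <string.h>

/* Outcomes the thread reports, as named constants. */
#define PM_USER_MODE_READABLE 1   /* NtOpenSection succeeded: XP SP2 and earlier */
#define PM_USER_MODE_DENIED   2   /* STATUS_ACCESS_DENIED: 2003 SP1, Vista; need a kernel driver */
#define PM_OTHER_FAILURE      3   /* some other NTSTATUS; investigate before trusting a dump */

/* What a Win32 error from CreateFile("\\\\.\\PhysicalMemory") means.
 * Error 2 is exactly what Newbigin's dd prints: the object is a *section* in
 * the NT object namespace, not a file, so a Win32 open never finds it on any
 * Windows version. */
const char *explain_createfile(unsigned long err)
{
    if (err == 0) return "opened as a file (unexpected on stock Windows)";
    if (err == 2) return "ERROR_FILE_NOT_FOUND: \\Device\\PhysicalMemory is a section, open it with NtOpenSection";
    return "other Win32 error";
}

/* Map the NTSTATUS from NtOpenSection on \Device\PhysicalMemory to a regime.
 * 0xC0000022 is STATUS_ACCESS_DENIED (assumed here to be what a 2003 SP1+
 * kernel returns for a user-mode open). */
int regime_from_status(unsigned int ntstatus)
{
    if (ntstatus == 0)           return PM_USER_MODE_READABLE;
    if (ntstatus == 0xC0000022u) return PM_USER_MODE_DENIED;
    return PM_OTHER_FAILURE;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

typedef NTSTATUS (NTAPI *NtOpenSection_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef NTSTATUS (NTAPI *NtMapViewOfSection_t)(HANDLE, HANDLE, PVOID *, ULONG_PTR,
                                              SIZE_T, PLARGE_INTEGER, PSIZE_T,
                                              DWORD, ULONG, ULONG);

int probe(void)
{
    /* 1. Plain-file route (what a generic dd does): expect error 2 everywhere. */
    HANDLE h = CreateFileA("\\\\.\\PhysicalMemory", GENERIC_READ, FILE_SHARE_READ,
                           NULL, OPEN_EXISTING, 0, NULL);
    unsigned long err = (h == INVALID_HANDLE_VALUE) ? GetLastError() : 0;
    if (h != INVALID_HANDLE_VALUE) CloseHandle(h);
    printf("CreateFile: %s\n", explain_createfile(err));

    /* 2. Section route (what Garner's older dd did): NtOpenSection on the NT name. */
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtOpenSection_t open_sec = (NtOpenSection_t)GetProcAddress(ntdll, "NtOpenSection");
    NtMapViewOfSection_t map_view = (NtMapViewOfSection_t)GetProcAddress(ntdll, "NtMapViewOfSection");
    if (!open_sec || !map_view) { puts("ntdll exports missing"); return 1; }

    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    HANDLE sec = NULL;
    RtlInitUnicodeString(&name, L"\\Device\\PhysicalMemory");
    InitializeObjectAttributes(&oa, &name, 0, NULL, NULL);
    NTSTATUS st = open_sec(&sec, SECTION_MAP_READ, &oa);

    int regime = regime_from_status((unsigned int)st);
    if (regime == PM_USER_MODE_DENIED) {
        puts("NtOpenSection: STATUS_ACCESS_DENIED, user-mode dump blocked; use a kernel driver");
        return 0;
    }
    if (regime == PM_OTHER_FAILURE) {
        printf("NtOpenSection failed: 0x%08lx\n", (unsigned long)st);
        return 1;
    }

    /* Readable: map the first physical page to prove it, as a dump loop would. */
    PVOID base = NULL;
    LARGE_INTEGER off; off.QuadPart = 0;
    SIZE_T view = 0x1000;
    st = map_view(sec, GetCurrentProcess(), &base, 0, 0x1000, &off, &view,
                  1 /* ViewShare */, 0, PAGE_READONLY);
    if (st == 0) {
        const unsigned char *p = (const unsigned char *)base;
        printf("physical page 0 starts %02x %02x %02x %02x: user-mode dump possible\n",
               p[0], p[1], p[2], p[3]);
        UnmapViewOfFile(base);
    } else {
        printf("NtMapViewOfSection failed: 0x%08lx\n", (unsigned long)st);
    }
    CloseHandle(sec);
    return 0;
}
#endif

int main(void)
{
#ifdef _WIN32
    return probe();
#else
    puts("probe() is Windows-only; the classification helpers are portable");
    return 0;
#endif
}
```

Run it as an administrator on each box you care about: on XP SP2 it should map page 0, on 2003 SP1 or Vista the section open itself should fail, and in both cases the CreateFile route reports error 2, which is why a dd that only knows CreateFile can never read \\.\PhysicalMemory regardless of service pack.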
> Does Garner have a tool for this? <
http://
Golden,
…I have a friend who works for a security company that developed a small application that simply inserts a loadable kernel driver that accesses the physical memory device and then dumps RAM to a file.
Can you say who your friend is, or which company he/she works for?
H
Evidently EnCase FIM/Enterprise v6.10 now has the capability of memory acquisition, so maybe you could use that. And then there is this product http://