dd Windows Forensic Acquisition

(@sweet_sugar)
New Member
Joined: 14 years ago
Posts: 2
Topic starter  

I am trying to acquire an image using Garner's dd.exe tool. I am using Windows XP SP3 and Windows 7 laptops.

The command I am using, running as an administrator:
dd if=\\.\C:\pagefile.sys of=c:\myimage.img

However, I get an "incorrect function" error and/or "C:\pagefile.sys is being used by another process".

(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Is this on a live machine?

(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

Two things.

Instead of \\.\C:\pagefile.sys, just use C:\pagefile.sys. I think the \\.\ convention is for when you are referencing a hard drive, not a file. I could be wrong though.

And yes, your problem is that Windows is using pagefile.sys, and dd isn't complex enough to bypass that lockout. FTK Imager can. Maybe if you ran DD with System privileges, such as with psexec, but I am just guessing.

(@sweet_sugar)
New Member
Joined: 14 years ago
Posts: 2
Topic starter  

It is on a live system.

(@rossetoecioccolato)
Eminent Member
Joined: 18 years ago
Posts: 34
 

Sorry, but I was busy and didn't see your post until now. The pagefile is opened for exclusive access, so you won't be able to copy the file directly using DD unless you copy the whole volume on which the file resides. Some commercial tools are able to copy the pagefile by parsing the MFT to get the file extents. They then read those raw sectors from the volume. The contents of the pagefile are changing at a rapid rate. The physical extents also might change between the time that you determine the extents and the time when you read their contents. So a copy obtained in this way will only be more or less up-to-date.

One way to copy the pagefile using my DD utility is to copy it from the corresponding volume shadow copy. Rob Lee had a post a while back on the SANS forensic blog which showed how to use vssadmin and my DD utility to copy an entire shadow volume:

vssadmin list shadows /for=c:

and then use the shadow volume device with DD to copy the pagefile:

dd.exe -v if=\\.\HardDiskVolumeShadowCopy1\pagefile.sys of=wherever --log --cryptsum sha_256

Note that you do not have to mount the shadow volume to copy an individual file from a shadow volume using my DD utility. You will need to mount the shadow volume if you want to use wild cards. DD if=\\.\HardDiskVolumeShadowCopy1\*.sys currently does not work. I don't know if there is a way to force sync an individual file in a shadow volume before doing the copy. If someone knows, please let me know.

In addition to posting here, please email me when you have questions about GMG Systems, Inc.'s Forensic Acquisition Utilities (GMG), since I don't read this forum every day (gasp!). Send email to support (at) gmgsystemsinc (dot) com.

(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

If I may, on modern systems it is actually quite rare, AFAIK, that the pagefile.sys is actually "in use" in the sense that something is actually writing anything to it.
On the XP system I am currently using, the file was last accessed 15 days ago.
If this is the case, you can also try the "direct sector" approach (without needing a commercial tool):
http://www.codeproject.com/KB/files/FDump.aspx

jaclaz

(@rossetoecioccolato)
Eminent Member
Joined: 18 years ago
Posts: 34
 

The file access times aren't being updated. However, data is being read and written at a rapid rate (assuming that demand paging has been enabled).

(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> The file access times aren't being updated. However, data is being read and written at a rapid rate (assuming that demand paging has been enabled).

I think we are both right and wrong at the same time.

Quick experiment I did:

  1. "standard" XP SP2 PC with 2 Gb RAM
  2. set pagefile to 512 Mb (fixed size)
  3. set Sysinternals Filemon to "look after" pagefile.sys
  4. re-booted
  5. started playing around

Some results:
Fdump DOES NOT WORK (and its usage causes *something* to be written to C:\pagefile.sys)
Using the built-in search of XP seems to cause a sequence of 4 "write-bursts", each 65536 bytes in size, to C:\pagefile.sys
More generally, using Explorer seems to make use of C:\pagefile.sys

Another app, getfileextents
http://www.wd-3.com/archive/luserland.htm
DOES NOT work either

Then I fired up dmde
http://softdm.com/
accessed with it "PhysicalDrive0" and then the volume in it (i.e. the C:\ drive)
had no problem whatsoever in backing up C:\pagefile.sys to another volume, D:\DMDEtest\pagefile.sys

Filemon showed NO activity on C:\pagefile.sys during the whole run of DMDE.

I then opened Opera, checked a few pages, came here and wrote this post.
Still no activity on C:\pagefile.sys
Fired up 7-zip and accessed the C:\ drive; a couple of lines about a Sharing Violation on C:\pagefile.sys appeared (but still no writes to it)
Tried again to use the Search tool and immediately a number of "write bursts" to C:\pagefile.sys appeared (in total 16 of them)
Once the search tool finished, I ran it again (looking for the same filename); this time only 2 "write-bursts" were issued.
Once the search tool finished, I ran it again (looking for another filename); this time 4 "write-bursts" were issued.

From this very preliminary result, I would say that most if not all the writes to pagefile.sys are connected to the use of Explorer and of the search tool, and that it is possible to dump the pagefile.sys "live" as long as you don't use the search function.

And yes, you are right, no date/time access changed throughout the experiment.

jaclaz

(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

> From this very preliminary result, I would say that most if not all the writes to pagefile.sys are connected to the use of Explorer and of the search tool, and that it is possible to dump the pagefile.sys "live" as long as you don't use the search function.
>
> And yes, you are right, no date/time access changed throughout the experiment.
>
> jaclaz

What does your memory usage say? Wouldn't it be true that the system wouldn't write to pagefile.sys unless memory was all, or mostly, full? If you have 16GB of RAM and only have Windows and Internet Explorer running, it would be a waste of resources to move memory pages out of memory to the hard disk (and maybe move them back when needed). This would explain the lack of writes and the lack of updated timestamps if true, but unlikely, since 2 GB is just so small.

No, you cannot dump the file. It is locked by Windows. You need to copy out the sectors directly, as some have said, or just use FTK Imager (or any number of other tools that bypass the Windows lock). DD, as the original poster was meaning to do, can't do it as far as I can tell because it runs into this same lockout.

But I could be talking rubbish.

(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

@twjolson
If you read my posts and the ones by Rossettoecioccolato attentively, you will see that it is EXACTLY the issue at hand.
Whether or not RAM is full, some MS apps do write to the pagefile.sys.
During my quick test, RAM used was below 400 Mb (out of 2 Gb).
And of course the dmde "recovery" of the file is made by copying the RAW sectors.
The other programs could not provide the info about the actual sectors where pagefile.sys resided, whilst dmde could.
Once you have this info, you can use any dd-like program, including the nice GMG version, to copy the raw sectors.

jaclaz
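The extent-based copy that rossetoecioccolato and jaclaz describe above (take the file's cluster runs from its MFT record, then read those clusters straight off the raw volume, as dmde did), as an added example that is not code from this thread or from GMG's dd: it decodes an NTFS $DATA run list into extents and copies them out of a raw volume stream. The run-list bytes and the tiny 4-byte-cluster "volume" are constructed for the demo; on a real system the run list comes from the non-resident $DATA attribute of pagefile.sys's MFT record, and the thread's caveat applies, since a live pagefile's extents and contents can change between lookup and read.

```python
"""Added example (not the thread's or GMG's code): NTFS run-list decode + raw extent copy."""
import io


def decode_runlist(runlist: bytes):
    """Decode an NTFS data-run list into [(start_cluster, cluster_count), ...].
    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the (signed) offset field, which is relative to the
    previous run's start cluster. Offset size 0 marks a sparse run; 0x00 ends the list."""
    extents, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0:
        hdr = runlist[pos]
        len_size, off_size = hdr & 0x0F, hdr >> 4
        pos += 1
        count = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            extents.append((None, count))  # sparse: no clusters on disk
            continue
        delta = int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        extents.append((lcn, count))
    return extents


def copy_extents(volume, extents, cluster_size, file_size, out):
    """Read each extent's clusters from the raw volume stream (any seekable file
    object, e.g. an opened \\\\.\\C: handle or a dd image) into `out`, stopping at
    the file's logical size. Sparse runs are emitted as zeros. Returns bytes copied."""
    remaining = file_size
    for lcn, count in extents:
        if remaining <= 0:
            break
        nbytes = min(count * cluster_size, remaining)
        if lcn is None:
            chunk = b"\x00" * nbytes
        else:
            volume.seek(lcn * cluster_size)
            chunk = volume.read(nbytes)
        out.write(chunk)
        remaining -= len(chunk)
    return file_size - remaining


# Constructed demo data: 8 clusters of 4 bytes, cluster i filled with letter 'A'+i.
CLUSTER = 4
VOLUME = b"".join(bytes([65 + i]) * CLUSTER for i in range(8))
# Constructed run list: run 1 = 2 clusters at LCN 3, run 2 = 1 cluster at LCN 3-2=1.
RUNLIST = bytes([0x11, 0x02, 0x03, 0x11, 0x01, 0xFE, 0x00])


def demo(file_size=10):
    """Copy a 10-byte 'file' whose runs are RUNLIST out of VOLUME."""
    out = io.BytesIO()
    n = copy_extents(io.BytesIO(VOLUME), decode_runlist(RUNLIST), CLUSTER, file_size, out)
    return n, out.getvalue()
```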
