Does anyone have a copy of Garner's DD that supports \\.\PhysicalMemory that they could send my way? Am also curious as to why he removed it from the most recent version, if anyone knows.
If you need my e-mail to send the file to, toss me a PM.
Thanks
Am also curious as to why he removed it from the most recent version, if anyone knows.
Well, most folks would probably email Mr. Garner directly, rather than post to a list/group that he doesn't frequent. However, I would think that since he'd produced a for-pay tool called kntdd/knttools, why support the free one any longer?
Thanks, I didn't realize that was the reason he no longer supported that functionality. Just wanted to try it out after reading it in your book.
If you're looking for free tools for memory collection, check out my blog…there are several out there now that have replaced Garner's dd, such as win32dd and mdd. In addition, these tools allow you to collect the contents of PhysicalMemory from Vista systems, as well.
I remember seeing this posted before. Try using
dd if=/dev/mem of=ram.000
If this does not work, try using DCFLDD to image the RAM
dcfldd if=/dev/mem of=ram.imz status=on totalhashformat=#hash# conv=sync,noerror hashlog=hash.txt
Hope this helps
Ryan Manley
Xabersoft