Imaging physical memory in Windows xp using Helix

 twig
(@twig)
Active Member
Joined: 19 years ago
Posts: 9
Topic starter  

Hi

I am trying to use the Helix live CD to take an image of volatile memory on Windows XP. I have successfully done this using the GUI interface, however I want to do the same thing using the command line, since this would have less impact on the system, and I would later like to create a batch script to automate this process. However, running the same command as used in the GUI interface from D:\IR\xp\cmd.exe

dd.exe if=\\.\PhysicalMemory of="E:\images\image.dd" conv=noerror --md5sum --verifymd5 --md5out="E:\images\image.dd.md5" --log="E:\images\image.dd_audit.log"

I am getting a few errors, firstly --md5sum is not recognised, and secondly "\\.\PhysicalMemory" is not found.

Can anybody see where I am going wrong here?


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Twig,

You're using the wrong version of dd.exe…it appears that you're using the Cygwin version, and not the one from George M. Garner, Jr.

I use just the straight dd.exe rather than Helix (what version are you using?), so I can't tell you where it is on the CD…you'll have to look. Try locating dd.exe with a file named "md5sum*" in the same directory.

H


 twig
(@twig)
Active Member
Joined: 19 years ago
Posts: 9
Topic starter  

Thanks keydet89,

I am using the latest version of Helix, version 1.8; I am not too sure which version of dd is on this. I have been trying a few different ways to get it working and did locate dd.exe inside the 'D:\IR\unxutils' directory, where md5sum.exe is also located; however, I still get the same errors while running the commands from this directory, so this must be the Cygwin version also.

When you say you "use just the straight dd.exe rather than Helix" do you mean you downloaded the version supplied by George M. Garner, Jr. and run this from a cd or a usb or something?


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Twig,

Yes, that's exactly what I meant.

I don't have anything against Helix, and I believe it's a good tool. However, I prefer to build my own toolkits…I'm odd that way, I suppose.

H


 twig
(@twig)
Active Member
Joined: 19 years ago
Posts: 9
Topic starter  

I downloaded George Garner's Forensic Acquisition Utility from http://www.gmgsystemsinc.com/fau/ which contains his version of dd, but I am still getting the error that '\.\\PhysicalMemory' cannot be found.

Is '\.\\PhysicalMemory' the correct path that I should be using to reference the system memory?


 twig
(@twig)
Active Member
Joined: 19 years ago
Posts: 9
Topic starter  

I got it working, there was another dd.exe, thanks again!


(@echo6)
Trusted Member
Joined: 21 years ago
Posts: 87
 

I downloaded George Garner's Forensic Acquisition Utility from http://www.gmgsystemsinc.com/fau/ which contains his version of dd, but I am still getting the error that '\.\\PhysicalMemory' cannot be found.

Be aware that the latest version no longer includes access to \\.\PhysicalMemory.

At some point it is likely Microsoft will remove access to the \\.\PhysicalMemory device object with subsequent patch releases.


nickfx
(@nickfx)
Estimable Member
Joined: 20 years ago
Posts: 131
 

Hi Twig

Sorry I haven't posted a reply, I teach this stuff using Helix so could have helped earlier. The easiest way to run dd from the command line without the GUI is the following:

Put in the Helix disk with the SHIFT key held down to prevent the GUI running
Start-Run and type <cd drive letter>, i.e. d:\ir\xp\cmd.exe. This will open a command shell.
Next type - cmdenv and it will adjust the path to the tools on the CD. You can then run all the correct tools for the OS you are on, e.g. dd, netstat etc.

The IR directory contains a directory for each OS including Vista, but as you probably know you can't use dd to acquire memory in Vista. For that you need George Garner's KNT tools.

Also I noticed that you mentioned in your post \.\\PhysicalMemory. I'm sure it was a typo, but it's \\.\ etc., and remember caps on the P and M.

Remember that Helix is just a very useful toolkit, and Harlan's (keydet89) preference of building your own is a good one if you have the ability. I find a mixture of my own toolset and Helix the best. Of course Helix's greatest asset is the Linux side and the tools available there.

If you need help with the memory analysis e.g. carving out images, processes, internet activity drop me an email - nick at csitech.co.uk

Hope that helps.

Nick Furneaux


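A batch script that automates the steps Nick lists above, combined with the command line from the first post; this is an added illustration, not a script from the thread, from Helix, or from FAU. It assumes the Helix CD is D:, the collection drive is E:, cmdenv lives in D:\IR\xp, and that after cmdenv the first dd.exe on the PATH is George Garner's (not the Cygwin/UnxUtils one).

```batch
@echo off
REM Added example (not from the thread, Helix or FAU): run the command-line
REM acquisition without the Helix GUI, then record which dd.exe was used.
REM Assumptions: Helix CD is D:, collection drive is E:, cmdenv is in D:\IR\xp
REM and it puts Garner's dd.exe first on the PATH. Run from the CD or E:, never
REM from the suspect system's own disk.
setlocal
set CDDRIVE=D:
set DEST=E:\images
if "%~1"=="" (set CASE=%COMPUTERNAME%) else (set CASE=%~1)
set IMG=%DEST%\%CASE%_physmem.dd

REM Same as the manual steps: open the XP tool directory on the CD and run
REM cmdenv so the PATH points at the tools for this OS.
cd /d %CDDRIVE%\IR\xp
call cmdenv

if not exist "%DEST%" mkdir "%DEST%"
if exist "%IMG%" (
    echo %IMG% already exists - refusing to overwrite an existing image.
    exit /b 1
)

REM Note which dd.exe the PATH resolves to before imaging; picking up the
REM Cygwin copy is what produces the "--md5sum not recognised" error.
for %%i in (dd.exe) do echo dd.exe resolved to: %%~$PATH:i > "%IMG%.notes.txt"
echo Started %DATE% %TIME% on %COMPUTERNAME% as %USERNAME% >> "%IMG%.notes.txt"

REM The GUI's own command line (first post), options with two hyphens and the
REM device written exactly as \\.\PhysicalMemory (case matters).
dd.exe if=\\.\PhysicalMemory of="%IMG%" conv=noerror --md5sum --verifymd5 --md5out="%IMG%.md5" --log="%IMG%_audit.log"

if not exist "%IMG%" (
    echo No image was written. Check "%IMG%_audit.log" and the dd.exe path in the notes.
    exit /b 1
)

REM Independent hash with the UnxUtils md5sum.exe from the CD, kept beside
REM dd's own --md5out file so the two values can be compared later.
%CDDRIVE%\IR\unxutils\md5sum.exe "%IMG%" >> "%IMG%.notes.txt"
echo Finished %DATE% %TIME% >> "%IMG%.notes.txt"
echo Done: %IMG%
endlocal
```

Hold SHIFT while inserting the CD as Nick describes, then run the script from the CD or the collection drive so nothing is written to the suspect machine's disk.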