About a month ago I posted here about a Live Analysis program; today I have just completed it. This program has the ability to image multiple drives\volumes at the same time. It has the ability to image drives "live", or while they are running. I have tested this using BitLocker and it does work. If you image a BitLocked drive while it is in Windows and running, you can carve that image. BitLocker appears to unencrypt the data at startup and during use; this creates an opportunity to image the drive live. The utility currently works on Vista and XP with the .NET Framework (Windows updates). I am currently looking for ways to overcome the .NET Framework requirement to boost compatibility. Live Analysis uses DCFLDD for its imager; however, the rest of the program was created entirely by me. It keeps logs of all activities performed within the program, as well as captures files such as "Recent Files", "Cookies" and "Temporary Internet Files", and also searches for Thumbs.db on the system for later analysis. System information is also harvested, like drives in the system, motherboard, memory, user related information…etc.
Please no posts about how this program should be free… it does get old after a while considering how much work I put into these programs.
And yes, it's the Classic Interface Style.
You can download my demo.
This program is designed to run from a USB flash drive or USB external device (though you could probably use Firewire, though it is less common).
Please provide comments on how you like it
Thank you,
Ryan Manley
Xabersoft
Good evening,
Perhaps these posts should go into "Commercial Software", particularly since you're making a pretty clear point that they're not free?
Also, the fact that you have a personal life that makes it hard to support the development of the tools may not be relevant, and may not be something you should make an issue of.
Next, you're asking for feedback from professionals who are giving you valuable advice. They're helping you out, at no cost, and they also have personal lives that they're taking time away from to help you out. You're also marketing your product on a forum supported by someone else (Jamie) at no cost to you, getting more valuable support for free.
Finally, there are much more mature products and tools out there that have been released by individuals at no cost (Helix) or lower cost (Harlan's book, scripts, and RegRipper) to name two.
My advice to you is to relax a bit, tone down the attitude, and be a bit more appreciative of what you're getting.
-David
All valid points IMO, moved to Commercial.
@xaberx - no more ads in the classifieds section please, it's intended for second hand items only. More generally, you might want to give some more thought to the balance between requesting feedback and blatant self promotion. Enough said?
Ryan,
What are you using to dump physical memory? I assume it's dcfldd…what command line are you using?
@keydet89
The command I run to capture physical memory is
dcfldd if=/dev/mem of=C\Ram.imz status=on totalhashformat=#hash# conv=sync,noerror hashlog=C\memory_md5.txt
It only works on Windows XP and below for some reason; I believe Vista limits access to the RAM.
I do appreciate all the help I obtain from professionals here in the forum and I am more than willing to share the knowledge that I have about imaging and carving. I actually found the command above on this forum and I do appreciate the help.
@kovar my apologies. I'm glad that you have moved this forum; I was mistaken having it in General Discussion. However, like my Carver, I am seeking feedback on features I can add and things that may improve the program. The demo is intended to get feedback. Again, my apologies for posting in the wrong forum.
@jamie, I will see about removing my post, and will try to be more considerate in the future.
Thank you, My apologies above.
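The dcfldd command quoted above relies on two options that matter for a live image: conv=sync,noerror (keep going past an unreadable block and pad it with NULs so offsets in the image stay aligned with the source) and hashlog (record a total hash of what was actually written). The following Python stand-in is an added example, not code from Live Analysis or from dcfldd, that reproduces those two behaviours over a constructed in-memory source (FlakySource, a hypothetical stand-in for a device with one bad sector) so the effect on the image and on the logged hash can be checked offline:

```python
import hashlib
import io
from dataclasses import dataclass

BLOCK = 512  # dd-style block size; one unreadable block is padded to exactly this size


@dataclass
class ImageReport:
    md5: str            # total hash of the bytes written to the image (what hashlog records)
    blocks_total: int   # blocks attempted, good and bad
    blocks_failed: int  # blocks replaced by NUL padding (conv=noerror,sync)
    bytes_written: int


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def image_with_hash(src, dst, block_size: int = BLOCK, hashlog=None) -> ImageReport:
    """Copy src to dst block by block, emulating conv=sync,noerror and hashlog=."""
    h = hashlib.md5()
    total = failed = written = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            # noerror: do not abort; sync: substitute a full block of NULs
            chunk = b"\x00" * block_size
            failed += 1
        else:
            if not chunk:
                break  # end of source
            if len(chunk) < block_size:
                chunk = chunk.ljust(block_size, b"\x00")  # sync pads short reads too
        dst.write(chunk)
        h.update(chunk)
        written += len(chunk)
        total += 1
    digest = h.hexdigest()
    if hashlog is not None:
        hashlog.write(f"Total (md5): {digest}\n")
    return ImageReport(digest, total, failed, written)


class FlakySource:
    """Constructed stand-in for a device whose block number `bad_index` cannot be read."""

    def __init__(self, data: bytes, bad_index: int, block_size: int = BLOCK):
        self._buf = io.BytesIO(data)
        self._bad = bad_index
        self._bs = block_size

    def read(self, n: int) -> bytes:
        if self._buf.tell() // self._bs == self._bad:
            self._buf.seek(n, io.SEEK_CUR)  # skip past the bad sector, as dd does
            raise OSError("simulated unreadable sector")
        return self._buf.read(n)


def run_demo():
    # Constructed source: two full blocks plus a short tail; block 1 is unreadable.
    data = b"A" * BLOCK + b"B" * BLOCK + b"C" * 100
    src = FlakySource(data, bad_index=1)
    dst, log = io.BytesIO(), io.StringIO()
    report = image_with_hash(src, dst, hashlog=log)
    return report, dst.getvalue(), log.getvalue()


if __name__ == "__main__":
    report, image, log = run_demo()
    print(report)
    print(log, end="")
```

The point to notice is that the logged hash covers the padded image, not the source device, which is why a hashlog from a live capture with noerror cannot be expected to match a later hash of the same drive; the failed-block count is what tells you how much padding the image contains.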
@keydet89
The command I run to capture physical memory is
dcfldd if=/dev/mem of=C\Ram.imz status=on totalhashformat=#hash# conv=sync,noerror hashlog=C\memory_md5.txt
It only works on Windows XP and below for some reason; I believe Vista limits access to the RAM.
Yes, this is widely documented. In fact, it applies to all Windows OSs from Windows 2003 SP1 and up.
The reason I ask about the command line used is that in Dec 2007, an article in the Forensic Magazine from Kevin Mandia mentioned the use of dcfldd to dump physical memory from Windows XP…and the command line used in the article didn't work. In fact, there was quite a discussion in this forum about that very subject.
I do appreciate all the help I obtain from professionals here in the forum and I am more than willing to share the knowledge that I have about imaging and carving. I actually found the command above on this forum and I do appreciate the help.
Do you have any recommendations for your users on what to do with it once they have a dump of RAM?
I have found that you can string search the RAM for potential data.
I believe the RAM can be carved as well, i.e. if they have a picture of suspected evidence on the screen it should carve it out. I think it's more of a state of the system.
I think that the best approach, however, is to use it for string searching, for potential passwords to the system.
I will have to look into RAM capture more as far as potential uses.
The command I use I did find here on this site. I find it very useful; it works for me and I copied that straight off the code.