Hey everyone, I'm new to the site and this is my very first question.
I'm currently using Helix to acquire an image of the physical memory. I'm not very familiar with the software, or forensics for that matter, but am getting better. I used the .dd command to image the physical memory and put it in a folder on my flash drive. It now shows that I have 3 files in the folder: an audit log, an MD5, and the .dd file.
My question is now that I have these files how do I analyze them to see what they contain?
Which version of Windows did you extract the contents of physical memory from?
I'm currently just looking at XP, because I know the .dd command doesn't work with Vista.
At least that's what I have been reading.
You're correct about the legacy version of dd.exe (from George M. Garner, Jr. and no longer available) not being able to dump memory from Windows 2003 SP1 systems and above, including Vista.
The best freely available tool for parsing Windows XP memory dumps is Volatility. It's free, but does require Python (also free, you can get it from ActiveState.com), and is command line…but it is extremely powerful.
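Before feeding the .dd to Volatility it is worth doing two quick checks on the three files Helix left behind. The script below is an added example, not code from the thread, from Helix, or from Volatility: it confirms the image still matches the MD5 sidecar, then does a pool-tag scan for XP process objects (the same idea Volatility's psscan uses) to confirm the dump really contains kernel structures. The sidecar format, the 32-bit XP structure offsets and the sample image are all assumptions made here for illustration; Volatility's own profiles are authoritative.

```python
"""Added example (not from the thread, Helix or Volatility): first sanity checks
on a raw Windows XP physical-memory image before handing it to Volatility.

  1. verify_md5       - does the .dd still match the MD5 sidecar (no truncation,
                        no silent corruption on the flash drive)?
  2. scan_xp_processes - pool-tag scan for _EPROCESS allocations, the idea behind
                        Volatility's psscan; finding System/explorer.exe proves
                        the dump holds real XP kernel memory.

Offsets below are ASSUMED 32-bit XP SP2/SP3 values; check them against a
Volatility profile before relying on them.
"""
import hashlib
import re
import struct

PROC_POOL_TAG = b"Pro\xe3"        # XP process pool tag: "Proc" with the high bit set on 'c'
POOL_HEADER_SIZE = 0x08           # _POOL_HEADER; the tag sits at offset 4
OBJECT_HEADER_SIZE = 0x18         # _OBJECT_HEADER on XP (assumes no optional headers)
EPROCESS_PID_OFF = 0x84           # _EPROCESS.UniqueProcessId (assumed XP offset)
EPROCESS_NAME_OFF = 0x174         # _EPROCESS.ImageFileName, 16 bytes (assumed XP offset)
EPROCESS_MIN_SIZE = 0x184


def verify_md5(image: bytes, sidecar_text: str) -> bool:
    """True if the image's MD5 equals the first 32-hex-digit token in the sidecar."""
    match = re.search(r"\b([0-9a-fA-F]{32})\b", sidecar_text)
    if not match:
        return False
    return hashlib.md5(image).hexdigest() == match.group(1).lower()


def md5_sidecar_for(image: bytes, name: str = "memory.dd") -> str:
    """md5sum-style sidecar line; the '<hex>  <filename>' layout is an assumption."""
    return f"{hashlib.md5(image).hexdigest()}  {name}\n"


def scan_xp_processes(image: bytes):
    """Return [(pool_offset, pid, image_name)] for every plausible process block."""
    found = []
    pos = 0
    while True:
        pos = image.find(PROC_POOL_TAG, pos)
        if pos < 0:
            break
        pool_start = pos - 4                               # tag lives at _POOL_HEADER + 4
        eproc = pool_start + POOL_HEADER_SIZE + OBJECT_HEADER_SIZE
        pos += 1                                           # keep scanning past this hit
        if pool_start < 0 or eproc + EPROCESS_MIN_SIZE > len(image):
            continue
        pid = struct.unpack_from("<I", image, eproc + EPROCESS_PID_OFF)[0]
        raw = image[eproc + EPROCESS_NAME_OFF: eproc + EPROCESS_NAME_OFF + 16]
        name = raw.split(b"\x00", 1)[0]
        # Cheap plausibility filters, in the spirit of psscan's sanity checks:
        # printable image name and a PID that is a multiple of 4 (Windows handle-table step).
        if not name or not all(0x20 <= b < 0x7F for b in name):
            continue
        if pid % 4 != 0:
            continue
        found.append((pool_start, pid, name.decode("ascii")))
    return found


def _fake_process_block(pid: int, name: bytes) -> bytes:
    """Constructed allocation: _POOL_HEADER + _OBJECT_HEADER + zero-filled _EPROCESS."""
    eproc = bytearray(EPROCESS_MIN_SIZE)
    struct.pack_into("<I", eproc, EPROCESS_PID_OFF, pid)
    eproc[EPROCESS_NAME_OFF: EPROCESS_NAME_OFF + 16] = name.ljust(16, b"\x00")
    pool_header = b"\x00\x00\x32\x00" + PROC_POOL_TAG    # size fields are placeholders
    return pool_header + bytes(OBJECT_HEADER_SIZE) + bytes(eproc)


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image: filler, a decoy tag, two real-looking processes."""
    filler = b"\xcc" * 0x100
    decoy = b"\x00" * 4 + PROC_POOL_TAG + b"\xff" * 0x200   # tag with garbage behind it
    return (filler + decoy + filler
            + _fake_process_block(4, b"System") + filler
            + _fake_process_block(1256, b"explorer.exe") + filler)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    sidecar = md5_sidecar_for(SAMPLE_IMAGE)
    print("MD5 sidecar matches:", verify_md5(SAMPLE_IMAGE, sidecar))
    for offset, pid, name in scan_xp_processes(SAMPLE_IMAGE):
        print(f"0x{offset:08x}  pid={pid:<6} {name}")
```

On a real image, read the .dd with `open(path, "rb").read()` (or hash it in chunks if it will not fit in memory) and pass the contents of the MD5 file to `verify_md5` before anything else; a mismatch means the copy on the flash drive is not the evidence you acquired. The scanner is deliberately naive: it ignores optional object headers and will miss or misread allocations whose layout differs, which is exactly why Volatility's profiles exist.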
You're correct about the legacy version of dd.exe (from George M. Garner, Jr. and no longer available)
Why no longer available?
Is it not this one?
http//
jaclaz
Thanks keydet89 I will give it a shot.
jaclaz,
Why? Probably because Mr. Garner has developed the KntTools as a commercial product.
As to the page you linked to, item 11 under Specific Remarks states:
"The versions of DD distributed with this release does not support the \\.\PhysicalMemory pseudo-device as input."