
Ram dump for Vista

26 Posts
7 Users
0 Reactions
3,605 Views
(@mikeypopo)
Eminent Member
Joined: 18 years ago
Posts: 31
Topic starter  

Attempting a RAM dump for Vista. I normally use Helix but since Vista doesn't support Cygwin1.dll I can't get my standard Helix boot CD to work. Also am attempting to run Cygwin1 off a USB thumb since that's where the RAM dd is going anyway. Thought about re-writing the CD to include Cygwin1 but am looking for another (easier) method for a RAM dump in Vista first. Thanks for any advice.


   
(@r00ster)
Active Member
Joined: 20 years ago
Posts: 12
 

> Attempting a RAM dump for Vista. I normally use Helix but since Vista doesn't support Cygwin1.dll I can't get my standard Helix boot CD to work. Also am attempting to run Cygwin1 off a USB thumb since that's where the RAM dd is going anyway. Thought about re-writing the CD to include Cygwin1 but am looking for another (easier) method for a RAM dump in Vista first. Thanks for any advice.

That won't work. The RAM dump in Helix does not use Cygwin at all unless you are using Helix on something older than Win 2000. Otherwise it uses George Garner's dd version. That version does not work on Vista because MS changed the way you access memory on Vista. Memory on Vista is now in kernel space NOT user. So conventional tools will not work, however you can buy Kntdd from George Garner or wait for Helix 2.0.

Drew


   
(@mikeypopo)
Eminent Member
Joined: 18 years ago
Posts: 31
Topic starter  

Thanks Drew. Anxiously awaiting 2.0. Not too sure about Kntdd even though it appears to be a fantastic tool. L.E. grant money for forensics is drying up. Might as well wait for 2.0. . . . . of course if George might let me beta-test a copy…? When is 2.0 getting released?


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

All,

MS removed user-mode access to the PhysicalMemory in Windows 2003 SP1
http://technet2.microsoft.com/WindowsServer/en/library/e0f862a3-cf16-4a48-bea5-f2004d12ce351033.mspx?mfr=true

"In Windows Server 2003 SP1, user-mode access to the \Device\PhysicalMemory object is not permitted."


   
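The TechNet note quoted above is the whole reason a user-mode dd stops working: those tools open the \Device\PhysicalMemory section object and map it, and from Windows Server 2003 SP1 on (and so on Vista) the kernel refuses that open from user mode. What follows is an added example, not code from this thread, from Helix or from George Garner's tools: a small C probe that issues the same NtOpenSection call on \Device\PhysicalMemory that a user-mode dumper would, without mapping or reading anything, and reports whether the open succeeded or came back STATUS_ACCESS_DENIED. The function and enum names (physmem_probe, physmem_probe_describe, PHYSMEM_PROBE_*) are this example's own. Run it from an elevated (Administrator) prompt: a plain user is refused by the object's DACL on every Windows version, which would be misread as the newer kernel behaviour.

```c
/*
 * physmem_probe.c (added example; not code from the thread, Helix or KntDD)
 *
 * Does this host still allow a user-mode open of \Device\PhysicalMemory?
 * Only the open is attempted; no memory is mapped or read.
 */
#include <stdio.h>
#include <string.h>

/* Outcomes of physmem_probe(); the names are this example's own. */
enum physmem_probe_result {
    PHYSMEM_PROBE_NOT_WINDOWS   = -1, /* built somewhere without the NT API */
    PHYSMEM_PROBE_OPENED        =  0, /* open succeeded: a dd-style dumper can work */
    PHYSMEM_PROBE_ACCESS_DENIED =  1, /* STATUS_ACCESS_DENIED: 2003 SP1 / Vista behaviour */
    PHYSMEM_PROBE_OTHER_ERROR   =  2  /* some other NTSTATUS: inspect *status_out */
};

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>

#ifndef STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#endif
#ifndef OBJ_CASE_INSENSITIVE
#define OBJ_CASE_INSENSITIVE 0x00000040L
#endif

/* NtOpenSection is exported by ntdll.dll but not declared in winternl.h,
 * so resolve it at run time rather than linking against ntdll.lib. */
typedef NTSTATUS (NTAPI *NtOpenSection_fn)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);

int physmem_probe(long *status_out)
{
    static const WCHAR path[] = L"\\Device\\PhysicalMemory";
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    HANDLE section = NULL;
    NTSTATUS st;
    NtOpenSection_fn nt_open_section;

    nt_open_section = (NtOpenSection_fn)GetProcAddress(
        GetModuleHandleW(L"ntdll.dll"), "NtOpenSection");
    if (nt_open_section == NULL) {
        if (status_out) *status_out = 0;
        return PHYSMEM_PROBE_OTHER_ERROR;
    }

    /* Build the UNICODE_STRING by hand so no ntdll import is required. */
    name.Buffer = (PWSTR)path;
    name.Length = (USHORT)(sizeof(path) - sizeof(WCHAR));
    name.MaximumLength = (USHORT)sizeof(path);
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);

    /* SECTION_MAP_READ is all a dumper asks for; nothing is mapped here. */
    st = nt_open_section(&section, SECTION_MAP_READ, &oa);
    if (status_out) *status_out = (long)st;

    if (st >= 0) {                      /* NT_SUCCESS: user-mode access allowed */
        CloseHandle(section);
        return PHYSMEM_PROBE_OPENED;
    }
    if (st == STATUS_ACCESS_DENIED)
        return PHYSMEM_PROBE_ACCESS_DENIED;
    return PHYSMEM_PROBE_OTHER_ERROR;
}
#else
/* Non-Windows build: there is nothing to probe, say so plainly. */
int physmem_probe(long *status_out)
{
    if (status_out) *status_out = 0;
    return PHYSMEM_PROBE_NOT_WINDOWS;
}
#endif

/* Human-readable meaning of a probe result, for the examiner's notes. */
const char *physmem_probe_describe(int result)
{
    switch (result) {
    case PHYSMEM_PROBE_OPENED:
        return "user-mode \\Device\\PhysicalMemory open allowed: dd-style dumper can work";
    case PHYSMEM_PROBE_ACCESS_DENIED:
        return "STATUS_ACCESS_DENIED: 2003 SP1+/Vista kernel, use a driver-based acquisition tool";
    case PHYSMEM_PROBE_NOT_WINDOWS:
        return "not a Windows host";
    default:
        return "unexpected NTSTATUS: check the value and whether the prompt is elevated";
    }
}

int main(void)
{
    long status = 0;
    int r = physmem_probe(&status);
    printf("NtOpenSection(\\Device\\PhysicalMemory): NTSTATUS 0x%08lX -> %s\n",
           (unsigned long)status, physmem_probe_describe(r));
    return 0;
}
```

Compile it with any Windows C compiler (it needs only kernel32 at link time) and carry it on the same thumb drive as the acquisition tool; an ACCESS_DENIED result from an elevated prompt is the cue that a driver-based tool such as the one discussed in this thread is required, not a reason to keep retrying the user-mode dd.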
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Mikeypopo,

I beta-tested Kntdd, and if I want a copy of the full version, I must pay for it just like everyone else.

I, too, would like to know when Helix 2.0 is being released.

BTW…my book is out. You might be interested…


   
(@mikeypopo)
Eminent Member
Joined: 18 years ago
Posts: 31
Topic starter  

Thanks keydet89,
Do you have a link to your book? We are probably going to buy Kntdd anyway. How is the user interface? GUI, cmd line, plug & play?
How does it ship? CD, or thumb?
Can you run it off a thumb?
Do you like it?
Is it user friendly?
I want to use it (or any other memory dump tool) for our examiners while doing search warrants on Vista machines. You think that would work?

The website doesn't really show screenshots or anything, but I don't expect a genius like George Garner to have to force his product.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Mikeypopo,

> Do you have a link to your book?

Not hard to find…
http://www.syngress.com/catalog/index.cfm?pid=4235

> We are probably going to buy Kntdd anyway. How is the user interface?

CLI

> How does it ship? CD, or thumb?

No clue. You've gotta ask George.

> Do you like it?

Yeah…so far, it's the only tool that does what it does.

> Is it user friendly?

To set up, not really.

> I want to use it (or any other memory dump tool) for our examiners
> while doing search warrants on Vista machines. You think that would
> work?

I'm not sure what you're asking…so far, Kntdd is THE ONLY TOOL that will allow you to do this, unless the instance of Vista is running in a VMWare session.

I think that once you sit down and go through the docs for the tool, and get it set up, you'll be fine.

What do you intend to do with the dump once you get it? Are you also going to purchase knttools?

H


   
(@mikeypopo)
Eminent Member
Joined: 18 years ago
Posts: 31
Topic starter  

Sorry keydet89 - I didn't realize you were Harlan Carvey. :) Amazing book by the way. I was just wondering if it's "cop proof" and easy enough for the "lowest common denominator". As for Knttools - don't know yet.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Amazing book by the way.

Thanks!

> I was just wondering if it's "cop proof" and easy enough for the "lowest
> common denominator"

Sorry, I have no idea what that means. I've actually taught the material in the book to cops, and found about 70% give me back just glassy-eyed stares.

The book is "easy enough"…all you need to have is the desire to learn. Sure, if you've never run an app from a command prompt, you're going to have issues…until you overcome them. If you've never looked into the Registry, then you're going to learn something new.

Having been a Marine, I know not to guarantee something is idiot proof, because idiots get smarter every day! 😉 Cop proof? Dude, it's written in English, AND you've got my email address! I'm not sure how much easier I can make it, really! 😉

H


   
(@mikeypopo)
Eminent Member
Joined: 18 years ago
Posts: 31
Topic starter  

I mean is Kntdd and Knttools idiot proof.

Your book sure is. I have used it as a selling point for examiners to make step 1 a live RAM dump. I am a strong proponent of live analysis - specifically RAM. The problem is most folks on the LE/Govt side are "old timers" - unplug & image is the going standard. I am not against imaging dead systems - still do it. I tell them RAM is increasingly more important with the size of RAM getting bigger and the type of data that resides there… I guess I'm preaching to the choir aren't I?

It's really just education, verify, verify, verify, document & the old timers will come around . . . "Glassy-eyed stares" - funny but true.


   
Page 1 / 3