"I mean is Kntdd and Knttools idiot proof."
Sorry, I thought I already addressed that
"I think that once you sit down and go through the docs for the tool, and get it set up, you'll be fine."
But again, it depends on the idiot. 😉
I hear what you're saying about volatile data collection…it's important, needs to be done, and yes, the folks (cops included) who are "kickin' it old school" are going to get left behind.
If you read through my book and think about what I've read, you'll see that there's more than enough info there to address the "Trojan Defense" *before* it gets raised…that includes collecting RAM.
Now, all that's needed is the appropriate tools to parse RAM contents.
H
I've actually taught the material in the book to cops, and found about 70% give me back just glassy-eyed stares.
Hoy! 😉
I mean is Kntdd and Knttools idiot proof.
I believe that George intended it more for administrators, but as H. has implied, if you read the documentation then you should be able to get your head around using it. I find the best way is to use the documented method suggested, i.e. edit the go.bat batch file. I'm used to the command line, but even so it can get intense (I always find the CLI under Linux easier than Windows for some reason).
The problem is most folks on the LE/Govt side are "old timers".
Ouch!
unplug & image is the going standard.
Sadly true, hopefully people will begin to realise that may not be the best course of action considering the challenges ahead.
I normally use Helix but since Vista doesn't support Cygwin1.dll …
In what way? I use Cygwin apps under Vista daily, and pretty much all their apps depend on this DLL.
mikeypopo wrote
unplug & image is the going standard.
While generally a good idea, you might consider a quick check to see if the drive might be encrypted before unplugging the system. Otherwise, you will have a nice image of encrypted data. Especially necessary now that Vista machines might have BitLocker enabled.
Rob
If you're going to do a quick check to see if the drive is encrypted, why not also grab volatile data? I'm seeing more and more where "unplug & image" isn't generally a good idea…
Unplug and image is the going standard, BUT it's changing fast and people should make it standard practice to acquire volatile data.
Yea, I agree. If you're going to be there anyway you might as well grab volatile data. That was the initial reason for the post - to find something that can do a RAM dump in Vista. Just in case BitLocker is enabled, you might as well perform the image live to be on the safe side. Can't wait for Knttools and Helix3. We're doing RAM dumps standard now, but I know A LOT of LE folks still shun it. I guess old habits are hard to break.
> Can't wait for Knttools and Helix3.
Where are you getting Knttools?
When is Helix3 coming out? Drew hasn't even released 2 yet…
> We're doing RAM dumps standard now
What are you doing with them now that you have them?
> I guess old habits are hard to break.
I don't think that it has anything to do with habits at all. I think that if you take a look at where current LEO procedures originated, it was what was already being done in the private sector, then some standards added to it. Most LEOs are too overwhelmed with caseloads and a lack of training/knowledge to explore anything else.
H
Where are you getting Knttools?
Most LEOs are too overwhelmed with caseloads and a lack of training/knowledge to explore anything else.
That's part of the problem. The other issues have been discussed elsewhere on this forum previously. I think a lot of it may also be down to fear of the unknown; the burden of proof in civil action is lower than criminal, and the scrutiny can be more fierce at trial. How many criminal cases are you aware of where evidence from volatile data has been tested?
Garner's tools are ideal for the purpose of capturing physical memory. The tool can be automated, and it is highly configurable, which assists it in avoiding detection by malevolent processes. The tool is not difficult to use; admittedly it doesn't have a GUI, but then its purpose is to be as minimally invasive as possible. The license is not too restrictive either, in as much as it allows you to have additional copies on deployment media for investigations.
Gathering volatile data is now important and people should become familiar with the tools and techniques to capture it.
Jon,
Thanks for the link to George's site, but MikeyPopo seems to be implying that Drew is releasing knttools on Helix3. I'm trying to get clarification of this.
I purchased my copy of kntdd basic this week…