Hey all,
I've acquired a memory dump from a W2K3 server using Winen. I then converted the E## files to Raw(DD) format using FTK Imager.. The resulting files were named memdump.001 and memdump.002 (I used 2 Gig chunks).
I'm having trouble analyzing the dump file.. I have been told Volatility won't run on it.. and I've been trying Mandiant's Memoryze/Audit Viewer, but no luck. Does anyone know if it's possible to analyze the memory dump image for Windows 2003 Server in Memoryze? I see it gives me an error "Unable to determine the version of the OS in memory"
TIA!
Mandiant informed me that it is a problem with my image file that was converted from EnCase to Raw(DD) using FTK imager.. They indicated they are not straight dd's… /
Copy/unerasing the dump file from within EnCase seems to have solved my problem though!