M. Suiche has just released a new open source tool.
"Win32dd is a free kernel-land and 100% open-source tool to acquire physical memory under Vista and W2K3SP1."
The tool is available
I tried it on Vista (without Service Pack), W2K3SP1 and Windows XP SP2 without success.
On Vista and XP the tool seems to run without showing any error, but it only runs for a second (2 GB RAM) and there's nothing in the output directory.
On W2K3 it doesn't even run; there's an entry in the event log which says that a "Dependent Assembly Microsoft.VC80" could not be found.
Anybody having success?
I think that error relates to certain files missing off your machine which are required by the application.
Try installing the VC++ 2005 redistributable package from http//
HTH
I found that I had to create the destination directory myself; it would not create it for me. If it didn't find the directory, there was no output. All my testing with it has been on XP Pro SP3 machines and all have been hit or miss. Sometimes I get the full output, sometimes nothing.
KP
You may also be aware of two further tools which enable memory capture from machines > Win2K.
There is "winen" which comes bundled with later versions of EnCase 6 (you can find it in '\Program Files\Encase6'). I have tested it on XP Pro SP2 and 3, Server 2003 and Vista Home Premium and Ultimate. It worked fine on each example.
Also recently released is "mandd" from www.mantech.com which makes the same claims, although I haven't had the chance to try it out yet.
"winen" obviously has a cost as it is bundled with EnCase. "mdd" is freely downloadable, including the source.
Stu
Stu,
You may also be aware of two further tools which enable memory capture from machines > Win2K.
Just to be clear, the issue isn't Win2K…it's Windows 2003 SP 1…as of that release, MS removed user-mode access to the PhysicalMemory object.
There is "winen" which comes bundled with later versions of EnCase 6 (you can find it in '\Program Files\Encase6'). I have tested it on XP Pro SP2 and 3, Server 2003 and Vista Home Premium and Ultimate. It worked fine on each example.
The output of winen is an .E0x file…are you using the functionality within 6.11 to 'scrub' it for HBGary's Responder, in order to remove the EnCase headers?
Has anyone seen a tool based on libewf that will do this?
Also recently released is "mandd" from www.mantech.com which makes the same claims, although I haven't had the chance to try it out yet. "winen" obviously has a cost as it is bundled with EnCase. "mdd" is freely downloadable, including the source.
ManTech's 'mdd' tool downloads as memdd.exe. The source is indeed included. I (and apparently others) have not been able to get this tool to work, apparently due to the hard-linking of a debug DLL during compilation. I am told that an updated version will be released soon.
Also, there are claims that some portions of the source code haven't been released.
Another tool is available, as well…win32dd from Matthieu Suiche
http//
As of this morning, I have not been able to get this tool to work, either, but at least I can use SysInternals DebugView to send Matt some trouble-shooting info!
Look for new versions of each of the tools.
Now…the question is, with the dump of memory, what're you going to do with it?
I found that I had to create the destination directory myself; it would not create it for me.
I've always created the output directories before starting the tool - nothing in there.
I think that error relates to certain files missing off your machine which are required by the application.
I don't think that a VC runtime is necessary (no such statement on the tool's website).
There is "winen" which comes bundled with later versions of EnCase 6 (you can find it in '\Program Files\Encase6'). I have tested it on XP Pro SP2 and 3, Server 2003 and Vista Home Premium and Ultimate. It worked fine on each example.
I tried that one, but it seems to miss a lot of data at the beginning of the dump (I've always found the first 512K zeros). Furthermore, processing the dump with Volatility (after converting it to a dd format with ewfexport) doesn't work either.
Now…the question is, with the dump of memory, what're you going to do with it?
What I'm trying to do is to find a reliable way to get hard-disk encryption passwords out of the memory dumps. For now I've had limited success; I was just able to get the BIOS password from a memory dump - but only from a dump that I made using FireWire. All the other tools I've tested (dd, dcfldd, winen, memimager) - for obvious reasons only on Windows XP SP2 - seem to miss that part of memory.
I've also done some - limited - testing with TrueCrypt (whole drive encryption and also using an encrypted container), but without success.
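The "first 512K zeros" symptom described above is cheap to check for before spending time on Volatility. The script below is an added example, not code from the thread or from any of the tools named in it: it walks a raw (dd-style) image page by page, measures the leading zero run, counts all-zero pages, and flags an image whose low-memory prefix was evidently never acquired. The 512 KiB threshold and the constructed sample image are assumptions for illustration.

```python
import mmap
import sys

PAGE_SIZE = 4096                      # x86 page granularity used for the scan
SUSPECT_LEADING_ZEROS = 512 * 1024    # assumed threshold: the 512K prefix seen in the thread
ZERO_PAGE = b"\x00" * PAGE_SIZE


def leading_zero_run(data) -> int:
    """Return the number of consecutive zero bytes at the start of the image."""
    n, total = 0, len(data)
    # Skip whole zero pages first, then finish byte by byte in the first non-zero page.
    while n + PAGE_SIZE <= total and data[n:n + PAGE_SIZE] == ZERO_PAGE:
        n += PAGE_SIZE
    while n < total and data[n] == 0:
        n += 1
    return n


def zero_page_count(data) -> int:
    """Count whole pages anywhere in the image that are entirely zero."""
    return sum(1 for off in range(0, len(data) - PAGE_SIZE + 1, PAGE_SIZE)
               if data[off:off + PAGE_SIZE] == ZERO_PAGE)


def check_dump(data) -> dict:
    """Summarise zero-fill and flag an unacquired low-memory prefix.

    The lowest physical pages of a running x86 system hold real-mode/BIOS data
    and are never all zero, so a long zero prefix means that range was not captured."""
    pages = len(data) // PAGE_SIZE
    zeros = zero_page_count(data)
    lead = leading_zero_run(data)
    return {
        "size": len(data),
        "leading_zero_bytes": lead,
        "zero_pages": zeros,
        "zero_page_ratio": (zeros / pages) if pages else 0.0,
        "suspect_prefix": lead >= SUSPECT_LEADING_ZEROS,
    }


def sample_image() -> bytes:
    """Constructed sample: 512 KiB of zeros followed by ~1 MiB of non-zero filler."""
    return b"\x00" * SUSPECT_LEADING_ZEROS + bytes(range(1, 256)) * (1024 * 1024 // 255 + 1)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real image: memory-map it so multi-GB dumps are not read whole
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            result = check_dump(mm)
    else:
        result = check_dump(sample_image())
    for key, value in result.items():
        print(f"{key}: {value}")
```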
Hi all!
I'm trying to create mdd.exe from mdd version 1.1's zip file. I got one exe, but it is not working correctly.
My new mdd.exe output:
-> ERROR Unable to extract driver!
-> ERROR Failed to open PhysicalMemory section!
I already addressed this as a comment to my blog…
Are there any new updates of the mdd source code available now?
Please reply!!!!!
dija,
I'm unclear as to why you're posting here, and in my blog, and NOT asking the authors of mdd these questions…