I am working on a mock scenario for my school and one of the tasks is a live acquisition of RAM from a Windows 98 machine. I am running into problems finding a program capable of doing this. I have tried using various versions of Helix, all of which fail to work. I have even tried using dd.exe directly from the command line, though I get an error about a missing .DLL. Does anyone have any advice for how to go about getting this image? Thanks!
How about "memoryze" from Mandiant?
In addition to Memoryze check out mdd_1.3 from Mantech, Forensic Acquisition Utilities and win32dd.
What tool are you using on the Helix platform?
DD on the Helix disk should work on Win98
dd.exe if=\\.\physicalmemory of=x\drive.dd conv=noerror bs=32k
Reading a little
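As an added example (not code from this thread): a Python model of the block-wise copy that the dd line above performs, run against a constructed stand-in for the memory device (hypothetical) with one unreadable block. It shows why a forensic copy should zero-fill a bad block (dd's conv=noerror,sync) rather than only skip it (conv=noerror alone), and it hashes the finished image so it can be verified later.

```python
import hashlib
from typing import Callable, List, Tuple

BLOCK_SIZE = 32 * 1024  # same as bs=32k in the dd command line above


class ReadError(IOError):
    """Raised by the source when a block cannot be read (a bad page)."""


def acquire(read_block: Callable[[int, int], bytes], total_size: int,
            block_size: int = BLOCK_SIZE,
            pad_errors: bool = True) -> Tuple[bytes, List[int], str]:
    """Block-wise copy of a raw source, continuing past read errors.

    pad_errors=True  zero-fills an unreadable block (dd conv=noerror,sync),
    so every byte in the image keeps its original offset.
    pad_errors=False skips it (dd conv=noerror alone), so all later data
    shifts down by one block and offsets in the image no longer match RAM.
    Returns (image, offsets of unreadable blocks, SHA-256 of the image).
    """
    image = bytearray()
    bad_offsets: List[int] = []
    offset = 0
    while offset < total_size:
        length = min(block_size, total_size - offset)
        try:
            chunk = read_block(offset, length)
        except ReadError:
            bad_offsets.append(offset)
            chunk = b"\x00" * length if pad_errors else b""
        image += chunk
        offset += length
    return bytes(image), bad_offsets, hashlib.sha256(image).hexdigest()


def make_source(total_size: int, unreadable: List[int]) -> Callable[[int, int], bytes]:
    """Constructed stand-in for a physical-memory device (not a real driver):
    block i is filled with byte value i, and blocks whose start offset is
    listed in `unreadable` raise ReadError."""
    def read_block(offset: int, length: int) -> bytes:
        if offset in unreadable:
            raise ReadError(f"read error at offset {offset:#x}")
        return bytes([offset // BLOCK_SIZE]) * length
    return read_block


if __name__ == "__main__":
    src = make_source(4 * BLOCK_SIZE, unreadable=[2 * BLOCK_SIZE])
    image, bad, digest = acquire(src, 4 * BLOCK_SIZE)
    print(f"{len(image)} bytes, unreadable at {[hex(b) for b in bad]}, sha256={digest}")
```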
BitHead,
While I appreciate the faith there, my friend, unfortunately, I do not address "the other Windows"…only the NT family, particularly Win2K and beyond.
I'll admit that I haven't tried any of the tools on Win98…and likely won't. However, something to keep in mind is, even if you do find a way to make a dump, what will you do with it? Run strings or grep?
I'd suggest doing away with Win98 altogether. If you don't have a memory dump you can use and don't have a system you can dump memory from, there are a couple of places online (NIST being one of them) where you can get some samples.
Since this is a school assignment I thought the OP might want to expand their horizon, thus the reason for my link to your article.
BitHead,
I'm sure, but that wasn't the point I was trying to make…