Windows Kernel memory dumps

joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
Topic starter

I am aware that volatility and rekall only support crash dumps that are complete memory dumps, meaning that kernel memory dumps are not supported.

In particular I am working on extracting complete registry hives. I am able to solve this in a somewhat tedious/manual way by using windbg. So it's possible. But I was hoping there existed a smoother way of accomplishing this.

My question is:
Are there any tools out there that can analyze such kernel memory dumps?

LC6
(@grigollo)
Eminent Member
Joined: 8 years ago
Posts: 27

Have you tried using EnCase? It analyzes dumps.

jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133

Is some info on the file format useful?
Here:
http://computer.forensikblog.de/en/2006/03/dmp-file-structure.html

jaclaz

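Since the thread turns on the difference between a complete memory dump (which volatility and rekall accept) and a kernel memory dump (which they do not), a quick header check before handing a MEMORY.DMP to a tool saves time. The following is an added example, not code from this thread or from any of the tools mentioned. It reads only the header pages of a crash dump, using the documented DUMP_HEADER / DUMP_HEADER64 field offsets (the layout the linked forensikblog article describes) and the DumpType enumeration values as I know them (1 = full, 2 = kernel/summary, 5 = bitmap full); `build_sample_header` constructs synthetic test data so the script runs without a real dump, and the addresses it fills in are made-up placeholders.

```python
import struct

# DumpType values from the crash dump header's DUMP_TYPE enumeration
# (assumption: values as documented for Windows crash dumps).
DUMP_TYPES = {
    1: "full memory dump",
    2: "kernel memory dump (summary dump)",
    3: "header-only dump",
    4: "triage dump",
    5: "bitmap full dump",
    6: "bitmap kernel dump",
}

# IMAGE_FILE_MACHINE values seen in MachineImageType.
MACHINE_TYPES = {0x14C: "x86", 0x8664: "x64"}

# Field layouts: name -> (offset, struct format). The 32-bit header
# ("PAGEDUMP") is one page, the 64-bit header ("PAGEDU64") is two pages.
_LAYOUT_32 = {
    "major_version": (0x08, "<I"), "minor_version": (0x0C, "<I"),
    "directory_table_base": (0x10, "<I"), "ps_loaded_module_list": (0x18, "<I"),
    "ps_active_process_head": (0x1C, "<I"), "machine_image_type": (0x20, "<I"),
    "number_processors": (0x24, "<I"), "bugcheck_code": (0x28, "<I"),
    "dump_type": (0xF88, "<I"),
}
_LAYOUT_64 = {
    "major_version": (0x08, "<I"), "minor_version": (0x0C, "<I"),
    "directory_table_base": (0x10, "<Q"), "ps_loaded_module_list": (0x20, "<Q"),
    "ps_active_process_head": (0x28, "<Q"), "machine_image_type": (0x30, "<I"),
    "number_processors": (0x34, "<I"), "bugcheck_code": (0x38, "<I"),
    "dump_type": (0xF98, "<I"),
}


def parse_dump_header(data: bytes) -> dict:
    """Parse the leading bytes of a MEMORY.DMP and return its key fields."""
    if data[:8] == b"PAGEDUMP":
        layout, header_size = _LAYOUT_32, 0x1000
    elif data[:8] == b"PAGEDU64":
        layout, header_size = _LAYOUT_64, 0x2000
    else:
        raise ValueError("not a Windows crash dump (signature %r)" % data[:8])
    if len(data) < header_size:
        raise ValueError("truncated header: need %d bytes, got %d"
                         % (header_size, len(data)))
    fields = {name: struct.unpack_from(fmt, data, off)[0]
              for name, (off, fmt) in layout.items()}
    fields["bitness"] = 64 if header_size == 0x2000 else 32
    fields["machine"] = MACHINE_TYPES.get(fields["machine_image_type"], "unknown")
    fields["dump_kind"] = DUMP_TYPES.get(fields["dump_type"],
                                         "unknown (%d)" % fields["dump_type"])
    # Only full (1) and bitmap-full (5) dumps carry all physical memory;
    # a kernel dump (2) is what the thread says volatility/rekall reject.
    fields["is_complete_dump"] = fields["dump_type"] in (1, 5)
    return fields


def build_sample_header(bits: int, dump_type: int) -> bytes:
    """Construct a synthetic header (test data, not a real dump)."""
    layout, size = (_LAYOUT_64, 0x2000) if bits == 64 else (_LAYOUT_32, 0x1000)
    buf = bytearray(size)
    buf[:8] = b"PAGEDU64" if bits == 64 else b"PAGEDUMP"
    values = {  # placeholder values, chosen only to look plausible
        "major_version": 15, "minor_version": 7601,
        "directory_table_base": 0x1AB000,
        "ps_loaded_module_list": 0x82B5F850 if bits == 32 else 0xFFFFF80002C6B650,
        "ps_active_process_head": 0x82B57E20 if bits == 32 else 0xFFFFF80002C5C0E0,
        "machine_image_type": 0x14C if bits == 32 else 0x8664,
        "number_processors": 4, "bugcheck_code": 0x7E, "dump_type": dump_type,
    }
    for name, (off, fmt) in layout.items():
        struct.pack_into(fmt, buf, off, values[name])
    return bytes(buf)


def check_dump_file(path: str) -> dict:
    """Read just the header pages from disk and classify the dump."""
    with open(path, "rb") as f:
        return parse_dump_header(f.read(0x2000))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        info = check_dump_file(sys.argv[1])
    else:  # no file given: demonstrate on the constructed 64-bit kernel dump
        info = parse_dump_header(build_sample_header(64, 2))
    for key in ("bitness", "machine", "dump_kind", "is_complete_dump",
                "number_processors"):
        print("%-20s %s" % (key, info[key]))
    print("%-20s 0x%X" % ("bugcheck_code", info["bugcheck_code"]))
```

Run it as `python dumpcheck.py C:\Windows\MEMORY.DMP`; if `is_complete_dump` is False, the file is a kernel (summary) dump and needs WinDbg or another tool that understands the summary-dump bitmap rather than a full-dump-only framework.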
(@c-r-s)
Estimable Member
Joined: 14 years ago
Posts: 170

Responder Pro does that, though it probably exceeds the scope of a "tool" in this case.

joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
Topic starter

Responder Pro supports kernel memory dumps and produces some nice reports of various stuff. But I can't make it reassemble and export registry hives. @C.S.R. do you know if it is possible with Responder Pro, and if so, how?

Encase is untested (I have my doubts it will support it).

So, unless there is a tool out there that can do this, I think my best shot would be to programmatically automate the (long) WinDbg procedure I already have, which works for reassembling complete registry hives out of kernel memory dumps.

(@c-r-s)
Estimable Member
Joined: 14 years ago
Posts: 170

It is not a built-in function; you'd need to script Responder, too. However, I think it is much easier than automating WinDbg.

joakims
(@joakims)
Estimable Member
Joined: 15 years ago
Posts: 224
Topic starter

I acknowledge that Responder Pro has some nice features and seems like a robust tool. Regarding its scripting as compared to WinDbg's scriptability, it feels a little bit like managed coding compared to native coding. Thanks for the input. In my case I feel like sticking to WinDbg, because it can do so many great things when you master it, because of its extreme power. I like to be in control of the power of WinDbg (still learning).

However, I find it strange that there's no tool out there that can reconstruct registry hives out of kernel memory dumps. I would assume that such MEMORY.DMP files, which are the default system configuration, are not unusual to find, as systems have probably bluescreened at least once during their entire lifetime.

Anyways, there's very good reading to be found at http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/ He also reconstructed and extracted registry hives, and gave me some good hints. See appendix 21. But it's geared towards 32-bit and older Windows versions, and the process is very manual. Still, it lets you achieve the goal.
