I was wondering if anyone is doing any work in this area…specifically, analyzing dumps of Windows physical memory (i.e., RAM) made using dd.exe.
I'm familiar with some of the work that has gone on already, particularly via the DFRWS 2005 Memory Challenge, as well as what Andreas Schuster has released recently (I've blogged on this already). What I'm trying to find is anyone else who's looking at this…
Thanks,
Harlan
http://windowsir.blogspot.com
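One of the first passes an analyst makes over a raw physical-memory image like the dd.exe dumps asked about above is a string carve that reports file offsets for both ASCII and UTF-16LE (Windows' native wide-string) runs, so that process names, paths and command lines can be located before any structure-aware parsing. The following is an added example, not code from the thread or from any of the tools mentioned in it; the sample "image" it builds is constructed inline, and the minimum run length, device path and embedded strings are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Minimum printable run to report, in characters (assumed; strings-style
# tools commonly default to a small value like this).
MIN_LEN = 8

# Printable 7-bit ASCII run, and the same characters interleaved with NUL
# bytes as they appear in UTF-16LE text on Windows.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def carve_strings(image: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in the image,
    sorted by offset, so each hit can be traced back to a physical address."""
    hits: List[Tuple[int, str, str]] = []
    for m in ASCII_RE.finditer(image):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(image):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    hits.sort(key=lambda h: h[0])
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd.exe dump: non-printable filler around one
    ASCII string and one UTF-16LE string (hypothetical contents)."""
    filler = bytes([0x00, 0xFF, 0x01, 0xFE]) * 64   # 256 bytes, no printable runs
    ascii_text = b"dd.exe if=\\\\.\\PhysicalMemory of=ram.img"   # as a command line might appear
    wide_text = "C:\\Windows\\System32\\notepad.exe".encode("utf-16le")  # as a Windows path would appear
    return filler + ascii_text + filler + wide_text + filler


if __name__ == "__main__":
    for offset, enc, text in carve_strings(build_sample_image()):
        print(f"0x{offset:08x}  {enc:8s}  {text}")
```

Run against a real image, `carve_strings` would be fed the file contents (or an `mmap` of it for large dumps); the offsets it reports are physical offsets into the dump, which is what later, structure-aware parsing of process and thread objects needs as a starting point.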
Are you aware that the WinHex RAM editor in the Tools menu allows the examining of the virtual memory of a process? It can dump to a file, but it's not the entire physical memory in one go like dd would do.
Harlan,
You left out pmodump.pl from the
Sorry, jsawyer. I've been searching all over the Net for the past couple of weeks, and in particular the past couple of days, and never saw a single reference to this at all. I've searched using combinations of "Windows", "physical memory", "RAM", "analysis", and "dd.exe"…so, I can't say that I really forgot it, as I never knew about it. Thanks for the pointer, though.
Harlan
I posted a link to it on Feb 28 in response to your post on the "volatile memory on windows" thread.
Sorry, I missed that one…I caught your previous post, however.
Harlan
Andy, thanks, but that's really not what I'm looking for…
Harlan
> Are you aware that the WinHex RAM editor in the Tools menu allows the examining of the virtual memory of a process? It can dump to a file, but it's not the entire physical memory in one go like dd would do.

WinHex and X-Ways Forensics can dump the entire physical RAM. You can open RAM, double-click Physical Memory, block the entire contents, and save it to a file. X-Ways also produces X-Ways Capture, which is designed for live acquisition, including physical RAM. I have a copy, but have to play with it some before I can comment further, although it seems quite handy and configurable.
I have no idea about DD but one more interesting thing I would like to share (might be known to the forum) is that the iPod can be used for memory dump analysis.
Details can be seen at:
http//
sachin,
Thanks…but I'm not really clear on how that fits into the thread…
Harlan