
RE: Dumping RAM contents on Win NT / 2000

From: John Howie <JHowie(at)securitytoolkit.com>
Date: Mon Nov 11 2002 - 13:39:47 EST


John,

There are two ways to do it:

  1. Use a debugger. If you want to get the volatile memory for a process this is the easiest way to go about it. If you want to get at the kernel you have to use a kernel debugger, which you can get from Microsoft. Get Inside Windows 2000 by Solomon and Russinovich as it comes with a great kernel debugging tool and a bunch of examples on how to use it. Get this book anyway - it is invaluable.
  2. Write an application that has the ability to read process memory (this will not work if you want to get at the kernel memory). The application can use the PSAPI and the Debug Helper library to enumerate processes and threads, their memory heaps and structures, and then dump them. This is similar to using a debugger as in 1) above but would allow you to focus on exactly what you want.

We, Security Toolkit, have a custom application that does 2) from the command line - you provide the PID of the process you want dumped and it will dump it to a file. It has the advantage in that it freezes the process while dumping its memory to a file. We may consider releasing it in the future.

Regards,

John Howie
President, Security Toolkit LLC
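The following is an added example of the kind of user-mode dumper described under 2) above; it is not Security Toolkit's tool and not from the original message. It assumes Windows 2000 or later and uses the Toolhelp32 thread snapshot (rather than PSAPI or the Debug Helper library) to suspend the target's threads before copying, so that the image is consistent, which is the "freezes the process" point in the reply. The region-selection rule and the per-region record header are plain C and compile anywhere; the acquisition loop itself is compiled only under _WIN32.

```c
/* dumpproc.c: minimal user-mode memory dumper in the spirit of method 2.
 * Added example, not Security Toolkit's tool. Assumes Windows 2000+
 * (Toolhelp32 in kernel32). Build on Windows with: cl dumpproc.c
 * Usage: dumpproc <pid> <outfile> */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Page state/protection values as reported by VirtualQueryEx; numerically
 * identical to MEM_COMMIT, PAGE_NOACCESS and PAGE_GUARD in <windows.h>. */
#define MEM_STATE_COMMIT 0x1000u
#define PROT_NOACCESS    0x01u
#define PROT_GUARD       0x100u

/* Only committed, readable pages carry content worth copying. Reserved and
 * free ranges have none, PAGE_NOACCESS reads simply fail, and touching a
 * PAGE_GUARD page fires (and clears) the guard, altering the process under
 * examination, so all three are skipped rather than read. */
int region_is_dumpable(uint32_t state, uint32_t protect)
{
    if (state != MEM_STATE_COMMIT) return 0;
    if (protect & PROT_GUARD) return 0;
    if ((protect & 0xFFu) == PROT_NOACCESS) return 0;
    return 1;
}

/* Each region in the dump file is preceded by a fixed-width text record so
 * the raw bytes can later be mapped back to addresses in the live process.
 * Returns the record length, or 0 if buf is too small. */
size_t format_region_header(char *buf, size_t n,
                            uint64_t base, uint64_t size, uint32_t protect)
{
    int len = snprintf(buf, n, "REGION base=0x%016llx size=0x%016llx prot=0x%08x\n",
                       (unsigned long long)base, (unsigned long long)size, protect);
    return (len < 0 || (size_t)len >= n) ? 0 : (size_t)len;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* SeDebugPrivilege is needed to open processes owned by other accounts or
 * the system; the caller must already hold it (administrators do). */
static void enable_debug_privilege(void)
{
    HANDLE tok; TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tok)) return;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (LookupPrivilegeValueA(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
        AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL);
    CloseHandle(tok);
}

/* Suspend (suspend=1) or resume (suspend=0) every thread of pid so the
 * copy is internally consistent while it is taken. */
static void set_threads_suspended(DWORD pid, int suspend)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    THREADENTRY32 te; BOOL ok;
    if (snap == INVALID_HANDLE_VALUE) return;
    te.dwSize = sizeof te;
    for (ok = Thread32First(snap, &te); ok; ok = Thread32Next(snap, &te)) {
        HANDLE t;
        if (te.th32OwnerProcessID != pid) continue;
        t = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te.th32ThreadID);
        if (!t) continue;
        if (suspend) SuspendThread(t); else ResumeThread(t);
        CloseHandle(t);
    }
    CloseHandle(snap);
}

/* Walk the user address space with VirtualQueryEx and copy each dumpable
 * region with ReadProcessMemory. Returns regions written, or -1 on failure. */
long dump_process(DWORD pid, const char *path)
{
    HANDLE h; FILE *out; SYSTEM_INFO si; MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr, *top; long regions = 0;
    enable_debug_privilege();
    h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) return -1;
    out = fopen(path, "wb");
    if (!out) { CloseHandle(h); return -1; }
    set_threads_suspended(pid, 1);
    GetSystemInfo(&si);
    addr = (unsigned char *)si.lpMinimumApplicationAddress;
    top  = (unsigned char *)si.lpMaximumApplicationAddress;
    while (addr < top && VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (region_is_dumpable(mbi.State, mbi.Protect)) {
            unsigned char *buf = malloc(mbi.RegionSize);
            SIZE_T got = 0;
            if (buf && ReadProcessMemory(h, mbi.BaseAddress, buf, mbi.RegionSize, &got) && got) {
                char hdr[96];
                size_t hl = format_region_header(hdr, sizeof hdr,
                    (uint64_t)(uintptr_t)mbi.BaseAddress, (uint64_t)got, mbi.Protect);
                fwrite(hdr, 1, hl, out); fwrite(buf, 1, got, out);
                regions++;
            }
            free(buf);
        }
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    set_threads_suspended(pid, 0);
    fclose(out); CloseHandle(h);
    return regions;
}

int main(int argc, char **argv)
{
    long n;
    if (argc != 3) { fprintf(stderr, "usage: dumpproc <pid> <outfile>\n"); return 2; }
    n = dump_process((DWORD)strtoul(argv[1], NULL, 10), argv[2]);
    if (n < 0) { fprintf(stderr, "dump failed (error %lu)\n", GetLastError()); return 1; }
    printf("%ld regions written to %s\n", n, argv[2]);
    return 0;
}
#endif
```

Like the tool described in the reply, this takes a PID and writes the process's readable committed memory to a file, and it only reaches user-mode memory: kernel memory needs a kernel debugger, as method 1) says. Because running a dumper on the suspect machine itself changes that machine's state, record what was run and when as part of the case notes.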

-----Original Message-----
From: John Smith [mailto:for3nsics@yahoo.com.au]
Sent: Sunday, November 10, 2002 2:40 PM
To: focus-ms@securityfocus.com
Cc: forensics@securityfocus.com
Subject: Dumping RAM contents on Win NT / 2000

Hi all,

I'm conducting some test forensics work on both Windows NT and 2000 and found myself wanting to "dump" the contents of memory for volatile data investigation. Unfortunately I can not find any relevant information on tools/howto's on this subject, except setting a Registry key which requires an initial reboot to take effect (which will be useless because after the reboot the volatile data would be lost). And yes, the fact that the Reg Key wasn't set is an obvious one as well :)


Any ideas on how this could be achieved WITHOUT setting the particular Registry setting.

Thanks in advance.

http://careers.yahoo.com.au - Yahoo! Careers - 1,000's of jobs waiting online for you!



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Nov 11 13:44:07 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:41 EDT

