RE: Using dd.exe to make forensic images of NTFS drives

From: Reava, Jeffrey [IT/0200] <jeffrey.reava(at)pharmacia.com>
Date: Tue Aug 12 2003 - 11:04:17 EDT

-----Original Message-----
From: crazytrain [mailto:subscribe@crazytrain.com]
Sent: Monday, August 11, 2003 11:29 PM
To: forensics@securityfocus.com
Subject: Re: Using dd.exe to make forensic images of NTFS drives

>>On Mon, 2003-08-11 at 04:53, Sakaba wrote:

>Unless you pre-install a program to do such, I believe this is currently

--per Microsoft Knowledge Base Article - 164501: "The use of KnownDLLs secures the system from someone deceptively replacing APIs by placing a rogue DLL in the application directory."

In this case, the "protection" is being used against you. HKLM\System\..\KnownDLLs specifies that certain DLLs must be loaded from winnt\system32. While you can add a registry key HKLM\..\ExcludeFromKnownDLLs, I have not been able to get it to 'take' without a reboot.

For DLLs not listed in the KnownDLLs key (e.g. cygwin1.dll), they'll load from the same dir as the executable, but their dependencies (kernel32.dll) will still load from system32.



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Wed Aug 13 09:18:57 2003
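
Added example, not part of the original post: Python that applies the load rule described in the message to a tool's import graph and reports which DLLs would come from the examined host's system32 rather than from the tool's own directory. The import graph, the DLL sets and helper.dll are constructed sample data; the registry path is the standard Session Manager location, which the message abbreviates.

```python
import sys

# Standard location of the KnownDLLs list (the post abbreviates this path).
REG_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"

def read_known_dlls():
    """Read the KnownDLLs file names from the live registry (Windows only)."""
    import winreg
    names = set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            # DllDirectory* values hold the directory, not a DLL name.
            if not name.lower().startswith("dlldirectory"):
                names.add(str(data).lower())
    return names

def classify(root, imports, known_dlls, tool_dir_files):
    """Walk the import graph from `root`; map each DLL to where it loads from."""
    known = {n.lower() for n in known_dlls}
    shipped = {n.lower() for n in tool_dir_files}
    result, stack = {}, [d.lower() for d in imports.get(root, [])]
    while stack:
        dll = stack.pop()
        if dll in result:
            continue
        if dll in known:
            # A copy shipped next to the tool is ignored for these.
            result[dll] = "system32 (KnownDLLs)"
        elif dll in shipped:
            result[dll] = "tool directory"
        else:
            result[dll] = "search path"
        # Dependencies of a DLL are resolved by the same rule.
        stack.extend(d.lower() for d in imports.get(dll, []))
    return result

# Constructed sample data (not taken from a real dd.exe build).
SAMPLE_IMPORTS = {
    "dd.exe": ["cygwin1.dll", "KERNEL32.dll", "helper.dll"],
    "cygwin1.dll": ["KERNEL32.dll", "ADVAPI32.dll"],
}
SAMPLE_KNOWN = {"kernel32.dll", "advapi32.dll"}
SAMPLE_TOOL_DIR = {"dd.exe", "cygwin1.dll", "kernel32.dll"}

if __name__ == "__main__":
    known = read_known_dlls() if sys.platform == "win32" else SAMPLE_KNOWN
    report = classify("dd.exe", SAMPLE_IMPORTS, known, SAMPLE_TOOL_DIR)
    for dll, src in sorted(report.items()):
        print(f"{dll:15} {src}")
```

With the sample data, the kernel32.dll copy placed beside dd.exe is reported as loading from system32, which is the case the message describes.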

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:45 EDT

