Re: Flushing DLLs follow-up

From: Frank Heyne (fh@rcs.urz.tu-dresden.de)
Date: 10/23/01


From: Frank Heyne <fh@rcs.urz.tu-dresden.de>
To: forensics@securityfocus.com, focus-ms@securityfocus.com, keydet89@yahoo.com
Date: Tue, 23 Oct 2001 19:03:36 +0200
Subject: Re: Flushing DLLs follow-up
Message-ID: <3BD5BF08.5596.8E0135@localhost>

On 23 Oct 2001, at 6:18, H C wrote:

> conducting 'live' forensics investigations on NT/2K (and
> ultimately XP).

I would say you first need to separate systems which are prepared for
this kind of investigation and systems which are not ;-)

Starting with NT 5.0 (= W2K), there is the *very* helpful hibernation
option. It will just copy the entire RAM into a file on the HD :-))

I am not sure at the moment, but I think even when this option is not
enabled, you can enable it without rebooting and save the current state
to disk.

With NT 3.x and NT 4, there is no such option.

Frank Heyne
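Added example (not part of the message above): a small triage script for the hibernation file Frank describes. It assumes, as facts outside this thread, that Windows stores the hibernation image in `hiberfil.sys` in the root of the system drive, that the first four bytes are an ASCII signature (`hibr` on Windows 2000/XP/Vista/7, `HIBR` on Windows 8 and later), and that the signature is overwritten with `wake`/`WAKE` (or zeroed) after a resume while the rest of the RAM image is left in place. The sample inputs in the test are constructed.

```python
"""Triage a candidate Windows hibernation file (hiberfil.sys).

Assumptions (not from the original message): the file name hiberfil.sys,
the 4-byte signature at offset 0, and the behaviour that a resume only
rewrites that signature. Investigators use this to decide whether a
hibernation file is worth acquiring as a memory snapshot.
"""
import os

# Signature values as understood by the author of this example.
VALID_SIGNATURES = {b"hibr", b"HIBR"}      # intact hibernation image
RESUMED_SIGNATURES = {b"wake", b"WAKE"}    # header invalidated after resume
ZEROED_HEADER = b"\x00\x00\x00\x00"


def classify_hiberfil(header: bytes) -> str:
    """Classify a hibernation file from its first bytes.

    Returns one of 'valid', 'resumed', 'zeroed' or 'unknown'.
    """
    if len(header) < 4:
        return "unknown"
    sig = header[:4]
    if sig in VALID_SIGNATURES:
        return "valid"
    if sig in RESUMED_SIGNATURES:
        return "resumed"
    if sig == ZEROED_HEADER:
        return "zeroed"
    return "unknown"


def triage(header: bytes, file_size: int, physical_ram_bytes: int) -> dict:
    """Combine the header state with a size sanity check.

    A hibernation file is normally about the size of physical RAM; a much
    smaller file suggests it was never populated or was truncated.
    """
    state = classify_hiberfil(header)
    ratio = file_size / physical_ram_bytes if physical_ram_bytes else 0.0
    return {
        "state": state,
        "size": file_size,
        "size_ratio_to_ram": round(ratio, 3),
        # A resumed image has only lost its header; the page contents remain.
        "worth_acquiring": state in ("valid", "resumed") and ratio >= 0.5,
    }


def triage_file(path: str, physical_ram_bytes: int) -> dict:
    """Read only the header and size of an on-disk hibernation file."""
    with open(path, "rb") as fh:
        header = fh.read(4)
    return triage(header, os.stat(path).st_size, physical_ram_bytes)


if __name__ == "__main__":
    # Hypothetical path and RAM size; adjust for the system under review.
    result = triage_file(r"C:\hiberfil.sys", 512 * 1024 * 1024)
    print(result)
```

Run it against a mounted image rather than the live system drive where possible; on a live box the file is locked by the kernel, and reading it is itself a change to the evidence trail.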