RE: Flushing DLLs follow-up

From: DE VILLIERS IAN (ian.devilliers@bmw.co.za)
Date: 10/24/01

• Previous message: Frank Heyne: "RE: Flushing DLLs follow-up"
• Maybe in reply to: H C: "Flushing DLLs follow-up"
• Next in thread: Frank Heyne: "RE: Flushing DLLs follow-up"
• Reply: Frank Heyne: "RE: Flushing DLLs follow-up"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Message-ID: <4A8E2E6FBFC0D511B0590008C7336EA00E3D75@zaexc8.w9>
From: DE VILLIERS IAN <ian.devilliers@bmw.co.za>
To: "'fh@rcs.urz.tu-dresden.de'" <fh@rcs.urz.tu-dresden.de>
Subject: RE: Flushing DLLs follow-up
Date: Wed, 24 Oct 2001 08:21:23 +0200

Frank,

> Starting with NT 5.0 (= W2K), there is the *very* helpful hibernation
> option. It will just copy the entire RAM onto a file at the HD :-))

Although NT 4.0 doesn't give a hibernation function, on previous occasions
when I have needed to check the > physical RAM on NT 4.0,

I used a reasonably effective although probably unorthodox way of dumping
the memory to disk - check that your crash recovery options dump the
complete RAM to disk and cause a blue screen.

Although this is a good way to get the RAM contents to disk when you are
interested in specific programs in memory, I suppose doing something similar
for forensic investigations is not an option, but I wouldnt know much about
that...

Regards,

Ian de Villiers

-----Original Message-----
From: Frank Heyne [mailto:fh@rcs.urz.tu-dresden.de]
Sent: 23 October 2001 19:04
To: forensics@securityfocus.com; focus-ms@securityfocus.com;
keydet89@yahoo.com
Subject: Re: Flushing DLLs follow-up

On 23 Oct 2001, at 6:18, H C wrote:

> conducting 'live' forensics investigations on NT/2K (and
> ultimately XP).

I would say you first need to separate systems which are prepared for
this kind of investigation and systems which are not ;-)

Starting with NT 5.0 (= W2K), there is the *very* helpful hibernation
option. It will just copy the entire RAM onto a file at the HD :-))

I am not sure at the moment, but I think even when this option is not
enabled, you can enable it without rebooting and save the current state
to disk.

With NT 3.x and NT 4, there is no such option.

Frank Heyne

---

• Previous message: Frank Heyne: "RE: Flushing DLLs follow-up"
• Maybe in reply to: H C: "Flushing DLLs follow-up"
• Next in thread: Frank Heyne: "RE: Flushing DLLs follow-up"
• Reply: Frank Heyne: "RE: Flushing DLLs follow-up"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: OT/drift: when is a RAMdisk an appropriate solution ... include the "ram disk" component in your project. ... Sometimes, a physical RAM ... only to wind up going directly to regular old ordinary memory, ... testing the file system software. ... (comp.lang.c) Re: teaching a child - console or GUI ... >> possible to set up some pretty fancy 'accelerators' ... disk under a file name that is ... ... or are they really a bunch of pointers ... You mean that you had to be convinced of the 'CD in RAM' approach? ... (comp.lang.pascal.delphi.misc) Re: Future Linux on Bistable Storage ... One major difference between disk and RAM is the tradeoffs between size, ... resume the system -- except perhaps for I/O initialisation. ... Writing all of RAM to disk burns more power than powering RAM for several ... (Linux-Kernel) Re: Hard disk speed - Maybe OT ... This will of course all be disk cache. ... The current capture uses ... I dont think RAM will help all that much. ... (alt.os.linux.suse) OT/drift: when is a RAMdisk an appropriate solution ... include the "ram disk" component in your project. ... Sometimes, a physical RAM ... only to wind up going directly to regular old ordinary memory, ... testing the file system software. ... (comp.lang.c)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)