RE: Flushing DLLs follow-up

From: DE VILLIERS IAN (ian.devilliersat_private)
Date: Tue Oct 23 2001 - 23:21:23 PDT


    Frank,
    
    > Starting with NT 5.0 (= W2K), there is the *very* helpful hibernation 
    > option. It will just copy the entire RAM onto a file at the HD :-))
    
    Although NT 4.0 doesn't give a hibernation function, on previous occasions
    when I have needed to check the physical RAM on NT 4.0, I used a reasonably
    effective although probably unorthodox way of dumping the memory to disk -
    check that your crash recovery options dump the complete RAM to disk and
    cause a blue screen.
    
    Although this is a good way to get the RAM contents to disk when you are
    interested in specific programs in memory, I suppose doing something similar
    for forensic investigations is not an option, but I wouldn't know much about
    that...
    
    Regards,
    
    Ian de Villiers
    
    -----Original Message-----
    From: Frank Heyne [mailto:fhat_private-dresden.de]
    Sent: 23 October 2001 19:04
    To: forensicsat_private; focus-msat_private;
    keydet89at_private
    Subject: Re: Flushing DLLs follow-up
    
    
    On 23 Oct 2001, at 6:18, H C wrote:
    
    > conducting 'live' forensics investigations on NT/2K (and
    > ultimately XP). 
    
    I would say you first need to separate systems which are prepared for 
    this kind of investigation and systems which are not ;-)
    
    Starting with NT 5.0 (= W2K), there is the *very* helpful hibernation 
    option. It will just copy the entire RAM onto a file at the HD :-))
    
    I am not sure at the moment, but I think even when this option is not 
    enabled, you can enable it without rebooting and save the current state 
    to disk.
    
    With NT 3.x and NT 4, there is no such option.
    
    
    Frank Heyne
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
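Ian's crash-dump approach only works if the dump settings were right before the incident. The following is an added example, not code from either mail: a PowerShell read-out of the real CrashControl registry values and the boot-volume pagefile, reporting whether a blue screen would actually write the complete RAM to disk; the value meanings follow Microsoft's documentation, and the hiberfil.sys path is assumed to be on the system drive.

```powershell
# Added example (not code from either mail): report whether a crash would
# write the complete physical RAM to disk, and whether a hibernation file is
# present. Registry key and value names are the real CrashControl values.
function Get-MemoryCaptureReadiness {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $cc  = Get-ItemProperty -Path $key

    # CrashDumpEnabled selects what the kernel writes on a bug check.
    $dumpKind = switch ([int]$cc.CrashDumpEnabled) {
        0 { 'none' }
        1 { 'complete memory dump' }
        2 { 'kernel memory dump' }
        3 { 'small memory dump' }
        7 { 'automatic memory dump' }   # Windows 8 and later only
        default { "unknown ($($cc.CrashDumpEnabled))" }
    }

    # A complete dump is staged through the pagefile on the boot volume, so
    # that pagefile must be larger than physical RAM (RAM plus a small header).
    $ramMB  = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $bootPf = Get-CimInstance Win32_PageFileUsage |
        Where-Object { $_.Name -like "$env:SystemDrive*" } |
        Select-Object -First 1
    $pfMB = if ($bootPf) { [int]$bootPf.AllocatedBaseSize } else { 0 }

    [pscustomobject]@{
        CrashDumpKind   = $dumpKind
        DumpFile        = $cc.DumpFile          # e.g. %SystemRoot%\MEMORY.DMP
        AutoReboot      = [bool]$cc.AutoReboot  # 1 = reboot once the dump is written
        PhysicalRAM_MB  = $ramMB
        BootPagefile_MB = $pfMB
        CompleteDumpOK  = ([int]$cc.CrashDumpEnabled -eq 1) -and ($pfMB -gt $ramMB)
        # Hibernation file location assumed to be the system drive root.
        HiberfilPresent = [System.IO.File]::Exists("$env:SystemDrive\hiberfil.sys")
    }
}

Get-MemoryCaptureReadiness | Format-List
```

Run it in an elevated PowerShell; it only reads the configuration and never triggers a crash itself.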
    



    This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 17:50:29 PDT