Re: Pagefile for reader/dumpers NT?

From: Brian Carrier (bcarrierat_private)
Date: Thu Aug 01 2002 - 06:56:02 PDT

Next message: George M. Garner Jr.: "RE: Pagefile for reader/dumpers NT?"

Previous message: Brian Carrier: "Re: 2 questions about tct and perl lfs"
Next in thread: George M. Garner Jr.: "RE: Pagefile for reader/dumpers NT?"
Reply: George M. Garner Jr.: "RE: Pagefile for reader/dumpers NT?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Jul 31, 2002 at 04:08:04PM -0400, Buck Buchanan wrote:
> Bypassing the file system and directly accessing the disk can easily dump
> any disk block.  Disk Probe from the NT Resource Kit can do this.  The hard
> part is figuring out which blocks the pagefile(s) is/are using.  I am not
> aware of any easy to use "script kiddie" tools that will accomplish this,
> but would like to find one.  

The nfi.exe (somewhere on Microsoft's site) tool will dump the MFT table
and give the sector runs for files.   

brian


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: George M. Garner Jr.: "RE: Pagefile for reader/dumpers NT?"
Previous message: Brian Carrier: "Re: 2 questions about tct and perl lfs"
Next in thread: George M. Garner Jr.: "RE: Pagefile for reader/dumpers NT?"
Reply: George M. Garner Jr.: "RE: Pagefile for reader/dumpers NT?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 07:38:09 PDT