John,

There are two ways to do it:

1) Use a debugger. If you want to get the volatile memory for a process this is the easiest way to go about it. If you want to get at the kernel you have to use a kernel debugger, you can get that from Microsoft. Get Inside Windows 2000 by Solomon and Russinovich as it comes with a great kernel debugging tool and a bunch of examples on how to use it. Get this book anyway - it is invaluable.

2) Write an application that has the ability to read process memory (this will not work if you want to get at the kernel memory). The application can use the PSAPI and the Debug Helper library to enumerate processes and threads, their memory heaps and structures, and then dump them. This is similar to using a debugger as in 1) above but would allow you to focus on exactly what you want.

We, Security Toolkit, have a custom application that does 2) from the command line - you provide the PID of the process you want dumped and it will dump it to a file. It has the advantage in that it freezes the process while dumping its memory to a file. We may consider releasing it in the future.

Regards,

John Howie
President, Security Toolkit LLC

-----Original Message-----
From: John Smith [mailto:for3nsicsat_private]
Sent: Sunday, November 10, 2002 2:40 PM
To: focus-msat_private
Cc: forensicsat_private
Subject: Dumping RAM contents on Win NT / 2000

Hi all,

I'm conducting some test forensics work on both Windows NT and 2000 and found myself wanting to "dump" the contents of memory for volatile data investigation. Unfortunately I cannot find any relevant information on tools/howtos on this subject, except setting a Registry key which requires an initial reboot to take effect (which will be useless because after the reboot the volatile data would be lost). And yes, the fact that the Reg Key wasn't set is an obvious one as well :)

Any ideas on how this could be achieved WITHOUT setting the particular Registry setting?

Thanks in advance.
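The user-mode approach described in option 2) above, as an added example that is not code from the post or from Security Toolkit's tool. It uses VirtualQueryEx and ReadProcessMemory to walk and copy the target's committed, readable regions (rather than the PSAPI/DbgHelp heap walkers the reply mentions), freezes the target's threads with Toolhelp32 and SuspendThread while it reads (Windows 2000 and later; NT 4 lacks OpenThread and Toolhelp32), and writes each region behind a fixed 24-byte header so the dump can be indexed afterwards. The names region_is_dumpable, dump_hdr_t, freeze_threads and dump_process are this example's own. The region-selection and header code is portable and builds on any platform; the Win32 calls sit under #ifdef _WIN32.

```c
/* Added example (not from the list post): user-mode process memory dumper
 * in the spirit of option 2. Walks the target with VirtualQueryEx, freezes
 * its threads, copies each committed readable region with ReadProcessMemory
 * and writes it to a file behind a fixed header. All names are our own. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#else
/* Stand-ins so the portable logic builds and can be tested off Windows;
 * the values are the ones winnt.h defines. */
#define MEM_COMMIT    0x1000u
#define PAGE_NOACCESS 0x01u
#define PAGE_GUARD    0x100u
#endif

/* Record header written in front of each region's bytes in the dump file. */
typedef struct {
    uint64_t base;     /* region base address in the target */
    uint64_t size;     /* bytes that follow this header (may be a partial read) */
    uint32_t protect;  /* page protection as reported by VirtualQueryEx */
    uint32_t reserved; /* padding so the header is 24 bytes everywhere */
} dump_hdr_t;

/* Only committed regions the target itself may read are copied. Reads of
 * PAGE_NOACCESS pages fail, and guard pages are skipped so the dumper does
 * not disturb the target's stack guards. The low byte of Protect holds the
 * base protection; PAGE_GUARD and friends are modifier bits above it. */
int region_is_dumpable(uint32_t state, uint32_t protect) {
    if (state != MEM_COMMIT) return 0;
    if ((protect & 0xFFu) == PAGE_NOACCESS) return 0;
    if (protect & PAGE_GUARD) return 0;
    return 1;
}

int hdr_write(FILE *f, const dump_hdr_t *h) { return fwrite(h, sizeof *h, 1, f) == 1; }
int hdr_read(FILE *f, dump_hdr_t *h)        { return fread(h, sizeof *h, 1, f) == 1; }

/* Round-trips a header through a temporary file; returns 1 on success. */
int selftest_header_roundtrip(void) {
    dump_hdr_t in = { 0x00400000u, 0x1000u, 0x20u /* PAGE_EXECUTE_READ */, 0 }, out;
    FILE *f = tmpfile();
    if (!f) return 0;
    int ok = hdr_write(f, &in) && fseek(f, 0, SEEK_SET) == 0 && hdr_read(f, &out)
             && memcmp(&in, &out, sizeof in) == 0;
    fclose(f);
    return ok;
}

#ifdef _WIN32
/* Suspend (suspend != 0) or resume every thread owned by pid. */
static void freeze_threads(DWORD pid, int suspend) {
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    THREADENTRY32 te = { sizeof te };
    if (snap == INVALID_HANDLE_VALUE) return;
    for (BOOL ok = Thread32First(snap, &te); ok; ok = Thread32Next(snap, &te)) {
        if (te.th32OwnerProcessID != pid) continue;
        HANDLE t = OpenThread(THREAD_SUSPEND_RESUME, FALSE, te.th32ThreadID);
        if (!t) continue;
        if (suspend) SuspendThread(t); else ResumeThread(t);
        CloseHandle(t);
    }
    CloseHandle(snap);
}

/* Writes every dumpable region of pid to path. Returns the number of
 * regions written, or -1 if the process or the file could not be opened. */
int dump_process(DWORD pid, const char *path) {
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) return -1;
    FILE *out = fopen(path, "wb");
    if (!out) { CloseHandle(h); return -1; }
    freeze_threads(pid, 1);
    int regions = 0;
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL, *next;
    while (VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (region_is_dumpable(mbi.State, mbi.Protect)) {
            unsigned char *buf = malloc(mbi.RegionSize);
            SIZE_T got = 0;
            if (buf && ReadProcessMemory(h, mbi.BaseAddress, buf, mbi.RegionSize, &got) && got) {
                dump_hdr_t hdr = { (uint64_t)(uintptr_t)mbi.BaseAddress, got, mbi.Protect, 0 };
                if (hdr_write(out, &hdr) && fwrite(buf, 1, got, out) == got) regions++;
            }
            free(buf);
        }
        next = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr) break;   /* wrapped past the top of the address space */
        addr = next;
    }
    freeze_threads(pid, 0);
    fclose(out);
    CloseHandle(h);
    return regions;
}
#endif
```

To use it on Windows, wrap dump_process in a main that takes the PID and output path from the command line. Opening another user's process (a service, say) needs SeDebugPrivilege enabled in the dumper's token, which is what the classic "access denied" from OpenProcess usually means. Resuming the threads on every exit path matters: a process left suspended after the dump is as much a change to the evidence as one that kept running.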
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Nov 11 2002 - 10:43:52 PST