John,

there is an enhanced version of GNU dd for Win* which provides what you need:

    dd.exe if=\\.\PhysicalMemory of=d:\images\PhysicalMemory.img

Sorry, I don't remember the download location off my head, just google for dd.exe and physical memory...

Best regards,
Knut

John Smith wrote:
> I'm conducting some test forensics work on both
> Windows NT and 2000 and found myself wanting to "dump"
> the contents of memory for volatile data investigation.
> Unfortunately I cannot find any relevant information
> on tools/howto's on this subject, except setting a
> Registry key which requires an initial reboot to take
> effect. (which will be useless because after the
> reboot the volatile data would be lost). And yes, the
> fact that the Reg Key wasn't set is an obvious one as
> well :)
>
> Any ideas on how this could be achieved WITHOUT
> setting the particular Registry setting.
>
> Thanks in advance.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Nov 11 2002 - 10:44:07 PST