Re: Dumping RAM contents on Win NT / 2000

From: Dominique Brezinski (domat_private)
Date: Tue Nov 12 2002 - 12:25:46 PST


    You are right...I was thinking of the work we just did to read raw physical
    *drives*, which do have a file object mapping.  Indeed the physical memory
    device needs to be memory mapped and is subject to the conditions you
    mention.  My bad.
    
    Dom
    ----- Original Message -----
    From: "George M. Garner Jr." <gmgarnerat_private>
    To: <forensicsat_private>
    Sent: Tuesday, November 12, 2002 11:11 AM
    Subject: RE: Dumping RAM contents on Win NT / 2000
    
    
    > Dom,
    >
    > >>You can write a simple C program that opens the file
    > \\.\PhysicalMemory
    > >>and uses the C runtime read() call to read the contents...<<
    >
    > This statement is not correct.  On *nix platforms there is a file object
    > named "/dev/kmem" that may be opened to read a logical view of physical
    > memory.  The Win32 dd port available at
    > http://users.erols.com/gmgarner/forensics uses the file object idiom
    > (\\.\PhysicalMemory) in the *presentation* layer because that is what dd
    > users are likely to expect.  Physical memory is not accessible via a
    > file object on Windows platforms, however.  The kernel-mode object
    > /Device/PhysicalMemory is a section object, not a file object.  Section
    > objects may be *mapped* into a process's virtual address space, not read
    > like a file.
    >
    > This distinction is important because the method has certain known risks
    > and limitations that should be understood before attempting to dump
    > physical memory using my dd port or other tools that dump "physical
    > memory" from a user mode process using the memory or section mapping
    > APIs.  In particular, you should familiarize yourself with the risks
    > associated with processor TLB corruption on the x86 platform.
    >
    > Regards,
    >
    > George.
    >
    >
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
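
    The section-object method George describes, as an added example that is not code from this thread or from the dd port it mentions: the program opens the kernel object \Device\PhysicalMemory with NtOpenSection and maps a read-only view of it with NtMapViewOfSection, rather than opening \\.\PhysicalMemory and calling read().  It assumes a Windows kernel that still exposes that section to user mode (the NT4/2000/XP era this thread is about; Windows Server 2003 SP1 and later deny user-mode access, and acquisition there needs a kernel driver) and an administrative caller.  The range helper align_view, which rounds a requested physical range to a mappable window, is a hypothetical name chosen here; the TLB risk George raises is not addressed by this code and still applies to any user-mode mapping of physical memory.

```c
/* Added example, not code from the thread or from the dd port it mentions.
 * It treats \Device\PhysicalMemory the way the reply describes: as a
 * section object that is opened with NtOpenSection and *mapped* with
 * NtMapViewOfSection, never read() like a file.  Assumes a Windows kernel
 * that still exposes the section to user mode and an administrative caller.
 * The range helper is portable; the mapping code is compiled only on Windows. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VIEW_GRANULARITY 0x10000u   /* Win32 allocation granularity, 64 KiB */
#define PAGE_SZ          0x1000u

/* A section view must start on a granularity-aligned offset, so round the
 * requested physical range [phys_off, phys_off+len) down to a mappable
 * window and report how far into that window the wanted bytes begin.
 * Returns 0 on success, -1 on a zero-length or overflowing request. */
int align_view(uint64_t phys_off, size_t len,
               uint64_t *map_off, size_t *map_len, size_t *skip)
{
    if (len == 0 || phys_off + len < phys_off) return -1;
    *map_off = phys_off & ~(uint64_t)(VIEW_GRANULARITY - 1);
    *skip    = (size_t)(phys_off - *map_off);
    *map_len = (*skip + len + (PAGE_SZ - 1)) & ~(size_t)(PAGE_SZ - 1);
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#ifndef OBJ_CASE_INSENSITIVE
#define OBJ_CASE_INSENSITIVE 0x00000040L
#endif

typedef NTSTATUS (NTAPI *NtOpenSection_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES);
typedef NTSTATUS (NTAPI *NtMapViewOfSection_t)(HANDLE, HANDLE, PVOID *, ULONG_PTR,
                                               SIZE_T, PLARGE_INTEGER, PSIZE_T,
                                               ULONG, ULONG, ULONG);
typedef NTSTATUS (NTAPI *NtUnmapViewOfSection_t)(HANDLE, PVOID);

/* Copy len bytes of physical memory starting at phys_off into out.
 * Returns the number of bytes copied, or 0 if the section cannot be opened
 * or mapped (which is what a kernel that denies user-mode access returns). */
size_t read_physical(uint64_t phys_off, void *out, size_t len)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtOpenSection_t        pOpen  = (NtOpenSection_t)GetProcAddress(ntdll, "NtOpenSection");
    NtMapViewOfSection_t   pMap   = (NtMapViewOfSection_t)GetProcAddress(ntdll, "NtMapViewOfSection");
    NtUnmapViewOfSection_t pUnmap = (NtUnmapViewOfSection_t)GetProcAddress(ntdll, "NtUnmapViewOfSection");
    uint64_t map_off; size_t map_len, skip;
    if (!pOpen || !pMap || !pUnmap) return 0;
    if (align_view(phys_off, len, &map_off, &map_len, &skip) != 0) return 0;

    /* Object-manager path of the section object, not a Win32 file path. */
    WCHAR name[] = L"\\Device\\PhysicalMemory";
    UNICODE_STRING uname;
    uname.Buffer = name;
    uname.Length = (USHORT)(sizeof(name) - sizeof(WCHAR));
    uname.MaximumLength = (USHORT)sizeof(name);
    OBJECT_ATTRIBUTES oa;
    InitializeObjectAttributes(&oa, &uname, OBJ_CASE_INSENSITIVE, NULL, NULL);

    HANDLE sec = NULL;
    if (pOpen(&sec, SECTION_MAP_READ, &oa) < 0) return 0;

    LARGE_INTEGER off; off.QuadPart = (LONGLONG)map_off;
    PVOID base = NULL; SIZE_T view = map_len;
    size_t copied = 0;
    /* 1 == ViewShare; PAGE_READONLY so the dump cannot modify live memory. */
    if (pMap(sec, GetCurrentProcess(), &base, 0, 0, &off, &view, 1, 0, PAGE_READONLY) >= 0) {
        memcpy(out, (const char *)base + skip, len);
        copied = len;
        pUnmap(GetCurrentProcess(), base);
    }
    CloseHandle(sec);
    return copied;
}
#else
/* Non-Windows build: there is no \Device\PhysicalMemory section to map. */
size_t read_physical(uint64_t phys_off, void *out, size_t len)
{
    (void)phys_off; (void)out; (void)len;
    return 0;
}
#endif

int main(void)
{
    unsigned char buf[64];
    size_t n = read_physical(0x1000, buf, sizeof buf);   /* second physical page */
    if (n == 0) { puts("physical memory section not mappable from this process"); return 1; }
    for (size_t i = 0; i < n; i++) printf("%02x%c", buf[i], (i % 16 == 15) ? '\n' : ' ');
    return 0;
}
```

    Mapping a view and copying out of it is also why the dump is only as consistent as the moment each page is touched: the view is live memory, not a snapshot, and a full-RAM dump walks the section in granularity-sized windows rather than one read() call.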
    
    
    This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 13:23:55 PST