RE: Using dd.exe to make forensic images of NTFS drives

From: Reava, Jeffrey [IT/0200] (jeffrey.reavaat_private)
Date: Tue Aug 12 2003 - 08:04:17 PDT


    -----Original Message-----
    From: crazytrain [mailto:subscribeat_private]
    Sent: Monday, August 11, 2003 11:29 PM
    To: forensicsat_private
    Subject: Re: Using dd.exe to make forensic images of NTFS drives
    
    
    >>On Mon, 2003-08-11 at 04:53, Sakaba wrote:
    >>I want the capability to take live
    >>images of windows machines without having to reboot them and
    >>without having to use their binaries.
    
    >Unless you pre-install a program to do such, I believe this is currently
    >impossible.  There are compiled live analysis kits for Win32 but they
    >all (please correct me if I am wrong) call at least one or more DLLs
    >from the running Win32 system, based on the design of Win32.
    
    --per Microsoft Knowledge Base Article - 164501:
    "The use of KnownDLLs secures the system from someone deceptively replacing
    APIs by placing a rogue DLL in the application directory."
    
    In this case, the "protection" is being used against you.
    HKLM\System\..\KnownDLLs specifies that certain DLLs must be loaded from
    winnt\system32. While you can add a registry key
    HKLM\..\ExcludeFromKnownDLLs, I have not been able to get it to 'take'
    without a reboot. 
    
    For DLLs not listed in the KnownDLLs key (e.g. cygwin1.dll) they'll load from
    the same dir as the executable, but their dependencies (kernel32.dll) will
    still load from system32.
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com



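The loader rule described in the message above (anything named in KnownDLLs is taken from system32 no matter what sits beside the executable) is worth checking before trusting a bundled toolkit on a live host. The following PowerShell is an added example, not code from the thread; it enumerates the KnownDLLs list on the current machine and reports which DLLs shipped in the examiner's tool directory the loader will silently ignore. The tool directory path is an assumption.

```powershell
# Added example, not from the thread. Compares the DLLs shipped in an examiner's
# tool directory against the KnownDLLs list of the host, so the examiner knows
# which bundled copies the loader will ignore in favour of the system32 copy.
# $ToolDir is an assumed path; point it at the trusted-binary kit.
param([string]$ToolDir = 'E:\tools')

$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$knownKey   = Join-Path $sessionMgr 'KnownDLLs'

# Under KnownDLLs each value holds a DLL file name; the DllDirectory* values
# only name the directory (system32) and are skipped, as are the PS* noise props.
$known = (Get-ItemProperty -Path $knownKey).PSObject.Properties |
    Where-Object { $_.Name -notmatch '^(PS|DllDirectory)' } |
    ForEach-Object { ([string]$_.Value).ToLowerInvariant() }

# ExcludeFromKnownDlls is a REG_MULTI_SZ value that drops names from the list,
# but as the thread notes it is only honoured after a reboot, so flag it separately.
$excluded = @((Get-ItemProperty -Path $sessionMgr -ErrorAction SilentlyContinue).ExcludeFromKnownDlls) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

$system32 = Join-Path $env:SystemRoot 'system32'

Get-ChildItem -Path $ToolDir -Filter '*.dll' | ForEach-Object {
    $name = $_.Name.ToLowerInvariant()
    $status = if ($known -contains $name) {
        if ($excluded -contains $name) { 'KnownDLL, excluded (effective only after reboot)' }
        else { 'KnownDLL: system32 copy is used, bundled copy ignored' }
    } else {
        'Not a KnownDLL: loads from tool dir, but its own imports resolve by this same rule'
    }

    # Record the hash of the copy that will actually execute when ours is ignored,
    # so the imaging notes capture which code ran on the live host.
    $sysCopy = Join-Path $system32 $_.Name
    $sysHash = if (Test-Path $sysCopy) {
        (Get-FileHash -Path $sysCopy -Algorithm SHA256).Hash
    } else { 'n/a' }

    [pscustomobject]@{
        Dll          = $_.Name
        Status       = $status
        System32Hash = $sysHash
    }
}
```

Run it on the examiner's own station first and compare with the output on the subject host; any bundled DLL reported as a KnownDLL is one whose integrity you are trusting to the subject machine, not to your kit.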
    This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 06:18:39 PDT