Difference between pages "Tools:Memory Imaging" and "Template:Deprecated Software"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Microsoft Windows)
 
 
Line 1: Line 1:
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system.
+
<div style="border:1px solid #aaaaaa; color:#000000; background-color:#ffeeff; text-align:center;">
 +
<table border="0" align="center"><tr><td>
 +
[[Image:40px-Ambox warning pn.png]]
 +
</td><td>
 +
'''This tool is deprecated.'''
 +
<br>
 +
The tool that this page describes is deprecated and is no longer under active development.<br>
 +
Further information might be found on the [[{{TALKPAGENAME}}|discussion page]].
 +
</td></tr></table></div>
  
== Microsoft Windows ==
+
[[Category:Deprecated tools]]
 
+
; [[dd]]
+
: A version of [[dd]] by George Garner allows an Administrator user to image memory using the ''\device\physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista. This program cannot be used on Windows 2003 SP1 and above.
+
 
+
; [[hibernation]] files
+
: Windows 98, 2000, XP, 2003, and Vista support a feature called hibernation that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of physical memory, is written to the disk on the System drive, usually C:, as hiberfil.sys. This file can be parsed and decompressed to obtain the memory image.
+
 
+
== Exploits ==
+
 
+
At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
+
 
+
In theory, this could be used with the ... to send through an exploit code that would cause the system to dump the contents of its hard drive back to the [[iPod]].
+

Latest revision as of 08:33, 28 July 2012

40px-Ambox warning pn.png

This tool is deprecated.
The tool that this page describes is deprecated and is no longer under active development.
Further information might be found on the discussion page.