Comments on Windows Incident Response: Memory collection and analysis follow-up

Anonymous (2005-09-12):

I am posting this here since it is relevant and figured you would create a new post based on it. Have you checked out the DFRWS memory analysis forensic challenge results? Both of the "winners" used some interesting techniques to analyze a memory dump done with dd.exe from a Helix CD under Windows. The coolest tool was freshly written by Chris Betz and pulled out a full process listing and individual process information. Sure beats the freaking MS Debugging Tools. http://www.dfrws.org/2005/challenge/index.html

H. Carvey (2005-06-19):

Ok, don't get me wrong... I haven't really "thrown out" the idea of using dd.exe and pmdump.exe for malware analysis, incident response, and forensics. I intended that comment to be tongue-in-cheek, to generate discussion. I firmly believe that the key to furthering the community is to know what tools are available, know their strengths and weaknesses, and to (most importantly) engage in discussion of the topic.

The fact remains that IR and forensics analysis, particularly on Windows systems, lags far behind what the "bad guys" are capable of doing... and what they are actually engaged in. By sharing information, we can improve the quality of response.