Comments on Windows Incident Response: Memory Collection and Analysis
Feed updated 2024-03-19 07:46 -05:00

Anonymous (2008-07-17 10:57 -05:00):

win32dd won't work on Vista X64 since its drivers are not X64, and 64bit drivers need to be signed to be loaded

have a nice day :)

H. Carvey (2008-07-02 05:17 -05:00):

anonymous...

First, as Matthieu stated (http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/), "...some part of the source code (e.g. driver source code) are missing."

Second, you really should go to the author of the tool with comments like this, or any questions you may have. I wouldn't assume that the author is waiting for comments to appear on this blog.

Thanks.

Anonymous (2008-07-02 05:12 -05:00):

Hi all!
I'm trying to create mdd.exe from mdd version 1.1's zip file. I got one exe, but it is not working correctly

-my new mdd.exe:
output
-> ERROR: Unable to extract driver!
-> ERROR: Failed to open PhysicalMemory section!

Anonymous (2008-06-26 06:05 -05:00):

Ok, thanks.

Btw, great blog ^_^!

H. Carvey (2008-06-25 09:36 -05:00):

TaU...

Okay, great info. However, for win32dd, I would recommend downloading DebugView from SysInternals and sending the contents of the capture to the author.

In both cases, I would try to provide as much information as I could to the authors of those specific tools.

Anonymous (2008-06-25 09:16 -05:00):

Hi all!
I'm trying to use these tools in a Windows x64 OS with no success at all. I get these errors:

-mdd.exe:
 -> StartService failed (1275)
 -> ERROR: Failed to stop driver, ControlService, 1062
 -> ERROR: Failed to open PhysicalMemory section!

-win32dd.exe:
 -Error: StartService(), Cannot start the driver. 00000002
Cannot open \\.\win32dd.

I suppose it's because the tools need to be compiled specifically for win x64 OS. Anyone know some tool like these but x64 compatible?

H. Carvey (2008-06-17 11:40 -05:00):

Ken,

Glad to hear it!

I had seen the update this morning and added the following to the blog post:

"Updated version 1.1 was released on 17 June."

I have yet to have the opportunity to test the output.

Anonymous (2008-06-17 11:36 -05:00):

Just a note, Mantech released version 1.1 of mdd today and it seems to have cleared up the issues I was having.

Anonymous (2008-06-16 13:36 -05:00):

I just successfully used win32dd by Matthieu Suiche. Very slick and easy to use. Some very interesting stuff I found in RAM on my laptop. I have to leave for work right now, but I plan to spend more time on it later.
KP

Anonymous (2008-06-16 11:36 -05:00):

Hi Harlan,

1. When trying to run the memdd.exe file, I get this: The system cannot execute the specified program. I saw the other download for the source, but wasn't certain how to use it.

2. The problem I have isn't the same, but I saw in the bug tracker on the project site an entry that it didn't work in SP3. http://tinyurl.com/5vvue5

3. No, not yet. I'm wanting to make sure this isn't user error before writing in.

BTW, am really enjoying WFA. I stayed up way too late last night reading it.
KP

H. Carvey (2008-06-16 11:07 -05:00):

Ken,

A couple of questions...

1. What does "unable to...work" refer to? Did you get an error msg? If so, what was it?

2. When you say, others have had that problem, what do you mean? Where (link??) are you seeing others complain about it not working?

3. Have you contacted the author(s)?

Thanks,

h

Anonymous (2008-06-16 10:34 -05:00):

I'm unable to get mdd to work on XP SP3. I see others have had that problem too. Hope they're able to fix that.
KP