Re: Using dd.exe to make forensic images of NTFS drives
- To: [EMAIL PROTECTED]
- Subject: Re: Using dd.exe to make forensic images of NTFS drives
- From: crazytrain <[EMAIL PROTECTED]>
- Date: 11 Aug 2003 23:28:47 -0400
- In-reply-to: <[EMAIL PROTECTED]>
- References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
- Reply-to: [EMAIL PROTECTED]
On Mon, 2003-08-11 at 04:53, Sakaba wrote:
> I want the capability to take live
> images of Windows machines without having to reboot them and
> without having to use their binaries.

Unless you pre-install a program to do such, I believe this is currently
impossible. There are compiled live analysis kits for Win32 but they
all (please correct me if I am wrong) call at least one or more DLLs
from the running Win32 system, based on the design of Win32. The second
you do this you disrupt the system. How much? Depends. But your goal
of wanting to do a live image of a running Win32 system just isn't
possible because of this. Remember every step has one or more side
effects.

Now, if you're willing to compromise a bit and use system DLLs, then you
might be able to do so. Of course certain elements will be corrupt,
such as open files, in your resultant image file(s). But you will get
much of what you're after.

regards,
farmerdude
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com