Welcome to the Virus.Org Mailing List Archive

RE: Using dd.exe to make forensic images of NTFS drives

  • To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
  • Subject: RE: Using dd.exe to make forensic images of NTFS drives
  • From: "Reava, Jeffrey [IT/0200]" <[EMAIL PROTECTED]>
  • Date: Tue, 12 Aug 2003 11:04:17 -0400

-----Original Message-----
From: crazytrain [mailto:[EMAIL PROTECTED]
Sent: Monday, August 11, 2003 11:29 PM
To: [EMAIL PROTECTED]
Subject: Re: Using dd.exe to make forensic images of NTFS drives


>>On Mon, 2003-08-11 at 04:53, Sakaba wrote:
>>I want the capability to take live
>>images of windows machines without having to reboot them and
>>without having to use their binaries.

>Unless you pre-install a program to do such, I believe this is currently
>impossible.  There are compiled live analysis kits for Win32 but they
>all (please correct me if I am wrong) call at least one or more DLLs
>from the running Win32 system, based on the design of Win32.  

--per Microsoft Knowledge Base Article - 164501:
"The use of KnownDLLs secures the system from someone deceptively replacing
APIs by placing a rogue DLL in the application directory."

In this case, the "protection" is being used against you.
HKLM\System\..\KnownDLLs specifies that certain DLLs must be loaded from
winnt\system32. While you can add a registry key
HKLM\..\ExcludeFromKnownDLLs, I have not been able to get it to 'take'
without a reboot. 

For DLLs not listed in the KnownDLLs key (e.g. cygwin1.dll) they'll load from
the same dir as the executable, but their dependencies (kernel32.dll) will
still load from system32.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

This communication is intended solely for the use of the addressee and may
contain information that is legally privileged, confidential or exempt from
disclosure.  If you are not the intended recipient, please note that any 
dissemination, distribution, or copying of this communication is strictly 
prohibited.  Anyone who receives this message in error should notify the 
sender immediately and delete it from his or her computer.

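The loading rule Jeffrey describes above (a DLL named in KnownDLLs always comes from system32, a DLL not named there comes from the executable's own directory if a copy is present, and its dependencies are resolved by the same rule) is easy to get wrong when you are checking what a live-response toolkit will actually touch on the suspect box. The following Python is an added example, not code from the thread or from any dd.exe distribution: it parses a constructed .reg excerpt of the KnownDLLs key, walks a constructed import graph for a Cygwin-built dd.exe, and reports where each DLL would be resolved from and which DLLs copied next to the tool are ignored. The registry values, the `SomeOtherKey` name, the import relationships and the directory contents are all made up for the demonstration; the full KnownDLLs key path is the real one, and the `ExcludeFromKnownDlls` override is modelled as a plain set because, as the post notes, it does not take effect without a reboot anyway.

```python
"""Model of where a live-response tool's DLL dependencies resolve when the
KnownDLLs list is in effect. Added example; every piece of registry and
import data below is constructed, not exported from a real machine."""
import re

# Constructed excerpt of a .reg export of the KnownDLLs key (sample data).
# The second key only exists to show that the parser ignores other keys.
KNOWNDLLS_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs]
"advapi32"="advapi32.dll"
"kernel32"="kernel32.dll"
"ntdll"="ntdll.dll"
"user32"="user32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SomeOtherKey]
"notknown"="cygwin1.dll"
'''

KNOWNDLLS_KEY = (r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                 r"\Session Manager\KnownDLLs]")

# Constructed import relationships for a Cygwin-built dd.exe (illustrative).
SAMPLE_DEPS = {
    "dd.exe": ["cygwin1.dll", "kernel32.dll"],
    "cygwin1.dll": ["kernel32.dll", "advapi32.dll"],
    "kernel32.dll": ["ntdll.dll"],
}
# DLLs the examiner copied next to dd.exe on the response media (constructed).
SAMPLE_APP_DIR = {"cygwin1.dll", "kernel32.dll"}

SYSTEM32_KNOWN = "system32 (KnownDLLs)"
APP_DIR = "application directory"
SYSTEM32_PATH = "system32 (search path)"


def parse_known_dlls(reg_text):
    """Return the lowercase DLL file names listed as values under KnownDLLs only."""
    known = set()
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new key header starts here
            in_key = line.lower() == KNOWNDLLS_KEY.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'"[^"]+"="([^"]+\.dll)"$', line, re.IGNORECASE)
        if m:
            known.add(m.group(1).lower())
    return known


def resolve_one(dll, known, excluded, app_dir_dlls):
    """Where one DLL loads from. KnownDLLs wins unless the name is in the
    ExcludeFromKnownDlls list (modelled here as the `excluded` set)."""
    name = dll.lower()
    if name in known and name not in excluded:
        return SYSTEM32_KNOWN
    if name in app_dir_dlls:
        return APP_DIR
    return SYSTEM32_PATH


def resolve_tree(root, deps, known, excluded=frozenset(), app_dir_dlls=frozenset()):
    """Resolve every transitive dependency of `root`; returns {dll: origin}."""
    origins = {}
    stack = [d.lower() for d in deps.get(root.lower(), [])]
    while stack:
        d = stack.pop()
        if d in origins:
            continue
        origins[d] = resolve_one(d, known, excluded, app_dir_dlls)
        stack.extend(x.lower() for x in deps.get(d, []))
    return origins


def shadowed(app_dir_dlls, known, excluded=frozenset()):
    """DLLs shipped beside the tool that the loader ignores in favour of system32."""
    return {d.lower() for d in app_dir_dlls
            if d.lower() in known and d.lower() not in excluded}


if __name__ == "__main__":
    known = parse_known_dlls(KNOWNDLLS_REG)
    tree = resolve_tree("dd.exe", SAMPLE_DEPS, known, app_dir_dlls=SAMPLE_APP_DIR)
    for dll, origin in sorted(tree.items()):
        print(f"{dll:14s} -> {origin}")
    print("shipped copies ignored:", sorted(shadowed(SAMPLE_APP_DIR, known)))
```

Run against a real machine you would replace `KNOWNDLLS_REG` with an actual `reg export` of the key and `SAMPLE_DEPS` with the import table of your tool; the point the output makes is the one from the post: cygwin1.dll comes from your media, but kernel32.dll, advapi32.dll and ntdll.dll are taken from the suspect system's system32 regardless of what you copied alongside the executable.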
Copyright (c) Virus.Org 1997-2006.