PaulDotCom mailing list archives

Re: Imaging memory on Win7 64bit


From: Josh Little <josh () zombietango com>
Date: Fri, 17 Sep 2010 16:01:47 -0400


On 9/17/2010 2:33 PM, Carlos Perez wrote:
> http://moonsols.com/blog/9-moonsols-windows-memory-toolkit
>
> This should help you.
>
> For the previous ones you used: if you have UAC running you will
> have to use psexec -s to run the imager as System.


Thanks, that worked. It took a bit of tweaking to get it running
remotely, as I don't have hands on the box, but I got it to dump. For
the record, I ended up having to:

1. Copy win64dd.exe and win64dd.sys to system32.
2. Use psexec to spawn a cmd as system from the remote box.
3. Run win64dd.exe /r /a /f name.img

Trying to run the dump direct from a remote psexec session kept
throwing errors, as did running it through a shuttled cmd from another
place on the file system.

The next "D'oh" is that Audit Viewer/Memoryze isn't 64-bit aware yet.
Should have thought of that before this. I think I have a Volatility
build somewhere, but not sure if that is 64-bit aware yet or not.

ZT
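The three acquisition steps ZT lists above, scripted as a batch file driven from the analyst's workstation, with an integrity hash recorded before the image is moved. This is an added example, not code from the original post or from MoonSols; the host name, the C:\ destination, admin-share (C$) access and the local path of psexec/win64dd are assumptions.

```batch
@echo off
REM Added example: remote Win7 x64 memory acquisition following the steps in the post.
REM Assumptions (placeholders, not from the post): HOST is reachable with local admin
REM credentials, its C$ share is available, psexec (Sysinternals) is on PATH, and
REM win64dd.exe / win64dd.sys sit in the current directory.
setlocal
set HOST=%1
set IMG=%2
if "%HOST%"=="" (echo usage: %~nx0 ^<host^> [image-name]& exit /b 1)
if "%IMG%"=="" set IMG=%HOST%-mem.img

REM Step 1: stage the imager and its driver in system32, as the post found necessary.
copy /y win64dd.exe \\%HOST%\C$\Windows\System32\ || exit /b 1
copy /y win64dd.sys \\%HOST%\C$\Windows\System32\ || exit /b 1

REM Steps 2 and 3: run as SYSTEM (-s) with the working directory set to system32 (-w),
REM matching the "cmd as system from system32" arrangement that worked for the poster.
REM /r /a /f are the switches quoted in the post; see the MoonSols docs for their meaning.
REM If this non-interactive form errors out as the post describes, fall back to
REM "psexec \\%HOST% -s -w C:\Windows\System32 cmd.exe" and type the command by hand.
psexec \\%HOST% -s -w C:\Windows\System32 cmd.exe /c "win64dd.exe /r /a /f C:\%IMG%"
if errorlevel 1 (echo imaging failed on %HOST%& exit /b 1)

REM Chain-of-custody record: hash the image on the target before copying it off, so
REM the value can be re-checked after transfer (certutil ships with Windows Vista/7).
certutil -hashfile \\%HOST%\C$\%IMG% SHA256 > %IMG%.sha256.txt
type %IMG%.sha256.txt

REM Retrieve the image, then remove the staged tools from the target.
copy \\%HOST%\C$\%IMG% . || exit /b 1
del \\%HOST%\C$\Windows\System32\win64dd.exe \\%HOST%\C$\Windows\System32\win64dd.sys
endlocal
```

Re-run certutil on the local copy and compare it with the saved hash before handing the image to Volatility or another analysis tool.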
