Wednesday, July 02, 2008

MDD

I'm finally writing about trying MDD on XP SP 3:

[screenshot: MDD on XP SP 3]

And Vista:

[screenshot: MDD on Vista]

It works nicely, and in the case of dumping XP memory you can analyze the image with Volatility afterwards. (Note: make sure you run cmd as Administrator.) Another nice feature is that it gives you an MD5 hash of the memory image after it finishes dumping.

I also tried win32dd on Vista. It worked fine as well. (I forgot to take a screenshot, but will get one soon.) I was surprised at first because it seemed to work much faster than MDD, since it gave me the all clear and appeared to have finished. I then checked the size of the dump and it was too small, so at first I thought it had failed. Later I checked the dump and it was 2 GB as needed, so it did work, but it must have finished dumping in the background.
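The two checks worth doing after any of these dumps are the ones the post touches on: re-computing the hash the tool reported, and not trusting the image size until the file has actually stopped growing (the win32dd "finished in the background" surprise). The script below is an added example and is not code from MDD, win32dd or this post; it assumes you have the MD5 printed by the tool and know the physical RAM size of the box, and it builds a small constructed image written by a background thread to stand in for a dumper that returns before the image is fully flushed.

```python
"""Post-acquisition checks for a memory image (added example, not tool code).

Two pitfalls from the post:
  * the dumper prints an MD5 of the image; re-compute it and compare;
  * the dumper may return while the image is still being written, so the
    size is only meaningful once the file has stopped growing, and it should
    then match the physical RAM the tool was asked to capture.
"""
import hashlib
import os
import tempfile
import threading
import time

CHUNK = 1024 * 1024  # 1 MiB read size; real images are GB-scale


def md5_of_file(path: str) -> str:
    """MD5 of the file, streamed so a multi-GB image is never read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def wait_for_stable_size(path: str, settle: float = 2.0, poll: float = 0.5,
                         timeout: float = 900.0) -> int:
    """Block until the file has not grown for `settle` seconds; return its size.

    Covers the case where the dumper exits but the image is still being flushed.
    """
    deadline = time.monotonic() + timeout
    last_size, stable_since = -1, time.monotonic()
    while time.monotonic() < deadline:
        size = os.path.getsize(path) if os.path.exists(path) else 0
        now = time.monotonic()
        if size != last_size:
            last_size, stable_since = size, now
        elif now - stable_since >= settle:
            return size
        time.sleep(poll)
    raise TimeoutError(f"{path} kept growing for {timeout}s")


def verify_dump(path: str, reported_md5: str, expected_size: int) -> dict:
    """Compare the on-disk image with what the acquisition tool reported."""
    size = os.path.getsize(path)
    digest = md5_of_file(path)
    return {
        "size": size,
        "size_ok": size == expected_size,
        "md5": digest,
        "md5_ok": digest.lower() == reported_md5.lower(),
    }


def demo() -> dict:
    """Constructed scenario: a 'dumper' thread keeps writing after returning."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "memory.dd")
        # Constructed 512 KiB image (8 x 64 KiB blocks) standing in for a RAM dump.
        chunks = [bytes([i]) * (64 * 1024) for i in range(8)]
        reported = hashlib.md5(b"".join(chunks)).hexdigest()  # what the tool would print

        def slow_writer():
            with open(image, "wb") as f:
                for c in chunks:
                    f.write(c)
                    f.flush()
                    time.sleep(0.05)

        t = threading.Thread(target=slow_writer)
        t.start()
        # The size seen right after start is not final: the writer is still running.
        final = wait_for_stable_size(image, settle=0.5, poll=0.05, timeout=30)
        t.join()
        good = verify_dump(image, reported, len(chunks) * 64 * 1024)
        # Same image judged against a 2 GiB expectation: size check must fail.
        truncated = verify_dump(image, reported, 2 * 1024 ** 3)
        return {"final_size": final, "good": good, "truncated": truncated}


if __name__ == "__main__":
    print(demo())
```

On a real acquisition you would call `wait_for_stable_size` on the dump path as soon as the tool returns, then `verify_dump` with the MD5 the tool printed and the machine's physical RAM size; a short image with a matching hash means the tool hashed what it wrote, not that it captured all of memory, which is why both checks are kept separate.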
