Comments on Forensic Incident Response: Collecting physical memory
Blog author: hogfly (feed updated 2023-04-02)

H. Carvey, 2007-12-04 13:22 (-05:00):

This is an issue where informed discussion needs to take place.

The reality is that right now, there are no tools legitimately available to consultants to dump the contents of RAM from Windows systems, with the exception of old, no-longer-supported versions of Garner's dd.exe, and ProDiscover. License agreements rule out the use of tools like Nigilant32 for consultants. For Windows

hogfly, 2007-12-04 16:34 (-05:00):

I agree, there are no more *free* tools available. KntDD is available for use, as is Livewire.

Farmer and Venema state (ch. 1, p. 6, table 1.2) that main memory has a lifespan of nanoseconds while network state has a lifespan of milliseconds.

RFC 3227 states an example only. It does not once mention network state. It simply mentions the routing table and ARP cache. Neither of these

H. Carvey, 2007-12-05 07:47 (-05:00):

"KntDD is available for use..."

However, the availability is limited by the author, AND there is a cost associated with it.

"Farmer and Venema state (ch. 1, p. 6, table 1.2) that main memory has a lifespan of nanoseconds while network state has a lifespan of milliseconds."

Sure, but to what level of granularity? There has been information to show that remnants of

Anonymous, 2007-12-05 11:55 (-05:00):

The reason why we capture network and other state information using user-mode APIs is because we found that it was impossible to prove that some resource was hidden unless we first documented what the "bad guy" wants us to see. KnTList uses the user system state programmatically to implement a cross-view detection algorithm. That's why the output is in XML.
A smart attacker may use an

H. Carvey, 2007-12-06 07:30 (-05:00):

George,

"But are you aware of anyone (reputable) who has sought to purchase the KnTTools (private consultant or otherwise) and been denied?"

I would have hoped that you would have contacted me privately with this regard, but I'll respond to you here...

When I purchased the kntdd from you, after participating in the beta program, my understanding was that I was