This week I'm going to give a talk at Shakacon entitled "Challenge of Windows physical memory acquisition and exploitation" — so I think it's time to release a new version of win32dd.
Two major bugs fixed in this release are:
- The system cache kept growing because the output file was memory-mapped, so the cache filled up with a lot of junk pages. The current versions of mdd and Memoryze have this problem too. Thanks to Marnix Kaart (Nederlands Forensisch Instituut) and Tomo Koida (National Police Agency of Japan) for the bug report.
- The output size for the raw dump file was wrong. Instead of using the size of the physical address space, win32dd used the size of the physical memory, which is a totally different thing (the address space also contains the holes reserved for firmware and devices, so a raw dump sized by installed RAM cannot keep file offset equal to physical address). The current version of mdd also has this problem, and Memoryze forgets to save one page.
This version also fixes a minor bug in the driver loading process: some people had problems loading the driver a second time after interrupting it with the Ctrl+C keyboard shortcut.
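To make the second bug concrete, here is an added example (not win32dd's own code) that builds a raw dump from a constructed, scaled-down physical memory map: it shows that the dump must be sized by the end of the address space, not by the amount of installed RAM, pads the holes so that file offset equals physical address, and hashes the image with SHA1 as it is written. `fake_read_page` stands in for the driver's physical read and is hypothetical.

```python
import hashlib
import io

PAGE = 0x1000

# Constructed physical memory map as (start, length) pairs: hypothetical,
# scaled-down values. The gaps stand in for the firmware/device holes
# that a real map contains.
SAMPLE_RANGES = [
    (0x01000, 0x4000),
    (0x08000, 0x3000),
    (0x10000, 0x2000),
]

def physical_memory_size(ranges):
    """Bytes of RAM-backed pages: what 'installed memory' reports."""
    return sum(length for _, length in ranges)

def physical_address_space_size(ranges):
    """End of the highest range: the size a raw dump must have so that
    file offset == physical address holds for every page."""
    return max(start + length for start, length in ranges)

def fake_read_page(pa):
    """Stand-in for the driver's physical read: page tagged with its address."""
    return pa.to_bytes(8, "little") + b"\x00" * (PAGE - 8)

def write_raw_dump(ranges, read_page, out):
    """Write a raw image, zero-filling holes; returns (bytes_written, sha1)."""
    digest = hashlib.sha1()
    written = 0
    for start, length in sorted(ranges):
        if start > written:                 # hole: pad so offsets stay aligned
            pad = b"\x00" * (start - written)
            out.write(pad); digest.update(pad); written = start
        for pa in range(start, start + length, PAGE):
            page = read_page(pa)
            out.write(page); digest.update(page); written += PAGE
    return written, digest.hexdigest()

def verify_dump(image, ranges):
    """Check that every RAM page sits at file offset == its physical address."""
    for start, length in ranges:
        for pa in range(start, start + length, PAGE):
            if int.from_bytes(image[pa:pa + 8], "little") != pa:
                return False
    return True

def demo():
    buf = io.BytesIO()
    size, sha1 = write_raw_dump(SAMPLE_RANGES, fake_read_page, buf)
    return {"size": size, "sha1": sha1, "image": buf.getvalue()}
```

A dump truncated to `physical_memory_size` would fail `verify_dump` because the pages at the top of the address space are missing.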
This version, as you can see on the screenshot, provides further information about memory state, memory dump, and the machine.
And now, win32dd also supports hashing (SHA1).
Your feedback is welcome if you want me to introduce new features or to improve win32dd. Feel free to share your experiences etc.
Update: Rob Lee announced (via Twitter) that win32dd "is the tool of choice in the SANS Forensic courses for obtaining memory."
Update 2: Rob will also discuss court-approved tools during the SANS Forensics Summit 2009. (via Twitter)