BlackHat Webcast – New Frontiers In Forensics [Slides]
First, I would like to thank the people who attended this webcast, and the BlackHat folks for inviting me and making this webcast great!
If you missed it, slides are now available at the following link: New Frontiers In Forensics [PDF]
People can access the Win[32|64]DD page here: http://windd.msuiche.net.
Media materials should be available on the BH website.
Windd 1.3 Final! (x86 and x64)
EDIT: 1.3.20091113 version contains a fix for incorrect size bug and raw memory dump.
EDIT: 1.3.20091024 version contains a fix for networking feature under Vista and Later.
Download windd 1.3
Win32dd and Win64dd are finally mature enough to be released, which is very good news.
First, I would like to thank Nicolas Ruff, Andreas Schuster, Scott Noone from OSR Online, Rob T. Lee, Laurent Gaffie, Jimmy Marchetto and Sol_Ksacap for providing assistance, feedback and/or beta-testing for this version.
Compatibility list:
Raw memory dump:
- Windows 2000 (32-Bits)
- Windows XP (32-Bits and 64-Bits)
- Windows 2003 (32-Bits and 64-Bits)
- Windows Vista (32-Bits and 64-Bits)
- Windows 2008 (32-Bits and 64-Bits)
- Windows 7 (32-Bits and 64-Bits)
- Windows 2008 R2 (32-Bits and 64-Bits)
Microsoft crash dump:
- Windows XP (32-Bits and 64-Bits)
- Windows 2003 (32-Bits and 64-Bits)
- Windows Vista (32-Bits and 64-Bits)
- Windows 2008 (32-Bits and 64-Bits)
- Windows 7 (32-Bits and 64-Bits)
- Windows 2008 R2 (32-Bits and 64-Bits)
Features:
- Raw dump generation
- Standalone Microsoft crash dump generation
- Network support (client + server)
- SMB path support
- MD5, SHA-1 and SHA-256 hash support
- Support for 3 mapping methods for both full crash dump and raw memory dump generation
- Support for 3 content rules
- Fast
- 32-bits and 64-bits support
- Can hibernate the system
- Can generate a Blue Screen of Death
- Support for machines with more than 4GB of RAM
Microsoft Windows has an internal limitation which prevents generating a Microsoft full crash dump if the local machine has more than 2GB of physical memory. Of course, this limitation does not affect windd, but it was funny and a good surprise to see WinDbg work correctly with an 8GB Microsoft crash dump (successfully tested by Jimmy).
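The hash support listed above is what makes an acquired image usable as evidence: the digests recorded at acquisition time are what a later examiner compares against before trusting the dump. The script below is an added example, not windd's code, showing the minimal tooling around that feature: it hashes an image of any size in a single streaming pass with MD5, SHA-1 and SHA-256 at once (a multi-GB dump is never loaded into memory), writes the digests to a sidecar file, and later verifies the image against that sidecar. The sidecar format (`algo:hexdigest  filename`) and the `.hashes` suffix are my own conventions, not windd's.

```python
"""Streaming integrity hashes for large memory images (added example, not windd's code)."""
import hashlib
import io
import sys

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 4 * 1024 * 1024  # 4 MiB reads keep memory flat for multi-GB dumps
SIDECAR_SUFFIX = ".hashes"     # assumed convention: image.raw -> image.raw.hashes


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=CHUNK_SIZE):
    """Hash a binary stream in one pass, feeding every chunk to all digests."""
    digests = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for digest in digests.values():
            digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def hash_bytes(data, algorithms=ALGORITHMS, chunk_size=CHUNK_SIZE):
    """Hash an in-memory buffer through the same streaming path (useful for tests)."""
    return hash_stream(io.BytesIO(data), algorithms, chunk_size)


def hash_file(path, algorithms=ALGORITHMS):
    """Hash a file on disk without reading it entirely into memory."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def format_sidecar(digests, image_name):
    """Render digests as 'algo:hexdigest  filename' lines (assumed sidecar format)."""
    return "".join(f"{algo}:{hexdigest}  {image_name}\n"
                   for algo, hexdigest in sorted(digests.items()))


def parse_sidecar(text):
    """Parse the sidecar format back into {algo: hexdigest}; blank and '#' lines are ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo_and_hash, _, _image_name = line.partition("  ")
        algo, _, hexdigest = algo_and_hash.partition(":")
        expected[algo.lower()] = hexdigest.lower()
    return expected


def verify_digests(computed, expected):
    """Return the sorted names of algorithms whose recorded digest is missing or differs."""
    return sorted(algo for algo, hexdigest in expected.items()
                  if computed.get(algo) != hexdigest)


def verify_image(image_path, sidecar_path):
    """Re-hash the image with the algorithms named in the sidecar; [] means it verifies."""
    with open(sidecar_path, "r", encoding="utf-8") as fh:
        expected = parse_sidecar(fh.read())
    computed = hash_file(image_path, tuple(expected))
    return verify_digests(computed, expected)


if __name__ == "__main__":
    # Usage: hashdump.py record <image>   -> writes <image>.hashes
    #        hashdump.py verify <image>   -> exit code 0 if every digest matches
    if len(sys.argv) != 3 or sys.argv[1] not in ("record", "verify"):
        sys.exit("usage: hashdump.py record|verify <image>")
    mode, image = sys.argv[1], sys.argv[2]
    sidecar = image + SIDECAR_SUFFIX
    if mode == "record":
        with open(sidecar, "w", encoding="utf-8") as out:
            out.write(format_sidecar(hash_file(image), image))
        print("wrote", sidecar)
    else:
        bad = verify_image(image, sidecar)
        print("OK" if not bad else "MISMATCH: " + ", ".join(bad))
        sys.exit(1 if bad else 0)
```

Feeding all three digests from one read pass matters when the image is larger than the page cache: three separate `md5sum`/`sha256sum` invocations would read an 8GB dump three times. Verification uses whichever algorithms the sidecar names, so an image recorded with only SHA-256 still verifies, and a sidecar naming an algorithm the image was not re-hashed with is reported as a mismatch rather than silently passing.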

Links:
windd main page
Download windd 1.3
How to rule Windbg?
Debug Tutorial Part 4: Writing WINDBG Extensions
R.I.P. Xpress – Welcome TLZ
I was reading an article about Windows 8 and 9 (which should support the IA-128 architecture) when I highlighted the following:
Researched new algorithms and programming methods to build Hibernate/Resume Integration API that can integrate and utilize the new TLZ file compression engine for the Hibernate/Resume component of new Windows 8 Operating System.
Using C and C++ programming languages in SourceInsight, developed a 100% functional C wrapper for C++ functions and the Hibernate/Resume Integration API, which will be used in Windows 8 replacing Windows Vista’s Xpress compression engine.
Apparently, according to his resume, the author, Bo Qin, is a student at the University of Washington. It is cool to see that some academics are working on cool projects (while some people are wasting time finding a way to write an exploit which will be used by script kiddies or stupid consultants, and while the media claim white hats are challenging Microsoft).
Anyway, the Xpress compression algorithm, introduced in Windows XP and still used in Windows 7 (for Windows hibernation, Hyper-V, Windows Mobile, the SMB protocol, etc.), should be replaced by the TLZ algorithm, which should be introduced in Windows 8.