Comments on: Windd 1.3 Final! (x86 and x64) http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/ Happiness only real when shared. Sun, 07 Mar 2010 03:10:11 +0100 http://wordpress.org/?v=2.8.3 hourly 1 By: Scotty Keniry http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/comment-page-1/#comment-24377 Scotty Keniry Sun, 07 Mar 2010 03:10:11 +0000 http://www.msuiche.net/?p=335#comment-24377 I really like the fresh perpective you did on the issue. Really was not expecting that when I started off studying. Your concepts were easy to understand that I wondered why I never looked at it before. Glad to know that there's an individual out there that definitely understands what he's discussing. Great job I really like the fresh perpective you did on the issue. Really was not expecting that when I started off studying. Your concepts were easy to understand that I wondered why I never looked at it before. Glad to know that there’s an individual out there that definitely understands what he’s discussing. Great job

]]> By: Matthieu Suiche http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/comment-page-1/#comment-23857 Matthieu Suiche Fri, 05 Feb 2010 03:23:13 +0000 http://www.msuiche.net/?p=335#comment-23857 Look in the registry for "win32dd" delete the key -- the associated path should be the wrong path. In fact this version is not scriptable. One you try to win32dd.exe like > path/win32dd.exe /f pouet.bin you will get this error every time. You have to run it from the current directory everytime > win32dd.exe /f pouet.bin Look in the registry for “win32dd” delete the key — the associated
path should be the wrong path.

In fact this version is not scriptable.

One you try to win32dd.exe like
> path/win32dd.exe /f pouet.bin
you will get this error every time.

You have to run it from the current directory everytime
> win32dd.exe /f pouet.bin

]]> By: MrPockets http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/comment-page-1/#comment-23829 MrPockets Wed, 03 Feb 2010 20:34:49 +0000 http://www.msuiche.net/?p=335#comment-23829 I've also run into the Error: InstallDriver Cannot start service (Err=0×00000002). -> Error: Cannot open \\.\win32dd. I've seen it on 32 bit installs of XP SP2 (2 gigs RAM) and SP3 (8 gigs, 32bit system == 4 available). I seem to run into it after killing or interrupting the imaging process. Haven't found a way to fix / repair it yet. I’ve also run into the

Error: InstallDriver Cannot start service (Err=0×00000002).
-> Error: Cannot open \\.\win32dd.

I’ve seen it on 32 bit installs of XP SP2 (2 gigs RAM) and SP3 (8 gigs, 32bit system == 4 available). I seem to run into it after killing or interrupting the imaging process. Haven’t found a way to fix / repair it yet.

]]> By: lacie http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/comment-page-1/#comment-22574 lacie Wed, 16 Dec 2009 20:59:22 +0000 http://www.msuiche.net/?p=335#comment-22574 I'm also seeing crashes on x86 xp sp3: Error: InstallDriver Cannot start service (Err=0x00000002). -> Error: Cannot open \\.\win32dd. I’m also seeing crashes on x86 xp sp3:

Error: InstallDriver Cannot start service (Err=0×00000002).
-> Error: Cannot open \\.\win32dd.

]]> By: Sergey http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/comment-page-1/#comment-22460 Sergey Sun, 13 Dec 2009 15:05:20 +0000 http://www.msuiche.net/?p=335#comment-22460 Win32dd 1.3 Crash on Windows32 SP3! Error: InstallDriver cannot start service (Err=0x00000002) Error: Cannot open \\.\win32dd I tested it with win32dd of USB-Dongle, CD and HDD. Is the same error! The System: Win32 XP Professional SP3 (German) Athlon AMD64-Dual Core 2100+ 4 GB DDR II RAM No writeblocker Win32dd 1.3 Crash on Windows32 SP3!

Error: InstallDriver cannot start service (Err=0×00000002)
Error: Cannot open \\.\win32dd

I tested it with win32dd of USB-Dongle, CD and HDD. Is the same error!

The System:
Win32 XP Professional SP3 (German)
Athlon AMD64-Dual Core 2100+
4 GB DDR II RAM
No writeblocker

]]> By: Michael http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/comment-page-1/#comment-21886 Michael Tue, 03 Nov 2009 13:39:09 +0000 http://www.msuiche.net/?p=335#comment-21886 Hi Matt, thanks for the quick reply. Thank you also for updating the help. It looks much more pretty now. Yes people can use piping, I like it too. But there are many investigators with some kind of fear or phobia of command lines especially of piping. So an option /l, automatically creating a log with the same name as the Dumpfile.log could help a little to get over that fear to force them to use such tools. That's not vital for me but for some of my class members... The hash computing on the receiving site (piped into a file ;-)) would document the correct network transmission of the dump in one go. Otherwise I have to use md5sum or something else after the acquisition. You know criminal procedures are procedures in writing... CU Michael Hi Matt,

thanks for the quick reply. Thank you also for updating the help. It looks much more pretty now.
Yes people can use piping, I like it too. But there are many investigators with some kind of fear or phobia of command lines especially of piping. So an option /l, automatically creating a log with the same name as the Dumpfile.log could help a little to get over that fear to force them to use such tools. That’s not vital for me but for some of my class members…
The hash computing on the receiving site (piped into a file ;-)) would document the correct network transmission of the dump in one go. Otherwise I have to use md5sum or something else after the acquisition.
You know criminal procedures are procedures in writing…

CU

Michael

]]> By: Matt http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/comment-page-1/#comment-21826 Matt Tue, 27 Oct 2009 21:21:48 +0000 http://www.msuiche.net/?p=335#comment-21826 Hi Michael, Thank you very much for your feedback! I was not really sure about report-option-feature but it looks like people really appreciate the detailed output of windd about the memory status. I was like "Oh people can still pipe the output so it doesnt really matter" so I added the "/a" option in case people would use piping. Why would you see a such feature? What would be the difference with the piped report? Indeed, for the hash function it is only computed from sender side because this is the most critical part. I assumed the received can still use a third party software like hashdeep from Jesse Kornblum (http://jessekornblum.com/tools/) I updated the help output for "/c", "/s" and "/a" options. Thanks! Hi Michael,

Thank you very much for your feedback!
I was not really sure about report-option-feature but it looks like people really appreciate the detailed output of windd about the memory status. I was like “Oh people can still pipe the output so it doesnt really matter” so I added the “/a” option in case people would use piping.

Why would you see a such feature? What would be the difference with the piped report?

Indeed, for the hash function it is only computed from sender side because this is the most critical part. I assumed the received can still use a third party software like hashdeep from Jesse Kornblum (http://jessekornblum.com/tools/)

I updated the help output for “/c”, “/s” and “/a” options.

Thanks!

]]> By: Michael http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/comment-page-1/#comment-21824 Michael Tue, 27 Oct 2009 18:03:50 +0000 http://www.msuiche.net/?p=335#comment-21824 Hello again, I did some testing and really like this new version very much. The inbuilt network capabilities are splendid. What I miss is an option to write a log. Currently I use a pipe to create one. The hash functionality is vital for forensic purposes. Sadly the option /s is accepted by both the sender and receiver side of the network connection but only the sender computes a hash. Could you add such procedure for the receiving side too to document that the data was transmitted unchanged anyway. TNX in advance Michael Hello again,

I did some testing and really like this new version very much. The inbuilt network capabilities are splendid.

What I miss is an option to write a log. Currently I use a pipe to create one. The hash functionality is vital for forensic purposes. Sadly the option /s is accepted by both the sender and receiver side of the network connection but only the sender computes a hash. Could you add such procedure for the receiving side too to document that the data was transmitted unchanged anyway.

TNX in advance

Michael

]]> By: Michael http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/comment-page-1/#comment-21811 Michael Sun, 25 Oct 2009 13:32:46 +0000 http://www.msuiche.net/?p=335#comment-21811 Hey Matt, great stuff! The only minor thing I've found is a truncated description of the /d - option within the help. Seems to work anyway. ;-) Cu Michael Hey Matt,

great stuff! The only minor thing I’ve found is a truncated description of the /d – option within the help. Seems to work anyway. ;-)

Cu

Michael

]]> By: Matt http://www.msuiche.net/2009/10/11/windd-1-3-final-x86-and-x64/comment-page-1/#comment-21775 Matt Tue, 20 Oct 2009 18:09:04 +0000 http://www.msuiche.net/?p=335#comment-21775 First, I have never heard about memdmp. Secondly, dmpchk is an utility from Microsoft. Thirdly, I am not the author of volatility. Forthly, you should read the help information of the utility, the command is: win32dd.exe /d /f microsoftdump.dmp for a modern Microsoft dump, to analyze with Windbg. or win32dd.exe /f rawdump.bin for a raw dump. First, I have never heard about memdmp. Secondly, dmpchk is an utility from Microsoft. Thirdly, I am not the author of volatility. Forthly, you should read the help information of the utility, the command is:

win32dd.exe /d /f microsoftdump.dmp
for a modern Microsoft dump, to analyze with Windbg.

or

win32dd.exe /f rawdump.bin
for a raw dump.

]]>