Message-ID: <447F223B.6080106@ntsecurity.nu>
Date: Thu, 01 Jun 2006 19:22:03 +0200
From: Arne Vidstrom <arne.vidstrom@...ecurity.nu>
To: bugtraq@...urityfocus.com
Subject: Forensic memory dumping intricacies - PhysicalMemory, DD, and caching issues

Summary:
Memory dumping tools that use the PhysicalMemory device in Windows XP
can be blocked by allocating memory buffers with special memory types.
In older versions of Windows the tools instead could possibly cause
cache incoherence with some processor types, or other adverse side
effects. The problem can also occur on a system that has not been
manipulated at all by any attacker. One *example* of an affected tool is
DD from the Forensic Acquisition Utilities.

Full text:
http://ntsecurity.nu/onmymind/2006/2006-06-01.html

Regards /Arne Vidstrom
http://ntsecurity.nu
http://vidstrom.net