[Vol-users] Memory imaging

evb swiver at cox.net
Sun Jul 6 14:32:14 CDT 2008


Aw,

Hello, the scenario as posed is that an employee was bypassing corporate
filters by using an unknown brand of wireless broadband on his laptop.  He
was witnessed by reliable sources downloading prohibited pictures through
this alternate connection.  

By the time security was involved, the laptop was screen locked, no user
name entered, the broadband card was removed, and it was left sitting on his
desk.  The user is sophisticated and high-level and not talking.  IT proper
has been totally useless.

Laptop is a company device formerly used by exectives, but apparently had
been decommissioned, wiped, and "borrowed" by this employee after an exec
left the company.  It was not a part of the domain and had not been subject
to auditing.  

Don't know if the LAN port was ever configured for the enterprise LAN on the
new install.  Drive may very well be encrypted and autorun appears to be
disabled.  It's a Sony PCG Vaio with USB1.1 and Firewire I, docking
station--typical laptop.

Eric 
:-----Original Message-----
:From: vol-users-bounces at volatilityfoundation.org 
:[mailto:vol-users-bounces at volatilityfoundation.org] On Behalf Of 
:AAron Walters
:Sent: Friday, July 04, 2008 8:39 PM
:To: evb
:Cc: vol-users at volatilityfoundation.org
:Subject: Re: [Vol-users] Memory imaging
:
:
:eric,
:
:That's a tough situation. Can you provide any more information 
:about the machine? For example, desktop or laptop? What other 
:peripheral ports does it have available?  There may be a 
:couple of hardware dependent mechanisms for acquiring memory 
:under these circumstances. I'm assuming there is no network 
:access because it was removed from the network as part of 
:incident response.
:
:Thanks,
:
:AW
:
:On Thu, 3 Jul 2008, evb wrote:
:
:> How does one image RAM on a Windows system with no known Windows 
:> login/password, if autorun is turned off, and if there is no 
:network access.
:>
:> Thanks!
:>
:> eric
:>
:>
:> _______________________________________________
:> Vol-users mailing list
:> Vol-users at volatilityfoundation.org
:> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
:>
:_______________________________________________
:Vol-users mailing list
:Vol-users at volatilityfoundation.org
:http://lists.volatilityfoundation.org/mailman/listinfo/vol-users



More information about the Vol-users mailing list