Acquiring a memory dump on Windows (FastDump Pro)
HBGary Responder
1) The bundled memory dump tool
Supports every version of Windows (2000, XP, 2003, Vista, 2008, 7; 32-bit/64-bit)
Its distinguishing feature is that it loads very few system DLLs (only kernel32.dll)
Usage
Note: acquire a dump of the full RAM image
C:\>FDPro.exe c:\memdump.bin -driver
-= FDPro v2.0.5.10 (c)HBGary, Inc 2008 - 2011 =-
[+] Detected OS: Microsoft Windows XP Professional Service Pack 3 (build 2600)
[+] Extracting x86 driver
[+] Driver extracted successfully
[+] using driver at C:\\fastdumpx86.sys
[+] CreateService success, driver installed
[+] StartService success, driver started
[+] Driver installed and running
[+] Strict Mode: Disabled
[+] Output Filesystem Type: NTFS
[+] Block Read/Write Size: 0x100000 (1024k)
[+] Full Range = 0x0 - 0x20000000 (512 MB)
[+] Alignment Boundary: 0x00000200, Increment Size: 0x00100000
[ ** Dumping from 0x0 to 0x20000000 ** ]
[+] Dump Complete! Read Total: 0x20000 - S: 0x1FFF1 - E: 0xF - F: 0x0
[+] Stopping and removing driver...
[+] ControlService success, driver stopped
[+] DeleteService success, driver removed
[+] Driver file deleted
[++] FD execution complete!! FDPro took: 119 seconds
C:\>
Note: if needed, also acquire a dump in which paged-out pages have been probed (touched) beforehand so that they are included
C:\>FDPro.exe c:\memdump-porbe.bin -probe smart -driver
-= FDPro v2.0.5.10 (c)HBGary, Inc 2008 - 2011 =-
[+] Detected OS: Microsoft Windows XP Professional Service Pack 3 (build 2600)
[+] Extracting x86 driver
[+] Driver extracted successfully
[+] using driver at C:\\fastdumpx86.sys
[+] CreateService success, driver installed
[+] StartService success, driver started
[+] Driver installed and running
[+] Probing Process Memory: .......................
[P] Probing complete!! 23 processes took: 2 seconds
[+] Strict Mode: Disabled
[+] Output Filesystem Type: NTFS
[+] Block Read/Write Size: 0x100000 (1024k)
[+] Full Range = 0x0 - 0x20000000 (512 MB)
[+] Alignment Boundary: 0x00000200, Increment Size: 0x00100000
[ ** Dumping from 0x0 to 0x20000000 ** ]
[+] Dump Complete! Read Total: 0x20000 - S: 0x1FFF1 - E: 0xF - F: 0x0
[+] Stopping and removing driver...
[+] ControlService success, driver stopped
[+] DeleteService success, driver removed
[+] Driver file deleted
[++] FD execution complete!! FDPro took: 114 seconds
C:\>
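As an added example that is not part of the original page or of HBGary's tooling, the following Python script cross-checks the FDPro summary shown in the sessions above against the image written to disk before the examiner records it. It assumes the read counters are 4 KiB pages and that S/E/F mean successful, errored and failed reads (the tool output does not define them), and it hashes with SHA-256 rather than relying on the tool's own -md5 so that an independent value exists; the dump path is illustrative.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample: the relevant lines of the FDPro console output above.
SAMPLE_LOG = """\
[+] Block Read/Write Size: 0x100000 (1024k)
[+] Full Range = 0x0 - 0x20000000 (512 MB)
[ ** Dumping from 0x0 to 0x20000000 ** ]
[+] Dump Complete! Read Total: 0x20000 - S: 0x1FFF1 - E: 0xF - F: 0x0
"""

RANGE_RE = re.compile(r"Full Range = (0x[0-9A-Fa-f]+) - (0x[0-9A-Fa-f]+)")
TOTAL_RE = re.compile(
    r"Read Total: (0x[0-9A-Fa-f]+) - S: (0x[0-9A-Fa-f]+)"
    r" - E: (0x[0-9A-Fa-f]+) - F: (0x[0-9A-Fa-f]+)"
)


def parse_fdpro_log(text):
    """Return (expected_size, total, s, e, f) from FDPro console output.
    Assumption: counters are 4 KiB pages; S/E/F are taken to be
    successful, errored and failed reads (undocumented by the tool)."""
    m_range = RANGE_RE.search(text)
    m_total = TOTAL_RE.search(text)
    if not m_range or not m_total:
        raise ValueError("FDPro range/summary lines not found")
    start, end = (int(x, 16) for x in m_range.groups())
    total, s, e, f = (int(x, 16) for x in m_total.groups())
    return end - start, total, s, e, f


def check_acquisition(log_text, dump_path, page_size=4096):
    """Cross-check the FDPro summary against the image on disk and
    return the findings an examiner would note alongside the hash."""
    expected_size, total, s, e, f = parse_fdpro_log(log_text)
    findings = {
        "counters_consistent": s + e + f == total,       # nothing unaccounted
        "pages_cover_range": total * page_size == expected_size,
        "unreadable_pages": e + f,                       # gaps to document
    }
    p = Path(dump_path)
    findings["size_matches"] = p.exists() and p.stat().st_size == expected_size
    if p.exists():
        h = hashlib.sha256()
        with p.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        findings["sha256"] = h.hexdigest()
    return findings
```

Run it as check_acquisition(SAMPLE_LOG, r"c:\memdump.bin") on the acquisition host; a false "size_matches" or a non-zero "unreadable_pages" should be recorded with the image rather than silently accepted.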
-= FDPro v2.0.5.10 (c)HBGary, Inc 2008 - 2011 =-
***** Usage Help *****
General Usage: FDPro.exe output_dumpfile_path [options] [modifiers]
FDPro supports dumping .bin and .hpak format files
To dump physical memory only to literal .bin format:
FDPro.exe mymemdump.bin [options] [modifiers]
To dump physical memory to an .hpak formatted file:
FDPro.exe mysysdump.hpak [options] [modifiers]
To extract a copy of a file from an NTFS volume in a forensicly sound manner:
FDPro.exe -extract c:\deleted.jpg d:\undeleted.jpg
To use the forensic command shell (FCMD) to open a local volume:
e:\FDPro.exe -fcmd <drive_letter>
*** Valid .bin [options] Are: ***
-probe [all|smart|pid|help] Pre-Dump Memory Probing
*** Valid .bin [modifiers] Are: ***
-nodriver Use old-style memory acquisition (XP/2k only)
-driver Force driver based memory acquisition
-strict Use Strict IO: Utilizes 4k reads and writes
-log Log output to disk (creates or appends to [dumpfile].log)
-md5 Calculate MD5 hash for dumpfile
*** Valid .hpak [options] Are: ***
-probe [all|smart|pid|help] Pre-Dump Memory Probing
-hpak [list|extract|help] HPAK archive management
*** Valid .hpak [modifiers] Are: ***
-nodriver Use old-style memory acquisition (XP/2k only)
-driver Force driver based memory acquisition
-nopage Skip pagefile collection
-compress Create archive compressed
-nocompress Create archive uncompressed
-strict Use Strict IO: Utilizes 4k reads and writes
-log Log output to disk (creates or appends to [dumpfile].log)
-md5 Calculate MD5 hash for memory dump only (does not hash pagefile)