※ Acquire a full RAM image dump:

C:\>FDPro.exe c:\memdump.bin -driver
-= FDPro v2.0.5.10 (c)HBGary, Inc 2008 - 2011 =-
[+] Detected OS: Microsoft Windows XP Professional Service Pack 3 (build 2600)
[+] Extracting x86 driver
[+] Driver extracted successfully
[+] using driver at C:\\fastdumpx86.sys
[+] CreateService success, driver installed
[+] StartService success, driver started
[+] Driver installed and running
[+] Strict Mode: Disabled
[+] Output Filesystem Type: NTFS
[+] Block Read/Write Size: 0x100000 (1024k)
[+] Full Range = 0x0 - 0x20000000 (512 MB)
[+] Alignment Boundary: 0x00000200, Increment Size: 0x00100000
[ ** Dumping from 0x0 to 0x20000000 ** ]
[+] Dump Complete! Read Total: 0x20000 - S: 0x1FFF1 - E: 0xF - F: 0x0
[+] Stopping and removing driver...
[+] ControlService success, driver stopped
[+] DeleteService success, driver removed
[+] Driver file deleted
[++] FD execution complete!! FDPro took: 119 seconds
C:\>

※ If needed, also take a dump in which process memory is probed beforehand (-probe smart), so that paged-out pages are examined as well:

C:\>FDPro.exe c:\memdump-porbe.bin -probe smart -driver
-= FDPro v2.0.5.10 (c)HBGary, Inc 2008 - 2011 =-
[+] Detected OS: Microsoft Windows XP Professional Service Pack 3 (build 2600)
[+] Extracting x86 driver
[+] Driver extracted successfully
[+] using driver at C:\\fastdumpx86.sys
[+] CreateService success, driver installed
[+] StartService success, driver started
[+] Driver installed and running
[+] Probing Process Memory: .......................
[P] Probing complete!! 23 processes took: 2 seconds
[+] Strict Mode: Disabled
[+] Output Filesystem Type: NTFS
[+] Block Read/Write Size: 0x100000 (1024k)
[+] Full Range = 0x0 - 0x20000000 (512 MB)
[+] Alignment Boundary: 0x00000200, Increment Size: 0x00100000
[ ** Dumping from 0x0 to 0x20000000 ** ]
[+] Dump Complete! Read Total: 0x20000 - S: 0x1FFF1 - E: 0xF - F: 0x0
[+] Stopping and removing driver...
[+] ControlService success, driver stopped
[+] DeleteService success, driver removed
[+] Driver file deleted
[++] FD execution complete!! FDPro took: 114 seconds
C:\>
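Both runs above end with a "Dump Complete!" line carrying a Read Total and S/E/F counters, plus the physical range that was dumped. The script below is an added example, written for this page and not part of the original post or of HBGary's tooling: it parses that console text (or the file FDPro writes with -log), checks that the counters add up, that the dump on disk is the size the range implies, and that the fastdump driver and service were actually removed afterwards. Treating S/E/F as 4 KiB page counts is an assumption inferred from the numbers on the page (0x20000 pages × 0x1000 = 0x20000000, the 512 MB range), not something taken from FDPro documentation; the sample transcript embedded in the script is reproduced from the first run above, and all function names are mine.

```python
"""Parse an FDPro console transcript and sanity-check the acquisition.

Added example (not FDPro/HBGary code). S/E/F are assumed to be per-page
counters; that assumption is only consistent with the figures on the page.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the lines of the page's first FDPro run that the parser needs.
SAMPLE_LOG = r"""
-= FDPro v2.0.5.10 (c)HBGary, Inc 2008 - 2011 =-
[+] Detected OS: Microsoft Windows XP Professional Service Pack 3 (build 2600)
[+] using driver at C:\\fastdumpx86.sys
[+] CreateService success, driver installed
[+] StartService success, driver started
[+] Block Read/Write Size: 0x100000 (1024k)
[+] Full Range = 0x0 - 0x20000000 (512 MB)
[ ** Dumping from 0x0 to 0x20000000 ** ]
[+] Dump Complete! Read Total: 0x20000 - S: 0x1FFF1 - E: 0xF - F: 0x0
[+] ControlService success, driver stopped
[+] DeleteService success, driver removed
[+] Driver file deleted
[++] FD execution complete!! FDPro took: 119 seconds
"""

# Assumption: the Read Total / S / E / F counters are 4 KiB pages
# (0x20000 * 0x1000 == 0x20000000, the range FDPro reports on this page).
PAGE_SIZE = 0x1000
HEX = r"0x([0-9A-Fa-f]+)"


@dataclass
class Acquisition:
    os_name: str
    range_start: int
    range_end: int
    block_size: int
    reads_total: int
    reads_ok: int      # "S:" counter, assumed to be pages read successfully
    reads_err: int     # "E:" counter, assumed to be pages that returned a read error
    reads_fail: int    # "F:" counter, assumed to be pages that could not be read at all
    driver_removed: bool   # DeleteService succeeded and the .sys file was deleted
    probed: bool           # a -probe run (the "Probing complete" line is present)

    @property
    def expected_size(self) -> int:
        """Size the .bin must have if the whole range was written."""
        return self.range_end - self.range_start

    @property
    def unreadable_bytes(self) -> int:
        """Bytes of the image whose pages FDPro could not read (E + F pages)."""
        return (self.reads_err + self.reads_fail) * PAGE_SIZE


def _hex(pattern: str, text: str, group: int = 1) -> int:
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"marker not found in FDPro output: {pattern}")
    return int(m.group(group), 16)


def parse_fdpro_log(text: str) -> Acquisition:
    os_m = re.search(r"Detected OS: (.+)", text)
    if not os_m:
        raise ValueError("no 'Detected OS' line; is this an FDPro transcript?")
    totals = re.search(rf"Read Total: {HEX} - S: {HEX} - E: {HEX} - F: {HEX}", text)
    if not totals:
        raise ValueError("no 'Read Total' line; the dump did not complete")
    return Acquisition(
        os_name=os_m.group(1).strip(),
        range_start=_hex(rf"Full Range = {HEX} - {HEX}", text, 1),
        range_end=_hex(rf"Full Range = {HEX} - {HEX}", text, 2),
        block_size=_hex(rf"Block Read/Write Size: {HEX}", text),
        reads_total=int(totals.group(1), 16),
        reads_ok=int(totals.group(2), 16),
        reads_err=int(totals.group(3), 16),
        reads_fail=int(totals.group(4), 16),
        driver_removed=("DeleteService success, driver removed" in text
                        and "Driver file deleted" in text),
        probed="Probing complete" in text,
    )


def validate(acq: Acquisition, dump_path: Optional[str] = None) -> List[str]:
    """Return hard problems with the acquisition; an empty list means consistent."""
    problems: List[str] = []
    if acq.reads_ok + acq.reads_err + acq.reads_fail != acq.reads_total:
        problems.append("S+E+F counters do not add up to Read Total")
    if acq.reads_total * PAGE_SIZE != acq.expected_size:
        problems.append("Read Total * page size does not cover the dumped range")
    if not acq.driver_removed:
        problems.append("fastdump driver/service was not cleaned up; remove it by hand")
    if dump_path is not None:
        actual = os.path.getsize(dump_path)
        if actual != acq.expected_size:
            problems.append(f"dump is {actual:#x} bytes, expected {acq.expected_size:#x}")
    return problems


if __name__ == "__main__":
    acq = parse_fdpro_log(SAMPLE_LOG)
    print(acq.os_name, f"range {acq.range_start:#x}-{acq.range_end:#x}",
          f"unreadable {acq.unreadable_bytes:#x} bytes", validate(acq) or "OK")
```

In practice, run FDPro with -log and -md5 as well so the transcript and hash are kept next to the image, then pass the .log and the .bin path to validate(). A non-zero E or F count (15 pages in both runs above) means those offsets in the image do not hold the contents that were in physical memory, which matters when a later analysis finds an odd gap; the script only flags the size, it does not say what FDPro wrote there.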
-= FDPro v2.0.5.10 (c)HBGary, Inc 2008 - 2011 =-

***** Usage Help *****

General Usage:
FDPro.exe output_dumpfile_path [options] [modifiers]

FDPro supports dumping .bin and .hpak format files

To dump physical memory only to literal .bin format:
FDPro.exe mymemdump.bin [options] [modifiers]

To dump physical memory to an .hpak formatted file:
FDPro.exe mysysdump.hpak [options] [modifiers]

To extract a copy of a file from an NTFS volume in a forensicly sound manner:
FDPro.exe -extract c:\deleted.jpg d:\undeleted.jpg

To use the forensic command shell (FCMD) to open a local volume:
e:\FDPro.exe -fcmd <drive_letter>

*** Valid .bin [options] Are: ***
-probe [all|smart|pid|help]   Pre-Dump Memory Probing

*** Valid .bin [modifiers] Are: ***
-nodriver     Use old-style memory acquisition (XP/2k only)
-driver       Force driver based memory acquisition
-strict       Use Strict IO: Utilizes 4k reads and writes
-log          Log output to disk (creates or appends to [dumpfile].log)
-md5          Calculate MD5 hash for dumpfile

*** Valid .hpak [options] Are: ***
-probe [all|smart|pid|help]   Pre-Dump Memory Probing
-hpak [list|extract|help]     HPAK archive management

*** Valid .hpak [modifiers] Are: ***
-nodriver     Use old-style memory acquisition (XP/2k only)
-driver       Force driver based memory acquisition
-nopage       Skip pagefile collection
-compress     Create archive compressed
-nocompress   Create archive uncompressed
-strict       Use Strict IO: Utilizes 4k reads and writes
-log          Log output to disk (creates or appends to [dumpfile].log)
-md5          Calculate MD5 hash for memory dump only (does not hash pagefile)