Thursday, November 22, 2007

RAM Enscript


What will this ENSCRIPT find in a RAM Dump File?

1. Running and Exited Process Information
2. Operations System Information
3. USER ASSIST Remnants

See Output: OS Version Processes User Assist

BACKGROUND:

When I originally started I wanted to be able to search a RAM Dump file and find some of the important stuff like the EPROCESS Headers. I then wanted the OS information from the dump files I also wanted to use just one tool.

So this Enscript was redesigned from the guts of the Encase Example “File Finder Enscript”. Basically I took out most of what I didn’t need and added some complex magic numbers and specific decoding for the hits. Please see the CAUTIONS prior to copying and using this Enscript.

I could not have made this Enscript with out the prior work and help of Andreas Schuster and Harlan Carvey.

To affectively run the Enscript follow these steps:

1. Run Enscript and check box the “OS Version“ with the Bookmark Folder Name of ”OS Version”.
2. To find the Processes - Check the OS Version found in step #1 and re-run the Enscript choosing the correct OS(For Example “Vista Processes” to Find Vista Processes) and put in “Processes” Bookmark Folder
3. For USER Assist Remnants run the Enscript a third time checking “User Assist” to the User Assist Bookmark
4. Review your findings. Use the REPORT view for the “Best Look”.

You can check more then one item and the Enscript still runs properly but all of your information will be bookmarked into the same folder

No comments: