Friday, October 26, 2007

PTFinderFE Facts

Who Created PTFinder ?
Andreas Schuster

Who Created the OS Detection Script ?
Harlan Carvey

What does PTFinder Do ?
PTFinder searches a memory dump of a system running Microsoft Windows for traces of processes and threads. Some functional checks are also applied. (According to Andreas Schuster)

What Memory Dumps are Supported ?
DD dumps, for example: dd bs=4096 if=\\.\Device\Physicalmemory of=dumpfile
By pausing a VMware session and using the VMSS file
In vivo, using Sysinternals' LiveKD and a debugger
Post-mortem, as described in Microsoft Knowledge Base article no. 244139

What Operating Systems Memory Dumps are Supported ?
Windows 2000, Windows XP SP1, Windows XP SP2 and Windows 2003

Why do I need other Programs to make PTFinder Work ?
PTFinder is written in Perl, so you need Perl installed to run it.
PTFinder creates a DOT file, which Graphviz can turn into a graphic of the output.
See the DETAILED INSTRUCTIONS for more information.

Where can I get a Good Test Dump File?

Why did you Create PTFinderFE?
Well... I was placing the dump file into the PTFinder.PL path, which could have been eliminated by typing in the directory location of the dump file for every dump file I wanted to examine (c:\case 05-022\Live Acq\234566-1). A DOT file was created, which you have to copy into the Graphviz executable folder, type in the command line, and then copy all your outputs to my forensic directory. On top of all that, if you used the "Program Files" directory the command lines needed quotes (""). Since I use PTFinder a lot, I had to make it more user friendly for me.

What is PTFinderFE?
A Microsoft Visual Basic program that creates a batch file to do your leg work between PTFinder, Graphviz and your working forensic folder.
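To show what such a generated batch file looks like, here is an added Python illustration (not PTFinderFE's own Visual Basic code, and not part of the original post) that builds the two command lines, quotes every path that contains a space such as "Program Files" or "Live Acq", and writes all outputs straight into the case folder so nothing has to be copied out of the PTFinder or Graphviz directories. It assumes PTFinder is run as `perl ptfinder.pl --dot <out.dot> <dump>` with the process listing on standard output, and that Graphviz is run as `dot -Tpng`; the install paths and the case folder are constructed sample values.

```python
"""Generate a Windows batch file that runs PTFinder on a memory dump, renders
the resulting DOT graph with Graphviz and leaves every output in the case
folder. Added illustration; not PTFinderFE's own Visual Basic code.

Assumptions (not taken from the post): PTFinder is invoked as
``perl ptfinder.pl --dot <out.dot> <dump>`` and writes its process/thread
listing to standard output; Graphviz is invoked as ``dot -Tpng``.
"""
from pathlib import PureWindowsPath


def quote_win(path):
    """Return the path wrapped in double quotes when cmd.exe would otherwise
    split it at a space (e.g. "Program Files" or "Live Acq")."""
    text = str(path)
    return f'"{text}"' if " " in text else text


def build_batch(perl_exe, ptfinder_script, graphviz_dot, dump_file, case_dir):
    """Return the batch file lines for one dump.

    All outputs (text listing, DOT file, PNG graph) are written next to the
    dump inside ``case_dir``, so nothing has to be copied out of the
    PTFinder or Graphviz installation folders afterwards.
    """
    case = PureWindowsPath(case_dir)
    dump = PureWindowsPath(dump_file)
    stem = dump.stem                      # "234566-1" has no extension
    listing = case / f"{stem}_ptfinder.txt"
    dot_file = case / f"{stem}.dot"
    png_file = case / f"{stem}.png"

    return [
        "@echo off",
        f"REM PTFinder run for {dump.name} (generated batch file)",
        # 1. PTFinder: DOT graph via --dot (assumed option), listing via stdout
        " ".join([
            quote_win(perl_exe),
            quote_win(ptfinder_script),
            "--dot", quote_win(dot_file),
            quote_win(dump),
            ">", quote_win(listing),
        ]),
        # 2. Graphviz: render the DOT file to a PNG in the case folder
        " ".join([
            quote_win(graphviz_dot),
            "-Tpng", "-o", quote_win(png_file),
            quote_win(dot_file),
        ]),
        f"echo Done. Outputs are in {quote_win(case)}",
    ]


def write_batch(lines, batch_path):
    """Write the lines with CRLF line endings, as cmd.exe expects, and
    return the number of lines written."""
    with open(batch_path, "w", newline="") as fh:
        fh.write("\r\n".join(lines) + "\r\n")
    return len(lines)


if __name__ == "__main__":
    # Constructed sample paths mirroring the post's example case folder.
    for line in build_batch(
        r"C:\Perl\bin\perl.exe",
        r"C:\Program Files\PTFinder\ptfinder.pl",
        r"C:\Program Files\Graphviz\bin\dot.exe",
        r"c:\case 05-022\Live Acq\234566-1",
        r"c:\case 05-022\Live Acq",
    ):
        print(line)
```

Running the script prints the batch file to the console; `write_batch` saves it (for example as `run_ptfinder.bat` in the case folder) so it can be double-clicked or run from a command prompt on the forensic workstation. Because the redirect target and the `--dot` output both point into the case folder, the text listing, the DOT file and the PNG end up together with the dump, which is the leg work the front end is meant to remove.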

Why is PTFinder so Important?
Live acquisition is the current trend in computer forensics. A lot of forensic investigators are doing live acquisitions but have had nothing with which to effectively examine the output. Thanks to Andreas Schuster we have one more tool in the toolbox.
