Thursday, November 22, 2007

RAM Enscript

What will this ENSCRIPT find in a RAM Dump File?

1. Running and Exited Process Information
2. Operating System Information
3. USER ASSIST Remnants

See Output: OS Version, Processes, User Assist


When I originally started, I wanted to be able to search a RAM Dump file and find some of the important stuff like the EPROCESS Headers. I then wanted the OS information from the dump files. I also wanted to use just one tool.

So this Enscript was redesigned from the guts of the EnCase Example “File Finder Enscript”. Basically I took out most of what I didn’t need and added some complex magic numbers and specific decoding for the hits. Please see the CAUTIONS prior to copying and using this Enscript.

I could not have made this Enscript without the prior work and help of Andreas Schuster and Harlan Carvey.

To effectively run the Enscript, follow these steps:

1. Run the Enscript and check the “OS Version” box, with the Bookmark Folder Name of “OS Version”.
2. To find the Processes, check the OS Version found in step #1 and re-run the Enscript, choosing the correct OS (for example, “Vista Processes” to find Vista processes), and put the results in the “Processes” Bookmark Folder.
3. For USER Assist Remnants, run the Enscript a third time, checking “User Assist” and bookmarking to the User Assist Bookmark Folder.
4. Review your findings. Use the REPORT view for the “Best Look”.

You can check more than one item and the Enscript still runs properly, but all of your information will be bookmarked into the same folder.
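To illustrate what a User Assist remnant looks like in a raw dump, here is an added Python sketch; it is not the Enscript's code, and the page does not describe how the Enscript detects these hits. It assumes the XP/Vista-era convention that UserAssist value names are ROT13-encoded UTF-16LE strings beginning with "UEME_" (seen as "HRZR_"); the sample data and paths are constructed.

```python
import codecs
import mmap
import re

# UserAssist value names are ROT13-encoded in the registry, so the usual
# "UEME_" prefix appears as "HRZR_"; registry strings are UTF-16LE.
# Pattern: that marker, then up to 260 printable ASCII chars in UTF-16LE.
PATTERN = re.compile(rb"H\x00R\x00Z\x00R\x00_\x00(?:[\x20-\x7e]\x00){1,260}")


def find_userassist_remnants(data):
    """Return [(offset, decoded_name), ...] for each ROT13 UserAssist string."""
    hits = []
    for m in PATTERN.finditer(data):
        encoded = bytes(m.group()).decode("utf-16-le")
        hits.append((m.start(), codecs.decode(encoded, "rot_13")))
    return hits


def scan_dump(path):
    """Memory-map a RAM dump file and carve it without loading it whole."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return find_userassist_remnants(mm)


def build_sample():
    """Constructed test data: two encoded entries between filler bytes."""
    names = [
        "UEME_RUNPATH:C:\\WINDOWS\\system32\\notepad.exe",
        "UEME_RUNPATH:C:\\Tools\\example.exe",  # hypothetical path
    ]
    dump, expected = b"\xff" * 16, []
    for name in names:
        expected.append((len(dump), name))
        dump += codecs.encode(name, "rot_13").encode("utf-16-le")
        dump += b"\x00\x00" + b"\xff" * 32
    return dump, expected


if __name__ == "__main__":
    sample, _ = build_sample()
    for offset, name in find_userassist_remnants(sample):
        print(f"0x{offset:08x}  {name}")
```

Hits carved this way are only candidate strings; verify each against the surrounding registry structures or a second tool before relying on it.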

Friday, November 2, 2007

RAM Enscript Download

Download RAM Enscript (SourceForge)



1. Enscript is in BETA and still evolving!
2. VISTA Process Search String might not collect all processes (still researching to find out what is missed; an estimate of how many are found is probably 90-95%). Solution AS IS.

Known Bug

1. Microsoft Windows XP 2003 Edition is SP1 (Version 5.2600) but reports as XPSP2, so check your findings.

Caution- Caution-Caution-Caution-

Be Careful Not to Overwrite Your Default Enscripts --- the Best Plan is to Copy Your Enscripts Prior to Using the Ram Analysis Enscript and to Run this Enscript from Another Location (like a CD-ROM Drive).

This Script Does Not Play Well with Other Enscripts Because I have Modified Some of the Common Files………………You Are Warned……….