
Orion Incident Response Live CD 2

The run-win-cmd script uses winexe to run arbitrary commands on a remote Windows host. For example, ManTech's Memory Dump Utility, mdd.exe, can be copied to the Windows target and executed there; the resulting memory dump file can then be transferred back to the Orion workstation over SMB or by other means. Because mdd prints the MD5 of the dump it wrote, the hash of the transferred copy should be compared against that value before the image is analysed, so that a corrupted or truncated transfer is caught early.

    /orion/scripts/run-win-cmd: Use winexe to execute command on remote windows host
    ====================================================
    Remote host or IP:
    Command: mdd -o img.dd
    Remote username [administrator]:
    Password for [WORKGROUP\administrator]:
    mdd -o img.dd
     -> mdd
     -> ManTech Physical Memory Dump Utility
        Copyright (C) 2008 ManTech Security & Mission Assurance
     -> This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
        This is free software, and you are welcome to redistribute it
        under certain conditions; use option `-c' for details.
     -> Dumping 511.48 MB of physical memory to file 'img.dd'.
        130940 map operations succeeded (1.00)
        0 map operations failed
        took 112 seconds to write
        MD5 is: 17e52ec3c80400ecaf722551fb6ec5a9
    Hit any key to close this window ->
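The same workflow as a set of shell functions, written as an added example for this section and not taken from the Orion run-win-cmd script or from ManTech. It builds the winexe command line for review, stages mdd.exe on the target over SMB, runs it, fetches the dump back, and then checks the fetched file against the MD5 that mdd printed. Everything beyond the page's own details is an assumption: winexe and smbclient on PATH, mdd.exe in the current directory, a reachable ADMIN$ share (mapped to C:\Windows), an account that is a local administrator on the target, and the function and file names used here.

```shell
#!/bin/sh
# Added example, not the Orion run-win-cmd script itself: the same
# winexe + SMB workflow as shell functions, ending with a check that the
# MD5 of the dump fetched back matches the MD5 mdd printed on the target.
# Assumptions (not from the page): winexe and smbclient are on PATH,
# mdd.exe is in the current directory, the target's ADMIN$ share (C:\Windows)
# is reachable, and the account is a local administrator on the target.

# Print the winexe command line for review before anything runs.
# winexe syntax: winexe -U 'DOMAIN\user%password' //host 'command'
build_winexe_cmd() {
    host=$1; domain=$2; user=$3; pass=$4; cmd=$5
    printf "winexe -U '%s\\\\%s%%%s' //%s '%s'\n" \
        "$domain" "$user" "$pass" "$host" "$cmd"
}

# Pull the hex digest from the "MD5 is: <hex>" line of captured mdd output.
mdd_reported_md5() {
    sed -n 's/.*MD5 is: *\([0-9a-fA-F]\{32\}\).*/\1/p' "$1" | head -n 1
}

# Succeed only if DUMP hashes to the value mdd recorded in LOG.
verify_dump() {
    dump=$1; log=$2
    expected=$(mdd_reported_md5 "$log")
    actual=$(md5sum "$dump" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# End to end: stage mdd.exe on the target, run it, fetch and verify the dump.
# Writing the dump onto the target's system drive overwrites unallocated
# space there; if that evidence matters, point -o at a mapped share instead.
acquire_memory() {
    host=$1; domain=$2; user=$3; pass=$4
    creds="$domain\\$user%$pass"
    smbclient "//$host/ADMIN\$" -U "$creds" -c 'put mdd.exe' || return 1
    winexe -U "$creds" "//$host" 'C:\Windows\mdd.exe -o C:\Windows\img.dd' \
        > mdd.log 2>&1 || return 1
    cat mdd.log
    smbclient "//$host/ADMIN\$" -U "$creds" \
        -c 'get img.dd; del mdd.exe; del img.dd' || return 1
    verify_dump img.dd mdd.log
}

# Usage: ./acquire.sh HOST DOMAIN USER PASSWORD
if [ $# -eq 4 ]; then
    build_winexe_cmd "$@" 'C:\Windows\mdd.exe -o C:\Windows\img.dd'
    acquire_memory "$@" && echo "dump verified: $(mdd_reported_md5 mdd.log)"
fi
```

Passing the password on the command line, as the interactive script effectively does, leaves it visible in the process list of the Orion workstation; for anything beyond a lab, read the credentials from a file that only the responder can read (winexe and smbclient both accept one via -A) and wipe it afterwards.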

6.6.3. Drive Imaging

Orion includes several drive imaging tools that come with BackTrack, such as dcfldd and AIR Imager. Windows-based imaging tools, such as the popular FTK Imager, can also be run under the WINE compatibility layer (http://www.winehq.org/), which is most useful once the raw image has already been acquired and the incident response team is ready to examine its contents.
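An added example for the imaging step, not code from Orion, dcfldd or AIR Imager: image a source device to a file, record the finished image's MD5 beside it, and verify the image again later. dcfldd is used when it is available (it hashes the data as it copies, which is why the Live CD ships it) and plain dd otherwise. The function names, the bs value and the .md5 and .hashlog sidecar files are this example's own conventions, not anything the page prescribes.

```shell
#!/bin/sh
# Added example, not code from Orion, dcfldd or AIR Imager: image a source
# device to a file, record the image's MD5 beside it, and verify the image
# later. dcfldd is used when present (it hashes while copying); otherwise
# plain dd. image_device, verify_image and the .md5/.hashlog sidecar
# files are this example's own conventions.

# image_device SRC DST: copy SRC to DST, continuing past read errors with
# unreadable blocks zero-filled (conv=noerror,sync) so offsets in the
# image still line up with the original, then hash the finished image.
image_device() {
    src=$1; dst=$2
    if command -v dcfldd >/dev/null 2>&1; then
        # hash=md5 hashes the input as it is read; hashlog keeps that value.
        dcfldd if="$src" of="$dst" bs=4096 conv=noerror,sync \
            hash=md5 hashlog="$dst.hashlog" || return 1
    else
        dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    fi
    # Independent hash of what actually landed on disk, stored next to it.
    md5sum "$dst" | cut -d' ' -f1 > "$dst.md5"
}

# verify_image DST: succeed only if DST still hashes to the recorded value.
verify_image() {
    dst=$1
    [ -r "$dst.md5" ] || return 1
    [ "$(md5sum "$dst" | cut -d' ' -f1)" = "$(cat "$dst.md5")" ]
}

# Usage: ./image.sh /dev/sdb /cases/case01/sdb.dd
if [ $# -eq 2 ]; then
    image_device "$1" "$2" && verify_image "$2" \
        && echo "image verified: $(cat "$2.md5")"
fi
```

The hash of the output file is taken separately from dcfldd's own input hash on purpose: the two agree only when the device size is a multiple of the block size, because conv=sync pads a short final read, and when the write itself completed without error. Keep both records, and re-run verify_image before every examination session.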

John Jarocki, john.jarocki@gmail.com
