Orion Incident Response Live CD 2
The run-win-cmd script can be used to remotely run arbitrary Windows commands. For example, ManTech’s Memory Dump Utility mdd.exe can be copied to the Windows target and executed. The output memory dump file can then be transferred to the Orion workstation using SMB or other methods.
/orion/scripts/run-win-cmd:

    Use winexe to execute command on remote windows host
    ====================================================
    Remote host or IP: 192.168.1.109
    Command: mdd -o img.dd
    Remote username [administrator]:
    Password for [WORKGROUP\administrator]:

    mdd -o img.dd
    ManTech Physical Memory Dump Utility
    Copyright (C) 2008 ManTech Security & Mission Assurance

    This program comes with ABSOLUTELY NO WARRANTY; for details use option `-w'
    This is free software, and you are welcome to redistribute it under certain conditions; use option `-c' for details.

    Dumping 511.48 MB of physical memory to file 'img.dd'.
    130940 map operations succeeded (1.00)
    map operations failed
    took 112 seconds to write
    MD5 is: 17e52ec3c80400ecaf722551fb6ec5a9

    Hit any key to close this window ->
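Once the dump has been copied back to the Orion workstation, the MD5 that mdd printed on the target is the only evidence that the copy is complete and unaltered. The following is an added example, not one of the Orion scripts: a Python helper that parses that line out of the captured run-win-cmd output and checks the transferred image against it, recording a SHA-256 alongside for the case notes (the sample mdd output is constructed from the session above).

```python
import hashlib
import re
from pathlib import Path
from typing import Optional

# Constructed sample of the console output mdd returns through run-win-cmd
# (the MD5 is the one shown in the session above).
MDD_OUTPUT = """\
Dumping 511.48 MB of physical memory to file 'img.dd'.
130940 map operations succeeded (1.00)
took 112 seconds to write
MD5 is: 17e52ec3c80400ecaf722551fb6ec5a9
"""

MD5_LINE = re.compile(r"MD5 is:\s*([0-9a-fA-F]{32})")


def parse_mdd_md5(output: str) -> Optional[str]:
    """Return the MD5 mdd printed on the target, or None if the dump never finished."""
    m = MD5_LINE.search(output)
    return m.group(1).lower() if m else None


def hash_file(path: Path, algo: str = "md5", chunk_size: int = 4 * 1024 * 1024) -> str:
    """Hash a large image in chunks so a 500 MB dump never has to fit in RAM."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        while chunk := f.read(chunk_size):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: Path, mdd_output: str) -> dict:
    """Compare the transferred image against the MD5 recorded at acquisition time.

    'match' is False when the hashes differ (truncated or corrupted SMB copy) or
    when mdd's output carries no MD5 at all (interrupted dump).
    """
    expected = parse_mdd_md5(mdd_output)
    actual = hash_file(path, "md5")
    return {
        "image": str(path),
        "size_bytes": path.stat().st_size,
        "expected_md5": expected,
        "actual_md5": actual,
        "sha256": hash_file(path, "sha256"),  # stronger hash kept alongside the MD5
        "match": expected is not None and expected == actual,
    }
```

Call `verify_image(Path("img.dd"), captured_output)` after the SMB transfer and treat anything but `"match": True` as a reason to re-acquire rather than analyse.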
6.6.3. Drive Imaging
Orion includes several drive imaging tools that come with BackTrack, such as dcfldd and AIR Imager. Windows-based imaging tools, such as the popular FTK Imager, can also be used within the WINE Windows emulation environment (http://www.winehq.org/), especially when the raw image has already been acquired and the incident response team is ready to examine its contents.