Month: July 2014

Parsing Metadata with ExifTool

Its one thing to have a piece of data but its another thing to be able to get the metadata about said data. ExifTool (http://www.sno.phy.queensu.ca/~phil/exiftool/) is a tool that will allow just that. Its command line based but there is a GUI version as well called pyExifTool (https://hvdwolf.github.io/pyExifToolGUI/). The tool not only allows you to read the metadata but also change it, if necessary. A person could also add his or her own custom tags as well. Below is an example of using the program.

Note: My JPG file name is called pic11.jpg

1) Examine the file using ExifTool

(more…)

Windows Memory Capture using DumpIt

One of the simplest tools for capturing memory from a Windows system is DumpIt. The program is very portable and saves the capture to wherever the program is ran from. Most people will run it from a flash drive but depending on your company’s security policy that may not be an option so one can run it from a network share as well. It is advised not to save the program to the system you want to capture from and run it from I was going to document the steps but there is no need, it is just that simple. Below is the link for the software and if need be, there is a video depicting the steps.

http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/

Memory Capture via Hibernation File

If you are having a hard time getting a memory capture using commercial tools, have no fear, Microsoft to the rescue! Starting with Win2K, each version of Windows has supported OS hibernation. When you put a system into hibernation, it creates a hiberfil.sys file on the root of the filesystem (in most cases, C:\). That in itself is a capture of memory. The only problem is that you can’t just right-click and copy the file as it is locked. You could possibly copy by booting into safe mode (I haven’t tried it), slave the hard drive to another system and copy that way, or use some third-party program. The one that I recommend is X-ways WinHex. There is a free version of the software but due to the size of the hibernation file, you will need the licensed version, which costs $222.

Assuming you have the licensed version, below are the steps to copy the hibernation file.

1) Verify there is a hiberfil.sys file on the root of your filesystem (most likely c:\). If the file is not there, ensure hibernation is enabled and then put your system into hibernation. Once powered off, turn it back on and check again.

(more…)