tag:blogger.com,1999:blog-1746946614390371171.post7944909784499554847..comments2010-06-30T15:18:27.567-07:00Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comBlogger4125tag:blogger.com,1999:blog-1746946614390371171.post-88089404364722200232010-06-30T15:18:27.433-07:002010-06-30T15:18:27.433-07:00Mark,<br /><br />Can you contact me directly? Lance(at)forensickb.com<br /><br />LanceLance Muellernoreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-3588923439019751542010-06-30T11:40:04.973-07:002010-06-30T11:40:04.973-07:00Hello,<br /><br />I know I am a little late to the game on this, but I just ran this enpack against three memory dumps, one dd file and two vmware vmem files. The enpack output in the console was &quot;A total of 0 search hits were processed, but only 0 valid MFT records were parsed&quot;. That is odd, but I used volatility to pull out other file information. Any thoughts or suggestions?<br /><br />Thanks.Markhttp://www.blogger.com/profile/18343684786509373331noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-69840026249482053932007-11-14T23:12:00.000-08:002007-11-14T23:12:00.000-08:00Well, you can still use the version that is floating around out there on the Internet. The problem is it does not work for Windows 2003 (>=sp1) or Vista because the \\.\PhysicalMemory pipe is not accessible like it was in the past.<BR/><BR/>I would recommend KnTTools by George Garner at http://www.gmgsystemsinc.com/knttools/. They are not free, but its one of the only viable solutions at this point.Lance Muellerhttp://www.blogger.com/profile/15789264000499223230noreply@blogger.comtag:blogger.com,1999:blog-1746946614390371171.post-48311734036122548612007-11-14T18:12:00.000-08:002007-11-14T18:12:00.000-08:00What do you recommend to capture memory? The venerable modified DD is not available for free anymore :(<BR/><BR/>Paul BobbyPaulhttp://www.blogger.com/profile/14948721303363357805noreply@blogger.com