TimsterMon / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Winpmem writes its driver to %UserProfile%\AppData\Local\Temp\ #417

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Run Winpmem
2. Look at console output
3. Observe path driver is written to

What is the expected output? What do you see instead?

The driver should not be created on the local machine, especially in a live response situation (at least as far as law enforcement goes; the less that's changed, the better). Rather, it should write itself out parallel to the main executable or provide a command line switch for the path to extract the driver to. I realize the driver is small, but it's one more thing we have to explain change-wise.

What version of the product are you using? On what operating system?

1.4.1 on Windows 8

Please provide any additional information below.

Original issue reported on code.google.com by SAEricZi...@gmail.com on 11 May 2013 at 12:42

GoogleCodeExporter commented 9 years ago

Original comment by mike.auty@gmail.com on 11 May 2013 at 5:04

GoogleCodeExporter commented 9 years ago
Unfortunately Windows can only load a driver from a local file, so we need to write the file somewhere. It may not be possible to write the driver at the same location as the main binary (e.g. if it's on read-only media), so writing to the temp folder is guaranteed to work every time.

I have changed this to a feature request to add a command line option for the output driver path, if people think it's useful. I will try to make it into the next release.

Original comment by scude...@gmail.com on 11 May 2013 at 7:52
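The path-selection logic the two comments above argue over (an explicit option, then alongside the binary, then the temp folder as the guaranteed fallback), as an added example that is not winpmem's or Volatility's code. It also returns the artifact record (path, size, SHA-256) a responder needs to document the one file the tool leaves behind; the driver bytes and the `winpmem_driver.sys` name are constructed placeholders.

```python
import hashlib
import os
import tempfile
import uuid

# Constructed placeholder standing in for the embedded driver image.
FAKE_DRIVER = b"MZ" + b"\x00" * 62 + b"constructed placeholder driver body"


def is_writable_dir(path):
    """Probe writability by creating and removing a uniquely named file.
    A missing directory (bad path, unmounted media) counts as unwritable."""
    if not path or not os.path.isdir(path):
        return False
    probe = os.path.join(path, ".probe-%s" % uuid.uuid4().hex)
    try:
        with open(probe, "xb"):  # exclusive create: never clobber a file
            pass
        os.remove(probe)
        return True
    except OSError:  # read-only media, permissions, etc.
        return False


def pick_driver_dir(requested=None, exe_dir=None, temp_dir=None):
    """Preference order from the thread: explicit command line path, then
    the directory of the main binary, then the temp folder as last resort.
    Returns (directory, reason) so the operator can record why it was chosen.
    An explicitly requested path that is unwritable is an error, not a
    silent fallback: the operator asked for that location on purpose."""
    if requested is not None:
        if is_writable_dir(requested):
            return requested, "requested"
        raise RuntimeError("requested driver path is not writable: %s" % requested)
    if is_writable_dir(exe_dir):
        return exe_dir, "alongside_exe"
    temp_dir = temp_dir or tempfile.gettempdir()
    if is_writable_dir(temp_dir):
        return temp_dir, "temp"
    raise RuntimeError("no writable location for the driver")


def write_driver(directory, data=FAKE_DRIVER, name="winpmem_driver.sys"):
    """Write the driver and return the artifact record a responder can
    attach to their notes on changes made to the examined host."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    return {"path": path, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}
```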

GoogleCodeExporter commented 9 years ago
Sounds like it's safe to close this issue? If not, feel free to re-open.

Original comment by michael.hale@gmail.com on 5 Nov 2013 at 7:41