Dan,
First, I noticed that you never actually responded to your initial thread:
http://forensicfocus.com/Forums/viewtopic/t=10287/
As I'm sure you're aware, anything you do to capture memory from a live system is going to affect that memory, particularly if you use a physical system. If you are using a VM, you can always pause the VM, and copy off the memory file for analysis.