Difference between revisions of "Memory Imaging"

From ForensicsWiki
Jump to: navigation, search
(External Links)
Line 16: Line 16:
  
 
The MmMapIoSpace function (or routine) is kernel-mode function to map a physical address range to non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx].
 
The MmMapIoSpace function (or routine) is kernel-mode function to map a physical address range to non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx].
 +
 +
== Memory Imaging Techniques ==
 +
 +
; Crash Dumps
 +
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
 +
; LiveKd Dumps
 +
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
 +
; Hibernation Files
 +
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
 +
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
 +
; Firewire
 +
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
 +
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
 +
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
 +
: The [http://digitalfire.ucd.ie/?page_id=430 Goldfish] tool automates this exploit for investigators needing to analyze the memory of a Mac.
 +
; Cold and Warm reboots
 +
: Typical RAM-modules retain memory during reboots as long as power is provided. The modules typically support a self-refresh. Whether the data is retained depend on BIOS-es that do or do not clear the RAM during their initialisation of the motherboards. Warm reboots refer to reboot methods in which power is never removed from the memory module. Tools like [http://mcgrewsecurity.com/oldsite/projects/msramdmp.1.html msramdump] or [http://www.sei.cmu.edu/digitalintelligence/tools/afterlife/ afterlife] act like minimal OS-es with a memory footprint around a few 100k that can save memory to disk (Nowadays often only upto 4G afaik). When the RAM is cleared by the standard BIOS, [https://ohm2013.org/wiki/Village:Garrison#Lecture:_RAM_Memory_acquisition_using_live-BIOS_modification replacing the bios] can be an option. Depending on the motherboard this method works fine. [http://en.wikipedia.org/wiki/Cold_boot_attack Cold boot] refers to the cooling of RAM te increase the time the RAM module will retain data without power. Opinions on how practical cold boot is are discussed in "[http://www1.cs.fau.de/filepool/projects/coldboot/fares_coldboot.pdf On the Practicability of Cold Boot Attacks]".
 +
; Virtual Machine Imaging
 +
: There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for obtaining a memory image. The common method is to pause/suspend/stop the system and then collect the resulting memory image file, this has the disadvantage of taking the machine offline during the suspend time. Alternatively most of these systems support live dumping of a memory image. [http://www.qemu.org Qemu ] supports the pmemsave function, [http://www.xen.org Xen] has the xm dump-core command.
  
 
== Also see ==
 
== Also see ==

Revision as of 14:51, 1 July 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to Disk Imaging.

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O

The resulting copy is stored in a Forensics image format. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.

Methods

Reading from the Physical Memory Object

In Windows the Physical Memory Object, \\Device\PhysicalMemory, can be used the access physical memory. Since Windows 2003 SP1 user-mode access to this device-object is no longer permitted [1]. A kernel-mode process is still allowed to read from this device-object.

MmMapIoSpace

The MmMapIoSpace function (or routine) is kernel-mode function to map a physical address range to non-paged system space [2].

Memory Imaging Techniques

Crash Dumps
When configured to create a full memory dump, Windows operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. Andreas Schuster has a blog post describing this technique.
LiveKd Dumps
The Sysinternals tool LiveKd can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
Hibernation Files
Windows 98, 2000, XP, 2003, and Vista support a feature called hibernation that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of physical memory, is written to the disk on the system drive, usually C:, as hiberfil.sys. This file can be parsed and decompressed to obtain the memory image. Once hiberfil.sys has been obtained, Sandman can be used to convert it to a dd image.
Mac OS X very kindly creates a file called /var/vm/sleepimage on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on File Vault and enables Secure Virtual Memory. [3].
Firewire
It is possible for Firewire or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
At CanSec West 05, Michael Becher, Maximillian Dornseif, and Christian N. Klein discussed an exploit which uses DMA to read arbitrary memory locations of a firewire-enabled system. The paper lists more details. The exploit is run on an iPod running Linux. This can be used to grab screen contents.
This technique has been turned into a tool that you can download from: http://www.storm.net.nz/projects/16
The Goldfish tool automates this exploit for investigators needing to analyze the memory of a Mac.
Cold and Warm reboots
Typical RAM-modules retain memory during reboots as long as power is provided. The modules typically support a self-refresh. Whether the data is retained depend on BIOS-es that do or do not clear the RAM during their initialisation of the motherboards. Warm reboots refer to reboot methods in which power is never removed from the memory module. Tools like msramdump or afterlife act like minimal OS-es with a memory footprint around a few 100k that can save memory to disk (Nowadays often only upto 4G afaik). When the RAM is cleared by the standard BIOS, replacing the bios can be an option. Depending on the motherboard this method works fine. Cold boot refers to the cooling of RAM te increase the time the RAM module will retain data without power. Opinions on how practical cold boot is are discussed in "On the Practicability of Cold Boot Attacks".
Virtual Machine Imaging
There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for obtaining a memory image. The common method is to pause/suspend/stop the system and then collect the resulting memory image file, this has the disadvantage of taking the machine offline during the suspend time. Alternatively most of these systems support live dumping of a memory image. Qemu supports the pmemsave function, Xen has the xm dump-core command.

Also see

External Links