Difference between pages "Tools:Memory Imaging" and "Cloud Forensics Bibliography"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m (Windows Software)
 
 
Line 1: Line 1:
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Once memory has been imaged, it is subjected to [[memory analysis]] to ascertain the state of the system, extract artifacts, and so on.
+
'''In chronological order, oldest to most recent'''
  
One of the most vexing problems for memory imaging is verifying that the image has been created correctly.  That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never--to a high degree of probability--be the same.  Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation. [[Memory analysis]] can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question as to whether the image accurately reflects the system from which it was taken at the time it was taken.
+
<bibtex>
 +
@article{Dykstra12,
 +
author = "Josiah Dykstra and Alan T. Sherman",
 +
title = "Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques",
 +
  journal = "Digital Investigation",
 +
volume = {9},
 +
year = {2012},
 +
pages = {S90--S98},
 +
  url="http://ww.cs.umbc.edu/~dykstra/DFRWS_Dykstra.pdf"
 +
</bibtex>
  
== Memory Imaging Techniques ==
+
<bibtex>
 +
@inproceedings{ISSA,
 +
author = "Waldo Delport and Michael Kohn and Martin S. Olivier",
 +
title = "Isolating a cloud instance for a digital forensic investigation",
 +
  booktitle={Proceedings of the 2011 Information Security for South Africa (ISSA 2011) Conference},
 +
  year={August 2011},
 +
  organization={ISSA},
 +
</bibtex>
  
; Crash Dumps
+
<bibtex>
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
+
@article{CLSR,
; LiveKd Dumps
+
author = "Esther George and Stephen Mason",
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
+
title = "Digital evidence and ‘cloud’ computing",
; Hibernation Files
+
journal = "Computer Law & Security Review",
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
+
volume = {27},
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
+
issue = {5},
; Firewire
+
year = {September 2011},
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
+
pages = {524--528}
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
+
</bibtex>
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
+
: Goldfish is a tool that is being developed to get RAM from a Mac. Contact cybercrime.com.
+
  
== Memory Imaging Tools ==
+
<bibtex>
===x86 Hardware===
+
@article{dykstraJournal,
; Tribble PCI Card (research project)
+
  author = "Josiah Dykstra and Alan. T. Sherman",
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
+
  title = "Understanding Issues in Cloud Forensics: Two Hypothetical Case Studies",
 +
  journal ={Journal of Network Forensics},
 +
  volume = {3},
 +
  number = {1},
 +
  year = {Autumn, 2011},
 +
  pages = {19--31}
 +
}
 +
</bibtex>
  
; CoPilot by Komoku
+
<bibtex>
: Komoku was acquired by Microsoft and the card was not made publicly available.
+
@article{ruan,
 +
  title="Cloud forensics: An overview",
 +
  author={Keyun Ruan and Joe Carthy and Tahar Kechadi and Mark Crosbie},
 +
  booktitle={Advances in Digital Forensics VII},
 +
  year={2011},
 +
  url="http://cloudforensicsresearch.org/publication/Cloud_Forensics_An_Overview_7th_IFIP.pdf"
 +
}
  
; Forensic RAM Extraction Device (FRED) by BBN
+
</bibtex>
: Not publicly available. http://www.ir.bbn.com/~vkawadia/
+
<bibtex>
  
===[[Windows]] Software===
+
@inproceedings{ruanSurvey,
; winen.exe (Guidance Software - included with Encase 6.11 and higher)
+
  title="Survey on cloud forensics and critical criteria for cloud forensic capability: A preliminary analysis",
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
  author={Keyun Ruan and Ibrahim Baggili and Joe Carthy and Tahar Kechadi},
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
+
  booktitle={Proceedings of the 2011 ADFSL Conference on Digital Forensics, Security and Law},
 +
  year={2011},
 +
  organization={ADFSL},
 +
  url="http://www.cloudforensicsresearch.org/publication/Survey_on_Cloud_Forensics_and_Critical_Criteria_for_Cloud_Forensic_Capability_6th_ADFSL.pdf"
 +
}
 +
</bibtex>
  
; [[WinDD]]
+
<bibtex>
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
@article{CloudForensics,
: http://windd.msuiche.net/
+
  author = {Mark Taylor and John Haggerty and David Gresty and David Lamb},
: http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/
+
  title = {Forensic investigation of cloud computing systems},
 +
  journal ={Network Security},
 +
  volume = {2011},
 +
  number = {3},
 +
  year = {2011},
 +
  pages = {4--10},
 +
  url="http://www.whieb.com/download.jsp?address=/upload%2Fdoc%2F20110415%2Fforensic+investigation+of+cloud+computing+systems.pdf"
 +
}
  
; [[Mdd]] (Memory DD) ([[ManTech]])
+
</bibtex>
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
<bibtex>
: http://sourceforge.net/projects/mdd
+
  
; F-Response with FTK imager, dd, Encase, WinHex, etc
+
@inproceedings{birk,
: Beta 2.03 provides remote access to memory that can be acquired using practically any standard imaging tool
+
  title="Technical Issues of Forensic Investigations in Cloud Computing Environments",
: http://www.f-response.com/index.php?option=com_content&task=view&id=79&Itemid=2
+
  booktitle = {Proceedings of the 6th International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE)},
 +
  author={Dominik Birk and Christoph Wegener},
 +
  year={2011},
 +
  organization={IEEE},
 +
  address = {Oakland, CA, USA},
 +
  url="http://code-foundation.de/stuff/2011-birk-cloud-forensics.pdf"
 +
}
  
; MANDIANT Memoryze
+
</bibtex>
: Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
+
: http://www.mandiant.com/software/memoryze.htm
+
  
; [[Kntdd]]
+
<bibtex>
: http://www.gmgsystemsinc.com/knttools/
+
@article{Araiza11,
 +
  title="Electronic Discovery in the Cloud",
 +
  author={Alberto G. Araiza},
 +
  journal={Duke Law and Technology Review},
 +
  volume = {8},
 +
  year = {2011},
 +
  url="http://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1222&context=dltr"
 +
}
 +
</bibtex>
  
; [[dd]]
+
<bibtex>
: On [[Microsoft Windows]] systems, [[dd]] can be used by an Administrator user to image memory using the ''\Device\Physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.
+
@article{Cross10,
 +
  title="E-Discovery and Cloud Computing:  Control of ESI in the Cloud",
 +
  author={David D. Cross and Emily Kuwahara},
 +
  journal={EDDE Journal},
 +
  volume = {1},
 +
  number = {2},
 +
  year = {2010},
 +
  pages = {2--12},
 +
  url="http://www.crowell.com/documents/E-Discovery-and-Cloud-Computing-Control-of-ESI-in-the-Cloud.pdf"
 +
}
 +
</bibtex>
  
; Windows Memory Forensic Toolkit (WMFT)
+
<bibtex>
: http://forensic.seccure.net/
+
@book{Lil10,
: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
+
  title="Digital Forensics for Network, Internet and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data",
 +
  author={Terrance V. Lillard},
 +
  year={2010},
 +
  publisher={Syngress},
 +
}
 +
</bibtex>
  
; Nigilant32
+
<bibtex>
: http://www.agilerm.net/publications_4.html
+
@inproceedings{Lu10,
 +
  title="Secure provenance: the essential of bread and butter of data forensics in cloud computing",
 +
  booktitle={Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS '10)},
 +
  author={Rongxing Lu and Xiaodong Lin and Xiaohui Liang and Xuemin Sherman Shen},
 +
  pages={282--292},
 +
  year={2010},
 +
  address={New York, NY, USA},
 +
  organization={ACM},
 +
  url="http://bbcr.uwaterloo.ca/~rxlu/paper/asiaccs185-lu.pdf"
 +
}
  
;[[HBGary]]: Fastdump and Fastdump Pro
+
</bibtex>
:http://www.hbgary.com
+
:[[Fastdump]] (free with registration) Can acquire physical memory on Windows 2000 through Windows XP 32 bit but not Windows 2003 or Vista.
+
:[[Fastdump Pro]] Can acquire physical memory on Windows 2000 through Windows 2008, all service packs.  Additionally, Fastdump Pro supports:
+
:-32 bit and 64 bit architectures
+
:-Acquisitions of greater than 4GB
+
:-Fast acquisitions through the use of larger page sizes (1024KB) but also supports a strict mode that enforces 4KB page sizes.
+
:-Process probing which allows for a more complete memory image of a process of interest.
+
:-Acquisition of the system page file during physical memory acquisition.  This allows for a more complete memory analysis.
+
  
===Unix===
+
<bibtex>
;[[dd]]
+
: On Unix systems, the program [[dd]] can be used to capture the contents of [[physical memory]] using a device file (e.g. <tt>/dev/mem</tt> and <tt>/dev/kmem</tt>).  In recent Linux kernels, /dev/kmem is no longer available.  In even more recent kernels, /dev/mem has additional restrictions.  And in the most recent, /dev/mem is no longer available by default, either.  The throughout the 2.6 kernel series has been to reduce direct access to memory via pseudo-device files.  See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.
+
;[http://www.pikewerks.com/sl/ Second Look]
+
: This memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA.
+
; Idetect (Linux)
+
: http://forensic.seccure.net/
+
  
==See Also==
+
@inproceedings{Wol09,
* [[Windows Memory Analysis]]
+
  title="Overcast: Forensic Discovery in Cloud Environments",
* http://blogs.23.nu/RedTeam/0000/00/antville-5201/
+
  booktitle = {Proceedings of the 2009 Fifth International Conference on IT Security Incident Management and IT Forensics (IMF '09)},
* http://www.storm.net.nz/projects/16
+
  author={Stephen D. Wolthusen},
* http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf
+
  pages={3--9},
 +
  year={2009},
 +
  address={Washington, DC, USA},
 +
  organization={IEEE Computer Society}
 +
}
  
== External Links ==
+
</bibtex>
* [http://www.syngress.com/book_catalog/sample_159749156X.PDF  Windows Memory Analysis (Sample Chapter)]
+
  
[[Category:Tools]]
+
 
 +
 
 +
[[Category:Bibliographies]]

Revision as of 09:43, 27 June 2012

In chronological order, oldest to most recent

Josiah Dykstra, Alan T. Sherman - Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques
Digital Investigation 9:S90--S98,2012
http://ww.cs.umbc.edu/~dykstra/DFRWS_Dykstra.pdf
Bibtex
Author : Josiah Dykstra, Alan T. Sherman
Title : Acquiring forensic evidence from infrastructure-as-a-service cloud computing: Exploring and evaluating tools, trust, and techniques
In : Digital Investigation -
Address :
Date : 2012

Waldo Delport, Michael Kohn, Martin S. Olivier - Isolating a cloud instance for a digital forensic investigation
Proceedings of the 2011 Information Security for South Africa (ISSA 2011) Conference ,August 2011
Bibtex
Author : Waldo Delport, Michael Kohn, Martin S. Olivier
Title : Isolating a cloud instance for a digital forensic investigation
In : Proceedings of the 2011 Information Security for South Africa (ISSA 2011) Conference -
Address :
Date : August 2011

Esther George, Stephen Mason - Digital evidence and ‘cloud’ computing
Computer Law & Security Review 27:524--528,September 2011
Bibtex
Author : Esther George, Stephen Mason
Title : Digital evidence and ‘cloud’ computing
In : Computer Law & Security Review -
Address :
Date : September 2011

Josiah Dykstra, Alan. T. Sherman - Understanding Issues in Cloud Forensics: Two Hypothetical Case Studies
Journal of Network Forensics 3(1):19--31,Autumn, 2011
Bibtex
Author : Josiah Dykstra, Alan. T. Sherman
Title : Understanding Issues in Cloud Forensics: Two Hypothetical Case Studies
In : Journal of Network Forensics -
Address :
Date : Autumn, 2011

Keyun Ruan, Joe Carthy, Tahar Kechadi, Mark Crosbie - Cloud forensics: An overview
,2011
http://cloudforensicsresearch.org/publication/Cloud_Forensics_An_Overview_7th_IFIP.pdf
Bibtex
Author : Keyun Ruan, Joe Carthy, Tahar Kechadi, Mark Crosbie
Title : Cloud forensics: An overview
In : -
Address :
Date : 2011

Keyun Ruan, Ibrahim Baggili, Joe Carthy, Tahar Kechadi - Survey on cloud forensics and critical criteria for cloud forensic capability: A preliminary analysis
Proceedings of the 2011 ADFSL Conference on Digital Forensics, Security and Law ,2011
http://www.cloudforensicsresearch.org/publication/Survey_on_Cloud_Forensics_and_Critical_Criteria_for_Cloud_Forensic_Capability_6th_ADFSL.pdf
Bibtex
Author : Keyun Ruan, Ibrahim Baggili, Joe Carthy, Tahar Kechadi
Title : Survey on cloud forensics and critical criteria for cloud forensic capability: A preliminary analysis
In : Proceedings of the 2011 ADFSL Conference on Digital Forensics, Security and Law -
Address :
Date : 2011

Mark Taylor, John Haggerty, David Gresty, David Lamb - Forensic investigation of cloud computing systems
Network Security 2011(3):4--10,2011
http://www.whieb.com/download.jsp?address=/upload%2Fdoc%2F20110415%2Fforensic+investigation+of+cloud+computing+systems.pdf
Bibtex
Author : Mark Taylor, John Haggerty, David Gresty, David Lamb
Title : Forensic investigation of cloud computing systems
In : Network Security -
Address :
Date : 2011

Dominik Birk, Christoph Wegener - Technical Issues of Forensic Investigations in Cloud Computing Environments
Proceedings of the 6th International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE) , Oakland, CA, USA,2011
http://code-foundation.de/stuff/2011-birk-cloud-forensics.pdf
Bibtex
Author : Dominik Birk, Christoph Wegener
Title : Technical Issues of Forensic Investigations in Cloud Computing Environments
In : Proceedings of the 6th International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE) -
Address : Oakland, CA, USA
Date : 2011

Alberto G. Araiza - Electronic Discovery in the Cloud
Duke Law and Technology Review 8,2011
http://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1222&context=dltr
Bibtex
Author : Alberto G. Araiza
Title : Electronic Discovery in the Cloud
In : Duke Law and Technology Review -
Address :
Date : 2011

David D. Cross, Emily Kuwahara - E-Discovery and Cloud Computing: Control of ESI in the Cloud
EDDE Journal 1(2):2--12,2010
http://www.crowell.com/documents/E-Discovery-and-Cloud-Computing-Control-of-ESI-in-the-Cloud.pdf
Bibtex
Author : David D. Cross, Emily Kuwahara
Title : E-Discovery and Cloud Computing: Control of ESI in the Cloud
In : EDDE Journal -
Address :
Date : 2010

Terrance V. Lillard - Digital Forensics for Network, Internet and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data
Syngress,2010
Bibtex
Author : Terrance V. Lillard
Title : Digital Forensics for Network, Internet and Cloud Computing: A Forensic Evidence Guide for Moving Targets and Data
In : -
Address :
Date : 2010

Rongxing Lu, Xiaodong Lin, Xiaohui Liang, Xuemin Sherman Shen - Secure provenance: the essential of bread and butter of data forensics in cloud computing
Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS '10) pp. 282--292, New York, NY, USA,2010
http://bbcr.uwaterloo.ca/~rxlu/paper/asiaccs185-lu.pdf
Bibtex
Author : Rongxing Lu, Xiaodong Lin, Xiaohui Liang, Xuemin Sherman Shen
Title : Secure provenance: the essential of bread and butter of data forensics in cloud computing
In : Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS '10) -
Address : New York, NY, USA
Date : 2010

Stephen D. Wolthusen - Overcast: Forensic Discovery in Cloud Environments
Proceedings of the 2009 Fifth International Conference on IT Security Incident Management and IT Forensics (IMF '09) pp. 3--9, Washington, DC, USA,2009
Bibtex
Author : Stephen D. Wolthusen
Title : Overcast: Forensic Discovery in Cloud Environments
In : Proceedings of the 2009 Fifth International Conference on IT Security Incident Management and IT Forensics (IMF '09) -
Address : Washington, DC, USA
Date : 2009