Difference between pages "Linux Memory Analysis" and "CarvFs"

From ForensicsWiki
==Linux Memory Analysis Tools==

Research Projects:
* The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Publication Date: 2006; Availability/License: not available)

Open Source Projects:
* The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. Support for Linux is experimental, but available from Subversion in the [http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2Flinux-support linux-support branch]. (Availability/License: GNU GPL)
* [http://hysteria.sk/~niekt0/foriana/ Foriana] is a tool for extracting information such as the process and module lists from a RAM image using logical relations between OS structures. (Availability/License: GNU GPL)
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
* [http://code.google.com/p/volatilitux/ Volatilitux] is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
* The [http://people.redhat.com/anderson/ Red Hat Crash Utility] is an extensible Linux kernel core dump analysis program. Although designed as a debugging tool, it has also been used for memory forensics; see, for example, the [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html 2008 DFRWS challenge write-up by AAron Walters]. (Availability/License: GNU GPL)

Commercial Products:
* [[Second Look: Linux Memory Forensics]] from [http://www.pikewerks.com Pikewerks Corporation] can analyze live memory or stored snapshots (physical memory images). It can be used to detect rootkits and other kernel-hooking malware, as well as to obtain forensic information about the state of the system. It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views. An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels. As of May 2011, it supports x86 and x86_64 targets running kernels 2.6.8 to 2.6.38. (Availability/License: commercial)

==Linux Memory Analysis Challenges==

* The [[Digital Forensic Research Workshop]] [http://dfrws.org/2008/challenge/index.shtml 2008 Forensics Challenge] focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
* [http://communaute.sstic.org/ChallengeSSTIC2010 Challenge SSTIC 2010] (French) dealt with analysis of physical memory from a mobile device running Android.

==Linux Memory Analysis Bibliography==

* [http://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
* [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html Linux Memory Forensics for DFRWS Challenge 2008 using Volatility, Crash, and PyFlag], by AAron Walters on the Volatile Systems Blog.
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
* [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.
* [http://www.dfrws.org/2010/proceedings/2010-305.pdf Treasure and tragedy in kmem_cache mining for live forensics investigation] by Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III; Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010. [http://www.dfrws.org/2010/proceedings/richard2.pdf (Presentation)]
* [http://www.pikewerks.com/sl/ Second Look Web Page], [http://www.pikewerks.com/_datasheets/secondlook.pdf Second Look Datasheet]
* [http://blackhat.com/html/bh-dc-11/bh-dc-11-archives.html#Case De-Anonymizing Live CDs through Physical Memory Analysis] ([https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing_Live_CDs-wp.pdf Whitepaper]) ([https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing%20Live%20CDs-Slides.pdf Slides]) Andrew Case; Blackhat USA 2010.
* [http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html Bringing Linux Support to Volatility], Andrew Case; Digital Forensics Solutions Blog, 2011.

Volatility Mailing List Threads on Support for Linux:
* http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
* http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112

==CarvFs==

Revision as of 09:30, 12 March 2010

CarvFs is a modular [[Fuse]] based user space file system on top of [[LibCarvPath]]. CarvFS makes CarvPath style annotations as used by LibCarvPath available as files. Using CarvFs makes it possible to process carved entities as files without the need for copy-out.

CarvFs is modular with respect to access to image files. The CarvFs distribution comes with a default module for access to (split) raw files.

A separate [[LibEwf]] module is available for access to EWF images.

* [https://sourceforge.net/apps/mediawiki/carvpath/index.php?title=Main_Page CarvPath wiki]