Difference between pages "Tools:Memory Imaging" and "Slack"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Memory Imaging Tools)
 
m
 
Line 1: Line 1:
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Usually memory images are used as part of [[memory analysis]].
+
{{Expand}}
  
One of the most vexing problems for memory imaging is verifying that the data has been imaged correctly. Because the procedure cannot be repeated (i.e. the memory changes during the process), it is impossible to do the acquisition again and compare the results. At this time the structures involved are not known well enough to determine the integrity of the image.
+
== Definition ==
  
; [[dd]]
+
In Computer Forensics '''slack''' refers to the bytes after the logical end of a file and the end of the cluster wherein the final byte of the valid file resides.
: On *nix systems, the program [[dd]] can be used to capture the contents of [[physical memory]] using a device file. On [[Linux]], this file is <tt>/dev/mem</tt>. On [[Microsoft Windows]] systems, a version of [[dd]] by [[George Garner]] allows an Administrator user to image memory using the ''\Device\Physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.
+
  
; [[hibernation]] files
+
== Slack Types ==
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image.
+
  
== Imaging with Firewire ==  
+
=== RAM Slack ===
  
It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
+
=== File Slack ===
  
At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
+
== External Links ==
 
+
This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
+
 
+
== Memory Imaging Tools ==
+
 
+
; Firewire
+
: http://www.storm.net.nz/projects/16
+
; Tribble PCI Card
+
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
+
; CoPilot
+
: http://www.komoku.com/forensics/forensics.html
+
; Windows Memory Forensic Toolkit (WMFT) and Idetect (Linux)
+
: http://forensic.seccure.net/
+
: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
+

Revision as of 11:19, 3 March 2008

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Definition

In Computer Forensics slack refers to the bytes after the logical end of a file and the end of the cluster wherein the final byte of the valid file resides.

Slack Types

RAM Slack

File Slack

External Links