Difference between pages "Tools:Memory Imaging" and "Oxygen Forensic Suite 2"

From Forensics Wiki
(Difference between pages)
== Oxygen Forensic Suite 2 ==

<table style="padding:0.3em; float:right; margin-left:15px; margin-bottom:8px; border:1px solid #A3B1BF; background:#f5faff; text-align:center; font-size:95%; line-height:1.5em;width:220px;">
<tr>
<th colspan="2" style="padding:0.1em; font-size:1em; background-color:#cee0f2;">Current version</th>
</tr>
<tr style="font-size:1em;">
  <td align="right"><b>Version Number:</b></td>
  <td align="left">1.5.1</td>
</tr>
<tr style="font-size:1em;">
  <td align="right" ><b>Date Released:</b></td>
  <td align="left">02 December 2008</td>
</tr>
<tr>
<th colspan="2" style="padding:0.1em; font-size:1em; background-color:#cee0f2;">Recent changes</th>
</tr>
<tr style="font-size:1em;">
  <td colspan="2" align="left">
    <ul>
    <li>Added hash calculation and verification for the extracted device data
    <li>Added support for common Samsung phones based on the Swift and Sysol platforms
    </ul>
  </td>
</tr>
<tr>
<th colspan="2" style="padding:0.1em; font-size:1em; background-color:#cee0f2;">Screenshots</th>
</tr>
<tr style="font-size:1em;">
  <td colspan="2" align="left">
[[Image:OFS2_02_EventLog.png|200px|thumb|center|Event log]]
[[Image:OFS2_04_LifeBlog.png|200px|thumb|center|LifeBlog with GPS mapping]]
[[Image:OFS2_05_FileBrowser.png|200px|thumb|center|File Browser with Hex viewer]]
[[Image:OFS2_08_MessagesExportPDF.png|200px|thumb|center|Sample report]]
[http://www.oxygen-forensic.com/en/screenshots/ More screenshots ... ]
  </td>
</tr>
</table>

===Brief===

[http://www.oxygen-forensic.com/ Oxygen Forensic Suite 2] by [http://www.oxygen-software.com/ Oxygen Software] is mobile forensic software for the logical analysis of [[cell phones]], [[SmartPhones|smartphones]] and [[PDAs]]. The vendor claims that its own data access protocols extract considerably more data than tools that rely on the standard phone protocols.

===Regular data extraction===

Oxygen Forensic Suite 2 extracts the general data that most tools provide:

* device information (IMEI, software and hardware versions, operator, etc.)
* contacts (names, phone numbers, notes)
* calendar events
* messages ([[SMS]])
* log records (incoming, outgoing and missed calls)
* files (images, sounds, videos, documents, etc.)

===Unique data extraction===

Beyond that, Oxygen Forensic Suite 2 extracts a number of items that are not commonly available:

* contacts (date of last modification, contact photos, field labels, contact groups and speed dials)
* calendar events (date of last modification, all event dates, alarm status, recurrences)
* messages (e-mail and MMS, messages from custom folders, message SMSC time stamp)
* log records ([[GPRS]], [[EDGE]], CSD, HSCSD and Wi-Fi session traffic and duration, details of deleted SMS)
* files (file system of phone memory and flash card)
* LifeBlog data (the main phone events such as SMS, photos and calendar events, '''with their geographical coordinates''')

'''Important!''' Which of these features are available depends on the phone model.

===Device coverage===

As of October 2008, Oxygen Forensic Suite 2 supports more than '''1100 devices''': [[Nokia]], Vertu, [[Sony Ericsson]], Samsung, Motorola, [[BlackBerry|Blackberry]], Panasonic, Siemens, HTC, HP, E-Ten, Gigabyte, i-Mate and other mobile phones.

Oxygen Forensic Suite 2 has strong support for [[symbian|Symbian OS]], [[symbian|Nokia S60]], Sony Ericsson UIQ, [[Microsoft Windows Mobile|Windows Mobile 5/6]] and [[BlackBerry|Blackberry]] [[SmartPhones|smartphones]] and communicators.

===Other===

* The software accesses devices without using the standard protocols (AT, OBEX, SyncML). Smartphones and communicators require the vendor's Agent to be installed on the device; since this writes to the device under examination, the installation should be recorded in the examination notes.
* The software can search the extracted data and create and print reports.
* The software fully supports Unicode, so multilingual data is read and displayed correctly.

===History===

Oxygen Forensic Suite 2 is the third generation of forensic tools from Oxygen Software.

* 2004, March. Oxygen Phone Manager II for Nokia phones (Forensic Edition) is released.
* 2005, November. Oxygen Phone Manager II for Symbian OS smartphones is released.
* 2007, June. Oxygen Phone Manager II (Forensic Edition) becomes a stand-alone product under the new name "Oxygen Forensic Suite".
* 2008, May. Oxygen Forensic Suite 2 is released and presented at Mobile Forensics World 2008.

===Links===

* [http://www.oxygen-forensic.com/ Official web site]
* [http://www.oxygen-software.com/ Oxygen Software web site]

== Tools:Memory Imaging ==

The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], the tools are listed by operating system. Memory images are usually the input to [[memory analysis]].

One of the most vexing problems in memory imaging is verifying that the data has been imaged correctly. Memory changes continuously while it is being read, and the imaging tool itself alters it (its own code, buffers and page cache live in the memory being captured), so a second acquisition never matches the first and the two cannot be compared. The internal structures are also not yet understood well enough to check an image for consistency after the fact. What can be done is to hash the image as it is written and record the hash with the case notes; that proves the image has not changed since acquisition, though not that it faithfully reflects the machine's memory.

; [[dd]]
: On *nix systems, [[dd]] can capture the contents of [[physical memory]] through a device file, on [[Linux]] <tt>/dev/mem</tt>. Note that kernels built with CONFIG_STRICT_DEVMEM (introduced in Linux 2.6.26 and enabled by most distributions) refuse reads of RAM ranges through <tt>/dev/mem</tt>, so on such systems a kernel driver is needed to image memory. On [[Microsoft Windows]], a version of [[dd]] by [[George Garner]] lets an Administrator image memory through the ''\Device\PhysicalMemory'' object; user-mode access to this object is denied starting with Windows 2003 Service Pack 1 and Windows Vista.

; [[hibernation]] files
: [[Windows]] 98, 2000, XP, 2003 and Vista support [[hibernation]], which saves the machine's state to disk when the computer is hibernated and restores it at the next power-on, returning the user to the exact point where they left off. The state, including a compressed image of [[physical memory]], is written to [[hiberfil.sys]] in the root of the system drive, usually C:. The file is not a flat memory dump: it begins with a header whose signature is <tt>hibr</tt> (changed to <tt>wake</tt> after a successful resume, while the page data remains on disk) and stores the in-use pages in compressed blocks, which must be parsed and decompressed to obtain the memory image.

== Imaging with Firewire ==

[[Firewire]] (IEEE 1394) devices can directly access the memory of a computer, and this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not yet reliable enough for wide use. The published papers and tools listed below are not yet forensically sound: they do not work with all Firewire controllers and on others can crash the system. The technique holds promise, but for now it should generally be avoided.

At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] presented an [[exploit]] that uses [[DMA]] over [[firewire]] to read arbitrary memory locations of a Firewire-enabled system; the [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] gives the details. The exploit runs on an [http://ipodlinux.org/Main_Page iPod running Linux] and can, for example, grab the screen contents.

This technique has been turned into a tool that can be downloaded from http://www.storm.net.nz/projects/16

== Memory Imaging Tools ==

; Firewire
: http://www.storm.net.nz/projects/16
; Tribble PCI Card
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
; CoPilot
: http://www.komoku.com/forensics/forensics.html
; Windows Memory Forensic Toolkit (WMFT) and Idetect (Linux)
: http://forensic.seccure.net/
: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
; [[KntDD]]
: http://www.gmgsystemsinc.com/knttools/
; Nigilant32
: http://www.agilerm.net/publications_4.html
; winen.exe (part of EnCase)
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
; Win32dd
: http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/
; mdd.exe ([[Mantech]])
: http://sourceforge.net/projects/mdd
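The verification problem and the [[dd]] entry above come down to one practice: hash the image while it is being written, record which ranges could not be read, and re-hash the stored file later. The Python below is an added example for this page, not one of the tools listed; it does what <tt>dd conv=noerror,sync</tt> piped into a hash tool does, but reports the unreadable pages instead of silently zeroing them. The <tt>/dev/mem</tt> device path, the 4096-byte page size and the fake device built in <tt>demo()</tt> are assumptions for illustration; reading <tt>/dev/mem</tt> needs root and, on kernels with CONFIG_STRICT_DEVMEM, fails for RAM ranges.

```python
"""Acquire a raw memory device into an image file one page at a time,
hashing the image as it is written and zero-filling pages the kernel
refuses to read. Added example; not a tool from the page. The demo at the
bottom uses a constructed temporary file, so it runs without root; point
src_path at /dev/mem (or a crash dump file) for real use.
"""
import hashlib
import os
import tempfile

PAGE = 4096  # one page per read keeps image offsets equal to physical addresses


def image_device(src_path, dst_path, size, page=PAGE):
    """Copy `size` bytes from src_path to dst_path, page by page.

    A page that cannot be read (EIO/EPERM on reserved or protected ranges,
    or a short read) is written as zeros, like dd's conv=noerror,sync, so
    later offsets stay aligned; its offset is recorded so the report can
    state which pages are padding. Returns (sha256_hex, unreadable_offsets).
    """
    digest = hashlib.sha256()
    unreadable = []
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        for offset in range(0, size, page):
            want = min(page, size - offset)
            try:
                src.seek(offset)
                data = src.read(want)
            except OSError:
                data = b""
            if len(data) != want:
                unreadable.append(offset)
                data = b"\x00" * want
            dst.write(data)
            digest.update(data)
    return digest.hexdigest(), unreadable


def verify_image(dst_path, expected_hex, page=PAGE):
    """Re-hash the stored image and compare with the acquisition-time hash.

    A match proves the file is unchanged since acquisition. It cannot prove
    the image equals what was in RAM, because RAM has moved on; that is the
    verification problem described on the page.
    """
    digest = hashlib.sha256()
    with open(dst_path, "rb") as f:
        for block in iter(lambda: f.read(page), b""):
            digest.update(block)
    return digest.hexdigest() == expected_hex


def demo():
    """Image a constructed 3-page 'device' while asking for 4 pages, so the
    fourth page is unreadable and shows up as zero padding."""
    sample = bytes(range(256)) * 48          # 12288 bytes = 3 pages, deterministic
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "fake_mem")   # constructed stand-in for /dev/mem
        dst = os.path.join(tmp, "memory.img")
        with open(src, "wb") as f:
            f.write(sample)
        sha, bad = image_device(src, dst, 4 * PAGE)
        return {
            "sha256": sha,
            "unreadable_offsets": bad,              # [12288]: the fourth page
            "image_size": os.path.getsize(dst),     # 16384: padded to full size
            "verified": verify_image(dst, sha),
        }


if __name__ == "__main__":
    print(demo())
```

Run as root against <tt>/dev/mem</tt> with <tt>size</tt> set to the installed RAM; keep the returned hash and the list of unreadable offsets together with the image, since both belong in the acquisition record.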

== Memory Imaging Techniques ==

; Create a Crash Dump
: http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html
; Dump memory with livekd
: Once livekd is started, use <tt>.dump -f [output file]</tt> to write a full memory dump to the given file.
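The [[hibernation]] entry above says that hiberfil.sys must be parsed and decompressed to recover the memory image. The Python below is an added example, not code from the page or from any tool it lists, and shows the three steps: check the 4-byte signature at offset 0, locate the compressed blocks by the 8-byte tag <tt>\x81\x81xpress</tt> that starts each 32-byte block header, and decompress a block with the plain-LZ77 Xpress algorithm as specified in MS-XCA. Two of the test vectors are the worked examples from that specification; the third vector and the hiberfil-like fragment are constructed here. The block header carries the compressed size, but its bit layout is not on this page, so the example takes block boundaries and expected output size as parameters rather than parsing it.

```python
"""hiberfil.sys helpers: signature check, Xpress block location, and plain
LZ77 Xpress decompression (MS-XCA). Added example, not from the page or any
tool it lists. Two test vectors are MS-XCA's worked examples; the third and
the hiberfil fragment are constructed here.
"""
import struct

HIBR_SIGNATURES = (b"hibr", b"HIBR", b"wake", b"WAKE")
XPRESS_TAG = b"\x81\x81xpress"   # starts every 32-byte Xpress block header
XPRESS_HEADER_LEN = 32


def hiberfil_signature(header):
    """Signature at offset 0 if Windows wrote it, else None. 'hibr' means a
    saved session, 'wake' one already resumed from; the compressed pages
    remain on disk in both cases, so a 'wake' file is still worth parsing."""
    sig = bytes(header[:4])
    return sig if sig in HIBR_SIGNATURES else None


def find_xpress_blocks(buf):
    """Offsets of every Xpress block tag in buf."""
    offsets, pos = [], buf.find(XPRESS_TAG)
    while pos != -1:
        offsets.append(pos)
        pos = buf.find(XPRESS_TAG, pos + len(XPRESS_TAG))
    return offsets


def xpress_decompress(data, expected_size=None):
    """Decompress one plain-LZ77 Xpress stream.

    Each 32-bit little-endian indicator word holds one flag per token, MSB
    first: 0 = literal byte, 1 = back-reference. A reference is a 16-bit
    word: (distance - 1) in the top 13 bits, (length - 3) in the low 3 bits;
    a 7 there means the length continues in a shared nibble byte, then a
    byte, then a 16-bit word. Unused trailing flag bits are 1, so for data
    padded past its real end (as inside hiberfil) pass expected_size.
    """
    out = bytearray()
    pos, end = 0, len(data)
    flags, flag_bits = 0, 0
    nibble_pos = None                    # index of a half-used nibble byte
    while pos < end and (expected_size is None or len(out) < expected_size):
        if flag_bits == 0:
            (flags,) = struct.unpack_from("<I", data, pos)
            pos, flag_bits = pos + 4, 32
            if pos == end:               # indicator word with nothing after it
                break
        flag_bits -= 1
        if not (flags >> flag_bits) & 1:
            out.append(data[pos])        # literal
            pos += 1
            continue
        (token,) = struct.unpack_from("<H", data, pos)
        pos += 2
        distance = (token >> 3) + 1
        length = token & 7
        if length == 7:
            if nibble_pos is None:
                nibble_pos = pos
                length = data[pos] & 0x0F
                pos += 1
            else:
                length = data[nibble_pos] >> 4
                nibble_pos = None
            if length == 15:
                length = data[pos]
                pos += 1
                if length == 255:
                    (length,) = struct.unpack_from("<H", data, pos)
                    pos += 2
                    if length < 15 + 7:
                        raise ValueError("invalid long match length")
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3
        if distance > len(out):
            raise ValueError("back-reference before start of output")
        for _ in range(length):          # byte-wise so overlapping copies work
            out.append(out[-distance])
    if expected_size is not None:
        del out[expected_size:]
    return bytes(out)


# Test vectors: the first two are the MS-XCA worked examples.
VEC_ALPHABET = bytes.fromhex("3f000000") + b"abcdefghijklmnopqrstuvwxyz"
VEC_ABC_X100 = bytes.fromhex("ffffff1f" "616263" "1700" "0f" "ff" "2601")
# Constructed: 4 literals, match(distance 4, length 12), literal, match(1, 11);
# the two long matches share the single nibble byte 0x12.
VEC_NIBBLE = bytes.fromhex("ffffff0b" "41424344" "1f00" "12" "58" "0700")

# Constructed hiberfil-like fragment: signature, then two blocks, each a
# 32-byte header (tag + zeros; real headers hold sizes) and compressed data
# zero-padded up to the next block, as the decoder sees it in practice.
SAMPLE_HIBERFIL = (
    b"hibr" + b"\x00" * 60
    + XPRESS_TAG + b"\x00" * 24 + VEC_ABC_X100 + b"\x00" * 3
    + XPRESS_TAG + b"\x00" * 24 + VEC_ALPHABET
)


def decode_sample_blocks(buf=SAMPLE_HIBERFIL, expected_sizes=(300, 26)):
    """Decompress every block in buf, using tag offsets as boundaries and the
    given output sizes (this example does not parse the block header)."""
    starts = find_xpress_blocks(buf)
    ends = starts[1:] + [len(buf)]
    return [xpress_decompress(buf[s + XPRESS_HEADER_LEN:e], size)
            for s, e, size in zip(starts, ends, expected_sizes)]
```

The first block in the fragment is followed by zero padding, and without <tt>expected_size</tt> the decoder would read the padding as further tokens; real hiberfil blocks have the same property, which is why the output size has to come from the block header rather than from the end of the input.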

== External Links ==

; Windows Memory Analysis (Sample Chapter)
: http://www.syngress.com/book_catalog/sample_159749156X.PDF

Revision as of 03:14, 2 December 2008
