Difference between pages "Tools:Memory Imaging" and "Determining OS version from an evidence image"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
m (Windows 95/98/ME)
 
Line 1: Line 1:
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Once memory has been imaged, it is subjected to [[memory analysis]] to ascertain the state of the system, extract artifacts, and so on.
+
One of the first steps an examiners will need to carry out once they have an evidence image is to log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.
  
One of the most vexing problems for memory imaging is verifying that the image has been created correctly.  That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never--to a high degree of probability--be the same.  Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation.  [[Memory analysis]] can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question as to whether the image accurately reflects the system from which it was taken at the time it was taken.
+
==Windows==
  
== Memory Imaging Techniques ==
+
===Windows 95/98/ME===
  
; Crash Dumps
+
Establish the boot volume, and locate the hidden text file \MSDOS.SYS. Locate the [Options]WinVer parameter:
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
+
; LiveKd Dumps
+
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
+
; Hibernation Files
+
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
+
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
+
; Firewire
+
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
+
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
+
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
+
: The [http://goldfish.ae Goldfish] tool automates this exploit for investigators needing to analyze the memory of a Mac.
+
; Virtual Machine Imaging
+
: There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for obtaining a memory image. The common method is to pause/suspend/stop the system and then collect the resulting memory image file, this has the disadvantage of taking the machine offline during the suspend time. Alternatively most of these systems support live dumping of a memory image. [http://www.qemu.org Qemu ] supports the pmemsave function, [http://www.xen.org Xen] has the xm dump-core command.
+
  
== Memory Imaging Tools ==
+
{| class="wikitable"
===x86 Hardware===
+
|-
 +
! WinVer
 +
! OS
 +
|-
 +
| 4.00.0950
 +
| Windows 95
 +
|-
 +
| 4.00.1111
 +
| Windows 95 OSR2
 +
|-
 +
| 4.03.1212
 +
| Windows 95 OSR2.1
 +
|-
 +
| 4.03.1214
 +
| Windows 95 OSR2.5
 +
|-
 +
| 4.10.1998
 +
| Windows 98
 +
|-
 +
| 4.10.2222
 +
| Windows 98 SE
 +
|-
 +
| 4.90.3000
 +
| Windows ME
 +
|}
  
; Tribble PCI Card (research project)
+
Alternatively, establish WinDir ([Paths]WinDir in MSDOS.SYS), locate the %WINDIR%\SYSTEM.DAT registry file. Next, look up the registry key Software\Microsoft\Windows\CurrentVersion\, and values Version and VersionNumber. (Backup copies of SYSTEM.DAT may be found in .CAB files in %WINDIR%\SYSBCKUP.)
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
+
  
; CoPilot by Komoku
+
===Windows NT===
: Komoku was acquired by Microsoft and the card was not made publicly available.
+
  
; Forensic RAM Extraction Device (FRED) by BBN
+
===Windows 2000/2003/XP/Vista===
: Not publicly available. http://www.ir.bbn.com/~vkawadia/
+
Information about a running system can be displayed using the command `ver` (and `systeminfo` on some systems).
  
===[[Windows]] Software===
+
During a forensic examination, information regarding the version of Windows can be found in a number of places.  For example, by default, the Windows directory on Windows XP is "C:\Windows", where on Windows NT and 2000, it was "C:\Winnt". This is not definitive, however, because this directory name is easily modified during installation.
There are many Windows memory acquisition tools. Most of them will not work on Windows Vista or 7, as user programs have been denied access to the ''\Device\Physicalmemory'' object starting in Windows 2003 Service Pack 1 and Windows Vista. Modern tools acquire physical memory by first installing a device driver, so administrative privileges are needed.
+
  
We have edited this list so that it only includes current tools:
+
Determining the version of Windows from the Software Registry Hive file - navigate to the ''Microsoft\Windows NT\CurrentVersion'' key, and examine the values beneath the key; specifically, values such as ProductName, CSDVersion, ProductId (if available), BuildLab, and on Vista, BuildLabEx.
  
; winen.exe (Guidance Software - included with Encase 6.11 and higher)
+
Determining the version of Windows from file version information - locate the file %WinDir%\system32\ntoskrnl.exe and review the file version information/strings from the resource section of the PE file.  You can view this information with a hex editor, or extract it using a variety of means. There is a Perl module (Win32::File::VersionInfo) that will allow you to extract this information, and the Perl script [http://sourceforge.net/project/showfiles.php?group_id=164158&package_id=203967 kern.pl] illustrates a platform independent means of examining the PE header and ultimately locating the file version information.
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
+
  
; [[Mdd]] (Memory DD) ([[ManTech]])
+
In order to determine the difference between Windows XP Professional and Home versions, look for the %WinDir%\system32\prodspec.ini file; it contains information regarding the Product type (either XP Pro or Home). Another way to do this is to look at Microsoft Product Code (first 5 digits of ''Product ID''). Some of these values:
: http://sourceforge.net/projects/mdd
+
  
; MANDIANT Memoryze
+
{| class="wikitable" border="1"
: Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
+
|-
: http://www.mandiant.com/software/memoryze.htm
+
!Value (MPC)!!Version
 +
|-
 +
|55034 || Windows XP Professional English
 +
|-
 +
|55683 || Windows XP Professional Russian
 +
|-
 +
|55681 || Windows XP Home Edition Russian
 +
|}
  
; [[Kntdd]]
+
==Unix/Linux==
: http://www.gmgsystemsinc.com/knttools/
+
Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However, this is not much good if you performing dead analysis on a disk image.
  
: [[Moonsols DumpIt]]
+
===Linux===
: This utility is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bits) and x64 (64-bits) machines.
+
A number of Linux distributions create a file in ''/etc'' to identify the release or version installed.
: The raw memory dump is generated in the current directory, only a confirmation question is prompted before starting.
+
: Perfect to deploy the executable on USB keys, for quick incident responses needs.
+
: http://www.moonsols.com/wp-content/plugins/download-monitor/download.php?id=7
+
  
;[[HBGary]]: Fastdump and Fastdump Pro
+
{| class="wikitable" border="1"
:[[Fastdump]] (free with registration) Can acquire physical memory on Windows 2000 through Windows XP 32 bit but not Windows 2003 or Vista.
+
|-
:[[Fastdump Pro]] Can acquire physical memory on Windows 2000 through Windows 2008, all service packs.  Additionally, Fastdump Pro supports:
+
!Distro!!Tag
:-32 bit and 64 bit architectures
+
|-
:-Acquisitions of greater than 4GB
+
|Red Hat || /etc/redhat-release
:-Fast acquisitions through the use of larger page sizes (1024KB) but also supports a strict mode that enforces 4KB page sizes.
+
|-
:-Process probing which allows for a more complete memory image of a process of interest.
+
|Debian  || /etc/debian-version
:-Acquisition of the system page file during physical memory acquisition.  This allows for a more complete memory analysis.
+
|}
  
;[[FTK Imager]]: FTK Imager
+
===Solaris===
:http://accessdata.com/support/adownloads#FTKImager
+
:FTK Imager can acquire live memory and paging file on 32bit and 64bit systems.
+
  
===Linux/Unix===
+
===Free/Net/OpenBSD===
;[[dd]]
+
You can get the release and version of BSDs operating system inside the kernel images, even with only a disk image.
: On Unix systems, the program [[dd]] can be used to capture the contents of [[physical memory]] using a device file (e.g. <tt>/dev/mem</tt> and <tt>/dev/kmem</tt>).  In recent Linux kernels, /dev/kmem is no longer available.  In even more recent kernels, /dev/mem has additional restrictions.  And in the most recent, /dev/mem is no longer available by default, either.  Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files.  See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.  On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash"). This module can also be compiled for any system with minor effort, see http://gleeda.blogspot.com/2009/08/devcrash-driver.html. Note that acquisition from the resulting /dev/crash driver needs significant testing as reading the wrong segments of memory such as PCI or BIOS mapped memory can easily lead to hung systems.
+
;[http://www.pikewerks.com/sl/ Second Look]
+
: This commercial memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA or over the network.  It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
+
; Idetect (Linux)
+
: http://forensic.seccure.net/
+
;[http://hysteria.sk/~niekt0/foriana/fmem_current.tgz fmem] (Linux)
+
: fmem is kernel module, that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.
+
  
===Mac OS X===
+
{| class="wikitable" border="1"
;[http://goldfish.ae Goldfish]
+
|-
:Goldfish is a [[Mac OS X]] live forensic tool for use only by law enforcement. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a [[Firewire]] connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law Enforcement may contact [http://goldfish.ae goldfish.ae] for download information.
+
!OS!!Kernel path
;[http://cybermarshal.atc-nycorp.com/index.php/cyber-marshal-utilities/mac-memory-reader Mac Memory Reader]
+
|-
:Mac Memory Reader is a simple command-line utility to capture the contents of physical RAM.  Results are stored in a Mach-O binary file.  Mac Memory Reader is available free of charge.  It executes directly on 32- and 64-bit target machines running Mac OS X 10.4, 10.5, or 10.6 and requires a PowerPC G4 or newer, or any Intel processor.
+
|FreeBSD || /boot/kernel/kernel
 +
|-
 +
|OpenBSD || /bsd
 +
|-
 +
|NetBSD || /netbsd
 +
|-
 +
|}
  
===Virtual===
+
You can use <tt>strings</tt> and <tt>grep</tt> tools to find this information with <tt>strings kernel_path | grep os_name</tt>. (e.g.: <tt>strings /bsd | grep OpenBSD</tt>)
; Qemu
+
: Qemu allows you to dump the memory of a running image using pmemsave.
+
: e.g. pmemsave 0 0x20000000 /tmp/dumpfile
+
; Xen
+
: Xen allows you to live dump the memory of a guest domain using the dump-core command.
+
: You can list the available machines to find the host machine you care about using xm list and see the configuration.
+
: Dumping is a matter of sudo xm dump-core -L /tmp/dump-core-6 6
+
  
==See Also==
+
===AIX===
* [[Windows Memory Analysis]]
+
* [[Linux Memory Analysis]]
+
* http://blogs.23.nu/RedTeam/0000/00/antville-5201/
+
* http://www.storm.net.nz/projects/16
+
* http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf
+
  
== External Links ==
+
===HP/UX===
* [http://www.syngress.com/book_catalog/sample_159749156X.PDF  Windows Memory Analysis (Sample Chapter)]
+
  
[[Category:Tools]]
+
[[Category:Howtos]]

Revision as of 08:36, 26 March 2012

One of the first steps an examiners will need to carry out once they have an evidence image is to log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.

Windows

Windows 95/98/ME

Establish the boot volume, and locate the hidden text file \MSDOS.SYS. Locate the [Options]WinVer parameter:

WinVer OS
4.00.0950 Windows 95
4.00.1111 Windows 95 OSR2
4.03.1212 Windows 95 OSR2.1
4.03.1214 Windows 95 OSR2.5
4.10.1998 Windows 98
4.10.2222 Windows 98 SE
4.90.3000 Windows ME

Alternatively, establish WinDir ([Paths]WinDir in MSDOS.SYS), locate the %WINDIR%\SYSTEM.DAT registry file. Next, look up the registry key Software\Microsoft\Windows\CurrentVersion\, and values Version and VersionNumber. (Backup copies of SYSTEM.DAT may be found in .CAB files in %WINDIR%\SYSBCKUP.)

Windows NT

Windows 2000/2003/XP/Vista

Information about a running system can be displayed using the command `ver` (and `systeminfo` on some systems).

During a forensic examination, information regarding the version of Windows can be found in a number of places. For example, by default, the Windows directory on Windows XP is "C:\Windows", where on Windows NT and 2000, it was "C:\Winnt". This is not definitive, however, because this directory name is easily modified during installation.

Determining the version of Windows from the Software Registry Hive file - navigate to the Microsoft\Windows NT\CurrentVersion key, and examine the values beneath the key; specifically, values such as ProductName, CSDVersion, ProductId (if available), BuildLab, and on Vista, BuildLabEx.

Determining the version of Windows from file version information - locate the file %WinDir%\system32\ntoskrnl.exe and review the file version information/strings from the resource section of the PE file. You can view this information with a hex editor, or extract it using a variety of means. There is a Perl module (Win32::File::VersionInfo) that will allow you to extract this information, and the Perl script kern.pl illustrates a platform independent means of examining the PE header and ultimately locating the file version information.

In order to determine the difference between Windows XP Professional and Home versions, look for the %WinDir%\system32\prodspec.ini file; it contains information regarding the Product type (either XP Pro or Home). Another way to do this is to look at Microsoft Product Code (first 5 digits of Product ID). Some of these values:

Value (MPC) Version
55034 Windows XP Professional English
55683 Windows XP Professional Russian
55681 Windows XP Home Edition Russian

Unix/Linux

Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However, this is not much good if you performing dead analysis on a disk image.

Linux

A number of Linux distributions create a file in /etc to identify the release or version installed.

Distro Tag
Red Hat /etc/redhat-release
Debian /etc/debian-version

Solaris

Free/Net/OpenBSD

You can get the release and version of BSDs operating system inside the kernel images, even with only a disk image.

OS Kernel path
FreeBSD /boot/kernel/kernel
OpenBSD /bsd
NetBSD /netbsd

You can use strings and grep tools to find this information with strings kernel_path | grep os_name. (e.g.: strings /bsd | grep OpenBSD)

AIX

HP/UX