Difference between revisions of "Tools:Memory Imaging"

From ForensicsWiki
Jump to: navigation, search
(More rearranging; the two sections at the top were odd and out of place)
m (Memory Imaging Techniques)
(7 intermediate revisions by 3 users not shown)
Line 3: Line 3:
 
One of the most vexing problems for memory imaging is verifying that the data has been imaged correctly. Because the procedure cannot be repeated (i.e. the memory changes during the process), it is impossible to do the acquisition again and compare the results. At this time the structures involved are not known well enough to determine the integrity of the image.
 
One of the most vexing problems for memory imaging is verifying that the data has been imaged correctly. Because the procedure cannot be repeated (i.e. the memory changes during the process), it is impossible to do the acquisition again and compare the results. At this time the structures involved are not known well enough to determine the integrity of the image.
  
== Memory Imaging Tools ==
+
= Memory Imaging Techniques =
  
 +
; Crash Dumps
 +
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
 +
; LiveKd Dumps
 +
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
 +
; Hibernation Files
 +
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
 +
: [[MacOS]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on FileVault and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
 
; Firewire
 
; Firewire
: http://www.storm.net.nz/projects/16
+
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
 +
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
 +
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
 +
 
 +
= Memory Imaging Tools =
 +
==[[Windows]] Hardware==
 
; Tribble PCI Card
 
; Tribble PCI Card
 
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
 
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
; CoPilot
+
==[[Windows]] Software==
: http://www.komoku.com/forensics/forensics.html
+
; Windows Memory Forensic Toolkit (WMFT)  
; Windows Memory Forensic Toolkit (WMFT) and Idetect (Linux)
+
 
: http://forensic.seccure.net/
 
: http://forensic.seccure.net/
 
: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
 
: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
 +
 
; [[Kntdd]]
 
; [[Kntdd]]
 
: http://www.gmgsystemsinc.com/knttools/
 
: http://www.gmgsystemsinc.com/knttools/
 +
 
; Nigilant32
 
; Nigilant32
 
: http://www.agilerm.net/publications_4.html
 
: http://www.agilerm.net/publications_4.html
 +
 
; winen.exe (part of Encase)
 
; winen.exe (part of Encase)
 
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
 
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
 +
 
; Win32dd
 
; Win32dd
 +
: http://win32dd.msuiche.net/
 
: http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/
 
: http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/
; mdd.exe ([[ManTech]])
+
 
 +
; [[Mdd]] (Memory DD) ([[ManTech]])
 
: http://sourceforge.net/projects/mdd
 
: http://sourceforge.net/projects/mdd
; [[dd]]
 
: On *nix systems, the program [[dd]] can be used to capture the contents of [[physical memory]] using a device file. On [[Linux]], this file is <tt>/dev/mem</tt>. On [[Microsoft Windows]] systems, a version of [[dd]] by [[George Garner]] allows an Administrator user to image memory using the ''\Device\Physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.
 
  
== Memory Imaging Techniques ==
+
; [[dd]]
 +
: On [[Microsoft Windows]] systems, [[dd]] can be used by an Administrator user to image memory using the ''\Device\Physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.
  
; Crash Dumps
+
==Unix==
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
+
;[[dd]]
; LiveKd Dumps
+
: On Unix systems, the program [[dd]] can be used to capture the contents of [[physical memory]] using a device file (e.g. <tt>/dev/mem</tt> and <tt>/dev/kmem</tt>).  
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
+
; Idetect (Linux)
; Hibernation Files
+
: http://forensic.seccure.net/
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
+
; Firewire
+
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
+
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
+
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
+
  
== External Links ==
+
= External Links =
 
; Windows Memory Analysis (Sample Chapter)
 
; Windows Memory Analysis (Sample Chapter)
 
: http://www.syngress.com/book_catalog/sample_159749156X.PDF
 
: http://www.syngress.com/book_catalog/sample_159749156X.PDF

Revision as of 00:51, 9 October 2008

The physical memory of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between operating systems, these tools are listed by operating system. Usually memory images are used as part of memory analysis.

One of the most vexing problems for memory imaging is verifying that the data has been imaged correctly. Because the procedure cannot be repeated (i.e. the memory changes during the process), it is impossible to do the acquisition again and compare the results. At this time the structures involved are not known well enough to determine the integrity of the image.

Memory Imaging Techniques

Crash Dumps
When configured to create a full memory dump, Windows operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. Andreas Schuster has a blog post describing this technique.
LiveKd Dumps
The Sysinternals tool LiveKd can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
Hibernation Files
Windows 98, 2000, XP, 2003, and Vista support a feature called hibernation that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of physical memory, is written to the disk on the system drive, usually C:, as hiberfil.sys. This file can be parsed and decompressed to obtain the memory image. Once hiberfil.sys has been obtained, Sandman can be used to convert it to a dd image.
MacOS very kindly creates a file called /var/vm/sleepimage on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on FileVault and enables Secure Virtual Memory. [1].
Firewire
It is possible for Firewire or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
At CanSec West 05, Michael Becher, Maximillian Dornseif, and Christian N. Klein discussed an exploit which uses DMA to read arbitrary memory locations of a firewire-enabled system. The paper lists more details. The exploit is run on an iPod running Linux. This can be used to grab screen contents.
This technique has been turned into a tool that you can download from: http://www.storm.net.nz/projects/16

Memory Imaging Tools

Windows Hardware

Tribble PCI Card
http://www.digital-evidence.org/papers/tribble-preprint.pdf

Windows Software

Windows Memory Forensic Toolkit (WMFT)
http://forensic.seccure.net/
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
Kntdd
http://www.gmgsystemsinc.com/knttools/
Nigilant32
http://www.agilerm.net/publications_4.html
winen.exe (part of Encase)
http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
Win32dd
http://win32dd.msuiche.net/
http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/
Mdd (Memory DD) (ManTech)
http://sourceforge.net/projects/mdd
dd
On Microsoft Windows systems, dd can be used by an Administrator user to image memory using the \Device\Physicalmemory object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.

Unix

dd
On Unix systems, the program dd can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem).
Idetect (Linux)
http://forensic.seccure.net/

External Links

Windows Memory Analysis (Sample Chapter)
http://www.syngress.com/book_catalog/sample_159749156X.PDF