Difference between pages "Windows Memory Analysis" and "GRR"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (See Also)
 
(See also)
 
Line 1: Line 1:
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
+
{{Infobox_Software |
 +
  name = Rekall |
 +
  maintainer = [[Darren Bilby]] and others |
 +
  os = {{Cross-platform}} |
 +
  genre = {{Incident response}} |
 +
  license = {{APL}} |
 +
  website = [https://code.google.com/p/grr/ code.google.com/p/grr/] |
 +
}}
  
== Sample Memory Images ==
+
GRR is an Incident Response Framework focused on Remote Live Forensics.
  
Getting started with memory analysis can be difficult without some known images to practice with.  
+
The disk and file system analysis capabilities of GRR are provided by the [[sleuthkit]] and [[pytsk]] projects.
  
* The 2005 [[Digital Forensic Research Workshop]] [http://www.dfrws.org/2005/challenge/ Memory Analysis Challenge] published two Windows 2000 Service Pack 1 memory images with some [[malware]] installed.
+
The memory analysis and acquisition capabilities of GRR are provided by the [[rekall]] project.
  
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
+
= See also =
 +
* [[pytsk]]
 +
* [[rekall]]
 +
* [[sleuthkit]]
  
* The [[CFReDS Project]] has created some [http://www.cfreds.nist.gov/mem/memory-images.rar downloadable memory images].
+
= External Links =
 +
* [https://code.google.com/p/grr/ Project site]
 +
* [https://code.google.com/p/grr/wiki/ProjectFAQ Project FAQ]
 +
* [http://grr.googlecode.com/git/docs/index.html Documentation]
  
== See Also ==
+
== Publications ==
* [[Memory Analysis]]
+
* [http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/37237.pdf Distributed forensics and incident response in the enterprise], by [[Michael Cohen]], [[Darren Bilby]], G. Caronni. Digital Investigation, 2011.
* [[Pagefile.sys]]
+
* [https://googledrive.com/host/0B9hc84IflFGbN2IwMTUyYTUtMTU0Mi00ZWQ3LWFhNDktM2IyMTg5MmY3OWI0/Hunting%20in%20the%20Enterprise:%20Forensic%20Triage%20and%20Incident%20Response Hunting in the enterprise: Forensic triage and incident response], by [[Andreas Moser]], [[Michael Cohen]], Digital Investigation, 2013.
* [http://msdn.microsoft.com/en-us/library/aa366778%28VS.85%29.aspx Memory Limits for Windows Releases], Microsoft MSDN.
+
  
== History ==  
+
== Presentations ==
 +
* [https://googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Docs/GRR%20Rapid%20Response%20-%20OSFC%202012.pdf OSDFC 2012 GRR Overview], by [[Darren Bilby]]
  
During the 1990s, it became a [[best practice]] to capture a [[Tools:Memory_Imaging|memory image]] during [[Incident Response|incident response]]. At the time, the only way to analyze such memory images was using [[strings]]. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.
+
== Workshops ==
 
+
* [https://drive.google.com/?usp=chrome_app#folders/0B1wsLqFoT7i2eU1jU0JldW9JUU0 OSDFC workshop 2013], by [[Darren Bilby]]
In the summer 2005 the [[Digital Forensic Research Workshop]] published a ''Memory Analysis Challenge''. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by [[Chris Betz]], introduced a tool called [[memparser]]. The second, by [[George Garner]] and [[Robert-Jan Mora]] produced [[KnTList]].
+
 
+
At the [[Blackhat (conference)|Blackhat Federal]] conference in March 2007, [[AAron Walters]] and [[Nick Petroni]] released a suite called [[volatools]]. Although it only worked on [[Windows XP]] Service Pack 2 images, it was able to produce a number of useful data. [[volatools]] was updated and re-released as [[Volatility]] in August 2007, and is now maintained and distributed by [https://www.volatilesystems.com/ Volatile Systems].
+
 
+
==Bibliography==
+
; 2008
+
* [http://citp.princeton.edu/memory/ Lest We Remember: Cold Boot Attacks on Encryption Keys] ([http://citp.princeton.edu.nyud.net/pub/coldboot.pdf PDF]), Usenix Security 2008 (Best student paper)
+
* [http://blogs.technet.com/markrussinovich/archive/2008/07/21/3092070.aspx Pushing the Limits of Windows: Physical Memory], Mark Russinovich, Technet Blogs, July 21, 2008
+
* [http://www.dfrws.org/2008/proceedings/p58-schuster.pdf The impact of Microsoft Windows pool allocation strategies on memory forensics], Andreas Schuster, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p58-schuster_pres.pdf [slides]]
+
* [http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Burdach/bh-fed-06-burdach-up.pdf Finding Digital Evidence In Physical Memory], Mariusz Burdach, Black Hat Federal, 2008
+
* [http://www.dfrws.org/2008/proceedings/p52-vanBaar.pdf Forensic Memory Analysis: Files mapped in memory], Ruud van Baar, DFRWS 2008, [http://www.dfrws.org/2008/proceedings/p52-vanBaar_pres.pdf [slides]]
+
* [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
+
; 2007
+
* [http://www.first.org/conference/2007/papers/rutkowska-joanna-slides.pdf Beyond The CPU: Defeating Hardware Based RAM Acquisition (part I: AMD case)], Joanna Rutkowska COSEINC Advanced Malware Labs
+
* [http://www.dfrws.org/2007/proceedings/p114-arasteh.pdf Forensic Memory Analysis: From Stack and Code to Execution History], Ali Reza Arasteh and Mourad Debbabi, DFRWS 2007
+
* [http://www.dfrws.org/2007/proceedings/p126-schatz.pdf BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software], Bradley Schatz, DFRWS 2007
+
* [http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf The VAD Tree: A Process-Eye View of Physical Memory], Brendan F Dolan-Gavitt, DFRWS 2007
+
; 2006
+
* [http://www.dfrws.org/2006/proceedings/2-Schuster.pdf Searching for Processes and Threads in Microsoft Windows Memory Dumps], Andreas Schuster, Deutsche Telekom AG, Germany, DFRWS 2006
+
 
+
[[Category:Bibliographies]]
+
 
+
== External Links ==
+
; Jesse Kornblum Memory Analysis discussion on Cyberspeak
+
: http://cyberspeak.libsyn.com/index.php?post_id=98104
+
; Memory Analysis Bibliography
+
: http://www.4tphi.net/fatkit/#links
+

Revision as of 15:36, 12 January 2014

Rekall
Maintainer: Darren Bilby and others
OS: Cross-platform
Genre: Incident Response
License: APL
Website: code.google.com/p/grr/

GRR is an Incident Response Framework focused on Remote Live Forensics.

The disk and file system analysis capabilities of GRR are provided by the sleuthkit and pytsk projects.

The memory analysis and acquisition capabilities of GRR are provided by the rekall project.

See also

External Links

Publications

Presentations

Workshops