
Difference between pages "Libdnet" and "Memory Imaging"

From ForensicsWiki
= Libdnet =

== Abstract ==

libdnet provides a simplified, portable interface to several low-level networking routines, including:

* network address manipulation
* kernel arp(4) cache and route(4) table lookup and manipulation
* network firewalling (IP filter, ipfw, ipchains, pf, PktFilter, ...)
* network interface lookup and manipulation
* IP tunnelling (BSD/Linux tun, Universal TUN/TAP device)
* raw IP packet and Ethernet frame transmission

== Supported languages ==

* C, C++
* Python
* Perl, Ruby (see below)

== Supported platforms ==

* BSD (OpenBSD, FreeBSD, NetBSD, BSD/OS)
* Linux (Redhat, Debian, Slackware, etc.)
* MacOS X
* Windows (NT/2000/XP)
* Solaris
* IRIX
* HP-UX
* Tru64

= Memory Imaging =

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O.

The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]]. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.

== Methods ==

=== Reading from the Physical Memory Object ===

In [[Windows]] the Physical Memory Object, \\Device\PhysicalMemory, can be used to access physical memory. Since Windows 2003 SP1 user-mode access to this device object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. A kernel-mode process is still allowed to read from this device object.

=== MmMapIoSpace ===

The MmMapIoSpace function (or routine) is a kernel-mode function that maps a physical address range into non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx].
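The page-by-page acquisition loop that the MmMapIoSpace section above implies, as an added example that is not ForensicsWiki's or any acquisition tool's code: the list of RAM-backed physical ranges is assumed to be known in advance (from the platform's physical memory map), so memory-mapped I/O holes are skipped rather than read, and the MmMapIoSpace/MmUnmapIoSpace pair is represented by caller-supplied mapper callbacks so the loop can run in user space against a constructed buffer. All names (page_in_ram, image_physical, run_sample, sample_*) are mine; in a real kernel-mode imager the mapper would be the kernel routine and the ranges would come from the firmware memory map.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PAGE 4096u
/* One run of physical addresses backed by RAM. Built from the platform's
 * physical memory map, so MMIO holes are known up front and never read. */
typedef struct { uint64_t start, length; } phys_range_t;
/* Stand-ins for MmMapIoSpace / MmUnmapIoSpace (assumed contract: map returns
 * NULL when a page cannot be mapped, and every mapping must be released). */
typedef const uint8_t *(*map_fn)(uint64_t pa, size_t len);
typedef void (*unmap_fn)(const uint8_t *va, size_t len);
typedef struct { uint64_t copied, skipped, failed; } image_stats_t;
static int page_in_ram(const phys_range_t *r, size_t n, uint64_t pa) {
    for (size_t i = 0; i < n; i++)
        if (pa >= r[i].start && pa + PAGE <= r[i].start + r[i].length) return 1;
    return 0;
}
/* Copy physical pages [0, top) into out. Pages outside every RAM range (the
 * MMIO case) and pages the mapper refuses are zero-filled rather than read, so
 * "image offset == physical address" holds for the whole copy. */
image_stats_t image_physical(const phys_range_t *r, size_t n, uint64_t top,
                             map_fn map, unmap_fn unmap, uint8_t *out) {
    image_stats_t st = {0, 0, 0};
    for (uint64_t pa = 0; pa < top; pa += PAGE) {
        const uint8_t *va;
        if (!page_in_ram(r, n, pa)) { memset(out + pa, 0, PAGE); st.skipped++; continue; }
        if ((va = map(pa, PAGE)) == NULL) { memset(out + pa, 0, PAGE); st.failed++; continue; }
        memcpy(out + pa, va, PAGE);
        unmap(va, PAGE);
        st.copied++;
    }
    return st;
}
/* Constructed sample, not a real machine: 8 pages of fake "physical memory" in
 * a user-space buffer, page N filled with byte N+1, and page 5 refusing to map. */
#define SAMPLE_PAGES 8
static uint8_t sample_ram[SAMPLE_PAGES * PAGE], sample_out[SAMPLE_PAGES * PAGE];
static const uint8_t *sample_map(uint64_t pa, size_t len) {
    (void)len; return pa / PAGE == 5 ? NULL : sample_ram + pa;
}
static void sample_unmap(const uint8_t *va, size_t len) { (void)va; (void)len; }

/* RAM at pages 0-1 and 4-7; pages 2-3 are a simulated MMIO hole. */
image_stats_t run_sample(void) {
    const phys_range_t ram[] = { {0, 2 * PAGE}, {4 * PAGE, 4 * PAGE} };
    for (size_t i = 0; i < sizeof sample_ram; i++) sample_ram[i] = (uint8_t)(i / PAGE + 1);
    return image_physical(ram, 2, SAMPLE_PAGES * PAGE, sample_map, sample_unmap, sample_out);
}
uint8_t sample_byte(uint64_t pa) { return sample_out[pa]; }
```

Skipped and failed pages are zero-filled so the image keeps a flat offset-equals-physical-address layout; the returned counts tell the examiner how much of the image is real data rather than padding.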
== Also see ==

* [[Memory analysis]]
* [[:Tools:Memory_Imaging|Memory Imaging Tools]]

== External Links ==

* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf Anti-forensic resilient memory acquisition], by [[Johannes Stuettgen]], [[Michael Cohen]], August 2013
* [http://takahiroharuyama.github.io/blog/2014/01/07/64bit-big-size-ram-acquisition-problem/ 64bit Big Sized RAM Image Acquisition Problem], by [[Takahiro haruyama]], January 7, 2014
* [http://brimorlabs.blogspot.com/2014/01/all-memory-dumping-tools-are-not-same.html All memory dumping tools are not the same], by [[Brian Moran]], January 14, 2014
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], by [[Johannes Stüttgen]], [[Michael Cohen]], May 2014

[[Category:Memory Analysis]]

== External Links (Libdnet) ==

* [http://search.cpan.org/~vman/Net-Libdnet-0.01/ Net::Libdnet] - Perl interface to libdnet
* [http://www.shmoo.com/~bmc/software/ruby/ruby-dnet/ dnet.rb] - Ruby interface to libdnet
* [http://www.tcpdump.org/ libpcap] - portable packet capture library
* [http://winpcap.polito.it/ winpcap] - libpcap for Windows
* [http://monkey.org/~dugsong/pypcap/ pypcap] - libpcap Python module
* [http://monkey.org/~dugsong/dpkt/ dpkt] - fast, simple packet creation and parsing in Python
* [http://www.packetfactory.net/projects/libnet/ libnet] - packet construction library
* [http://www.hsc.fr/ressources/outils/pktfilter/index.html.en PktFilter] - win32 service to configure the IPv4 filtering driver in Windows 2000/XP/Server 2003
* [http://vtun.sourceforge.net/tun/ Universal TUN/TAP driver] - virtual point-to-point network tunnel device
* [http://www-user.rhrk.uni-kl.de/~nissler/tuntap/ TUN/TAP driver for MacOS X]
* [http://libdnet.sourceforge.net/tun-1.1-sol80.sparc64.gz Tunnel driver for Solaris 8 (sparc64)]

Revision as of 05:57, 27 June 2014
