Difference between pages "Libdnet" and "Memory Imaging"

From ForensicsWiki
= Libdnet =

== Abstract ==

libdnet provides a simplified, portable interface to several low-level networking routines, including:

* network address manipulation
* kernel arp(4) cache and route(4) table lookup and manipulation
* network firewalling (IP filter, ipfw, ipchains, pf, PktFilter, ...)
* network interface lookup and manipulation
* IP tunnelling (BSD/Linux tun, Universal TUN/TAP device)
* raw IP packet and Ethernet frame transmission

== Supported languages ==

* C, C++
* Python
* Perl, Ruby (see below)

== Supported platforms ==

* BSD (OpenBSD, FreeBSD, NetBSD, BSD/OS)
* Linux (Redhat, Debian, Slackware, etc.)
* MacOS X
* Windows (NT/2000/XP)
* Solaris
* IRIX
* HP-UX
* Tru64

== External Links ==

* [http://search.cpan.org/~vman/Net-Libdnet-0.01/ Net::Libdnet] - Perl interface to libdnet
* [http://www.shmoo.com/~bmc/software/ruby/ruby-dnet/ dnet.rb] - Ruby interface to libdnet
* [http://www.tcpdump.org/ libpcap] - portable packet capture library
* [http://winpcap.polito.it/ winpcap] - libpcap for Windows
* [http://monkey.org/~dugsong/pypcap/ pypcap] - libpcap Python module
* [http://monkey.org/~dugsong/dpkt/ dpkt] - fast, simple packet creation and parsing in Python
* [http://www.packetfactory.net/projects/libnet/ libnet] - packet construction library
* [http://www.hsc.fr/ressources/outils/pktfilter/index.html.en PktFilter] - win32 service to configure the IPv4 filtering driver in Windows 2000/XP/Server 2003
* [http://vtun.sourceforge.net/tun/ Universal TUN/TAP driver] - virtual point-to-point network tunnel device
* [http://www-user.rhrk.uni-kl.de/~nissler/tuntap/ TUN/TAP driver for MacOS X]
* [http://libdnet.sourceforge.net/tun-1.1-sol80.sparc64.gz Tunnel driver for Solaris 8 (sparc64)]

== References ==

All information obtained on this page can be found at [http://libdnet.sourceforge.net/]

= Memory Imaging =

Revision as of 00:57, 27 June 2014

{{expand}}

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O. Reading a device's register window is not a plain memory read: it has side effects on the device and can hang or crash the system. An imager therefore has to consult the physical memory layout and copy only the ranges that are actually RAM, leaving the other ranges as gaps.

The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]]. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk, and to record which physical address ranges the image covers and which were skipped.

== Methods ==

=== Reading from the Physical Memory Object ===

In [[Windows]] the Physical Memory Object, \Device\PhysicalMemory, can be used to access physical memory. Since Windows Server 2003 SP1 user-mode access to this section object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. Kernel-mode code, i.e. a driver, can still open and read it.

=== MmMapIoSpace ===

The MmMapIoSpace routine is a kernel-mode function that maps a physical address range into non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx]. An acquisition driver can walk physical memory with it one page (or one range) at a time: map the range, copy it out, release the mapping again with MmUnmapIoSpace, and skip every range the memory map does not report as RAM.

== Also see ==

* [[Memory analysis]]
* [[:Tools:Memory_Imaging|Memory Imaging Tools]]

== External Links ==

* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf Anti-forensic resilient memory acquisition], by [[Johannes Stuettgen]], [[Michael Cohen]], August 2013
* [http://takahiroharuyama.github.io/blog/2014/01/07/64bit-big-size-ram-acquisition-problem/ 64bit Big Sized RAM Image Acquisition Problem], by [[Takahiro haruyama]], January 7, 2014
* [http://brimorlabs.blogspot.com/2014/01/all-memory-dumping-tools-are-not-same.html All memory dumping tools are not the same], by [[Brian Moran]], January 14, 2014
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], [[Johannes Stüttgen]] [[Michael Cohen]], May 2014

[[Category:Memory Analysis]]
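The page walk the Methods section of Memory Imaging describes, as an added example that is neither ForensicsWiki text nor the code of any acquisition tool. The memory map, the simulated physical address space and the run-list layout are constructed for the example, and `map_phys_page()` stands in for the kernel primitive (MmMapIoSpace/MmUnmapIoSpace in a Windows driver) so that the block runs as an ordinary user-space program. The point it makes is the one the page makes in prose: copy only the ranges the map reports as RAM, never touch the MMIO window, and keep a run list so an analysis tool can translate physical addresses back to file offsets and recognise the gaps.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_BYTES 4096u
#define MAX_RUNS   16

/* How the firmware memory map classifies a physical range. A Windows driver
 * gets the RAM ranges from MmGetPhysicalMemoryRanges(); Linux lists them as
 * "System RAM" in /proc/iomem. Anything that is not RAM must not be read. */
enum range_type { RANGE_RAM, RANGE_RESERVED, RANGE_MMIO };

struct phys_range { uint64_t start; uint64_t len; enum range_type type; };

/* Constructed layout for this example, not taken from a real machine:
 * four pages of RAM, a two-page device register window, four more pages of RAM. */
static const struct phys_range MEMORY_MAP[] = {
    { 0x0000, 0x4000, RANGE_RAM  },
    { 0x4000, 0x2000, RANGE_MMIO },
    { 0x6000, 0x4000, RANGE_RAM  },
};
#define PHYS_SIZE 0xA000u

/* Simulated physical address space. Every read that lands in the MMIO window
 * is counted: on real hardware that read pokes a device and can hang the box. */
static uint8_t g_phys[PHYS_SIZE];
static int g_device_reads;

/* Stand-in for the kernel primitive. In a Windows driver the same step is
 *   p = MmMapIoSpace(pa, PAGE_BYTES, MmNonCached); memcpy(dst, p, PAGE_BYTES);
 *   MmUnmapIoSpace(p, PAGE_BYTES);
 * Returns NULL for an unaligned address or one outside the address space. */
static const uint8_t *map_phys_page(uint64_t pa)
{
    if (pa % PAGE_BYTES != 0 || pa + PAGE_BYTES > PHYS_SIZE)
        return NULL;
    if (pa >= 0x4000 && pa < 0x6000)
        g_device_reads++;
    return g_phys + pa;
}

/* A run ties a contiguous stretch of the image file to the physical addresses
 * it came from; the gaps between runs are the ranges the imager skipped on
 * purpose. Windows crash dumps carry the same information in their run table. */
struct run { uint64_t phys; uint64_t file_off; uint64_t len; };

struct image {
    uint8_t   *data;
    uint64_t   len;
    struct run runs[MAX_RUNS];
    size_t     nruns;
};

/* Walk the map page by page, copy only RAM, record one run per RAM range.
 * Returns 0 on success, -1 on a mapping or allocation failure. */
int acquire(const struct phys_range *map, size_t nranges, struct image *img)
{
    memset(img, 0, sizeof *img);
    for (size_t i = 0; i < nranges; i++) {
        if (map[i].type != RANGE_RAM)
            continue;                         /* never touch MMIO or reserved ranges */
        if (img->nruns == MAX_RUNS)
            return -1;
        struct run *r = &img->runs[img->nruns++];
        r->phys = map[i].start;
        r->file_off = img->len;
        r->len = 0;
        for (uint64_t pa = map[i].start; pa < map[i].start + map[i].len; pa += PAGE_BYTES) {
            const uint8_t *page = map_phys_page(pa);
            if (page == NULL)
                return -1;
            uint8_t *grown = realloc(img->data, img->len + PAGE_BYTES);
            if (grown == NULL)
                return -1;
            img->data = grown;
            memcpy(img->data + img->len, page, PAGE_BYTES);
            img->len += PAGE_BYTES;
            r->len += PAGE_BYTES;
        }
    }
    return 0;
}

/* What an analysis tool does with a run-list image: translate a physical
 * address to a file offset, or return -1 when it falls into an unacquired gap. */
int64_t image_offset(const struct image *img, uint64_t pa)
{
    for (size_t i = 0; i < img->nruns; i++) {
        const struct run *r = &img->runs[i];
        if (pa >= r->phys && pa < r->phys + r->len)
            return (int64_t)(r->file_off + (pa - r->phys));
    }
    return -1;
}

/* Fill the simulated memory with a recognisable pattern, then image it. */
int run_acquisition(struct image *img)
{
    for (uint64_t i = 0; i < PHYS_SIZE; i++)
        g_phys[i] = (uint8_t)((i >> 12) * 0x11 + (i & 0xff));
    g_device_reads = 0;
    return acquire(MEMORY_MAP, sizeof MEMORY_MAP / sizeof MEMORY_MAP[0], img);
}

int device_reads(void) { return g_device_reads; }

int main(void)
{
    struct image img;
    if (run_acquisition(&img) != 0)
        return 1;
    printf("image: 0x%llx bytes in %zu runs, MMIO reads: %d\n",
           (unsigned long long)img.len, img.nruns, device_reads());
    for (size_t i = 0; i < img.nruns; i++)
        printf("  run %zu: phys 0x%llx -> file 0x%llx, len 0x%llx\n", i,
               (unsigned long long)img.runs[i].phys,
               (unsigned long long)img.runs[i].file_off,
               (unsigned long long)img.runs[i].len);
    free(img.data);
    return 0;
}
```

The check worth carrying over to a real tool is the `device_reads()` counter: an imager that reads every page from 0 to the top of memory, as a naive dump of \Device\PhysicalMemory would, produces a "complete" image at the price of touching the device window, and an image whose format cannot express gaps forces exactly that choice.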

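What the "raw IP packet ... transmission" item on the Libdnet page above amounts to in practice, as an added example that is not from the libdnet project: an IPv4/ICMP echo request is built by hand, including the one's-complement checksums that libdnet's ip_checksum() would otherwise fill in, and handed to ip_open()/ip_send(). The libdnet calls sit behind a USE_LIBDNET guard so the packet construction compiles and runs without the library; addresses, identifiers and the payload are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#ifdef USE_LIBDNET
#include <dnet.h>        /* ip_open(), ip_send(), ip_close(): compile with -DUSE_LIBDNET -ldnet */
#endif

#define IP_HDR_LEN   20
#define ICMP_HDR_LEN 8

/* RFC 1071 one's-complement checksum. Run over a header whose checksum field
 * is already filled in, it returns 0, which is how a receiver verifies it. */
uint16_t inet_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;      /* odd trailing byte, padded with zero */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);      /* fold the carries back in */
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }

/* Fill a 20-byte IPv4 header without options (DF set, fragment offset 0) and
 * compute its checksum. src/dst are host-order addresses, e.g. 0xc0a80001. */
void ip_header(uint8_t *out, uint16_t total_len, uint16_t id, uint8_t ttl,
               uint8_t proto, uint32_t src, uint32_t dst)
{
    memset(out, 0, IP_HDR_LEN);
    out[0] = 0x45;                 /* version 4, IHL 5 (20 bytes) */
    put16(out + 2, total_len);
    put16(out + 4, id);
    put16(out + 6, 0x4000);        /* flags: DF, fragment offset 0 */
    out[8] = ttl;
    out[9] = proto;
    put32(out + 12, src);
    put32(out + 16, dst);
    put16(out + 10, inet_checksum(out, IP_HDR_LEN));   /* computed with field zeroed */
}

/* Build a complete IPv4/ICMP echo request into pkt (must hold 28 + payload_len
 * bytes). Returns the packet length, the value that goes to ip_send(). */
size_t build_icmp_echo(uint8_t *pkt, uint32_t src, uint32_t dst, uint16_t id,
                       uint16_t seq, const uint8_t *payload, size_t payload_len)
{
    size_t total = IP_HDR_LEN + ICMP_HDR_LEN + payload_len;
    uint8_t *icmp = pkt + IP_HDR_LEN;
    ip_header(pkt, (uint16_t)total, 0x1234 /* IP id, constructed */, 64, 1 /* ICMP */, src, dst);
    icmp[0] = 8;                   /* type: echo request */
    icmp[1] = 0;                   /* code */
    put16(icmp + 2, 0);            /* checksum placeholder */
    put16(icmp + 4, id);
    put16(icmp + 6, seq);
    memcpy(icmp + ICMP_HDR_LEN, payload, payload_len);
    put16(icmp + 2, inet_checksum(icmp, ICMP_HDR_LEN + payload_len));
    return total;
}

#ifdef USE_LIBDNET
/* Hand the finished packet to the kernel's raw IP interface through libdnet.
 * Needs root (or CAP_NET_RAW on Linux). */
int send_raw(const uint8_t *pkt, size_t len)
{
    ip_t *ip = ip_open();
    if (ip == NULL)
        return -1;
    ssize_t n = ip_send(ip, pkt, len);
    ip_close(ip);
    return n == (ssize_t)len ? 0 : -1;
}
#endif

int main(void)
{
    uint8_t pkt[128];
    const char *payload = "libdnet!";                    /* constructed payload */
    size_t len = build_icmp_echo(pkt, 0xc0a80001u, 0xc0a800c7u, 0x0042, 1,
                                 (const uint8_t *)payload, strlen(payload));
    for (size_t i = 0; i < len; i++)
        printf("%02x%s", pkt[i], (i % 16 == 15 || i + 1 == len) ? "\n" : " ");
#ifdef USE_LIBDNET
    return send_raw(pkt, len) == 0 ? 0 : 1;
#else
    return 0;
#endif
}
```

Built without the guard the program only prints the packet bytes, which is enough to check the header against a known-good capture; the raw-socket send is the part that needs the library and the privileges that go with it.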