Difference between pages "Barnyard2" and "Memory Imaging"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Created page with "==About == Barnyard is a critical tool for the parsing of Snort's unified binary files, processing and on-forwarding to a variety of output plugins. Unfortunately it has not s...")
 
(External Links)
 
Line 1: Line 1:
==About ==
+
{{expand}}
Barnyard is a critical tool for the parsing of Snort's unified binary files, processing and on-forwarding to a variety of output plugins. Unfortunately it has not seen an updated in over 4 years and is not going to be maintained by the original developers. With the new version of the unified format (ie. unified2) arriving we need something to bridge this gap.
+
To quote directly from the Snort FAQ:
+
* "Barnyard is an output system for Snort. Snort creates a special binary output format called unified. Barnyard reads this file, and then resends the data to a database backend. Unlike the database output plug-in, Barnyard is aware of a failure to send the alert to the database, and it stops sending alerts. It is also aware when the database can accept connections again and will start sending the alerts again."
+
  
The SXL team love barnyard. So much so that we want it to stay and have been tinkering around with the code to give it a breath of new life. Here is what we have achieved to far for this reinvigorated code base:
+
Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].
Parsing of the new unified2 log files.
+
*Maintaining majority of the command syntax of barnyard.
+
*Addressed all associated bug reports and feature requests arising since barnyard-0.2.0.
+
*Completely rewritten code based on the GPLv2 Snort making it entirely GPLv2.
+
  
== References ==
+
For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O
All information on this page is referenced to [http://www.securixlive.com/barnyard2/about.php securixlive.com] where further information about Barnyard can be found.
+
 
 +
The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]].
 +
Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.
 +
 
 +
== Methods ==
 +
 
 +
=== Reading from the Physical Memory Object ===
 +
In [[Windows]] the Physical Memory Object, \\Device\PhysicalMemory, can be used the access physical memory. Since Windows 2003 SP1 user-mode access to this device-object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. A kernel-mode process is still allowed to read from this device-object.
 +
 
 +
=== MmMapIoSpace ===
 +
 
 +
The MmMapIoSpace function (or routine) is kernel-mode function to map a physical address range to non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx].
 +
 
 +
== Also see ==
 +
* [[Memory analysis]]
 +
* [[:Tools:Memory_Imaging|Memory Imaging Tools]]
 +
 
 +
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]
 +
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf Anti-forensic resilient memory acquisition], by [[Johannes Stuettgen]], [[Michael Cohen]], August 2013
 +
* [http://takahiroharuyama.github.io/blog/2014/01/07/64bit-big-size-ram-acquisition-problem/ 64bit Big Sized RAM Image Acquisition Problem], by [[Takahiro haruyama]], January 7, 2014
 +
* [http://brimorlabs.blogspot.com/2014/01/all-memory-dumping-tools-are-not-same.html All memory dumping tools are not the same], by [[Brian Moran]], January 14, 2014
 +
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], [[Johannes Stüttgen]] [[Michael Cohen]], May 2014
 +
 
 +
[[Category:Memory Analysis]]

Revision as of 01:57, 27 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to Disk Imaging.

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O

The resulting copy is stored in a Forensics image format. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.

Methods

Reading from the Physical Memory Object

In Windows the Physical Memory Object, \\Device\PhysicalMemory, can be used the access physical memory. Since Windows 2003 SP1 user-mode access to this device-object is no longer permitted [1]. A kernel-mode process is still allowed to read from this device-object.

MmMapIoSpace

The MmMapIoSpace function (or routine) is kernel-mode function to map a physical address range to non-paged system space [2].

Also see

External Links