Difference between pages "Cell phones" and "Memory Imaging"

From ForensicsWiki

= Cell phones =

'''Cell phones''' or '''mobile phones''' are an important target for [[forensic investigator]]s.

== Technologies ==

* [[CDMA]]
* [[TDMA]]
* [[GSM]]
* [[iDEN]]
* [[EDGE]]
* [[GPRS]]
* [[UMTS]]

== Hardware ==

* [[RIM BlackBerry]]
* [[T-Mobile Sidekick]]
* [[SIM Cards]]

== Operating Systems ==

* [[Microsoft PocketPC]]
* [[Microsoft Windows Mobile]]
* [[Palm]]
* [[RIM BlackBerry]]
* [[Symbian]]
* [[Linux]]

== Forensics ==

'''Procedures'''

* [[Cell Phone Forensics]]
* [[SIM Card Forensics]]
* [[External Memory Card Forensics]]
* [[Blackberry Forensics]]
* [[JTAG Forensics]]
* [[Chip-Off Forensics]]

== Tools ==

'''Flashers'''

* [[UFS Tornado]]

'''Hardware'''

* [[Azimuth RadioProof™ Enclosures]]
* [[Cellebrite UFED]]
* [[LogiCube CellDEK]]
* [[LogiCube CellDEK TEK]]
* [http://www.msab.com/xry/field-version Micro Systemation Field Version]
* [[Network Security Solutions Secure Tents]]
* [[Network Security Solutions Seizure Bags for Cell Phones/PDAs/Laptops]]
* [[Paraben CSI Stick]]
* [[Paraben Device Seizure Toolbox]]
* [[Paraben Handheld First Responder Kit]]
* [[Paraben StrongHold Bag]]
* [[Radio Frequency (RF) Jammers]]
* [[Radio Tactics Acesso]]
* [[Radio Tactics Apollo]]
* [[Radio Tactics Athena]]
* [[SIM Card Readers]]

'''Software'''

* [[BitPIM]]
* [[BK Forensics Cell Phone Analyzer]]
* [[FloAt's Mobile Agent]]
* [[ForensicMobile]]
* [[ForensicSIM]]
* [[Guidance Software Neutrino]]
* [[iDEN Companion Pro]]
* [[iDEN Media Downloader]]
* [[iDEN Phonebook Manager]]
* [[.XRY|MicroSystemation .XRY]]
* [[MOBILedit!]]
* [[Oxygen Forensic Suite 2010]]
* [[Paraben Device Seizure]]
* [[Paraben SIM Seizure]]
* [[Pandora's Box]]
* [[Quantaq USIMcommander]]
* [[Quantaq USIMdetective]]
* [[Quantaq USIMexplorer]]
* [[Quantaq USIMprofiler]]
* [[Quantaq USIMregistrar]]
* [[SIMiFOR]]
* [[Susteen Secure View]]
* [[TULP2G]]
* [[WOLF]]

== See Also ==

[[Cell phone forensics bibliography]]

= Memory Imaging =

{{expand}}

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O.

The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]]. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.

== Methods ==

=== Reading from the Physical Memory Object ===

In [[Windows]] the Physical Memory Object, \\Device\PhysicalMemory, can be used to access physical memory. Since Windows 2003 SP1 user-mode access to this device object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. A kernel-mode process is still allowed to read from this device object.

=== MmMapIoSpace ===

The MmMapIoSpace function (or routine) is a kernel-mode function that maps a physical address range to non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx].

== Also see ==

* [[Memory analysis]]
* [[:Tools:Memory_Imaging|Memory Imaging Tools]]

== External Links ==

* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf Anti-forensic resilient memory acquisition], by [[Johannes Stuettgen]], [[Michael Cohen]], August 2013
* [http://takahiroharuyama.github.io/blog/2014/01/07/64bit-big-size-ram-acquisition-problem/ 64bit Big Sized RAM Image Acquisition Problem], by [[Takahiro haruyama]], January 7, 2014
* [http://brimorlabs.blogspot.com/2014/01/all-memory-dumping-tools-are-not-same.html All memory dumping tools are not the same], by [[Brian Moran]], January 14, 2014
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], by [[Johannes Stüttgen]], [[Michael Cohen]], May 2014

[[Category:Memory Analysis]]
Revision as of 00:57, 27 June 2014
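The following is an added example, not content from the ForensicsWiki page. It shows, in C, the page-by-page acquisition loop behind the Memory Imaging "Methods" section above: an imager must know which physical address ranges are backed by RAM and must never read through the gaps, which on real hardware are typically memory-mapped I/O. A Windows acquisition driver would map each page with MmMapIoSpace and release it with MmUnmapIoSpace (the unmap routine is not mentioned on the page); here the map/unmap pair is a caller-supplied callback backed by a constructed 8-page buffer, so the loop runs in user mode. The run layout, the MMIO hole at pages 3 and 4, the fill bytes, and all identifiers (acquire_physical_memory, fake_map, demo_acquire, and so on) are assumptions made for this illustration.

```c
/* Added example, not from the wiki page: physical-memory acquisition loop with
 * the kernel map/unmap step abstracted into callbacks. All names are invented. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PAGE_BYTES 4096ULL

/* A run of physical addresses backed by RAM (start and length page aligned). */
typedef struct { uint64_t start; uint64_t length; } mem_run;

/* Map one physical page read-only, or return NULL if it cannot be mapped.
 * In a driver this pair would wrap MmMapIoSpace / MmUnmapIoSpace; here `ctx`
 * points at the constructed backing store used by the stub below. */
typedef const uint8_t *(*map_page_fn)(uint64_t phys, void *ctx);
typedef void (*unmap_page_fn)(const uint8_t *va, void *ctx);

typedef struct {
    uint8_t *image;        /* flat image: RAM pages copied, holes left zero-filled */
    uint64_t image_size;   /* highest run end, so image offset == physical address */
    uint64_t pages_copied;
    uint64_t pages_skipped; /* pages outside every run: never mapped, never read */
    uint64_t map_failures;  /* pages inside a run that the mapper refused */
} acq_result;

static int page_in_runs(uint64_t phys, const mem_run *runs, size_t nruns) {
    for (size_t i = 0; i < nruns; i++)
        if (phys >= runs[i].start && phys + PAGE_BYTES <= runs[i].start + runs[i].length)
            return 1;
    return 0;
}

/* Walk the physical address space page by page and copy every page that lies
 * inside a RAM run. Pages outside the runs (MMIO, reserved) are skipped without
 * ever being mapped; a failed mapping leaves a hole but does not abort the image. */
int acquire_physical_memory(const mem_run *runs, size_t nruns,
                            map_page_fn map_page, unmap_page_fn unmap_page,
                            void *ctx, acq_result *out)
{
    uint64_t top = 0;
    for (size_t i = 0; i < nruns; i++) {
        uint64_t end = runs[i].start + runs[i].length;
        if (end > top) top = end;
    }
    memset(out, 0, sizeof *out);
    out->image_size = top;
    out->image = calloc(1, (size_t)top);
    if (top && !out->image) return -1;

    for (uint64_t phys = 0; phys < top; phys += PAGE_BYTES) {
        if (!page_in_runs(phys, runs, nruns)) { out->pages_skipped++; continue; }
        const uint8_t *va = map_page(phys, ctx);
        if (!va) { out->map_failures++; continue; }
        memcpy(out->image + phys, va, PAGE_BYTES);
        unmap_page(va, ctx);
        out->pages_copied++;
    }
    return 0;
}

/* ---- constructed backing store: an 8-page "physical memory" for the stub ---- */
typedef struct { uint8_t *ram; uint64_t size; int mmio_touched; } fake_phys;

static const uint8_t *fake_map(uint64_t phys, void *ctx) {
    fake_phys *fp = ctx;
    /* Pages 3 and 4 stand in for an MMIO hole. Reading such a range on real
     * hardware can hang the machine, so the stub records the mistake instead. */
    if (phys >= 3 * PAGE_BYTES && phys < 5 * PAGE_BYTES) { fp->mmio_touched = 1; return NULL; }
    if (phys + PAGE_BYTES > fp->size) return NULL;
    return fp->ram + phys;
}
static void fake_unmap(const uint8_t *va, void *ctx) { (void)va; (void)ctx; }

/* Build the sample layout (runs [0,3) and [5,8) pages, each page filled with
 * 0xA0 + page number), run the loop, and return whether the MMIO hole was
 * touched (0 means the loop behaved correctly). Caller frees out->image. */
int demo_acquire(acq_result *out) {
    static const mem_run runs[] = { {0, 3 * PAGE_BYTES}, {5 * PAGE_BYTES, 3 * PAGE_BYTES} };
    fake_phys fp = { calloc(1, 8 * PAGE_BYTES), 8 * PAGE_BYTES, 0 };
    if (!fp.ram) return -1;
    for (uint64_t p = 0; p < 8; p++) memset(fp.ram + p * PAGE_BYTES, (int)(0xA0 + p), PAGE_BYTES);
    if (acquire_physical_memory(runs, 2, fake_map, fake_unmap, &fp, out) != 0) { free(fp.ram); return -1; }
    free(fp.ram);
    return fp.mmio_touched;
}

int main(void) {
    acq_result r;
    int touched = demo_acquire(&r);
    printf("copied %llu pages, skipped %llu, map failures %llu, MMIO touched: %s\n",
           (unsigned long long)r.pages_copied, (unsigned long long)r.pages_skipped,
           (unsigned long long)r.map_failures, touched ? "yes" : "no");
    free(r.image);
    return touched;
}
```

The hole is left zero-filled in the flat image and the counters record what was skipped. A tool writing one of the forensic image formats mentioned on the page would additionally store the run table, so that a reader can tell an unreadable region apart from RAM that genuinely contained zeros.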
