Difference between pages "Windows 7" and "Memory Imaging"

From ForensicsWiki

= Windows 7 =

== File Structure ==

File systems are covered separately.

== SSD ==

Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled. For an examiner this means the Prefetch directory may be empty or stale on such a system, so the absence of a .pf file is not by itself evidence that a program never ran.

Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:

<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>

== Jump Lists ==

[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

== Registry ==

The [[Windows_Registry]] remains a central component of the Windows 7 operating system.

== Known keys of forensic interest ==

Paths are given as hive file followed by the key path within that hive.

'''SAM Registry'''

* SAM\SAM\Domains\Account\Users
* SAM\SAM\Domains\Builtin\Aliases

'''Security Registry'''

* Security\Policy\PolAcDmS
* Security\Policy\PolPrDmS
* Security\Policy\PolAdtEv
* Security\Policy\Secrets

'''NTUSER Registry'''

* NTUSER\Control Panel\Desktop
* NTUSER\Control Panel\don\
* NTUSER\Environment
* NTUSER\Network
* NTUSER\Printers\Settings\Wizard\ConnectMRU
* NTUSER\Software
* NTUSER\Software\Adobe\Acrobat Reader
* NTUSER\Software\Ahead
* NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
* NTUSER\Software\Ares
* NTUSER\Software\bindshell.net\Odysseus
* NTUSER\Software\Blizzard Entertainment\Warcraft III\String
* NTUSER\Software\Cain\Settings
* NTUSER\Software\DECAFme
* NTUSER\Software\Google\Google Toolbar\4.0\whitelist
* NTUSER\Software\Google\NavClient\1.1\History
* NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
* NTUSER\Software\JavaSoft\Prefs\haven
* NTUSER\Software\Microsoft
* NTUSER\Software\Microsoft\Command Processor
* NTUSER\Software\Microsoft\CTF\LangBarAddIn
* NTUSER\Software\Microsoft\Dependency Walker\Recent File List
* NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
* NTUSER\Software\Microsoft\Internet Account Manager\Accounts
* NTUSER\Software\Microsoft\Internet Explorer\Main
* NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
* NTUSER\Software\Microsoft\Internet Explorer\Settings
* NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
* NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
* NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
* NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
* NTUSER\Software\Microsoft\Multimedia\Other
* NTUSER\Software\Microsoft\Office
* NTUSER\Software\Microsoft\Office\14.0
* NTUSER\Software\Microsoft\PIMSRV
* NTUSER\Software\Microsoft\Search Assistant\ACMru
* NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
* NTUSER\Software\Microsoft\Terminal Server Client\Default
* NTUSER\Software\Microsoft\Terminal Server Client\Servers
* NTUSER\Software\Microsoft\User Location Service\Client
* NTUSER\Software\Microsoft\Windows Live Contacts\Database
* NTUSER\Software\Microsoft\Windows Live Mail
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
* NTUSER\Software\Microsoft\Windows\CurrentVersion
* NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
* NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
* NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
* NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
* NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
* NTUSER\Software\Nico Mak Computing\WinZip
* NTUSER\Software\ORL\VNCHooks\Application_Prefs
* NTUSER\Software\ORL\VNCviewer\MRU
* NTUSER\Software\Piriform\CCleaner
* NTUSER\Software\Privoxy
* NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
* NTUSER\Software\RealVNC\VNCViewer4\MRU
* NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
* NTUSER\Software\Skype
* NTUSER\Software\SmartLine Vision\aports
* NTUSER\Software\SysInternals
* NTUSER\Software\Sysinternals\RootkitRevealer
* NTUSER\Software\VMware
* NTUSER\Software\WinRAR\ArcHistory
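As an added example of working with one of the NTUSER keys listed above (the UserAssist key; this is example code written for this page, not ForensicsWiki's), the following Python decodes Windows 7 UserAssist entries: Explorer stores the program path as a ROT13-obfuscated value name under UserAssist\{GUID}\Count, and on Windows 7 the 72-byte value data carries the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-execution FILETIME at offset 60. The Count values used here are constructed (in a real case they come from a hive parser), and the GUID in the sample name is the ROT13 form of FOLDERID_System, the way Explorer writes it.

```python
"""Decode Windows 7 UserAssist entries (added example, constructed sample data)."""
import codecs
import struct
from datetime import datetime, timedelta

_EPOCH_1601 = datetime(1601, 1, 1)
# Windows 7 layout: session, run count, focus count, focus ms, 10 floats, unknown,
# last-execution FILETIME, unknown = 72 bytes. Windows XP used a 16-byte layout instead.
_WIN7_FMT = "<IIII10fIQI"
assert struct.calcsize(_WIN7_FMT) == 72


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - _EPOCH_1601) / timedelta(microseconds=1)) * 10


def decode_userassist_name(name):
    """Explorer stores names such as {1NP14R77-...}\\pzq.rkr; ROT13 gives the real path."""
    return codecs.decode(name, "rot_13")


def parse_win7_userassist_value(data):
    """Parse one Windows 7 UserAssist value; None for any other layout."""
    if len(data) != 72:
        return None
    fields = struct.unpack(_WIN7_FMT, data)
    ft = fields[15]
    return {
        "session": fields[0],
        "run_count": fields[1],
        "focus_count": fields[2],
        "focus_time": timedelta(milliseconds=fields[3]),
        "last_run": filetime_to_datetime(ft) if ft else None,  # zero FILETIME = never
    }


def build_win7_userassist_value(run_count, focus_count, focus_ms, last_run):
    """Constructed test data in the Windows 7 layout (floats and unknowns zeroed)."""
    return struct.pack(_WIN7_FMT, 0, run_count, focus_count, focus_ms,
                       *([0.0] * 10), 0, datetime_to_filetime(last_run), 0)


# Constructed contents of a Count subkey: value name -> value data.
SAMPLE_COUNT_VALUES = {
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr":
        build_win7_userassist_value(5, 3, 120000, datetime(2014, 6, 27, 5, 57, 0)),
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\abgrcnq.rkr":
        build_win7_userassist_value(1, 0, 0, _EPOCH_1601),   # never-run timestamp
}


def decode_count_key(values):
    """Return [(decoded name, parsed fields)] for every Windows 7-format value."""
    out = []
    for name, data in values.items():
        parsed = parse_win7_userassist_value(data)
        if parsed is not None:
            out.append((decode_userassist_name(name), parsed))
    return out


if __name__ == "__main__":
    for path, info in decode_count_key(SAMPLE_COUNT_VALUES):
        print(path, info["run_count"], info["last_run"])
```

The run count and last-run timestamp are what place a program execution on a timeline; a zero FILETIME is reported as no timestamp rather than as 1601-01-01 so it is not mistaken for a real event.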

= Memory Imaging =

Revision as of 05:57, 27 June 2014

{{expand}}

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O. Reading such a range from a driver can hang or crash the machine, so an acquisition tool has to know the physical memory layout and skip the holes rather than read the address space blindly from 0 to the top of memory.

The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]]. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk, and to record where the holes were.

== Methods ==

=== Reading from the Physical Memory Object ===

In [[Windows]] the Physical Memory Object, \Device\PhysicalMemory, can be used to access physical memory. Since Windows Server 2003 SP1 user-mode access to this device object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. Kernel-mode code is still allowed to read from it, which is why acquisition tools ship a driver and do the reading on behalf of a user-mode process.

=== MmMapIoSpace ===

The MmMapIoSpace routine is a kernel-mode function that maps a physical address range into non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx]. A driver can map a page of physical memory this way, copy it out, and unmap it again; the same caveat about memory-mapped I/O applies, since the routine will happily map device registers as well as RAM.
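To make the two points above concrete (skip the inaccessible ranges, and store the copy in a format that remembers where they were), here is an added Python example that is not ForensicsWiki code: it walks a physical memory map, reads only the RAM runs page by page, and writes them as an ELF64 core file whose PT_LOAD program headers carry the physical start address of each run in p_paddr, the layout several acquisition tools use for their ELF output. The physical memory map, the page contents and the reader class are constructed for the example; on Windows the reader would be a kernel-mode driver mapping each page (e.g. with MmMapIoSpace) and copying it to a user-mode buffer. A RAM page the driver fails to read is zero-filled and reported, so the run table stays intact and the gap is documented instead of aborting the acquisition.

```python
"""Run-aware physical memory acquisition into an ELF64 core (added example)."""
import struct

PAGE = 0x1000
ELF_HDR, PHDR = 64, 56
PT_LOAD, PF_R, ET_CORE, EM_X86_64 = 1, 4, 4, 62

# Constructed physical memory map, (start, length, kind): two RAM runs separated by
# a memory-mapped I/O hole, like the reserved ranges firmware leaves below 4 GiB.
PHYS_MAP = [
    (0x0000, 0x3000, "ram"),
    (0x3000, 0x1000, "mmio"),
    (0x4000, 0x2000, "ram"),
]


class FakePhysicalMemory:
    """Stands in for the kernel driver. Touching MMIO raises, as a real read could hang;
    'unreadable' models a RAM page the driver fails to map (e.g. firmware-reserved)."""

    def __init__(self, phys_map, unreadable=()):
        self.mmio = [(s, s + n) for s, n, kind in phys_map if kind == "mmio"]
        self.unreadable = set(unreadable)

    def read_page(self, paddr):
        if paddr in self.unreadable or any(lo <= paddr < hi for lo, hi in self.mmio):
            raise IOError("cannot read physical page %#x" % paddr)
        return bytes([(paddr // PAGE) & 0xFF]) * PAGE  # filler: page number


def ram_runs(phys_map):
    """Merge adjacent RAM ranges into (start, length) runs; everything else is a hole."""
    runs = []
    for start, length, kind in sorted(phys_map):
        if kind != "ram":
            continue
        if runs and runs[-1][0] + runs[-1][1] == start:
            runs[-1] = (runs[-1][0], runs[-1][1] + length)
        else:
            runs.append((start, length))
    return runs


def acquire_elf_core(mem, phys_map):
    """Return (ELF core bytes, pages that failed to read and were zero-filled)."""
    runs = ram_runs(phys_map)
    file_off = ELF_HDR + PHDR * len(runs)
    phdrs, blobs, bad_pages = [], [], []
    for start, length in runs:
        buf = bytearray()
        for paddr in range(start, start + length, PAGE):
            try:
                buf += mem.read_page(paddr)
            except IOError:
                buf += bytes(PAGE)          # keep the run contiguous, record the gap
                bad_pages.append(paddr)
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs.append(struct.pack("<IIQQQQQQ", PT_LOAD, PF_R, file_off, 0,
                                 start, length, length, PAGE))
        blobs.append(bytes(buf))
        file_off += length
    e_ident = b"\x7fELF\x02\x01\x01" + bytes(9)   # ELFCLASS64, little-endian, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, ET_CORE, EM_X86_64, 1,
                       0, ELF_HDR, 0, 0, ELF_HDR, PHDR, len(runs), 0, 0, 0)
    return ehdr + b"".join(phdrs) + b"".join(blobs), bad_pages


def load_segments(image):
    """Read the program headers back: {p_paddr: (file offset, size)} per PT_LOAD."""
    e_phoff = struct.unpack_from("<Q", image, 32)[0]
    e_phnum = struct.unpack_from("<H", image, 56)[0]
    segs = {}
    for i in range(e_phnum):
        p_type, _, p_off, _, p_paddr, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", image, e_phoff + PHDR * i)
        if p_type == PT_LOAD:
            segs[p_paddr] = (p_off, p_filesz)
    return segs


def read_physical(image, paddr, size):
    """What an analysis tool does: translate a physical address through the run table.
    Returns None when the range falls into a hole; bytes are never fabricated for MMIO."""
    for p_paddr, (p_off, p_filesz) in load_segments(image).items():
        if p_paddr <= paddr and paddr + size <= p_paddr + p_filesz:
            start = p_off + (paddr - p_paddr)
            return image[start:start + size]
    return None


if __name__ == "__main__":
    mem = FakePhysicalMemory(PHYS_MAP, unreadable={0x5000})
    image, bad = acquire_elf_core(mem, PHYS_MAP)
    print("runs:", ram_runs(PHYS_MAP), "zero-filled pages:", [hex(p) for p in bad])
    print("0x3800 readable from image:", read_physical(image, 0x3800, 16) is not None)
```

A flat "raw" image would have to pad the MMIO hole with something and would give the analyst no way to tell padding from zeroed RAM; the run table in the program headers keeps that distinction, which is the point of the format remark above.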
== Also see ==

* [[Memory analysis]]
* [[:Tools:Memory_Imaging|Memory Imaging Tools]]

== External Links ==

* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf Anti-forensic resilient memory acquisition], by [[Johannes Stuettgen]], [[Michael Cohen]], August 2013
* [http://takahiroharuyama.github.io/blog/2014/01/07/64bit-big-size-ram-acquisition-problem/ 64bit Big Sized RAM Image Acquisition Problem], by [[Takahiro haruyama]], January 7, 2014
* [http://brimorlabs.blogspot.com/2014/01/all-memory-dumping-tools-are-not-same.html All memory dumping tools are not the same], by [[Brian Moran]], January 14, 2014
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], by [[Johannes Stüttgen]], [[Michael Cohen]], May 2014

[[Category:Memory Analysis]]