Difference between pages "Windows 7" and "Memory Imaging"

From ForensicsWiki

The two pages being compared are reproduced below as wikitext, one after the other.

= Windows 7 =

{{expand}}

== File Structure ==

File systems are covered separately.

== SSD ==

Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.

Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:

<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>

For an examiner this means that sparse or missing Prefetch and SuperFetch artifacts on an SSD-based Windows 7 system are expected behaviour and are not, by themselves, evidence of anti-forensic activity.

== Jump Lists ==

[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

== Registry ==

The [[Windows_Registry]] remains a central component of the Windows 7 operating system.

== Known keys of forensic interest ==

'''SAM Registry'''

* SAM\SAM\Domains\Account\Users
* SAM\SAM\Domains\Builtin\Aliases

'''Security Registry'''

* Security\Policy\PolAcDmS
* Security\Policy\PolPrDmS
* Security\Policy\PolAdtEv
* Security\Policy\Secrets

'''NTUSER Registry'''

* NTUSER\Control Panel\Desktop
* NTUSER\Control Panel\don\
* NTUSER\Environment
* NTUSER\Network
* NTUSER\Printers\Settings\Wizard\ConnectMRU
* NTUSER\Software
* NTUSER\Software\Adobe\Acrobat Reader
* NTUSER\Software\Ahead
* NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
* NTUSER\Software\Ares
* NTUSER\Software\bindshell.net\Odysseus
* NTUSER\Software\Blizzard Entertainment\Warcraft III\String
* NTUSER\Software\Cain\Settings
* NTUSER\Software\DECAFme
* NTUSER\Software\Google\Google Toolbar\4.0\whitelist
* NTUSER\Software\Google\NavClient\1.1\History
* NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
* NTUSER\Software\JavaSoft\Prefs\haven
* NTUSER\Software\Microsoft
* NTUSER\Software\Microsoft\Command Processor
* NTUSER\Software\Microsoft\CTF\LangBarAddIn
* NTUSER\Software\Microsoft\Dependency Walker\Recent File List
* NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
* NTUSER\Software\Microsoft\Internet Account Manager\Accounts
* NTUSER\Software\Microsoft\Internet Explorer\Main
* NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
* NTUSER\Software\Microsoft\Internet Explorer\Settings
* NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
* NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
* NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
* NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
* NTUSER\Software\Microsoft\Multimedia\Other
* NTUSER\Software\Microsoft\Office
* NTUSER\Software\Microsoft\Office\14.0
* NTUSER\Software\Microsoft\PIMSRV
* NTUSER\Software\Microsoft\Search Assistant\ACMru
* NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
* NTUSER\Software\Microsoft\Terminal Server Client\Default
* NTUSER\Software\Microsoft\Terminal Server Client\Servers
* NTUSER\Software\Microsoft\User Location Service\Client
* NTUSER\Software\Microsoft\Windows Live Contacts\Database
* NTUSER\Software\Microsoft\Windows Live Mail
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
* NTUSER\Software\Microsoft\Windows\CurrentVersion
* NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
* NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
* NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
* NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
* NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
* NTUSER\Software\Nico Mak Computing\WinZip
* NTUSER\Software\ORL\VNCHooks\Application_Prefs
* NTUSER\Software\ORL\VNCviewer\MRU
* NTUSER\Software\Piriform\CCleaner
* NTUSER\Software\Privoxy
* NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
* NTUSER\Software\RealVNC\VNCViewer4\MRU
* NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
* NTUSER\Software\Skype
* NTUSER\Software\SmartLine Vision\aports
* NTUSER\Software\SysInternals
* NTUSER\Software\Sysinternals\RootkitRevealer
* NTUSER\Software\VMware
* NTUSER\Software\WinRAR\ArcHistory

= Memory Imaging =

{{expand}}

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].

For physical memory it is common to have sections of the physical address space that are not accessible, e.g. because they are assigned to memory-mapped I/O rather than to RAM. Such ranges should be skipped rather than read: touching device registers can hang or corrupt the system being imaged, and the resulting image needs some way of recording where the gaps were so that physical offsets can still be resolved during analysis.

The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]]. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.

== Methods ==

=== Reading from the Physical Memory Object ===

In [[Windows]] the Physical Memory Object, \Device\PhysicalMemory, can be used to access physical memory. Since Windows Server 2003 SP1 user-mode access to this device object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. Kernel-mode code (i.e. a driver) is still allowed to open and read from it, so acquisition tools that rely on this method have to load a driver on the target system.

=== MmMapIoSpace ===

MmMapIoSpace is a kernel-mode routine that maps a physical address range into non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx]. An acquisition driver can use it to map physical memory one page (or a small number of pages) at a time, copy the mapped page out to the image, and release the mapping again with MmUnmapIoSpace before moving on to the next page.

== Also see ==

* [[Memory analysis]]
* [[:Tools:Memory_Imaging|Memory Imaging Tools]]

== External Links ==

* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf Anti-forensic resilient memory acquisition], by [[Johannes Stuettgen]], [[Michael Cohen]], August 2013
* [http://takahiroharuyama.github.io/blog/2014/01/07/64bit-big-size-ram-acquisition-problem/ 64bit Big Sized RAM Image Acquisition Problem], by [[Takahiro haruyama]], January 7, 2014
* [http://brimorlabs.blogspot.com/2014/01/all-memory-dumping-tools-are-not-same.html All memory dumping tools are not the same], by [[Brian Moran]], January 14, 2014
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], [[Johannes Stüttgen]] [[Michael Cohen]], May 2014

[[Category:Memory Analysis]]
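The following is an added example and is not code from the ForensicsWiki page or from any acquisition tool. It illustrates the acquisition loop that the Methods section of the Memory Imaging page describes (walking the list of physical memory runs, mapping and copying one page at a time, and leaving the non-RAM gaps as zero filler so that offset in the image equals physical address). A real acquisition driver has to run inside the Windows kernel, so the kernel routines it would call (MmGetPhysicalMemoryRanges, MmMapIoSpace, MmUnmapIoSpace) are replaced here by user-mode stand-ins named sim_get_ranges, sim_map_page and sim_unmap_page (assumed names) that operate on a constructed 8-page physical address space with a memory-mapped I/O hole at pages 3 and 4; the code therefore compiles and runs on any host.

```c
/*
 * Added example: the acquisition loop of a physical-memory imager, simulated
 * in user space.  In a real Windows driver the three stand-ins below would be
 * MmGetPhysicalMemoryRanges(), MmMapIoSpace() and MmUnmapIoSpace(); here they
 * operate on a constructed 8-page "physical address space" with an MMIO hole
 * in the middle, so the example compiles and runs on any host.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096ULL
#define SIM_PAGES 8ULL

/* One run of real RAM, as the kernel's PHYSICAL_MEMORY_RANGE array reports it. */
typedef struct {
    uint64_t base;    /* physical base address of the run */
    uint64_t length;  /* length in bytes; a zero-length entry terminates the list */
} phys_range_t;

/* Constructed address space: RAM at pages 0-2 and 5-7, MMIO at pages 3-4. */
static uint8_t sim_phys[SIM_PAGES * PAGE_SIZE];
static const phys_range_t sim_ranges[] = {
    { 0 * PAGE_SIZE, 3 * PAGE_SIZE },
    { 5 * PAGE_SIZE, 3 * PAGE_SIZE },
    { 0, 0 }
};

/* Stand-in for MmGetPhysicalMemoryRanges(): return the run list. */
static const phys_range_t *sim_get_ranges(void) { return sim_ranges; }

/* Stand-in for MmMapIoSpace(): map one page, or fail (NULL) for anything that
 * is not RAM.  A real driver must never read the MMIO hole: on hardware that
 * can hang the machine or trigger side effects in the device. */
static const uint8_t *sim_map_page(uint64_t pa) {
    if (pa % PAGE_SIZE != 0 || pa + PAGE_SIZE > SIM_PAGES * PAGE_SIZE)
        return NULL;
    for (const phys_range_t *r = sim_ranges; r->length != 0; r++)
        if (pa >= r->base && pa + PAGE_SIZE <= r->base + r->length)
            return sim_phys + pa;
    return NULL;
}

/* Stand-in for MmUnmapIoSpace(): nothing to release in the simulation. */
static void sim_unmap_page(const uint8_t *va) { (void)va; }

typedef struct {
    uint64_t pages_copied;  /* pages actually read from RAM */
    uint64_t pages_padded;  /* pages of the image left as zero filler */
    uint64_t image_size;    /* end of the highest run, i.e. bytes in the raw image */
} acq_stats_t;

/*
 * Walk the run list and build a raw image in which offset == physical address.
 * Pages that cannot be mapped are left zero-filled instead of aborting the
 * acquisition, which is how raw dumpers treat reserved and MMIO ranges.
 * Returns 0 on success, -1 if the buffer is too small for the highest run.
 */
int acquire_raw(const phys_range_t *ranges, uint8_t *image, size_t image_len,
                acq_stats_t *st) {
    memset(st, 0, sizeof *st);
    memset(image, 0, image_len);               /* gaps become zero filler */
    for (const phys_range_t *r = ranges; r->length != 0; r++) {
        uint64_t end = r->base + r->length;
        if (end > image_len)
            return -1;
        for (uint64_t pa = r->base; pa < end; pa += PAGE_SIZE) {
            const uint8_t *va = sim_map_page(pa);
            if (va == NULL)
                continue;                      /* leave the page as filler */
            memcpy(image + pa, va, PAGE_SIZE); /* offset == physical address */
            sim_unmap_page(va);
            st->pages_copied++;
        }
        if (end > st->image_size)
            st->image_size = end;
    }
    st->pages_padded = st->image_size / PAGE_SIZE - st->pages_copied;
    return 0;
}

/* Fill the simulated RAM with a recognisable per-page pattern (page n holds
 * byte 0x10+n), run the acquisition, and return the resulting raw image. */
static uint8_t sim_image[SIM_PAGES * PAGE_SIZE];

const uint8_t *acquire_demo(acq_stats_t *st) {
    for (uint64_t n = 0; n < SIM_PAGES; n++)
        memset(sim_phys + n * PAGE_SIZE, (int)(0x10 + n), PAGE_SIZE);
    if (acquire_raw(sim_get_ranges(), sim_image, sizeof sim_image, st) != 0)
        return NULL;
    return sim_image;
}

int main(void) {
    acq_stats_t st;
    const uint8_t *img = acquire_demo(&st);
    if (img == NULL) {
        fputs("acquisition failed\n", stderr);
        return 1;
    }
    printf("image: %llu bytes, %llu pages copied, %llu pages zero-padded\n",
           (unsigned long long)st.image_size,
           (unsigned long long)st.pages_copied,
           (unsigned long long)st.pages_padded);
    /* Page 5 came from RAM; page 3 lies in the MMIO hole and stays zero. */
    printf("byte at phys 0x%llx = 0x%02x, at phys 0x%llx = 0x%02x\n",
           (unsigned long long)(5 * PAGE_SIZE), img[5 * PAGE_SIZE],
           (unsigned long long)(3 * PAGE_SIZE), img[3 * PAGE_SIZE]);
    return 0;
}
```

The design point worth noting is that the image is sized to the end of the highest RAM run and the holes are preserved as zeros rather than being squeezed out. An analysis tool that assumes offset equals physical address (as is common for raw images) then works unchanged; a tool that instead writes only the runs back to back needs the run table to be stored alongside the data, which is one of the things the forensic image formats mentioned above can record.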

Memory Imaging: revision as of 00:57, 27 June 2014