Difference between pages "Chrome Disk Cache Format" and "Memory Imaging"

From ForensicsWiki

This comparison view sets the wikitext of two unrelated pages side by side; the two pages are reproduced separately below.

= Chrome Disk Cache Format =

{{expand}}

== Cache files ==
The cache is stored in multiple files:
{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files
|-
| f_######
| (Separate) data stream file
|}

== Cache address ==
The cache address is 4 bytes in size and consists of:
{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| <i>If file type is 0 (Separate file)</i>
|
|
|
|-
| 0.0
| 28 bits
|
| File number <br> The value represents the value of # in f_######
|-
| <i>Else</i>
|
|
|
|-
| 0.0
| 16 bits
|
| Block number
|-
| 2.0
| 8 bits
|
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
|
| Block size <br> The number of contiguous blocks, where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
|
| Reserved
|-
| <i>Common</i>
|
|
|
|-
| 3.4
| 3 bits
|
| File type
|-
| 3.7
| 1 bit
|
| Initialized flag
|}

=== File types ===
{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
|
|
|-
| 6
| Unknown; seen on Mac OS X (e.g. cache address 0x6f430074)
|}

==== Examples ====
{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a
|-
| 0xa0010003
| Block data file: data_1, block number 3, block size 1 (1 block)
|}

== Index file format (index) ==
Overview:
* File header
* least recently used (LRU) data (or eviction control data)
* index table

=== File header ===
*TODO*

== Data block file format (data_#) ==
Overview:
* File header
* array of blocks

=== File header ===
*TODO*

== Data stream ==
See: [[gzip]]

== See Also ==
* [[Google Chrome]]
* [[gzip]]

== External Links ==
* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Disk Cache], The Chromium Projects

[[Category:File Formats]]

= Memory Imaging =

{{expand}}

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O.

The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]]. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.

== Methods ==

=== Reading from the Physical Memory Object ===
In [[Windows]] the Physical Memory Object, \\Device\PhysicalMemory, can be used to access physical memory. Since Windows 2003 SP1 user-mode access to this device object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. A kernel-mode process is still allowed to read from this device object.

=== MmMapIoSpace ===
The MmMapIoSpace function (or routine) is a kernel-mode function that maps a physical address range to non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx].

== Also see ==
* [[Memory analysis]]
* [[:Tools:Memory_Imaging|Memory Imaging Tools]]

== External Links ==
* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf Anti-forensic resilient memory acquisition], by [[Johannes Stuettgen]], [[Michael Cohen]], August 2013
* [http://takahiroharuyama.github.io/blog/2014/01/07/64bit-big-size-ram-acquisition-problem/ 64bit Big Sized RAM Image Acquisition Problem], by [[Takahiro haruyama]], January 7, 2014
* [http://brimorlabs.blogspot.com/2014/01/all-memory-dumping-tools-are-not-same.html All memory dumping tools are not the same], by [[Brian Moran]], January 14, 2014
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], by [[Johannes Stüttgen]], [[Michael Cohen]], May 2014

[[Category:Memory Analysis]]

Revision as of 01:57, 27 June 2014
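The "Cache address", "File types" and "Examples" tables of the Chrome Disk Cache Format page above describe how a 4-byte cache address is split into fields. The following decoder is an added illustration written for this page; it is not Chromium's own code. It assumes the four bytes are stored little-endian in the cache files (which is what the table's byte offsets imply: byte 3 carries the file type and initialized flag), and it reproduces the wording of the "Examples" table for the two documented sample values.

```python
"""Decode Chrome disk-cache addresses as laid out in the "Cache address",
"File types" and "Examples" tables. Added illustration, not Chromium code."""
from dataclasses import dataclass
from typing import Optional

# Bit positions follow the table: byte offset 3 of the little-endian uint32
# holds bits 24..31, so "3.4, 3 bits" is bits 28..30 and "3.7" is bit 31.
INITIALIZED_BIT = 31
FILE_TYPE_SHIFT, FILE_TYPE_MASK = 28, 0x7
RESERVED_SHIFT, RESERVED_MASK = 26, 0x3          # offset 3.2, 2 bits
NUM_BLOCKS_SHIFT, NUM_BLOCKS_MASK = 24, 0x3      # offset 3.0, 2 bits
FILE_NUMBER_SHIFT, FILE_NUMBER_MASK = 16, 0xFF   # offset 2.0, 8 bits (data_#)
BLOCK_NUMBER_MASK = 0xFFFF                       # offset 0.0, 16 bits
STREAM_FILE_NUMBER_MASK = 0x0FFFFFFF             # offset 0.0, 28 bits (f_######)

# Block size in bytes per block-data file type, from the "File types" table.
BLOCK_SIZES = {1: 36, 2: 256, 3: 1024, 4: 4096}


@dataclass(frozen=True)
class CacheAddr:
    raw: int
    initialized: bool
    file_type: int
    file_number: int                 # the # in f_###### or data_#
    block_number: Optional[int]      # None for a separate data stream file
    num_blocks: Optional[int]        # contiguous blocks, 1..4; None for type 0
    reserved: Optional[int]

    @property
    def filename(self) -> str:
        if self.file_type == 0:
            return f"f_{self.file_number:06x}"
        return f"data_{self.file_number}"

    @property
    def byte_length(self) -> Optional[int]:
        """Bytes covered inside a block file; None for stream files and for
        file types the table does not document (5, 6, 7)."""
        size = BLOCK_SIZES.get(self.file_type)
        return None if size is None else size * self.num_blocks


def parse_cache_addr(value: int) -> CacheAddr:
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("cache address must fit in 4 bytes")
    initialized = bool((value >> INITIALIZED_BIT) & 1)
    file_type = (value >> FILE_TYPE_SHIFT) & FILE_TYPE_MASK
    if file_type == 0:
        # Separate file: the low 28 bits are the file number, nothing else.
        return CacheAddr(value, initialized, 0,
                         value & STREAM_FILE_NUMBER_MASK, None, None, None)
    return CacheAddr(
        value, initialized, file_type,
        file_number=(value >> FILE_NUMBER_SHIFT) & FILE_NUMBER_MASK,
        block_number=value & BLOCK_NUMBER_MASK,
        num_blocks=((value >> NUM_BLOCKS_SHIFT) & NUM_BLOCKS_MASK) + 1,
        reserved=(value >> RESERVED_SHIFT) & RESERVED_MASK,
    )


def parse_cache_addr_bytes(buf: bytes) -> CacheAddr:
    """Decode an address read straight from a cache file. Assumes the 4 bytes
    are stored little-endian, which is what the table's byte offsets imply."""
    if len(buf) < 4:
        raise ValueError("need 4 bytes")
    return parse_cache_addr(int.from_bytes(buf[:4], "little"))


def describe(addr: CacheAddr) -> str:
    """Render an address the way the "Examples" table does."""
    if not addr.initialized:
        return "Not initialized"
    if addr.file_type == 0:
        return f"Data stream file: {addr.filename}"
    plural = "s" if addr.num_blocks != 1 else ""
    desc = (f"Block data file: {addr.filename}, block number {addr.block_number}, "
            f"{addr.num_blocks} block{plural}")
    if addr.byte_length is None:
        desc += f" (undocumented file type {addr.file_type})"
    return desc


if __name__ == "__main__":
    for raw in (0x00000000, 0x8000002A, 0xA0010003, 0x6F430074):
        print(f"0x{raw:08x}: {describe(parse_cache_addr(raw))}")
```

Because the file type field has only three bits, values 5 to 7 decode without error even though the table does not document them; the decoder keeps them as numbers and flags the gap in the description rather than guessing a block size.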
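The Memory Imaging page notes that physical memory usually contains ranges that cannot be read (memory-mapped I/O, for instance) and that some image formats can record that fact. The simulation below is an added example written for this page, not code from any of the tools or papers it links; the physical memory layout is constructed (two RAM ranges with a hole standing in for an MMIO window), and the run table is a generic form of what a memory-aware image format stores so that a reader can tell "never acquired" from "read as zeros".

```python
"""Image a physical address space that contains inaccessible ranges and
record where each copied run sits in the image. Constructed simulation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAGE = 0x1000


@dataclass
class Run:
    phys_start: int     # first physical address copied in this run
    length: int         # bytes copied (a multiple of PAGE)
    image_offset: int   # offset of the run's first byte inside the image


class FakePhysicalMemory:
    """Stand-in for a physical-memory device (constructed layout, not a real
    machine): two RAM ranges with a hole between them that plays the role of a
    memory-mapped I/O window. Reads into the hole fail; on hardware such a
    range must not be read at all, because reading device registers can have
    side effects."""

    RAM_RANGES = [(0x0000_0000, 0x4000), (0x0010_0000, 0x8000)]
    SIZE = 0x0010_8000   # highest physical address + 1

    def accessible(self, addr: int) -> bool:
        return any(s <= addr < s + n for s, n in self.RAM_RANGES)

    def read_page(self, addr: int) -> bytes:
        if addr % PAGE or not self.accessible(addr):
            raise PermissionError(f"0x{addr:x} is not readable RAM")
        # Deterministic content: each page is filled with its own page number.
        return (addr // PAGE).to_bytes(4, "little") * (PAGE // 4)


def image_memory(mem: FakePhysicalMemory) -> Tuple[bytes, List[Run]]:
    """Copy every readable page; skip holes instead of zero-filling them and
    keep a run table so the reader can tell 'not present' from 'all zeros'."""
    image = bytearray()
    runs: List[Run] = []
    for addr in range(0, mem.SIZE, PAGE):
        if not mem.accessible(addr):
            continue                      # hole: never read, never padded
        if runs and runs[-1].phys_start + runs[-1].length == addr:
            runs[-1].length += PAGE       # extend the current contiguous run
        else:
            runs.append(Run(addr, PAGE, len(image)))
        image += mem.read_page(addr)
    return bytes(image), runs


def phys_to_image_offset(runs: List[Run], addr: int) -> Optional[int]:
    """Translate a physical address to an image offset; None if it was a hole."""
    for r in runs:
        if r.phys_start <= addr < r.phys_start + r.length:
            return r.image_offset + (addr - r.phys_start)
    return None


def read_image(image: bytes, runs: List[Run], addr: int, n: int) -> Optional[bytes]:
    """Read n bytes at physical address addr from the image, or None when any
    part of the range was not acquired. Adjacent runs in the image are not
    adjacent in physical memory, so a read must not spill over a run boundary."""
    for r in runs:
        if r.phys_start <= addr and addr + n <= r.phys_start + r.length:
            off = r.image_offset + (addr - r.phys_start)
            return image[off:off + n]
    return None


def flat_image_size(mem: FakePhysicalMemory) -> int:
    """Size a raw, hole-padded image of the same address space would have."""
    return mem.SIZE


if __name__ == "__main__":
    mem = FakePhysicalMemory()
    image, runs = image_memory(mem)
    print(f"run image: {len(image):#x} bytes vs flat image: {flat_image_size(mem):#x} bytes")
    for r in runs:
        print(f"  phys 0x{r.phys_start:08x}+0x{r.length:x} -> image offset 0x{r.image_offset:x}")
    print("hole at 0x5000 ->", read_image(image, runs, 0x5000, 4))
```

A flat raw image of the same address space would be the size of the highest address, with the hole padded by whatever the imager chose to write; the run table makes the padding unnecessary and, more importantly, keeps the analyst from mistaking a padded MMIO window for genuine zeroed RAM.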