
Difference between pages "Chrome Disk Cache Format" and "Memory Imaging"

From ForensicsWiki

= Memory Imaging =

{{expand}}

Memory imaging is the process of making a bit-by-bit copy of memory. In principle it is similar to [[Disk Imaging]].

For physical memory it is common to have sections that are not accessible, e.g. because of memory-mapped I/O.

The resulting copy is stored in a [[:Category:Forensics_File_Formats|Forensics image format]]. Some of these formats have means to differentiate between an image of memory and e.g. that of a disk.

== Methods ==

=== Reading from the Physical Memory Object ===

In [[Windows]] the Physical Memory Object, \\Device\PhysicalMemory, can be used to access physical memory. Since Windows 2003 SP1 user-mode access to this device object is no longer permitted [http://technet.microsoft.com/en-en/library/cc787565(v=ws.10).aspx]. A kernel-mode process is still allowed to read from this device object.

=== MmMapIoSpace ===

The MmMapIoSpace function (or routine) is a kernel-mode function that maps a physical address range to non-paged system space [http://msdn.microsoft.com/en-us/library/windows/hardware/ff554618(v=vs.85).aspx].

== Also see ==

* [[Memory analysis]]
* [[:Tools:Memory_Imaging|Memory Imaging Tools]]

== External Links ==

* [http://en.wikipedia.org/wiki/Memory-mapped_I/O Wikipedia article on Memory-mapped I/O]
* [http://www.dfrws.org/2013/proceedings/DFRWS2013-13.pdf Anti-forensic resilient memory acquisition], by [[Johannes Stuettgen]], [[Michael Cohen]], August 2013
* [http://takahiroharuyama.github.io/blog/2014/01/07/64bit-big-size-ram-acquisition-problem/ 64bit Big Sized RAM Image Acquisition Problem], by [[Takahiro haruyama]], January 7, 2014
* [http://brimorlabs.blogspot.com/2014/01/all-memory-dumping-tools-are-not-same.html All memory dumping tools are not the same], by [[Brian Moran]], January 14, 2014
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], by [[Johannes Stüttgen]], [[Michael Cohen]], May 2014

[[Category:Memory Analysis]]

= Chrome Disk Cache Format =

{{expand}}

== Cache files ==

The cache is stored in multiple files:

{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files
|-
| f_######
| (Separate) data stream file
|}

== Cache address ==

The cache address is 4 bytes in size and consists of the following fields (offsets are given as byte.bit):

{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| <i>If file type is 0 (Separate file)</i>
|
|
|
|-
| 0.0
| 28 bits
|
| File number <br> The value represents the value of # in f_######
|-
| <i>Else</i>
|
|
|
|-
| 0.0
| 16 bits
|
| Block number
|-
| 2.0
| 8 bits
|
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
|
| Block size <br> The number of contiguous blocks, where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
|
| Reserved
|-
| <i>Common</i>
|
|
|
|-
| 3.4
| 3 bits
|
| File type
|-
| 3.7
| 1 bit
|
| Initialized flag
|}

=== File types ===

{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
|
|
|-
| 6
| Unknown; seen on Mac OS X 0x6f430074
|}

==== Examples ====

{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a
|-
| 0xa0010003
| Block data file: data_1, block number 3, block size 1 (1 block)
|}

== Index file format (index) ==

Overview:

* File header
* least recently used (LRU) data (or eviction control data)
* index table

=== File header ===

*TODO*

== Data block file format (data_#) ==

Overview:

* File header
* array of blocks

=== File header ===

*TODO*

== Data stream ==

See: [[gzip]]

== See Also ==

* [[Google Chrome]]
* [[gzip]]

== External Links ==

* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Disk Cache], The Chromium Projects

[[Category:File Formats]]
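The cache address tables in the Chrome Disk Cache Format section above describe a 32-bit value whose meaning depends on the file type field. The following decoder is an added example written for this page; it is not code from the page or from Chromium. The masks and shifts are taken directly from the byte.bit offsets in the "Cache address" table and the block sizes from the "File types" table; the little-endian byte order used by `parse_cache_address_bytes` when reading an address out of raw index or data file bytes is an assumption of this example, as are all function and class names.

```python
"""Decode Google Chrome disk cache addresses (added example, not Chromium code).

Bit layout follows the "Cache address" table on the page (offsets are byte.bit);
block sizes follow the "File types" table.  Little-endian byte order for
addresses stored in index/data files is an assumption of this example.
"""
import struct
from dataclasses import dataclass
from typing import Optional

INITIALIZED_MASK = 0x80000000           # 3.7, 1 bit
FILE_TYPE_MASK = 0x70000000             # 3.4, 3 bits
FILE_TYPE_SHIFT = 28
RESERVED_MASK = 0x0C000000              # 3.2, 2 bits
RESERVED_SHIFT = 26
BLOCK_SIZE_MASK = 0x03000000            # 3.0, 2 bits: contiguous blocks - 1
BLOCK_SIZE_SHIFT = 24
FILE_NUMBER_MASK = 0x00FF0000           # 2.0, 8 bits: the # in data_#
FILE_NUMBER_SHIFT = 16
BLOCK_NUMBER_MASK = 0x0000FFFF          # 0.0, 16 bits
SEPARATE_FILE_NUMBER_MASK = 0x0FFFFFFF  # 0.0, 28 bits: the # in f_######

FILE_TYPE_SEPARATE = 0

# file type -> (description, block size in bytes or None); from the "File types" table
FILE_TYPES = {
    0: ("(Separate) data stream file", None),
    1: ("(Rankings) block data file", 36),
    2: ("256 byte block data file", 256),
    3: ("1024 byte block data file", 1024),
    4: ("4096 byte block data file", 4096),
}


@dataclass(frozen=True)
class CacheAddress:
    raw: int
    initialized: bool
    file_type: int
    reserved: int
    file_number: int
    block_number: Optional[int]  # None for separate (f_######) files
    block_count: int             # number of contiguous blocks, 1 for separate files

    @property
    def filename(self) -> Optional[str]:
        """Cache file the address points into, or None if not initialized."""
        if not self.initialized:
            return None
        if self.file_type == FILE_TYPE_SEPARATE:
            return "f_%06x" % self.file_number
        return "data_%d" % self.file_number

    @property
    def block_size(self) -> Optional[int]:
        """Size in bytes of one block of the addressed file type, if known."""
        return FILE_TYPES.get(self.file_type, ("unknown", None))[1]

    @property
    def data_size(self) -> Optional[int]:
        """Bytes covered by the address inside a block data file."""
        return None if self.block_size is None else self.block_size * self.block_count

    def describe(self) -> str:
        """Human-readable form matching the page's "Examples" table."""
        if not self.initialized:
            return "Not initialized"
        if self.file_type == FILE_TYPE_SEPARATE:
            return "Data stream file: %s" % self.filename
        kind = FILE_TYPES.get(self.file_type, ("unknown file type %d" % self.file_type, None))[0]
        return "Block data file (%s): %s, block number %d, %d block(s)" % (
            kind, self.filename, self.block_number, self.block_count)


def parse_cache_address(value: int) -> CacheAddress:
    """Split a 32-bit cache address into its fields."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("cache address must be an unsigned 32-bit value")
    initialized = bool(value & INITIALIZED_MASK)
    file_type = (value & FILE_TYPE_MASK) >> FILE_TYPE_SHIFT
    if file_type == FILE_TYPE_SEPARATE:
        # Separate files: the low 28 bits are the file number, no block fields.
        return CacheAddress(value, initialized, file_type, 0,
                            value & SEPARATE_FILE_NUMBER_MASK, None, 1)
    return CacheAddress(
        raw=value,
        initialized=initialized,
        file_type=file_type,
        reserved=(value & RESERVED_MASK) >> RESERVED_SHIFT,
        file_number=(value & FILE_NUMBER_MASK) >> FILE_NUMBER_SHIFT,
        block_number=value & BLOCK_NUMBER_MASK,
        block_count=((value & BLOCK_SIZE_MASK) >> BLOCK_SIZE_SHIFT) + 1,
    )


def parse_cache_address_bytes(data: bytes, offset: int = 0) -> CacheAddress:
    """Read an address stored in an index or data file (little-endian assumed)."""
    (value,) = struct.unpack_from("<I", data, offset)
    return parse_cache_address(value)


if __name__ == "__main__":
    for value in (0x00000000, 0x8000002A, 0xA0010003):
        print("0x%08x: %s" % (value, parse_cache_address(value).describe()))
```

Running the block reproduces the three rows of the "Examples" table; `block_count` and `data_size` also cover the multi-block case (block size field 3 giving 4 contiguous blocks), which the table does not show. A non-zero `reserved` field is surfaced rather than silently dropped, which is a cheap way for a parser to notice an address that does not follow the documented layout.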
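The Memory Imaging section above notes that physical memory commonly contains sections that cannot be read, such as memory-mapped I/O, so a bit-by-bit copy of "all" physical memory has to work around holes. The following added example (not code from the page or from any acquisition tool) shows one way an imager can plan its reads from a memory map, read only the ranges marked as RAM, and zero-fill the holes so that a file offset in the resulting raw image still equals the physical address. The memory map, the simulated page reader, the page size and all function names are constructed assumptions of this example; on a real system the map would come from the firmware or the operating system.

```python
"""Physical memory acquisition around inaccessible ranges (added example).

The memory map, the page reader and the zero-padding policy are constructed
for illustration; they are not the page's or any tool's code.
"""
from typing import Callable, List, Tuple

PAGE_SIZE = 0x1000  # assumed page size

# Constructed physical memory map: (start, length, kind).  Real maps are
# obtained from firmware or the OS; the sizes here are deliberately tiny.
MEMORY_MAP = [
    (0x0000, 0x3000, "ram"),
    (0x3000, 0x1000, "reserved"),  # e.g. firmware area, not readable
    (0x4000, 0x4000, "ram"),
    (0x8000, 0x2000, "mmio"),      # device registers: reading may have side effects
    (0xa000, 0x2000, "ram"),
]

Run = Tuple[int, int]  # (physical start address, length in bytes)


def acquisition_runs(memory_map) -> List[Run]:
    """Return the page-aligned RAM runs in ascending order, merging adjacent ones."""
    runs: List[Run] = []
    for start, length, kind in sorted(memory_map):
        if kind != "ram":
            continue  # never touch reserved or memory-mapped I/O ranges
        if start % PAGE_SIZE or length % PAGE_SIZE:
            raise ValueError("memory map entries must be page aligned")
        if runs and runs[-1][0] + runs[-1][1] == start:
            runs[-1] = (runs[-1][0], runs[-1][1] + length)
        else:
            runs.append((start, length))
    return runs


def simulated_page_reader(paddr: int) -> bytes:
    """Constructed stand-in for a kernel-mode read of one physical page."""
    for start, length, kind in MEMORY_MAP:
        if start <= paddr < start + length:
            if kind != "ram":
                raise PermissionError("page 0x%x is not accessible (%s)" % (paddr, kind))
            # Page content derived from its page number, so tests can check placement.
            return bytes([(paddr >> 12) & 0xFF]) * PAGE_SIZE
    raise PermissionError("page 0x%x is outside the memory map" % paddr)


def image_physical_memory(memory_map, read_page: Callable[[int], bytes]):
    """Image every RAM run; return (padded image, runs, unreadable page addresses).

    Gaps between runs are zero-filled so that image offset == physical address.
    A page that fails to read is zero-filled and reported instead of aborting
    the whole acquisition.
    """
    runs = acquisition_runs(memory_map)
    image = bytearray()
    unreadable: List[int] = []
    for start, length in runs:
        if start > len(image):
            image.extend(b"\0" * (start - len(image)))  # pad the hole
        for paddr in range(start, start + length, PAGE_SIZE):
            try:
                page = read_page(paddr)
            except OSError:
                page = b"\0" * PAGE_SIZE
                unreadable.append(paddr)
            if len(page) != PAGE_SIZE:
                raise ValueError("reader returned %d bytes for page 0x%x" % (len(page), paddr))
            image.extend(page)
    return bytes(image), runs, unreadable


if __name__ == "__main__":
    img, runs, bad = image_physical_memory(MEMORY_MAP, simulated_page_reader)
    print("runs:", ["0x%x+0x%x" % r for r in runs])
    print("image size: 0x%x, unreadable pages: %s" % (len(img), bad))
```

The run list returned alongside the image is what an analysis tool needs to tell a genuine page of zeros from a padded hole; image formats that carry such a run table are the ones the section above refers to as being able to distinguish a memory image from a disk image.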

Revision as of 05:57, 27 June 2014
