Difference between pages "Tools:Memory Imaging" and "Jump Lists"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Memory Imaging Tools)
 
 
Line 1: Line 1:
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Once memory has been imaged, it is subjected to [[memory analysis]] to ascertain the state of the system, extract artifacts, and so on.
+
{{expand}}
 +
'''Jump Lists''' are a feature found in Windows 7.
  
One of the most vexing problems for memory imaging is verifying that the image has been created correctlyThat is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never--to a high degree of probability--be the sameThus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation.  [[Memory analysis]] can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question as to whether the image accurately reflects the system from which it was taken at the time it was taken.
+
== Jump Lists ==
 +
Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actionsJump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) filesAutodest files are created by the operating system
  
== Memory Imaging Techniques ==
+
Jump Lists are located in the user profile path, in the C:\Users\''user''\Recent folder.  Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.
  
; Crash Dumps
+
''Author's Note'': Jump Lists can prove to be considerably valuable during an examination, as the files appear (in limited testing) to persist after the application itself is removed from the system. In one test, iTunes 10 was installed on a 64-bit Windows 7 system, and two audio files (i.e., [http://www.cyberspeak.libsyn.com: CyberSpeak podcasts]) were launched via iTunes. The Jump Lists persisted after the iTunes was removed from the system.
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
+
; LiveKd Dumps
+
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
+
; Hibernation Files
+
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
+
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
+
; Firewire
+
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
+
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
+
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
+
: The [http://goldfish.ae Goldfish] tool automates this exploit for investigators needing to analyze the memory of a Mac.
+
; Virtual Machine Imaging
+
: There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for obtaining a memory image. The common method is to pause/suspend/stop the system and then collect the resulting memory image file, this has the disadvantage of taking the machine offline during the suspend time. Alternatively most of these systems support live dumping of a memory image. [http://www.qemu.org Qemu ] supports the pmemsave function, [http://www.xen.org Xen] has the xm dump-core command.
+
  
== Memory Imaging Tools ==
+
=== AutomaticDestinations ===
===x86 Hardware===
+
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations<br>
 +
Files: *.automaticDestinations-ms
  
; Tribble PCI Card (research project)
+
'''Structure'''<br>
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
+
The autodest files follow the [http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx: MS-CFB] compound file binary format specification. Each of the numbered streams within the file follows the [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format specification.
 +
<p>
 +
The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list.  This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable length Unicode string.  The first 114 bytes of the structure contains the following information at the corresponding offsets:
  
; CoPilot by Komoku
+
<table border="1">
: Komoku was acquired by Microsoft and the card was not made publicly available.
+
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
 +
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
 +
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
 +
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768: FILETIME] object</td> </tr>
 +
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows </td> </tr>
 +
</table>
  
; Forensic RAM Extraction Device (FRED) by BBN
+
=== CustomDestinations ===
: Not publicly available. http://www.ir.bbn.com/~vkawadia/
+
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations<br>
 +
Files: *.customDestinations-ms
  
===[[Windows]] Software===
+
'''Structure'''<br>
; winen.exe (Guidance Software - included with Encase 6.11 and higher)
+
Custdest files reportedly follow a structure of sequential [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx: MS-SHLLINK] binary format segments.
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
+
  
; [[WinDD]]
+
=== Tools ===
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
* Autodest files can be opened in tools such as the [http://mitec.cz/ssv.html: MiTec Structured Storage Viewer], and each of the streams individually/manually extracted.  Each of the extracted numbered streams can then be viewed via the [http://mitec.cz/wfa.html: Windows File Analyzer].
: http://windd.msuiche.net/
+
* Another approach would be to use Mark Woan's [http://www.woanware.co.uk/?p=265: JumpLister] tool to view the information within the numbered streams of each autodest file.
: http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/
+
* TZWorks LLC [http://tzworks.net/prototype_page.php?proto_id=20 Jump List Parser (jmp)] also has a tool that can parse both the custom and automatic Destinations type files.  For automaticDestinations it associates the MRU/MFU metadata with that of the SHLLINK metadata. There are versions of the tool that can run in Windows, Linux or Mac OS-X.
  
; [[Mdd]] (Memory DD) ([[ManTech]])
+
== See also ==
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
* [[List of Jump List IDs]]
: http://sourceforge.net/projects/mdd
+
* [[Windows]]
  
; F-Response with FTK imager, dd, Encase, WinHex, etc
+
== External Links ===
: Beta 2.03 provides remote access to memory that can be acquired using practically any standard imaging tool
+
: http://www.f-response.com/index.php?option=com_content&task=view&id=79&Itemid=2
+
  
; MANDIANT Memoryze
+
[[Category:Windows]]
: Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
+
: http://www.mandiant.com/software/memoryze.htm
+
 
+
; [[Kntdd]]
+
: http://www.gmgsystemsinc.com/knttools/
+
 
+
; [[dd]]
+
: On [[Microsoft Windows]] systems, [[dd]] can be used by an Administrator user to image memory using the ''\Device\Physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.
+
 
+
; Windows Memory Forensic Toolkit (WMFT)
+
: http://forensic.seccure.net/
+
: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
+
 
+
; Nigilant32
+
: http://www.agilerm.net/publications_4.html
+
 
+
;[[HBGary]]: Fastdump and Fastdump Pro
+
:http://www.hbgary.com
+
:[[Fastdump]] (free with registration) Can acquire physical memory on Windows 2000 through Windows XP 32 bit but not Windows 2003 or Vista.
+
:[[Fastdump Pro]] Can acquire physical memory on Windows 2000 through Windows 2008, all service packs.  Additionally, Fastdump Pro supports:
+
:-32 bit and 64 bit architectures
+
:-Acquisitions of greater than 4GB
+
:-Fast acquisitions through the use of larger page sizes (1024KB) but also supports a strict mode that enforces 4KB page sizes.
+
:-Process probing which allows for a more complete memory image of a process of interest.
+
:-Acquisition of the system page file during physical memory acquisition.  This allows for a more complete memory analysis.
+
 
+
===Linux/Unix===
+
;[[dd]]
+
: On Unix systems, the program [[dd]] can be used to capture the contents of [[physical memory]] using a device file (e.g. <tt>/dev/mem</tt> and <tt>/dev/kmem</tt>).  In recent Linux kernels, /dev/kmem is no longer available.  In even more recent kernels, /dev/mem has additional restrictions.  And in the most recent, /dev/mem is no longer available by default, either.  Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files.  See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.  On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash").
+
;[http://www.pikewerks.com/sl/ Second Look]
+
: This commercial memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA or over the network.  It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
+
; Idetect (Linux)
+
: http://forensic.seccure.net/
+
;[http://hysteria.sk/~niekt0/foriana/fmem_current.tgz fmem] (Linux)
+
: fmem is kernel module, that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.
+
;[http://goldfish.ae Goldfish]
+
:Goldfish is a [[Mac OS X]] live forensic tool for use only by law enforcement. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a [[Firewire]] connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law Enforcement may contact [http://goldfish.ae goldfish.ae] for download information.
+
 
+
===Virtual===
+
; Qemu
+
: Qemu allows you to dump the memory of a running image using pmemsave.
+
: e.g. pmemsave 0 0x20000000 /tmp/dumpfile
+
; Xen
+
: Xen allows you to live dump the memory of a guest domain using the dump-core command.
+
: You can list the available machines to find the host machine you care about using xm list and see the configuration.
+
: Dumping is a matter of sudo xm dump-core -L /tmp/dump-core-6 6
+
 
+
==See Also==
+
* [[Windows Memory Analysis]]
+
* [[Linux Memory Analysis]]
+
* http://blogs.23.nu/RedTeam/0000/00/antville-5201/
+
* http://www.storm.net.nz/projects/16
+
* http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf
+
 
+
== External Links ==
+
* [http://www.syngress.com/book_catalog/sample_159749156X.PDF  Windows Memory Analysis (Sample Chapter)]
+
 
+
[[Category:Tools]]
+

Revision as of 07:34, 10 February 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Jump Lists are a feature found in Windows 7.

Jump Lists

Jump Lists are a new Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions. Jump Lists come in two flavors, automatic (autodest, or *.automaticDestinations-ms) and custom (custdest, or *.customDestinations-ms) files. Autodest files are created by the operating system

Jump Lists are located in the user profile path, in the C:\Users\user\Recent folder. Autodest Jump Lists are located in the automaticDestinations subdirectory, and custdest files are located in the customDestinations subdirectory.

Author's Note: Jump Lists can prove to be considerably valuable during an examination, as the files appear (in limited testing) to persist after the application itself is removed from the system. In one test, iTunes 10 was installed on a 64-bit Windows 7 system, and two audio files (i.e., CyberSpeak podcasts) were launched via iTunes. The Jump Lists persisted after the iTunes was removed from the system.

AutomaticDestinations

Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Files: *.automaticDestinations-ms

Structure
The autodest files follow the MS-CFB compound file binary format specification. Each of the numbered streams within the file follows the MS-SHLLINK binary format specification.

The autodest files also contain a stream named "DestList" which acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the various structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable length Unicode string. The first 114 bytes of the structure contains the following information at the corresponding offsets:

Offset Size Description
0x48 16 bytes NetBIOS name of the system; padded with zeros to 16 bytes
0x58 8 bytes Stream number; corresponds to the numbered stream within the jump list
0x64 8 bytes FILETIME object
0x70 2 bytes Number of Unicode characters in the string that follows

CustomDestinations

Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
Files: *.customDestinations-ms

Structure
Custdest files reportedly follow a structure of sequential MS-SHLLINK binary format segments.

Tools

  • Autodest files can be opened in tools such as the MiTec Structured Storage Viewer, and each of the streams individually/manually extracted. Each of the extracted numbered streams can then be viewed via the Windows File Analyzer.
  • Another approach would be to use Mark Woan's JumpLister tool to view the information within the numbered streams of each autodest file.
  • TZWorks LLC Jump List Parser (jmp) also has a tool that can parse both the custom and automatic Destinations type files. For automaticDestinations it associates the MRU/MFU metadata with that of the SHLLINK metadata. There are versions of the tool that can run in Windows, Linux or Mac OS-X.

See also

External Links =