Difference between pages "Mount shadow volumes on disk images" and "Rekall"

From ForensicsWiki

Mount shadow volumes on disk images

Windows Shadow Volumes, when created, are automatically mounted at the file system root by Windows. Unfortunately this is invisible to the user and they can not be directly accessed. Mklink, a command line utility that ships with Windows, is able to create a symbolic link that allows access to these shadow volumes.

Shadow Volumes that exist on a drive image are no different. They too can be accessed by creating a symbolic link to the location of the volume. There is a caveat here though -- the Shadow Volume is mounted at the local file system's root rather than the drive image's file system root.

This example shows how to mount a virtual disk image in the VHD format using Windows 7's built-in tools. It then details the steps for mounting a Shadow Volume that exists on the disk image. Note: Windows 7 Professional or Ultimate edition is required, as the necessary tools are not bundled with other versions.

==Mounting the Disk Image==

The first step is to mount the VHD. If you have a RAW image or another similar format, it can be converted to VHD using a tool such as qemu-img (http://wiki.qemu.org/Main_Page) or vmToolkit's Vmdk2Vhd utility (http://vmtoolkit.com/).

* To mount the VHD bring up the Start menu in Windows.
* Right click on "Computer" and click "Manage". This will bring up a window titled "Computer Management". [[File:manage.png|thumb|Open the Computer Management window.]]
* Now double click on "Storage" in the center pane. [[File:storage.png|thumb|Click "storage" in the center pane.]]
* Next double click "Manage Storage" in the center pane. [[File:disk_management.png|thumb|Double click "manage storage" in the center pane.]]
* Now click the "More Actions" menu in the right most pane and select "Attach VHD". [[File:attach_vhd.png|thumb|Select Attach VHD in the right pane.]]
* Browse to the location of the drive image that you would like to mount and hit "OK".

Now that the image is mounted we can begin to examine the Shadow Volumes on it.

===Command Prompt Method===

These steps can also be accomplished using an administrator enabled Command Prompt. To perform these steps from the command prompt the diskpart command must be used.

* To start, type "diskpart" at the command prompt.

<code>C:\> diskpart</code>

When diskpart starts the prompt will change to say DISKPART>

* Next select the drive image by typing "select vdisk file=<path to image>" where <path to image> is the path to the vhd file.

<code>DISKPART> select vdisk file=C:\myimage.vhd</code>

* Last, type "attach vdisk" or, if you'd like to mount it read only, "attach vdisk readonly".

<code>DISKPART> attach vdisk readonly</code>

==Mounting the Shadow Volume==

To work with the Shadow Volumes we will use the VSSAdmin tool bundled with Windows 7 Ultimate and Professional editions.

* Start by opening an Administrator enabled command shell. This can be done by right clicking on the Command Prompt application in Start > Accessories > Command Prompt and selecting "Run As Administrator".

* Once the command prompt is open you can view the available Shadow Volumes by typing "vssadmin list shadows".

<code>C:\> vssadmin list shadows</code>

* At this point you may see a long list of Shadow Volumes, created both by the machine the disk image is from and locally. To list just the Shadow Volumes associated with the drive image you can add the optional /FOR=<DriveLetter:\> switch, where DriveLetter is the drive letter that the drive image is mounted on.

<code>C:\> vssadmin list shadows /for=E:\</code> [[File:vssadmin_list.png|thumb|vssadmin list]]

* Now that we have a list of the Shadow Volumes we can mount them using the mklink tool. To do this, on the command line type:

<code>mklink /D C:\<some directory> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#\</code>

where <some directory> is the path that you'd like to mount the Shadow Volume at, and the # in HarddiskVolumeShadowCopy is the number of the Shadow Volume to mount. Please note that the trailing backslash is absolutely necessary. Without it you will receive a permissions error when trying to access the directory.

<code>mklink /D C:\shadow_volume_1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\</code>

* If all was successful you should receive a message that looks like this:

<code>symbolic link created for <some directory> <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\</code>

You can now browse the files contained in the Shadow Volume just like any other files in your file system! [[File:success.png|thumb|Success!]]
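The listing-and-linking steps above, as an added Python example (not code from the original page): it parses the text that `vssadmin list shadows` prints (constructed sample output here, not captured from a real system), keeps the copies that belong to the drive letter the image is mounted on (what the /for= switch does), and builds the mklink /D command for each with the trailing backslash the page warns about. On a live system you would feed it the real command output, for example captured via subprocess.

```python
import re
from dataclasses import dataclass

# Constructed sample of `vssadmin list shadows` output (not from a real system):
# one shadow copy of the local C: volume, one of the image mounted as E:.
SAMPLE_OUTPUT = r"""
Contents of shadow copy set ID: {0a0a0a0a-1111-2222-3333-444444444444}
   Contained 1 shadow copies at creation time: 6/20/2014 10:03:41 PM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{cccccccc-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Contents of shadow copy set ID: {0b0b0b0b-1111-2222-3333-444444444444}
   Contained 1 shadow copies at creation time: 3/12/2014 9:15:02 AM
      Shadow Copy ID: {bbbbbbbb-0000-0000-0000-000000000003}
         Original Volume: (E:)\\?\Volume{eeeeeeee-0000-0000-0000-000000000003}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
"""
FIELDS = {"Original Volume": "original_volume", "Shadow Copy Volume": "device"}

@dataclass
class ShadowCopy:
    shadow_id: str
    created: str
    original_volume: str = ""
    device: str = ""  # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN

def parse_vssadmin(text):
    """Turn `vssadmin list shadows` output into ShadowCopy records."""
    copies, created, cur = [], "", None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key.startswith("Contained") and key.endswith("creation time"):
            created = value  # applies to every copy in this shadow copy set
        elif key == "Shadow Copy ID":
            cur = ShadowCopy(value, created)
            copies.append(cur)
        elif cur is not None and key in FIELDS:
            setattr(cur, FIELDS[key], value)
    return copies

def for_drive(copies, drive="E:"):
    """Keep only copies of one volume, as the /for= switch does."""
    return [c for c in copies if c.original_volume.startswith(f"({drive})")]

def mklink_command(copy, mount_root="C:\\"):
    """Build the mklink /D command; the trailing backslash on the target is required."""
    n = re.search(r"HarddiskVolumeShadowCopy(\d+)$", copy.device).group(1)
    return f"mklink /D {mount_root}shadow_volume_{n} {copy.device}\\"
```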

== Also See ==
* [[Windows Shadow Volumes]]

[[Category:Howtos]]

Revision as of 03:33, 25 June 2014

Rekall
Maintainer: Michael Cohen
OS: Cross-platform
Genre: Memory Analysis,Memory Imaging
License: GPL
Website: code.google.com/p/rekall/

Rekall is the stand-alone continuation of the Volatility Technology Preview (TP) version, aka the scudette branch.

One of Rekall's goals is to provide better integration with GRR through improved modularity of the framework and by having memory acquisition capability (see http://docs.rekall.googlecode.com/git/overview.html#_history).

Memory acquisition drivers

The drivers can be found under:

rekall/tools/linux
rekall/tools/osx
rekall/tools/windows

Linux

In Rekall RC11 the advanced Linux acquisition tool (LMAP) was added. lmap can inject the pmem functionality into existing kernel modules, which avoids having to build a pmem kernel module for every different kernel version. See the corresponding DFRWS EU 2014 paper for more information about LMAP.

To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into the rekall/tools/linux directory and run make:

cd rekall/tools/linux/
make

The acquisition driver is named pmem.ko.

To load the driver:

sudo insmod pmem.ko

To check if the driver is running:

sudo lsmod

The driver creates a device file named:

/dev/pmem

To unload the driver:

sudo rmmod pmem

To acquire the memory, just read from the device file, e.g.:

dd if=/dev/pmem of=image.raw
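The acquisition step above as an added Python example (not code from the Rekall project or this page): it confirms the pmem module is loaded by reading /proc/modules (the same information lsmod prints), streams /dev/pmem to image.raw in fixed-size chunks like the dd command does while computing a SHA-256 over the bytes written, and records the digest in a sidecar file so the image can be verified later. The device, output and /proc/modules paths are parameters, so the functions can also be exercised against ordinary files.

```python
import hashlib
import os

CHUNK = 4 * 1024 * 1024  # read the device in 4 MiB pieces

def pmem_loaded(proc_modules="/proc/modules"):
    """True if a module named 'pmem' is listed; this is what `sudo lsmod` reads."""
    with open(proc_modules) as f:
        return any(line.split()[0] == "pmem" for line in f if line.strip())

def acquire(device="/dev/pmem", out_path="image.raw", chunk=CHUNK):
    """Copy the device to out_path (what `dd if=/dev/pmem of=image.raw` does)
    and return (bytes_written, sha256_hex) so the image can be verified later."""
    digest, written = hashlib.sha256(), 0
    with open(device, "rb") as src, open(out_path, "wb") as dst:
        for buf in iter(lambda: src.read(chunk), b""):  # stop at end of device
            dst.write(buf)
            digest.update(buf)
            written += len(buf)
    return written, digest.hexdigest()

def write_sidecar(out_path, sha256_hex):
    """Record '<hash>  <file>' next to the image, in the format `sha256sum -c` accepts."""
    sidecar = out_path + ".sha256"
    with open(sidecar, "w") as f:
        f.write(f"{sha256_hex}  {os.path.basename(out_path)}\n")
    return sidecar

def verify(out_path, sha256_hex, chunk=CHUNK):
    """Re-hash the image on disk and compare it with the recorded digest."""
    digest = hashlib.sha256()
    with open(out_path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            digest.update(buf)
    return digest.hexdigest() == sha256_hex

if __name__ == "__main__":
    if not pmem_loaded():
        raise SystemExit("pmem.ko is not loaded; run `sudo insmod pmem.ko` first")
    size, h = acquire()
    print(f"acquired {size} bytes, sha256 {h}, recorded in {write_sidecar('image.raw', h)}")
```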

For more information see:

rekall/tools/linux/README

Mac OS X

For more information see:

rekall/tools/osx/OSXPMem/README

Windows

Since recent versions of Windows require a signed driver, Rekall comes with both pre-built (signed binary) and source versions of the driver.

Both the i386 and amd64 binary versions of the driver can be found in the directory:

rekall/tools/windows/winpmem/binaries

E.g.

rekall/tools/winpmem/binaries/amd64/winpmem.sys

A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:

rekall/tools/winpmem/executables/Release/

To load the driver:

winpmem.exe -l

The device filename is (This can not be changed without recompiling):

\\.\pmem

Note that running dd directly on this device file can crash the machine. Use the winpmem.exe tool instead because it handles protected memory regions.

To read and acquire the physical memory and write it to image.raw:

winpmem.exe image.raw

To unload the driver:

winpmem.exe -u 

For more information see:

rekall/tools/windows/README

See Also

* Memory analysis
* Memory Imaging
* Volatility

External Links

* Project site: https://code.google.com/p/rekall/
* Project documentation: http://docs.rekall.googlecode.com/git/index.html
* Rekall Memory Forensics blog: http://rekall-forensic.blogspot.com/
* Anti-forensic resilient memory acquisition, Johannes Stüttgena and Michael Cohen, August 2013: http://www.rekall-forensic.com/docs/References/Papers/DFRWS2013.html
* Robust Linux memory acquisition with minimal target impact, Johannes Stüttgena and Michael Cohen, May 2014: http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html