Difference between pages "USBCrypt" and "Rekall"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (spelling)
 
m (Linux)
 
Line 1: Line 1:
 
{{Infobox_Software |
 
{{Infobox_Software |
   name = USBCrypt |
+
   name = Rekall |
   maintainer = WinAbility Software |
+
   maintainer = [[Michael Cohen]] |
   os = {{Windows}} |
+
   os = {{Cross-platform}} |
   genre = {{Encryption}} |
+
   genre = {{Memory analysis}}, {{Memory imaging}} |
   license = WinAbility Software License |
+
   license = {{GPL}} |
   website = [http://www.winability.com/usbcrypt/ winability.com/usbcrypt] |
+
   website = [https://code.google.com/p/rekall/ code.google.com/p/rekall/] |
 
}}
 
}}
  
'''USBCrypt''' is a commercial (closed source) software intended primarily to encrypt external USB drives. (However, the encryption is not limited to the external drives or to the USB connection: any drive that is recognized by Windows as a valid drive with read-write access can be encrypted with USBCrypt.) USBCrypt software is [[Windows|Windows 7, Vista, XP, 2000]]-only. It supports [[AES]], and [[Twofish]] encryption with the 128- and 256-bit keys, in the [[XTS]] and [[CBC]] encryption modes.
+
Rekall is the stand-alone continuation of the [[Volatility]] Technology Preview (TP) version, aka the scudette branch.
  
== Recognizing drives encrypted with USBCrypt ==
+
One of Rekalls goals is to provide better integration with [[GRR]] by improved modularity of the framework and having memory acquisition capability.[http://docs.rekall.googlecode.com/git/overview.html#_history]
  
USBCrypt encrypts drives by creating the file-based Virtual Encrypted Disks on them. In addition to one or more files that contain the encrypted data, USBCrypt also puts a portable software on the drive, to enable its use on other computers. While the encrypted data files contain no identifying information (and thus support [[plausible deniability]]), the presence of other supporting files makes it easy to identify the drives encrypted with USBCrypt: the root folder of the encrypted drive contains the file USBCrypt.exe as well as a folder named USBCrypt-system. The latter contains the encrypted data files as well as USBCrypt software files (DLL and SYS). The file USBCrypt.ini is a text-only file that contains settings as well as license information (including the name of the person or business who has purchased the software).
+
== Memory acquisition drivers ==
  
== Spare-key file ==
+
The drivers can be found under:
 +
<pre>
 +
rekall/tools/linux
 +
rekall/tools/osx
 +
rekall/tools/windows
 +
</pre>
  
When the user is encrypting a drive with USBCrypt software, s/he has the option to create a "spare key" file on the user's computer. This file contains a copy of the encryption key that can be used by the user if s/he forgets the main encryption password. Or, it can be used by a system administrator to get access to the encrypted data in case the employees leave the company and take the passwords with them. Each spare key file contains a copy of just one encryption key for the specific encrypted drive it was created for. It cannot be used to decrypt any other drive, even if the user has used the same password and encryption algorithm. USBCrypt can automatically detect whether it can decrypt a specific drive with a spare key.  
+
=== Linux ===
 +
In rekall RC11 the advanced Linux acquisition tool (LMAP) was added. lmap allows to inject the pmem functionality into existing kernel modules to bypass having to build a pmem kernel module for every different kernel version. See the corresponding DFRWS EU 2014 paper for more information about LMAP.
  
== Forensic Acquisition ==
+
To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into this directory and run make:
 +
<pre>
 +
cd rekall/tools/linux/
 +
make
 +
</pre>
  
If you encounter a system that has a live USBCrypt drive, it is imperative that you capture the contents of the encrypted drive before disconnecting the drive or shutting down the system. Once the system is shutdown, the contents becomes inaccessible unless you have the proper encryption key generated by a user's password. If the encrypted drive in not live, it is imperative to secure access to the user's computer that was used to encrypt the drive: there is a possibility that the computer still has the "spare key" file stored on its hard drive, assuming the user has the selected the option to create such a file when encrypting the drive.  
+
The acquisition driver is named pmem.ko.
  
== Attacks ==
+
To load the driver:
If the "spare key" file for the encrypted drive has not been obtained, then the only option for acquiring the content of a dismounted USBCrypt drive is to do a brute-force password guessing attack. USBCrypt software itself contains a built-in command to perform the brute-force attack on the drives it encrypts.
+
<pre>
 +
sudo insmod pmem.ko
 +
</pre>
  
== External Links ==
+
To check if the driver is running:
 +
<pre>
 +
sudo lsmod
 +
</pre>
  
* [http://www.winability.com/usbcrypt/ Official website]
+
The driver create a device file named:
* [http://www.usbcrypt.com/ USBCrypt web site]
+
<pre>
 +
/dev/pmem
 +
</pre>
  
[[Category:Encryption]]
+
To unload the driver:
[[Category:Disk encryption]]
+
<pre>
 +
sudo rmmod pmem
 +
</pre>
 +
 
 +
To read acquire the memory just read from the device file. e.g.
 +
<pre>
 +
dd if=/dev/pmem of=image.raw
 +
</pre>
 +
 
 +
For more information see:
 +
<pre>
 +
rekall/tools/linux/README
 +
</pre>
 +
 
 +
=== Mac OS X ===
 +
 
 +
For more information see:
 +
<pre>
 +
rekall/tools/osx/OSXPMem/README
 +
</pre>
 +
 
 +
=== Windows ===
 +
Since recent versions of Windows require a signed driver rekall comes with both pre-built (signed binary) and source versions of the driver.
 +
 
 +
Both the i386 and amd64 binary version of the driver can be found in the directory:
 +
<pre>
 +
rekall/tools/windows/winpmem/binaries
 +
</pre>
 +
 
 +
E.g.
 +
<pre>
 +
rekall/tools/winpmem/binaries/amd64/winpmem.sys
 +
</pre>
 +
 
 +
A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:
 +
<pre>
 +
rekall/tools/winpmem/executables/Release/
 +
</pre>
 +
 
 +
To load the driver:
 +
<pre>
 +
winpmem.exe -l
 +
</pre>
 +
 
 +
The device filename is (This can not be changed without recompiling):
 +
<pre>
 +
\\.\pmem
 +
</pre>
 +
 
 +
Note that running dd directly on this device file can crash the machine.
 +
Use the winpmem.exe tool instead because it handles protected memory regions.
 +
 
 +
To read and acquire the physical memory and write it to image.raw:
 +
<pre>
 +
winpmem.exe image.raw
 +
</pre>
 +
 
 +
To unload the driver:
 +
<pre>
 +
winpmem.exe -u
 +
</pre>
 +
 
 +
For more information see:
 +
<pre>
 +
rekall/tools/windows/README
 +
</pre>
 +
 
 +
== See Also ==
 +
* [[Memory analysis]]
 +
* [[Memory Imaging]]
 +
* [[Volatility]]
 +
 
 +
== External Links ==
 +
* [https://code.google.com/p/rekall/ Project site]
 +
* [http://docs.rekall.googlecode.com/git/index.html Project documentation]
 +
* [http://rekall-forensic.blogspot.com/ Rekall Memory Forensics blog]
 +
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2013.html Anti-forensic resilient memory acquisition]] by [[Johannes Stüttgena]] [[Michael Cohen]], August 2013
 +
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], [[Johannes Stüttgena]] [[Michael Cohen]], May 2014

Revision as of 04:33, 25 June 2014

Rekall
Maintainer: Michael Cohen
OS: Cross-platform
Genre: Memory Analysis,Memory Imaging
License: GPL
Website: code.google.com/p/rekall/

Rekall is the stand-alone continuation of the Volatility Technology Preview (TP) version, aka the scudette branch.

One of Rekalls goals is to provide better integration with GRR by improved modularity of the framework and having memory acquisition capability.[1]

Memory acquisition drivers

The drivers can be found under:

rekall/tools/linux
rekall/tools/osx
rekall/tools/windows

Linux

In rekall RC11 the advanced Linux acquisition tool (LMAP) was added. lmap allows to inject the pmem functionality into existing kernel modules to bypass having to build a pmem kernel module for every different kernel version. See the corresponding DFRWS EU 2014 paper for more information about LMAP.

To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into this directory and run make:

cd rekall/tools/linux/
make

The acquisition driver is named pmem.ko.

To load the driver:

sudo insmod pmem.ko

To check if the driver is running:

sudo lsmod

The driver create a device file named:

/dev/pmem

To unload the driver:

sudo rmmod pmem

To read acquire the memory just read from the device file. e.g.

dd if=/dev/pmem of=image.raw

For more information see:

rekall/tools/linux/README

Mac OS X

For more information see:

rekall/tools/osx/OSXPMem/README

Windows

Since recent versions of Windows require a signed driver rekall comes with both pre-built (signed binary) and source versions of the driver.

Both the i386 and amd64 binary version of the driver can be found in the directory:

rekall/tools/windows/winpmem/binaries

E.g.

rekall/tools/winpmem/binaries/amd64/winpmem.sys

A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:

rekall/tools/winpmem/executables/Release/

To load the driver:

winpmem.exe -l

The device filename is (This can not be changed without recompiling):

\\.\pmem

Note that running dd directly on this device file can crash the machine. Use the winpmem.exe tool instead because it handles protected memory regions.

To read and acquire the physical memory and write it to image.raw:

winpmem.exe image.raw

To unload the driver:

winpmem.exe -u 

For more information see:

rekall/tools/windows/README

See Also

External Links