Difference between pages "Bibliography" and "Rekall"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Disk Disposal and Data Recovery: Added SSD article)
 
m (Linux)
 
Line 1: Line 1:
=Disk Disposal and Data Recovery=
+
{{Infobox_Software |
* [http://forensic.belkasoft.com/download/info/SSD%20Forensics%202012.pdf Why SSD Drives Destroy Court Evidence, and What Can Be Done About It] by Oleg Afonin and Yuri Gubanov, 2012
+
  name = Rekall |
* [http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf Disk Imaging: A Vital Step in Data Recovery], DeepSpar Data Recovery Systems, November 2006. An in depth look at the many issues that cause data loss / irretrievable data in the data recovery imaging process and how to overcome them.
+
  maintainer = [[Michael Cohen]] |
* [http://www.actionfront.com/ts_whitepaper.asp Drive-Independent Data Recovery: The Current State-of-the-Art], ActionFront Data Recovery Labs, August 2005.
+
  os = {{Cross-platform}} |
* [[Recovering Overwritten Data#The Gutmann Paper|Secure Deletion of Data from Magnetic and Solid-State Memory]], Peter Gutmann, Proceedings of the Sixth Usenix Security Symposium, 1996. [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html]
+
  genre = {{Memory analysis}}, {{Memory imaging}} |
* [http://www-03.ibm.com/financing/pdf/us/recovery/igf4-a032.pdf Hard Drive Disposal: The Overlooked Confidentiality Exposure], FInancial Perspectives, IBM White Paper, November 2003.
+
  license = {{GPL}} |
 +
  website = [https://code.google.com/p/rekall/ code.google.com/p/rekall/] |
 +
}}
  
<bibtex>
+
Rekall is the stand-alone continuation of the [[Volatility]] Technology Preview (TP) version, aka the scudette branch.
@Article{garfinkel:remembrance,
+
  author =      "Simson Garfinkel and Abhi Shelat",
+
  author_a =      "Simson L. Garfinkel and Abhi Shelat",
+
  title =        "Remembrance of Data Passed",
+
  journal =      "{IEEE} Security and Privacy Magazine",
+
  publisher =    "IEEE",
+
  year      =        "2002",
+
  month    = Jan,
+
  url="http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf"
+
}
+
</bibtex>
+
  
=Evidence Gathering=
+
One of Rekalls goals is to provide better integration with [[GRR]] by improved modularity of the framework and having memory acquisition capability.[http://docs.rekall.googlecode.com/git/overview.html#_history]
  
* [http://utdallas.edu/~sxs018540/index/docs/byteprints_itcc05.pdf Byteprints: A Tool to Gather Digital Evidence], Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan, Proceedings of the International Conference on Information Technology (ITCC 2005), Las Vegas, Nevada, USA, April 4 - 6, 2005
+
== Memory acquisition drivers ==
  
=Fake Information=
+
The drivers can be found under:
 +
<pre>
 +
rekall/tools/linux
 +
rekall/tools/osx
 +
rekall/tools/windows
 +
</pre>
  
* [https://analysis.mitre.org/proceedings/Final_Papers_Files/84_Camera_Ready_Paper.pdf Automatic Detection of Fake File Systems], Neil C. Rowe, International Conference on Intelligence Analysis Methods and Tools, McLean, Virginia, May 2005.
+
=== Linux ===
 +
In rekall RC11 the advanced Linux acquisition tool (LMAP) was added. lmap allows to inject the pmem functionality into existing kernel modules to bypass having to build a pmem kernel module for every different kernel version. See the corresponding DFRWS EU 2014 paper for more information about LMAP.
  
=Feature Extraction and Data Fusion=
+
To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into this directory and run make:
Computer Location Determination Through Geoparsing and Geocoding of
+
<pre>
Extracted Features
+
cd rekall/tools/linux/
http://www2.chadsteel.com:8080/Publications/drive_location2.doc
+
make
<bibtex>
+
</pre>
@inproceedings{garfinkel:cda,
+
  title="Forensic feature extraction and cross-drive analysis",
+
  author="Simson Garfinkel",
+
  booktitle={Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS)},
+
  address = "Lafayette, Indiana",
+
  journal="Digital Investigation",
+
  year=2006,
+
  month=Aug,
+
  url="http://www.dfrws.org/2006/proceedings/10-Garfinkel.pdf",
+
  location="Lafayette, Indiana"
+
}
+
</bibtex>
+
  
=Text Mining=
+
The acquisition driver is named pmem.ko.
  
'''Computer Forensic Text Analysis with Open Source Software,''' Christian Johansson, Masters Thesis, Blekinge Tekniska Hogskola, June 2003  http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf
+
To load the driver:
 +
<pre>
 +
sudo insmod pmem.ko
 +
</pre>
  
=Signed Evidence=
+
To check if the driver is running:
<bibtex>
+
<pre>
@article{duerr-2004,
+
sudo lsmod
  title="Information Assurance Applied to Authentication of Digital Evidence",
+
</pre>
  author="Thomas E. Duerr and Nicholas D. Beser and Gregory P. Staisiunas",
+
  year=2004,
+
  journal="Forensic Science Communications",
+
  volume=6,
+
  number=4,
+
  url="http://www.fbi.gov/hq/lab/fsc/backissu/oct2004/research/2004_10_research01.htm"
+
}
+
</bibtex>
+
  
 +
The driver create a device file named:
 +
<pre>
 +
/dev/pmem
 +
</pre>
  
<bibtex>
+
To unload the driver:
@article{OppligerR03,
+
<pre>
  author    = {Rolf Oppliger and Ruedi Rytz},
+
sudo rmmod pmem
  title    = {Digital Evidence: Dream and Reality},
+
</pre>
  journal  = {IEEE Security {\&} Privacy},
+
  volume    = {1},
+
  number    = {5},
+
  year      = {2003},
+
  pages    = {44-48},
+
  url      = {http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1236234},
+
  abstract="Digital evidence is inherently weak. New evidence-gathering technologies-digital black boxes-must be developed and deployed to support investigations of irreproducible events such as digitally signing a document."
+
}
+
</bibtex>
+
  
=Theory=
+
To read acquire the memory just read from the device file. e.g.
'''A Hypothesis-Based Approach to Digital Forensic Investigations,''' Brian D. Carrier, Ph.D. Dissertation
+
<pre>
Purdue University, May 2006 https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2006-06.pdf
+
dd if=/dev/pmem of=image.raw
 +
</pre>
  
=Other Papers=
+
For more information see:
 +
<pre>
 +
rekall/tools/linux/README
 +
</pre>
  
* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782 A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?], Peter P. Swire, Moritz College of Law of the Ohio State University, Journal on Telecommunications and High Technology Law, Vol. 2, 2004.
+
=== Mac OS X ===
  
[[Category:Bibliographies]]
+
For more information see:
 +
<pre>
 +
rekall/tools/osx/OSXPMem/README
 +
</pre>
 +
 
 +
=== Windows ===
 +
Since recent versions of Windows require a signed driver rekall comes with both pre-built (signed binary) and source versions of the driver.
 +
 
 +
Both the i386 and amd64 binary version of the driver can be found in the directory:
 +
<pre>
 +
rekall/tools/windows/winpmem/binaries
 +
</pre>
 +
 
 +
E.g.
 +
<pre>
 +
rekall/tools/winpmem/binaries/amd64/winpmem.sys
 +
</pre>
 +
 
 +
A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:
 +
<pre>
 +
rekall/tools/winpmem/executables/Release/
 +
</pre>
 +
 
 +
To load the driver:
 +
<pre>
 +
winpmem.exe -l
 +
</pre>
 +
 
 +
The device filename is (This can not be changed without recompiling):
 +
<pre>
 +
\\.\pmem
 +
</pre>
 +
 
 +
Note that running dd directly on this device file can crash the machine.
 +
Use the winpmem.exe tool instead because it handles protected memory regions.
 +
 
 +
To read and acquire the physical memory and write it to image.raw:
 +
<pre>
 +
winpmem.exe image.raw
 +
</pre>
 +
 
 +
To unload the driver:
 +
<pre>
 +
winpmem.exe -u
 +
</pre>
 +
 
 +
For more information see:
 +
<pre>
 +
rekall/tools/windows/README
 +
</pre>
 +
 
 +
== See Also ==
 +
* [[Memory analysis]]
 +
* [[Memory Imaging]]
 +
* [[Volatility]]
 +
 
 +
== External Links ==
 +
* [https://code.google.com/p/rekall/ Project site]
 +
* [http://docs.rekall.googlecode.com/git/index.html Project documentation]
 +
* [http://rekall-forensic.blogspot.com/ Rekall Memory Forensics blog]
 +
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2013.html Anti-forensic resilient memory acquisition]] by [[Johannes Stüttgena]] [[Michael Cohen]], August 2013
 +
* [http://www.rekall-forensic.com/docs/References/Papers/DFRWS2014EU.html Robust Linux memory acquisition with minimal target impact], [[Johannes Stüttgena]] [[Michael Cohen]], May 2014

Revision as of 03:33, 25 June 2014

Rekall
Maintainer: Michael Cohen
OS: Cross-platform
Genre: Memory Analysis,Memory Imaging
License: GPL
Website: code.google.com/p/rekall/

Rekall is the stand-alone continuation of the Volatility Technology Preview (TP) version, aka the scudette branch.

One of Rekalls goals is to provide better integration with GRR by improved modularity of the framework and having memory acquisition capability.[1]

Memory acquisition drivers

The drivers can be found under:

rekall/tools/linux
rekall/tools/osx
rekall/tools/windows

Linux

In rekall RC11 the advanced Linux acquisition tool (LMAP) was added. lmap allows to inject the pmem functionality into existing kernel modules to bypass having to build a pmem kernel module for every different kernel version. See the corresponding DFRWS EU 2014 paper for more information about LMAP.

To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into this directory and run make:

cd rekall/tools/linux/
make

The acquisition driver is named pmem.ko.

To load the driver:

sudo insmod pmem.ko

To check if the driver is running:

sudo lsmod

The driver create a device file named:

/dev/pmem

To unload the driver:

sudo rmmod pmem

To read acquire the memory just read from the device file. e.g.

dd if=/dev/pmem of=image.raw

For more information see:

rekall/tools/linux/README

Mac OS X

For more information see:

rekall/tools/osx/OSXPMem/README

Windows

Since recent versions of Windows require a signed driver rekall comes with both pre-built (signed binary) and source versions of the driver.

Both the i386 and amd64 binary version of the driver can be found in the directory:

rekall/tools/windows/winpmem/binaries

E.g.

rekall/tools/winpmem/binaries/amd64/winpmem.sys

A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:

rekall/tools/winpmem/executables/Release/

To load the driver:

winpmem.exe -l

The device filename is (This can not be changed without recompiling):

\\.\pmem

Note that running dd directly on this device file can crash the machine. Use the winpmem.exe tool instead because it handles protected memory regions.

To read and acquire the physical memory and write it to image.raw:

winpmem.exe image.raw

To unload the driver:

winpmem.exe -u 

For more information see:

rekall/tools/windows/README

See Also

External Links