Difference between pages "Setting up a Flash Emulator" and "GRR"

From Forensics Wiki
= GRR =

(Revision as of 14:20, 12 January 2014)

{{Infobox_Software |
  name = GRR |
  maintainer = [[Darren Bilby]] and others |
  os = {{Cross-platform}} |
  genre = {{Incident response}} |
  license = {{APL}} |
  website = [https://code.google.com/p/grr/ code.google.com/p/grr/] |
}}

GRR (GRR Rapid Response) is an Incident Response Framework focused on Remote Live Forensics.

== See also ==
* [[Rekall]]

== External Links ==
* [https://code.google.com/p/grr/ Project site]
* [https://code.google.com/p/grr/wiki/ProjectFAQ Project FAQ]
* [http://grr.googlecode.com/git/docs/index.html Documentation]

== Publications ==
* [http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/37237.pdf Distributed forensics and incident response in the enterprise], by [[Michael Cohen]], [[Darren Bilby]], G. Caronni. Digital Investigation, 2011.
* [https://googledrive.com/host/0B9hc84IflFGbN2IwMTUyYTUtMTU0Mi00ZWQ3LWFhNDktM2IyMTg5MmY3OWI0/Hunting%20in%20the%20Enterprise:%20Forensic%20Triage%20and%20Incident%20Response Hunting in the enterprise: Forensic triage and incident response], by [[Andreas Moser]], [[Michael Cohen]]. Digital Investigation, 2013.

== Presentations ==
* [https://googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Docs/GRR%20Rapid%20Response%20-%20OSFC%202012.pdf OSDFC 2012 GRR Overview], by [[Darren Bilby]]

== Workshops ==
* [https://drive.google.com/?usp=chrome_app#folders/0B1wsLqFoT7i2eU1jU0JldW9JUU0 OSDFC workshop 2013], by [[Darren Bilby]]

= Setting up a Flash Emulator =

Experiments with flash file system forensics can be done usefully on an emulated flash chip instead of real hardware. The Linux MTD subsystem provides two such emulators: mtdram, which keeps the "contents" of a simulated chip in RAM, and block2mtd, which backs the chip with a block device such as a loop-attached image file. Either device can be dumped to an ordinary disk file, and JFFS2 or YAFFS can be mounted on top of it. Follow these instructions.

First, you need to have MTD working. Load the modules (note the -a: without it modprobe treats every name after the first as a parameter for that module) and check that the devices appeared:

    modprobe -a mtd jffs2 mtdram mtdchar mtdblock
    cat /proc/mtd

We will use the RAM MTD device (mtdram; by default a 4 MiB chip with 128 KiB erase blocks, adjustable with total_size= and erase_size=, both in KiB), and then dump it into a file to get the results. The device numbers used below (mtdblock0 for JFFS2, mtd1 for YAFFS) are simply the indices the kernel assigned when the page was written; check /proc/mtd and substitute the ones you actually get.

===JFFS2===

(from http://wiki.openmoko.org/wiki/Userspace_root_image)

Build a JFFS2 image of a directory tree, attach it to a loop device, expose the loop device as an MTD device with block2mtd, and mount it read-only. The erase size given to block2mtd must match the -e value the image was built with (131072 = 0x20000 below, matching the GTA02 line):

<pre>
mkfs.jffs2 --pad=0x700000 -o rootfs.jffs2 -e 0x4000 -n -d /tmp/jffsroot/  # for GTA01? (16 KiB erase blocks; then use block2mtd=$loop,16384)
mkfs.jffs2 --pad=0x700000 -o rootfs.jffs2 -e 0x20000 -n -d /tmp/jffsroot/ # for GTA02 (128 KiB erase blocks)

export loop=$(losetup -f)            # first free loop device
losetup $loop rootfs.jffs2
modprobe block2mtd block2mtd=$loop,131072
modprobe jffs2
modprobe mtdblock
# check /proc/mtd for the index block2mtd received; mtdblock0 is assumed here
mkdir /mnt/jffs2
mount -t jffs2 -o ro /dev/mtdblock0 /mnt/jffs2
</pre>

===YAFFS===

Erase and zero the RAM device, mount a YAFFS file system on it, make the changes you want to study, unmount, and dump the whole chip to a file. The 16777216-byte (16 MiB) length assumes mtdram was loaded with total_size=16384; with the default 4 MiB chip the write and read fail, so take the size from /proc/mtd:

<pre>
flash_eraseall /dev/mtd1                          # deprecated in newer mtd-utils; flash_erase /dev/mtd1 0 0 erases the whole device
mtd_debug write /dev/mtd1 0 16777216 /dev/zero
mount /dev/mtdblock1 /mnt/yaffs                   # add -t yaffs2 (or -t yaffs for YAFFS1) if mount cannot detect the type
# do something: create, modify and delete files under /mnt/yaffs
umount /mnt/yaffs
mtd_debug read /dev/mtd1 0 16777216 mtd-output    # writes to the file mtd-output
</pre>
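The procedure above hard-codes /dev/mtdblock0 and /dev/mtd1, which is only right if the modules were loaded in one particular order. The script below is an added example, not code from the Forensics Wiki page or from the MTD project: it looks every device number up by name in /proc/mtd, defines the erase size once so mkfs.jffs2 and block2mtd cannot disagree, sizes mtdram for the 16 MiB dump, and hashes each dump. The /proc/mtd sample embedded in it is constructed; the file names, mount points and the `flash_emu.sh` name in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Forensics Wiki page or the MTD project. The page
# hard-codes /dev/mtdblock0 and /dev/mtd1; here every device number is looked
# up by name in /proc/mtd, the erase size is defined once so mkfs.jffs2 and
# block2mtd cannot disagree, and each dump is hashed for the case notes.
# The setup/dump functions need root and the modules named on the page; the
# two /proc/mtd parsers run anywhere.

# /proc/mtd as the kernel prints it (constructed sample, not a real capture).
SAMPLE_PROC_MTD='dev:    size   erasesize  name
mtd0: 01000000 00020000 "mtdram test device"
mtd1: 00700000 00020000 "block2mtd: /dev/loop0"'

# mtd_index <name-regex> [procfile]: N of the first mtdN whose quoted name matches
mtd_index() {
    awk -v want="$1" -F'"' \
        '$2 ~ want { sub(/:.*/, "", $1); sub(/^mtd/, "", $1); print $1; exit }' \
        "${2:-/proc/mtd}"
}

# mtd_field <name-regex> size|erasesize [procfile]: that column in decimal bytes
mtd_field() {
    hex=$(awk -v want="$1" -v f="$2" -F'"' \
        '$2 ~ want { split($1, a, /[ \t]+/); i = (f == "size") ? 2 : 3; print a[i]; exit }' \
        "${3:-/proc/mtd}")
    [ -n "$hex" ] && printf '%d\n' "0x$hex"
}

# 131072 = 0x20000 = 128 KiB, the -e value of the page's GTA02 line (0x4000 for GTA01).
# mkfs.jffs2 and block2mtd both take it from here.
JFFS2_ERASE=131072

# setup_jffs2 <dir> <image> <mountpoint>: image -> loop device -> block2mtd -> read-only mount
setup_jffs2() {
    mkfs.jffs2 --pad=0x700000 -e "$JFFS2_ERASE" -n -d "$1" -o "$2" || return 1
    loop=$(losetup -f --show "$2") || return 1    # --show prints the loop device it picked
    modprobe -a jffs2 mtdblock                    # -a: otherwise the 2nd name is taken as a parameter
    modprobe block2mtd "block2mtd=$loop,$JFFS2_ERASE"
    idx=$(mtd_index "block2mtd: $loop")
    [ -n "$idx" ] || { echo "block2mtd device for $loop not in /proc/mtd" >&2; return 1; }
    mkdir -p "$3" && mount -t jffs2 -o ro "/dev/mtdblock$idx" "$3"
}

# setup_mtdram: RAM-backed chip sized for the page's 16 MiB YAFFS dump; mtdram takes
# total_size and erase_size in KiB. Prints the index the kernel assigned.
setup_mtdram() {
    modprobe -a mtd mtdchar mtdblock
    modprobe mtdram total_size=16384 erase_size=128
    mtd_index "mtdram test device"
}

# dump_mtd <name-regex> <outfile>: read the whole emulated chip out and hash the dump
dump_mtd() {
    idx=$(mtd_index "$1")
    [ -n "$idx" ] || { echo "no MTD device matching '$1'" >&2; return 1; }
    size=$(mtd_field "$1" size)
    mtd_debug read "/dev/mtd$idx" 0 "$size" "$2" && sha256sum "$2"
}

# Walk-through, run only when asked for explicitly as root (file name assumed):
#   sh flash_emu.sh jffs2 /tmp/jffsroot rootfs.jffs2 /mnt/jffs2
#   sh flash_emu.sh ram mtd-output        (load mtdram, then dump it)
if [ "$(id -u)" = 0 ]; then
    case "${1:-}" in
        jffs2) setup_jffs2 "$2" "$3" "$4" && dump_mtd "block2mtd" "$3.dump" ;;
        ram)   setup_mtdram >/dev/null && dump_mtd "mtdram test device" "$2" ;;
    esac
fi
```

The two parsers are the part worth keeping even if the rest is typed by hand: `mtd_index "block2mtd"` and `mtd_field "mtdram" size` replace the guessed `mtdblock0`/`mtd1` and `16777216` with whatever the running kernel actually reports, which is what makes the dump length and the device under the mount point agree.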
