Difference between pages "Cell Phone Forensics" and "Tools:Memory Imaging"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Adding & Updating links, cleaning up, and alphabetizing)
 
m (Windows Software)
 
Line 1: Line 1:
== Guidelines ==
+
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Once memory has been imaged, it is subjected to [[memory analysis]] to ascertain the state of the system, extract artifacts, and so on.
  
# If on, switch it off. If off, leave off.  
+
One of the most vexing problems for memory imaging is verifying that the image has been created correctly.  That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never--to a high degree of probability--be the same.  Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation.  [[Memory analysis]] can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question as to whether the image accurately reflects the system from which it was taken at the time it was taken.
  
#* Note only under exceptional circumstances should the handset be left switched on and in any case every precaution to prevent the handset connecting with the Communication Service Provider should be made. Consider use of one of many [[wireless preservation]] or [[RF isolation]] techniques. Note that the slightest signal leakage will allow an overwriting text message through even if a phone call can't get through.
+
== Memory Imaging Techniques ==
  
#* Instead of switching off, it may be better to remove the battery. Phones run a different part of their program when they are turned off. You may wish to avoid having this part of the program run.  
+
; Crash Dumps
 +
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
 +
; LiveKd Dumps
 +
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
 +
; Hibernation Files
 +
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
 +
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
 +
; Firewire
 +
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
 +
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
 +
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
 +
: The [http://goldfish.ae Goldfish] tool automates this exploit for investigators needing to analyze the memory of a Mac.
 +
; Virtual Machine Imaging
 +
: There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for obtaining a memory image. The common method is to pause/suspend/stop the system and then collect the resulting memory image file, this has the disadvantage of taking the machine offline during the suspend time. Alternatively most of these systems support live dumping of a memory image. [http://www.qemu.org Qemu ] supports the pmemsave function, [http://www.xen.org Xen] has the xm dump-core command.
  
#* Note that removing the battery or powering off a mobile phone may introduce a handset unlock code upon powering the device on.
+
== Memory Imaging Tools ==
 +
===x86 Hardware===
  
# Collect and preserve other surrounding and related devices. Be especially careful to collect the power charger. The phone's battery will only last a certain amount of time. When it dies, much of the data on the device may go too!
+
; Tribble PCI Card (research project)
+
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
# Plug the phone in, preferably in the evidence room, as soon as possible.
+
# Retain [[search warrant]] (if necessary - [[LE]]).
+
# Return device to forensic lab if able.
+
# Use [[forensically sound]] tools for processing. However, also remember ACPO Principle 2 says: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
+
  
== Notes ==
+
; CoPilot by Komoku
 +
: Komoku was acquired by Microsoft and the card was not made publicly available.
  
Expand on as to what to collect:
+
; Forensic RAM Extraction Device (FRED) by BBN
 +
: Not publicly available. http://www.ir.bbn.com/~vkawadia/
  
* [[ESN]],
+
===[[Windows]] Software===
* [[IMEI]],
+
; winen.exe (Guidance Software - included with Encase 6.11 and higher)
* [[Carrier]],
+
: included on [http://www.e-fense.com/helix/ Helix 2.0]
* Manufacturer,
+
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
* Model Number,
+
* Color, and
+
* Other information related to [[Cell Phone]] and [[SIM Card]]...
+
  
Process:
+
; [[WinDD]]
# Photograph the [[Cell Phone]] screen during power up.
+
: included on [http://www.e-fense.com/helix/ Helix 2.0]
# Research the [[Cell Phone]] for technical specifications.  
+
: http://windd.msuiche.net/
# Research the [[Cell Phone]] for forensic information.  
+
: http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/
# Based on phone type [[GSM]], [[CDMA]], [[iDEN]], or [[Pay As You Go]] determine acquisition tools
+
  
GSM:
+
; [[Mdd]] (Memory DD) ([[ManTech]])
# Phone and SIM Card
+
: included on [http://www.e-fense.com/helix/ Helix 2.0]
# SIM Card
+
: http://sourceforge.net/projects/mdd
  
CDMA:
+
; F-Response with FTK imager, dd, Encase, WinHex, etc
# Phone
+
: Beta 2.03 provides remote access to memory that can be acquired using practically any standard imaging tool
 +
: http://www.f-response.com/index.php?option=com_content&task=view&id=79&Itemid=2
  
iDEN:
+
; MANDIANT Memoryze
# Three major tools exist for iDEN Phones:
+
: Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
* iDEN Companion Pro
+
: http://www.mandiant.com/software/memoryze.htm
* iDEN Media Downloader
+
* iDEN Phonebook Manager
+
  
Pay As You Go:
+
; [[Kntdd]]
# Phone
+
: http://www.gmgsystemsinc.com/knttools/
  
== External Links ==
+
; [[dd]]
 +
: On [[Microsoft Windows]] systems, [[dd]] can be used by an Administrator user to image memory using the ''\Device\Physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.
  
Articles and Reference Materials
+
; Windows Memory Forensic Toolkit (WMFT)
*[http://esm.cis.unisa.edu.au/new_esml/resources/publications/forensic%20analysis%20of%20mobile%20phones.pdf Forensic Analysis of Mobile Phones]
+
: http://forensic.seccure.net/
*[http://www.ijde.org/docs/03_spring_art1.pdf Forensics and the GSM Mobile Telephone System]
+
: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
*[http://www.cl.cam.ac.uk/~fms27/persec-2006/goodies/2006-Naccache-forensic.pdf Law Enforcement, Forensics and Mobile Communications]
+
*[http://www.forensics.nl/mobile-pda-forensics Mobile Phone Forensics & PDA Forensics Links]
+
*[http://www.holmes.nl/MPF/FlowChartForensicMobilePhoneExamination.htm Netherlands Forensic Institute: Mobile Phone Forensics Examination - Basic Workflow and Preservation]
+
*[http://csrc.nist.gov/mobilesecurity/publications.html#MF U.S. National Institute of Standards and Technology Documents]
+
  
 +
; Nigilant32
 +
: http://www.agilerm.net/publications_4.html
  
Investigative Support
+
;[[HBGary]]: Fastdump and Fastdump Pro
*[http://www.forensicfocus.com ForensicFocus.com(Practitioners Forum)]
+
:http://www.hbgary.com
*[http://www.hex-dump.com Hex-Dump.com(Advanced Forum for Hex Dump and Memory Analysis)]
+
:[[Fastdump]] (free with registration) Can acquire physical memory on Windows 2000 through Windows XP 32 bit but not Windows 2003 or Vista.
*[http://www.Mobile-Examiner.com Mobile-Examiner.com (Forum for Practitioners)]
+
:[[Fastdump Pro]] Can acquire physical memory on Windows 2000 through Windows 2008, all service packs. Additionally, Fastdump Pro supports:
*[http://www.Mobile-Forensics.com Mobile-Forensics.com (Research Forum for Mobile Device Forensics)]
+
:-32 bit and 64 bit architectures
*[http://www.mfi-training.com Mobile Forensics Training Forum (Mobile Device Investigative Support and Training)]
+
:-Acquisitions of greater than 4GB
*[http://www.SmartPhoneForensics.com SmartPhoneForensics.com (Mobile Device Forensics Training and Investigative Support)]
+
:-Fast acquisitions through the use of larger page sizes (1024KB) but also supports a strict mode that enforces 4KB page sizes.
*[http://www.Phone-Forensics.com Phone-Forensics.com (Advanced Forum for Practitioners)]
+
:-Process probing which allows for a more complete memory image of a process of interest.
*[http://trewmte.blogspot.com TREW Mobile Telephone Evidence (Mobile Telephone Evidence Practitioner Site)]
+
:-Acquisition of the system page file during physical memory acquisition. This allows for a more complete memory analysis.
  
Phone Research
+
;[[FTK Imager]]: FTK Imager
*[http://www.GSMArena.com GSMArena.com (Technical information regarding GSM Cell Phones)]
+
:http://accessdata.com/support/adownloads#FTKImager
*[http://www.MobileForensicsCentral.com MobileForensicsCentral.com (Information regarding Cell Phone Forensic Applications)]
+
:FTK Imager can acquire live memory and paging file on 32bit and 64bit systems.
*[http://www.PhoneScoop.com PhoneScoop.com (Technical information regarding all Cell Phones)]
+
 
 +
===Linux/Unix===
 +
;[[dd]]
 +
: On Unix systems, the program [[dd]] can be used to capture the contents of [[physical memory]] using a device file (e.g. <tt>/dev/mem</tt> and <tt>/dev/kmem</tt>).  In recent Linux kernels, /dev/kmem is no longer available.  In even more recent kernels, /dev/mem has additional restrictions.  And in the most recent, /dev/mem is no longer available by default, either.  Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files.  See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.  On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash"). This module can also be compiled for any system with minor effort, see http://gleeda.blogspot.com/2009/08/devcrash-driver.html. Note that acquisition from the resulting /dev/crash driver needs significant testing as reading the wrong segments of memory such as PCI or BIOS mapped memory can easily lead to hung systems.
 +
;[http://www.pikewerks.com/sl/ Second Look]
 +
: This commercial memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA or over the network.  It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
 +
; Idetect (Linux)
 +
: http://forensic.seccure.net/
 +
;[http://hysteria.sk/~niekt0/foriana/fmem_current.tgz fmem] (Linux)
 +
: fmem is kernel module, that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.
 +
 
 +
===Mac OS X===
 +
;[http://goldfish.ae Goldfish]
 +
:Goldfish is a [[Mac OS X]] live forensic tool for use only by law enforcement. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a [[Firewire]] connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law Enforcement may contact [http://goldfish.ae goldfish.ae] for download information.
 +
;[http://cybermarshal.atc-nycorp.com/index.php/cyber-marshal-utilities/mac-memory-reader Mac Memory Reader]
 +
:Mac Memory Reader is a simple command-line utility to capture the contents of physical RAM.  Results are stored in a Mach-O binary file.  Mac Memory Reader is available free of charge.  It executes directly on 32- and 64-bit target machines running Mac OS X 10.4, 10.5, or 10.6 and requires a PowerPC G4 or newer, or any Intel processor.
 +
 
 +
===Virtual===
 +
; Qemu
 +
: Qemu allows you to dump the memory of a running image using pmemsave.
 +
: e.g. pmemsave 0 0x20000000 /tmp/dumpfile
 +
; Xen
 +
: Xen allows you to live dump the memory of a guest domain using the dump-core command.
 +
: You can list the available machines to find the host machine you care about using xm list and see the configuration.
 +
: Dumping is a matter of sudo xm dump-core -L /tmp/dump-core-6 6
 +
 
 +
==See Also==
 +
* [[Windows Memory Analysis]]
 +
* [[Linux Memory Analysis]]
 +
* http://blogs.23.nu/RedTeam/0000/00/antville-5201/
 +
* http://www.storm.net.nz/projects/16
 +
* http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf
 +
 
 +
== External Links ==
 +
* [http://www.syngress.com/book_catalog/sample_159749156X.PDF  Windows Memory Analysis (Sample Chapter)]
  
Training
+
[[Category:Tools]]
*[http://www.Mobile-Forensics.com Mobile-Forensics.com (Research Forum for Mobile Device Forensics)]
+
*[http://www.mobileforensicstraining.com Mobile Forensics Training (Mobile Forensics Inc. Training Class site)]
+
*[http://www.paraben-training.com/training.html Paraben-Forensics.com (Paraben's Handheld Forensic Training Classes)]
+
*[http://www.SmartPhoneForensics.com SmartPhoneForensics.com (Mobile Device Forensics Training and Investigative Support)]
+

Revision as of 21:26, 25 May 2011

The physical memory of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between operating systems, these tools are listed by operating system. Once memory has been imaged, it is subjected to memory analysis to ascertain the state of the system, extract artifacts, and so on.

One of the most vexing problems for memory imaging is verifying that the image has been created correctly. That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never--to a high degree of probability--be the same. Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation. Memory analysis can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question as to whether the image accurately reflects the system from which it was taken at the time it was taken.

Memory Imaging Techniques

Crash Dumps
When configured to create a full memory dump, Windows operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. Andreas Schuster has a blog post describing this technique.
LiveKd Dumps
The Sysinternals tool LiveKd can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
Hibernation Files
Windows 98, 2000, XP, 2003, and Vista support a feature called hibernation that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of physical memory, is written to the disk on the system drive, usually C:, as hiberfil.sys. This file can be parsed and decompressed to obtain the memory image. Once hiberfil.sys has been obtained, Sandman can be used to convert it to a dd image.
Mac OS X very kindly creates a file called /var/vm/sleepimage on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on File Vault and enables Secure Virtual Memory. [1].
Firewire
It is possible for Firewire or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
At CanSec West 05, Michael Becher, Maximillian Dornseif, and Christian N. Klein discussed an exploit which uses DMA to read arbitrary memory locations of a firewire-enabled system. The paper lists more details. The exploit is run on an iPod running Linux. This can be used to grab screen contents.
This technique has been turned into a tool that you can download from: http://www.storm.net.nz/projects/16
The Goldfish tool automates this exploit for investigators needing to analyze the memory of a Mac.
Virtual Machine Imaging
There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for obtaining a memory image. The common method is to pause/suspend/stop the system and then collect the resulting memory image file, this has the disadvantage of taking the machine offline during the suspend time. Alternatively most of these systems support live dumping of a memory image. Qemu supports the pmemsave function, Xen has the xm dump-core command.

Memory Imaging Tools

x86 Hardware

Tribble PCI Card (research project)
http://www.digital-evidence.org/papers/tribble-preprint.pdf
CoPilot by Komoku
Komoku was acquired by Microsoft and the card was not made publicly available.
Forensic RAM Extraction Device (FRED) by BBN
Not publicly available. http://www.ir.bbn.com/~vkawadia/

Windows Software

winen.exe (Guidance Software - included with Encase 6.11 and higher)
included on Helix 2.0
http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
WinDD
included on Helix 2.0
http://windd.msuiche.net/
http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/
Mdd (Memory DD) (ManTech)
included on Helix 2.0
http://sourceforge.net/projects/mdd
F-Response with FTK imager, dd, Encase, WinHex, etc
Beta 2.03 provides remote access to memory that can be acquired using practically any standard imaging tool
http://www.f-response.com/index.php?option=com_content&task=view&id=79&Itemid=2
MANDIANT Memoryze
Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
http://www.mandiant.com/software/memoryze.htm
Kntdd
http://www.gmgsystemsinc.com/knttools/
dd
On Microsoft Windows systems, dd can be used by an Administrator user to image memory using the \Device\Physicalmemory object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.
Windows Memory Forensic Toolkit (WMFT)
http://forensic.seccure.net/
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
Nigilant32
http://www.agilerm.net/publications_4.html
HBGary
Fastdump and Fastdump Pro
http://www.hbgary.com
Fastdump (free with registration) Can acquire physical memory on Windows 2000 through Windows XP 32 bit but not Windows 2003 or Vista.
Fastdump Pro Can acquire physical memory on Windows 2000 through Windows 2008, all service packs. Additionally, Fastdump Pro supports:
-32 bit and 64 bit architectures
-Acquisitions of greater than 4GB
-Fast acquisitions through the use of larger page sizes (1024KB) but also supports a strict mode that enforces 4KB page sizes.
-Process probing which allows for a more complete memory image of a process of interest.
-Acquisition of the system page file during physical memory acquisition. This allows for a more complete memory analysis.
FTK Imager
FTK Imager
http://accessdata.com/support/adownloads#FTKImager
FTK Imager can acquire live memory and paging file on 32bit and 64bit systems.

Linux/Unix

dd
On Unix systems, the program dd can be used to capture the contents of physical memory using a device file (e.g. /dev/mem and /dev/kmem). In recent Linux kernels, /dev/kmem is no longer available. In even more recent kernels, /dev/mem has additional restrictions. And in the most recent, /dev/mem is no longer available by default, either. Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/. On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash"). This module can also be compiled for any system with minor effort, see http://gleeda.blogspot.com/2009/08/devcrash-driver.html. Note that acquisition from the resulting /dev/crash driver needs significant testing as reading the wrong segments of memory such as PCI or BIOS mapped memory can easily lead to hung systems.
Second Look
This commercial memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA or over the network. It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
Idetect (Linux)
http://forensic.seccure.net/
fmem (Linux)
fmem is kernel module, that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.

Mac OS X

Goldfish
Goldfish is a Mac OS X live forensic tool for use only by law enforcement. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a Firewire connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Law Enforcement may contact goldfish.ae for download information.
Mac Memory Reader
Mac Memory Reader is a simple command-line utility to capture the contents of physical RAM. Results are stored in a Mach-O binary file. Mac Memory Reader is available free of charge. It executes directly on 32- and 64-bit target machines running Mac OS X 10.4, 10.5, or 10.6 and requires a PowerPC G4 or newer, or any Intel processor.

Virtual

Qemu
Qemu allows you to dump the memory of a running image using pmemsave.
e.g. pmemsave 0 0x20000000 /tmp/dumpfile
Xen
Xen allows you to live dump the memory of a guest domain using the dump-core command.
You can list the available machines to find the host machine you care about using xm list and see the configuration.
Dumping is a matter of sudo xm dump-core -L /tmp/dump-core-6 6

See Also

External Links