Difference between pages "Dd rescue" and "Linux Memory Analysis"

From ForensicsWiki

Edit summary of the "Linux Memory Analysis" revision: Linux Memory Analysis Tools: Volatility now has better Linux support; link to SVN

'''Page: Dd rescue'''

{{Infobox_Software |
  name = dd_rescue |
  os = {{Linux}}|
  genre = {{Disk imaging}} |
  license = {{GPL}} |
  website = [http://www.garloff.de/kurt/linux/ddrescue/ www.garloff.de/kurt/linux/ddrescue/]
}}

'''dd_rescue''' is an advanced evolution of [[dd]], a command line program that has been ported only to UNIX/Linux. The program uses a complex series of flags to allow the user to image or write data from and to [[raw image file|raw image files]]. Like [[dcfldd]], the program makes an effort to keep the user apprised of the status of the current operation.

'''[[ddrescue]]''' and '''dd_rescue''' are completely different programs which share no development between them. The two projects are not related in any way except that they both attempt to enhance the standard [[dd]] tool and coincidentally chose similar names for their new programs.

== Sample usage ==

Here is a common dd_rescue command:

'''UNIX/Linux'''

<pre>$ dd_rescue /dev/hda myfile.img</pre>

== Cautions ==

Unlike regular [[dd]], dd_rescue does not use the command line arguments <tt>if</tt> or <tt>of</tt>.

== See also ==

* [[aimage]]
* [[Blackbag]]
* [[dcfldd]]
* [[dd]]
* [[ddrescue]]
* [[sdd]]

'''Page: Linux Memory Analysis'''

==Linux Memory Analysis Tools==

Research Projects:

* The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Publication Date: 2006; Availability/License: not available)

Open Source Projects:

* The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. Support for Linux is experimental, but available from Subversion in the [http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2Flinux-support linux-support branch]. (Availability/License: GNU GPL)
* [http://hysteria.sk/~niekt0/foriana/ Foriana] is a tool for the extraction of information such as the process and module lists from a RAM image, using logical relations between OS structures. (Availability/License: GNU GPL)
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
* [http://code.google.com/p/volatilitux/ Volatilitux] is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL)

Commercial Products:

* [http://pikewerks.com/sl/ Second Look] from [http://www.pikewerks.com Pikewerks Corporation] can analyze live memory or stored snapshots (physical memory images). It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system. It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views. An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels. As of November 2010, it supports x86 and x86_64 targets running kernels 2.6.8 to 2.6.35. (Availability/License: commercial)

==Linux Memory Analysis Challenges==

* The [[Digital Forensic Research Workshop]] [http://dfrws.org/2008/challenge/index.shtml 2008 Forensics Challenge] focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
* [http://communaute.sstic.org/ChallengeSSTIC2010 Challenge SSTIC 2010] (French) dealt with analysis of physical memory from a mobile device running Android.

==Linux Memory Analysis Bibliography==

* [http://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
* [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.
* [http://www.dfrws.org/2010/proceedings/2010-305.pdf Treasure and tragedy in kmem_cache mining for live forensics investigation] by Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III; Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010. [http://www.dfrws.org/2010/proceedings/richard2.pdf (Presentation)]
* [http://pikewerks.com/_datasheets/secondlook.pdf Second Look Datasheet]

Volatility Mailing List Threads on Support for Linux:

* http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
* http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112

Revision as of 19:52, 7 March 2011
