
Difference between pages "Dd rescue" and "Linux Memory Analysis"

= Dd rescue =

{{Infobox_Software |
  name = dd_rescue |
  os = {{Linux}}|
  genre = {{Disk imaging}} |
  license = {{GPL}} |
  website = [http://www.garloff.de/kurt/linux/ddrescue/ www.garloff.de/kurt/linux/ddrescue/]
}}

'''dd_rescue''' is an advanced evolution of [[dd]], a command line program that has been ported only to UNIX/Linux. The program uses a complex series of flags to allow the user to image or write data from and to [[raw image file|raw image files]]. Like [[dcfldd]], the program makes an effort to keep the user apprised of the status of the current operation.

'''[[ddrescue]]''' and '''dd_rescue''' are completely different programs which share no development between them. The two projects are not related in any way except that they both attempt to enhance the standard [[dd]] tool and coincidentally chose similar names for their new programs.

== Sample usage ==

Here is a common dd_rescue command:

'''UNIX/Linux'''

<pre>$ dd_rescue /dev/hda myfile.img</pre>

== Cautions ==

Unlike regular [[dd]], dd_rescue does not use the command line arguments <tt>if</tt> or <tt>of</tt>.

== See also ==

* [[aimage]]
* [[Blackbag]]
* [[dcfldd]]
* [[dd]]
* [[ddrescue]]
* [[sdd]]

= Linux Memory Analysis =

==Linux Memory Analysis Tools==

Research Projects:

* The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Publication Date: 2006; Availability/License: not available)

Open Source Projects:

* The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. Support for Linux is experimental, but available from Subversion in the [http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2Flinux-support linux-support branch]. (Availability/License: GNU GPL)
* [http://hysteria.sk/~niekt0/foriana/ Foriana] is a tool for the extraction of information such as the process and module lists from a RAM image using logical relations between OS structures. (Availability/License: GNU GPL)
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
* [http://code.google.com/p/volatilitux/ Volatilitux] is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL)

Commercial Products:

* [http://pikewerks.com/sl/ Second Look] from [http://www.pikewerks.com Pikewerks Corporation] can analyze live memory or stored snapshots (physical memory images). It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system. It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views. An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels. As of November 2010, it supports x86 and x86_64 targets running kernels 2.6.8 to 2.6.35. (Availability/License: commercial)

==Linux Memory Analysis Challenges==

* The [[Digital Forensic Research Workshop]] [http://dfrws.org/2008/challenge/index.shtml 2008 Forensics Challenge] focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
* [http://communaute.sstic.org/ChallengeSSTIC2010 Challenge SSTIC 2010] (French) dealt with analysis of physical memory from a mobile device running Android.

==Linux Memory Analysis Bibliography==

* [http://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
* [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.
* [http://www.dfrws.org/2010/proceedings/2010-305.pdf Treasure and tragedy in kmem_cache mining for live forensics investigation] by Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III; Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010. [http://www.dfrws.org/2010/proceedings/richard2.pdf (Presentation)]
* [http://pikewerks.com/_datasheets/secondlook.pdf Second Look Datasheet]

Volatility Mailing List Threads on Support for Linux:

* http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
* http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112

Revision as of 23:52, 7 March 2011 (edit summary: Linux Memory Analysis Tools: Volatility now has better Linux support; link to SVN)
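The tools listed under Linux Memory Analysis Tools recover process and module lists from a RAM image by following the logical relations between kernel structures (the wording the page uses for Foriana), and rootkit detection of the kind Second Look is described as doing relies on comparing what those linked structures claim against what memory actually contains. The Python below is an added illustration of that cross-view idea; it is not code from ForensicsWiki, Volatility, Foriana, Draugr, Volatilitux or Second Look. It walks a circular task list from a known init_task address (pslist style), carves every task record by signature (psscan style), and reports records the list never reaches. The 32-byte record layout, the "TASK" signature, the addresses and the process names are all constructed for the example; real task_struct offsets depend on the kernel build and are what the tools' profiles supply.

```python
"""
Cross-view process listing on a constructed memory image.

Added illustration; not code from ForensicsWiki or any tool on the page.
The record layout below is made up: real task_struct offsets come from the
kernel build and are described by a tool's profile or System.map.
"""
import struct

TASK_MAGIC = b"TASK"       # constructed signature marking a task record
TASK_FMT = "<4sI16sII"     # magic, pid, comm[16], tasks.next, tasks.prev (all constructed)
TASK_SIZE = struct.calcsize(TASK_FMT)   # 32 bytes


def build_image(linked, hidden, image_size=4096, init_off=0x100):
    """Write one record per process into a constructed image.  `linked`
    processes are chained into the circular list anchored at init_off;
    `hidden` ones are present in memory but unlinked, as after list_del_init()."""
    img = bytearray(image_size)
    offs = [init_off + i * TASK_SIZE for i in range(len(linked) + len(hidden))]
    n = len(linked)
    for i, (pid, comm) in enumerate(linked):
        struct.pack_into(TASK_FMT, img, offs[i], TASK_MAGIC, pid, comm.encode(),
                         offs[(i + 1) % n], offs[(i - 1) % n])
    for j, (pid, comm) in enumerate(hidden):
        off = offs[n + j]
        struct.pack_into(TASK_FMT, img, off, TASK_MAGIC, pid, comm.encode(), off, off)
    return bytes(img), init_off


def read_task(image, off):
    """Decode the record at `off`, refusing anything outside the image or
    without the signature (a wild pointer on a smeared or corrupted image)."""
    if off < 0 or off + TASK_SIZE > len(image):
        raise ValueError(f"pointer {off:#x} leaves the image")
    magic, pid, comm, nxt, prv = struct.unpack_from(TASK_FMT, image, off)
    if magic != TASK_MAGIC:
        raise ValueError(f"no task record at {off:#x}")
    return {"off": off, "pid": pid, "comm": comm.rstrip(b"\0").decode(),
            "next": nxt, "prev": prv}


def walk_task_list(image, init_off, max_tasks=100000):
    """pslist style: follow tasks.next from init_task until the list wraps.
    Each hop checks that next->prev points back at us, so a broken or
    tampered list stops the walk instead of being reported as truth."""
    tasks, off = [], init_off
    for _ in range(max_tasks):
        t = read_task(image, off)
        tasks.append(t)
        if read_task(image, t["next"])["prev"] != off:
            raise ValueError(f"broken back-pointer at {t['next']:#x}")
        off = t["next"]
        if off == init_off:
            return tasks
    raise ValueError("task list did not wrap around to init_task")


def scan_tasks(image, stride=4):
    """psscan style: carve every record that carries the signature,
    whether or not anything still points at it."""
    return [read_task(image, off)
            for off in range(0, len(image) - TASK_SIZE + 1, stride)
            if image[off:off + 4] == TASK_MAGIC]


def find_hidden(image, init_off):
    """Cross view: records the scan finds but the list walk never reaches."""
    listed = {t["off"] for t in walk_task_list(image, init_off)}
    return [(t["pid"], t["comm"]) for t in scan_tasks(image) if t["off"] not in listed]


# Constructed sample: four linked processes and one unlinked record.
SAMPLE_LINKED = [(0, "swapper"), (1, "init"), (512, "sshd"), (777, "bash")]
SAMPLE_HIDDEN = [(1337, "kmod_hidden")]

if __name__ == "__main__":
    image, init_off = build_image(SAMPLE_LINKED, SAMPLE_HIDDEN)
    for t in walk_task_list(image, init_off):
        print(f"pslist  {t['pid']:>5}  {t['comm']}")
    for pid, comm in find_hidden(image, init_off):
        print(f"HIDDEN  {pid:>5}  {comm}")
```

The back-pointer check in walk_task_list is the part worth keeping when adapting this to a real profile: a walk that trusts every next pointer will happily follow a corrupted list into unrelated memory, whereas stopping on the first inconsistency tells the analyst exactly where the structure stopped agreeing with itself.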
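For the dd_rescue page above, the following Python is an added illustration of what "rescue" imaging does that plain dd does not; it is not dd_rescue's source and not code from ForensicsWiki. It follows dd_rescue's documented soft/hard block size approach, which the page does not describe: reads use a large block size while they succeed, a read error makes the copier retry the same region one sector at a time, each sector that still cannot be read is logged and zero-filled in the output so image offsets stay aligned with the source, and the written image is hashed. Source and target are passed positionally, as in the page's `dd_rescue /dev/hda myfile.img`, rather than with dd's `if`/`of`. The FlakyDevice class is a constructed in-memory stand-in for a failing disk, and the sample data and bad-sector numbers are made up.

```python
"""
Error-tolerant imaging in the spirit of dd_rescue.

Added illustration; not dd_rescue's code and not from ForensicsWiki.
FlakyDevice is a constructed stand-in for a disk with unreadable sectors.
"""
import errno
import hashlib
import io

SECTOR = 512


class FlakyDevice:
    """Constructed 'device': read() fails with EIO if the request touches a bad sector."""

    def __init__(self, data, bad_sectors):
        self.data, self.bad, self.pos = data, set(bad_sectors), 0

    def seek(self, pos):
        self.pos = pos

    def read(self, n):
        n = min(n, len(self.data) - self.pos)
        first, last = self.pos // SECTOR, (self.pos + n - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(errno.EIO, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


def rescue_copy(src, size, dst, soft_bs=64 * 1024, hard_bs=SECTOR):
    """Copy `size` bytes of src to dst.  Returns (bad_offsets, sha256_hex):
    bad_offsets is the start of every hard block that stayed unreadable."""
    bad, pos, bs, good_hard = [], 0, soft_bs, 0
    digest = hashlib.sha256()
    while pos < size:
        n = min(bs, size - pos)
        src.seek(pos)
        try:
            chunk = src.read(n)
        except OSError as e:
            if e.errno != errno.EIO:
                raise
            if bs > hard_bs:
                bs, good_hard = hard_bs, 0   # retry this region sector by sector
                continue
            bad.append(pos)                  # unreadable even at one sector: log it
            good_hard = 0
            chunk = b"\0" * n                # zero-fill so output offsets match the source
        else:
            if bs == hard_bs:
                good_hard += 1
                if good_hard >= soft_bs // hard_bs:
                    bs = soft_bs             # a soft block's worth of clean reads: speed up again
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        pos += len(chunk)
    return bad, digest.hexdigest()


# Constructed sample: 400 sectors of repeating bytes, three of them unreadable.
SAMPLE_DATA = bytes(range(256)) * 800
SAMPLE_BAD_SECTORS = {130, 131, 300}


def run_demo():
    """Image the sample device; returns (bad_offsets, sha256_hex, image_bytes)."""
    out = io.BytesIO()
    dev = FlakyDevice(SAMPLE_DATA, SAMPLE_BAD_SECTORS)
    bad, digest = rescue_copy(dev, len(SAMPLE_DATA), out)
    return bad, digest, out.getvalue()


if __name__ == "__main__":
    bad, digest, image = run_demo()
    print(f"copied {len(image)} bytes, sha256 {digest}")
    for off in bad:
        print(f"unreadable sector {off // SECTOR} at offset {off:#x} (zero-filled)")
```

The bad-block log is the evidentially important output: the image hash alone cannot tell a reviewer which bytes came from the disk and which are zero fill, so the log (or a map file) must be preserved alongside the image and its hash.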