
Difference between pages "Rekall" and "Chrome Disk Cache Format"

From ForensicsWiki
= Rekall =

{{Infobox_Software |
  name = Rekall |
  maintainer = [[Michael Cohen]] |
  os = {{Cross-platform}} |
  genre = {{Memory analysis}}, {{Memory imaging}} |
  license = {{GPL}} |
  website = [https://code.google.com/p/rekall/ code.google.com/p/rekall/] |
}}

Rekall is the stand-alone continuation of the [[Volatility]] Technology Preview (TP) version, also known as the scudette branch.

One of Rekall's goals is to provide better integration with [[GRR]] through improved modularity of the framework and a built-in memory acquisition capability.

== Memory acquisition drivers ==
The drivers can be found under:
<pre>
rekall/tools/linux
rekall/tools/osx
rekall/tools/windows
</pre>

=== Linux ===
To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into this directory and run make:
<pre>
cd rekall/tools/linux/
make
</pre>

The acquisition driver is named pmem.ko.

To load the driver:
<pre>
sudo insmod pmem.ko
</pre>

To check if the driver is running:
<pre>
sudo lsmod
</pre>

The driver creates a device file named:
<pre>
/dev/pmem
</pre>

To unload the driver:
<pre>
sudo rmmod pmem
</pre>

To acquire the memory, just read from the device file, e.g.:
<pre>
dd if=/dev/pmem of=image.raw
</pre>

For more information see:
<pre>
rekall/tools/linux/README
</pre>

=== Mac OS X ===
For more information see:
<pre>
rekall/tools/osx/OSXPMem/README
</pre>

=== Windows ===
Since recent versions of Windows require a signed driver, Rekall comes with both pre-built (signed binary) and source versions of the driver.

Both the i386 and amd64 binary versions of the driver can be found in the directory:
<pre>
rekall/tools/windows/winpmem/binaries
</pre>

E.g.
<pre>
rekall/tools/winpmem/binaries/amd64/winpmem.sys
</pre>

A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:
<pre>
rekall/tools/winpmem/executables/Release/
</pre>

To load the driver:
<pre>
winpmem.exe -l
</pre>

The device filename is (this cannot be changed without recompiling):
<pre>
\\.\pmem
</pre>

Note that running dd directly on this device file can crash the machine.
Use the winpmem.exe tool instead because it handles protected memory regions.

To read and acquire the physical memory and write it to image.raw:
<pre>
winpmem.exe image.raw
</pre>

To unload the driver:
<pre>
winpmem.exe -u
</pre>

For more information see:
<pre>
rekall/tools/windows/README
</pre>

== See Also ==
* [[Volatility]]

== External Links ==
* [https://code.google.com/p/rekall/ Project site]
* [http://docs.rekall.googlecode.com/git/index.html Project documentation]

= Chrome Disk Cache Format =

{{expand}}

== Cache files ==
The cache is stored in multiple files:
{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files
|-
| f_######
| (Separate) data stream file
|}

== Cache address ==
The cache address is 4 bytes in size and consists of:
{| class="wikitable"
|-
! offset (byte.bit)
! size
! value
! description
|-
| <i>If file type is 0 (Separate file)</i>
|
|
|
|-
| 0.0
| 28 bits
|
| File number <br> The value represents the value of # in f_######
|-
| <i>Else</i>
|
|
|
|-
| 0.0
| 16 bits
|
| Block number
|-
| 2.0
| 8 bits
|
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
|
| Block size <br> The number of contiguous blocks, where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
|
| Reserved
|-
| <i>Common</i>
|
|
|
|-
| 3.4
| 3 bits
|
| File type
|-
| 3.7
| 1 bit
|
| Initialized flag
|}

=== File types ===
{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
|
|
|-
| 6
| Unknown; seen on Mac OS X (0x6f430074)
|}

==== Examples ====
{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a
|-
| 0xa0010003
| Block data file: data_1, block number 3, 1 block
|}

== Index file format (index) ==
Overview:
* File header
* least recently used (LRU) data (or eviction control data)
* index table

=== File header ===
*TODO*

== Data block file format (data_#) ==
Overview:
* File header
* array of blocks

=== File header ===
*TODO*

== Data stream ==
See: [[gzip]]

== See Also ==
* [[Google Chrome]]
* [[gzip]]

== External Links ==

[[Category:File Formats]]
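As an added worked example, not code from the ForensicsWiki page or from Chromium: a Python decoder for the 4-byte cache address laid out in the "Cache address" and "File types" sections of the Chrome Disk Cache Format page above. It reproduces the three values of the "Examples" table and, going a little beyond them, maps the block-data file types to their block sizes and surfaces the reserved bits. The names (`decode_cache_addr`, `CacheAddr`, `describe`, `FILE_TYPES`, `BLOCK_SIZES`) are my own, and the little-endian storage of the 4 on-disk bytes (byte 3 holding the file type and initialized flag, as the byte.bit offsets imply) is my assumption.

```python
"""Decoder for the Chrome disk cache 4-byte cache address.

Added example; not code from the ForensicsWiki page or from Chromium.  The bit
layout follows the 'Cache address' and 'File types' tables; little-endian
storage of the 4 bytes is an assumption drawn from the byte.bit offsets.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# File type values from the 'File types' table (value 5 has no entry there).
FILE_TYPES = {
    0: "(Separate) data stream file",
    1: "(Rankings) block data file (36 byte blocks)",
    2: "256 byte block data file",
    3: "1024 byte block data file",
    4: "4096 byte block data file",
    6: "Unknown (seen on Mac OS X)",
}
# Block size in bytes for the block-data file types.
BLOCK_SIZES = {1: 36, 2: 256, 3: 1024, 4: 4096}


@dataclass
class CacheAddr:
    raw: int
    initialized: bool
    file_type: int
    file_number: int
    block_number: Optional[int] = None  # block data files only
    block_count: Optional[int] = None   # block data files only
    reserved: int = 0                   # offset 3.2, 2 bits; expected to be 0

    @property
    def filename(self) -> str:
        """Name of the cache file the address points into."""
        if self.file_type == 0:
            return "f_%06x" % self.file_number   # the # digits in f_######
        return "data_%d" % self.file_number      # the # in data_#

    @property
    def block_size(self) -> Optional[int]:
        """Block size in bytes, or None for stream files and unknown types."""
        return BLOCK_SIZES.get(self.file_type)


def decode_cache_addr(value: int) -> CacheAddr:
    """Split a 32-bit cache address value into its fields."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("cache address must be an unsigned 32-bit value")
    initialized = bool(value >> 31)          # offset 3.7, 1 bit
    file_type = (value >> 28) & 0x7          # offset 3.4, 3 bits
    if file_type == 0:
        # Separate file: offset 0.0, 28 bits hold the number in f_######
        return CacheAddr(value, initialized, file_type, value & 0x0FFFFFFF)
    block_number = value & 0xFFFF            # offset 0.0, 16 bits
    file_number = (value >> 16) & 0xFF       # offset 2.0, 8 bits (# in data_#)
    block_count = ((value >> 24) & 0x3) + 1  # offset 3.0, 2 bits: 0 -> 1 block, 3 -> 4
    reserved = (value >> 26) & 0x3           # offset 3.2, 2 bits
    return CacheAddr(value, initialized, file_type, file_number,
                     block_number, block_count, reserved)


def decode_cache_addr_bytes(buf: bytes) -> CacheAddr:
    """Decode the address from its 4 on-disk bytes (assumed little-endian)."""
    if len(buf) < 4:
        raise ValueError("need 4 bytes")
    (value,) = struct.unpack("<I", buf[:4])
    return decode_cache_addr(value)


def describe(addr: CacheAddr) -> str:
    """Render an address the way the 'Examples' table does."""
    if not addr.initialized:
        return "Not initialized"
    if addr.file_type == 0:
        return "Data stream file: %s" % addr.filename
    return "Block data file: %s, block number %d, %d block(s)" % (
        addr.filename, addr.block_number, addr.block_count)


if __name__ == "__main__":
    # The three values from the 'Examples' table, plus a constructed
    # little-endian byte string for the last of them.
    for v in (0x00000000, 0x8000002A, 0xA0010003):
        print("0x%08x: %s" % (v, describe(decode_cache_addr(v))))
    print(describe(decode_cache_addr_bytes(b"\x03\x00\x01\xa0")))
```

When walking a cache in a forensic tool, the useful sanity checks are the initialized flag, a file type that actually exists in the table (1 to 4 for block files, 0 for stream files), and reserved bits that are zero; an address failing any of them points at a corrupt or tampered index entry rather than at real data, so the decoder keeps those fields visible instead of silently masking them off.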

Revision as of 18:29, 21 June 2014
