Difference between pages "Linux Memory Analysis" and "SuperFetch"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
 
Line 1: Line 1:
The output of a [[Tools:Memory_Imaging|memory acquisition tool]] is a memory image which contains the raw physical memory of a system.  A wide variety of tools can be used to search for strings or other patterns in a memory image, but to extract higher-level information about the state of the system a memory analysis tool is required.
+
{{Expand}}
  
==Linux Memory Analysis Tools==
+
SuperFetch is a performance enhancement introduced in [[Microsoft]] [[Windows|Windows Vista]] to reduce the time necessary to launch applications. SuperFetch works with the memory manager service in Windows to analyze memory usage patterns over time to determine the optimal memory content for a given user for a date or time of day. This differs from the [[Prefetch]] technique used in Microsoft Windows XP, which preloads data into memory without analyzing usage patterns.
  
Research Projects:
+
From [http://msdn.microsoft.com/en-us/library/windows/hardware/dn653317(v=vs.85).aspx]: SuperFetch prioritizes the following kinds of pages to remain in memory:
* The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Publication Date: 2006; Availability/License: not available)
+
* Pages of applications that are used most frequently overall.  
 +
* Pages of applications that are commonly used when resuming:  
 +
** After extensive hibernation (for example, first thing in the morning).
 +
** After shorter periods of sleep or hibernation (for example, after lunch).
  
Open Source Projects:
+
If SuperFetch detects that the system drive is a fast solid-state drive (SSD) (as measured by Windows Experience Index Disk score), then SuperFetch turns off [[ReadyBoot]].
* The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples.  Support for Linux is experimental--see the [http://code.google.com/p/volatility/wiki/LinuxMemoryForensics LinuxMemoryForensics] page on the Volatility wiki.  (Availability/License: GNU GPL)
+
* [http://hysteria.sk/~niekt0/foriana/ Foriana] is tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures.  (Availability/License: GNU GPL)
+
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
+
* [http://code.google.com/p/volatilitux/ Volatilitux] is another Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
+
* The [http://people.redhat.com/anderson/ Red Hat Crash Utility] is an extensible Linux kernel core dump analysis program.  Although designed as a debugging tool, it also has been utilized for memory forensics.  See, for example, the [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html 2008 DFRWS challenge write-up by AAron Walters].  (Availability/License: GNU GPL)
+
* Idetect (Linux) http://forensic.seccure.net/ is an older implementation of Linux memory analysis.  
+
  
Commercial Products:
 
* [[Second Look: Linux Memory Forensics]] from [http://www.pikewerks.com Raytheon Pikewerks Corporation] can analyze live memory or stored snapshots (physical memory images).  It can be used to detect rootkits and other kernel-hooking malware, unauthorized applications and services, and stealthy user-level malware, as well as obtain forensic information about the state of the system.  It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views.  An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels, while an online pagehash database provides the baselines for verification of hundreds of thousands of Linux software packages.  As of April 2012, it supports x86 and x86_64 targets running any 2.6-series kernel and 3-series kernels up to 3.2.  (Availability/License: commercial)
 
  
==Linux Memory Analysis Challenges==
+
== Configuration ==
  
* The [[Digital Forensic Research Workshop]] [http://dfrws.org/2008/challenge/index.shtml 2008 Forensics Challenge] focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
+
Because SuperFetch appears to leave a system with no available memory, some users turn it off to create the appearance of having more free memory. The feature can be configured by changing the <tt>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnableSuperfetch</tt> [[Registry]] key [http://www.codinghorror.com/blog/archives/000688.html]. A value of zero disables SuperFetch, one enables it for booting only, two for applications, and three for both applications and boot. This setting can also be changed using the Services console, <tt>services.msc</tt> [http://tiredblogger.wordpress.com/2007/03/27/superfetch-not-so-super-for-gaming/].
* [http://communaute.sstic.org/ChallengeSSTIC2010 Challenge SSTIC 2010] (French) dealt with analysis of physical memory from a mobile device running Android.
+
* [http://www.honeynet.org/challenges/2011_7_compromised_server Challenge 7 of the Honeynet Project's Forensic Challenge 2011] included forensic analysis of a memory image from a potentially compromised Linux server.
+
  
==Linux Memory Images==
+
== File Formats ==
  
Aside from those in the challenges referenced above, sample Linux memory images can also be found on the Second Look web site at http://secondlookforensics.com/images.html.
+
Data for SuperFetch is gathered by the <tt>%SystemRoot%\System32\Sysmain.dll</tt>, part of the Service Host process, <tt>%SystemRoot%\System32\Svchost.exe</tt>, and stored in a series of files in the <tt>%SystemRoot%\Prefetch</tt> directory [http://www.microsoft.com/technet/technetmag/issues/2007/03/VistaKernel/]. These files appear to start with the prefix <tt>Ag</tt> and have a <tt>.db</tt> extension. The format of these files is not fully known, there is available unofficial partial specification [http://blog.rewolf.pl/blog/?p=214] and open source (GPL) dumper for .db files [http://code.google.com/p/rewolf-superfetch-dumper/]. Some information can be gleaned from these files by searching for [[Unicode]] [[strings]] in them.
  
==Linux Memory Analysis Bibliography==
+
The SuperFetch feature is seeded with some basic usage patterns when the operating system is installed [http://channel9.msdn.com/showpost.aspx?postid=242429].
* [http://forensic.seccure.net/pdf/mburdach_digital_forensics_of_physical_memory.pdf Digital Forensics of the Physical Memory] M. Burdach, March 2005.
+
* [http://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
+
* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
+
* [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html Linux Memory Forensics for DFRWS Challenge 2008 using Volatility, Crash, and PyFlag], by AAron Walters on the Volatile Systems Blog.
+
* [http://www.dfrws.org/2008/proceedings/p65-case.pdf FACE: Automated digital evidence discovery and correlation], Andrew Case, Andrew Cristina, Lodovico Marziale, Golden G. Richard, Vassil Roussev, DFRWS 2008
+
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
+
* [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.
+
* [http://www.dfrws.org/2010/proceedings/2010-305.pdf Treasure and tragedy in kmem_cache mining for live forensics investigation] by Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III; Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010.  [http://www.dfrws.org/2010/proceedings/richard2.pdf (Presentation)]
+
* [http://secondlookforensics.com/ Second Look Web Page]
+
* [http://blackhat.com/html/bh-dc-11/bh-dc-11-archives.html#Case De-Anonymizing Live CDs through Physical Memory Analysis] ([https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing_Live_CDs-wp.pdf Whitepaper]) ([https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing%20Live%20CDs-Slides.pdf Slides]) Andrew Case; Blackhat DC 2011.
+
* [http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html Bringing Linux Support to Volatility], Andrew Case; Digital Forensics Solutions Blog, 2011.
+
* [http://blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Case Workshop - Linux Memory Analysis with Volatility] ([http://www.digitalforensicssolutions.com/papers/blackhat-workshop-full-presentation.pdf Slides]) Andrew Case; Blackhat Vegas 2011.
+
  
Volatility Mailing List Threads on Support for Linux:
+
== See Also ==
* http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
+
* [[Prefetch]]
* http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112
+
* [[ReadyBoost]]
 +
* [[ReadyBoot]]
 +
* [[Windows SuperFetch Format|SuperFetch Format]]
 +
* [[Windows]]
  
[[Category:Memory Analysis]]
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Windows_Vista_I/O_technologies#SuperFetch Wikipedia: Windows Vista I/O technologies - SuperFetch]
 +
* [http://channel9.msdn.com/showpost.aspx?postid=242429 Channel 9 Interview with Michael Fortin of Microsoft on SuperFetch]
 +
* [http://www.informationweek.com/news/showArticle.jhtml?articleID=196902178 Microsoft Predicts The Future With Vista's SuperFetch] from Information Week
 +
* [http://jessekornblum.com/presentations/dodcc08-2.pdf DC3 Presentation: My You Look SuperFetching], by Jesse Kornblum
 +
 
 +
== Tools ==
 +
=== Open Source ===
 +
* [https://code.google.com/p/rewolf-superfetch-dumper/ rewolf-superfetch-dumper]
 +
 
 +
[[Category:Windows]]

Revision as of 01:48, 24 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

SuperFetch is a performance enhancement introduced in Microsoft Windows Vista to reduce the time necessary to launch applications. SuperFetch works with the memory manager service in Windows to analyze memory usage patterns over time to determine the optimal memory content for a given user for a date or time of day. This differs from the Prefetch technique used in Microsoft Windows XP, which preloads data into memory without analyzing usage patterns.

From [1]: SuperFetch prioritizes the following kinds of pages to remain in memory:

  • Pages of applications that are used most frequently overall.
  • Pages of applications that are commonly used when resuming:
    • After extensive hibernation (for example, first thing in the morning).
    • After shorter periods of sleep or hibernation (for example, after lunch).

If SuperFetch detects that the system drive is a fast solid-state drive (SSD) (as measured by Windows Experience Index Disk score), then SuperFetch turns off ReadyBoot.


Configuration

Because SuperFetch appears to leave a system with no available memory, some users turn it off to create the appearance of having more free memory. The feature can be configured by changing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnableSuperfetch Registry key [2]. A value of zero disables SuperFetch, one enables it for booting only, two for applications, and three for both applications and boot. This setting can also be changed using the Services console, services.msc [3].

File Formats

Data for SuperFetch is gathered by the %SystemRoot%\System32\Sysmain.dll, part of the Service Host process, %SystemRoot%\System32\Svchost.exe, and stored in a series of files in the %SystemRoot%\Prefetch directory [4]. These files appear to start with the prefix Ag and have a .db extension. The format of these files is not fully known, there is available unofficial partial specification [5] and open source (GPL) dumper for .db files [6]. Some information can be gleaned from these files by searching for Unicode strings in them.

The SuperFetch feature is seeded with some basic usage patterns when the operating system is installed [7].

See Also

External Links

Tools

Open Source