Difference between pages "Tools:Data Recovery" and "Memory analysis"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(exterrnal link)
 
(External Links)
 
Line 1: Line 1:
= Partition Recovery =
+
'''Memory Analysis''' is the science of using a [[Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:
  
*[http://www.ptdd.com/index.htm Partition Table Doctor]
+
* [[Windows Memory Analysis]]
: Recover deleted or lost partitions (FAT16/FAT32/NTFS/NTFS5/EXT2/EXT3/SWAP).
+
* [[Linux Memory Analysis]]
  
*[http://www.diskinternals.com/ntfs-recovery/ NTFS Recovery]
+
== OS-Independent Analysis ==
: DiskInternals NTFS Recovery is a fully automatic utility that recovers data from damaged or formatted disks.
+
  
*[http://www.stud.uni-hannover.de/user/76201/gpart/ gpart]
+
At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, [http://www.cc.gatech.edu/~brendan/Virtuoso_Oakland.pdf Virtuoso], that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.
: Gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted.
+
  
*[http://www.cgsecurity.org/wiki/TestDisk TestDisk]
+
== Encryption Keys ==
: [[TestDisk]] is an OpenSource software and is licensed under the GNU Public License (GPL).
+
  
== See Also ==
+
Various types of encryption keys can be extracted during memory analysis.
 +
* [[AESKeyFinder]] extracts 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] and private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/].
 +
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py], which is a [[List of Volatility Plugins|plugin for the Volatility framework]], scans a memory image for [[TrueCrypt]] passphrases
  
* [http://support.microsoft.com/?kbid=166997 Using Norton Disk Edit to Backup Your Master Boot Record]
+
== See Also ==
  
== Notes ==
+
* [[Memory Imaging]]
 +
* [[:Tools:Memory Imaging|Memory Imaging Tools]]
 +
* [[:Tools:Memory Analysis|Memory Analysis Tools]]
  
* "fdisk /mbr" restores the boot code in the [[Master Boot Record]], but not the partition itself. On newer versions of Windows you should use fixmbr, bootrec, mbrfix, or [http://mbrwizard.com MBRWizard]. You can also extract a copy of the specific standard MBR code from tools like bootrec.exe and diskpart.exe in Windows (from various offsets) and copy it to disk with dd (Use bs=446 count=1). For Windows XP SP2 c:\%WINDIR%\System32\diskpart.exe the MBR code is found between offset 1b818h and 1ba17h.
+
== External Links ==
 +
* [http://belkasoft.com/download/info/Live_RAM_Analysis_in_Digital_Forensics.pdf Discovering ephemeral evidence with Live RAM analysis] by Oleg Afonin and Yuri Gubanov, 2013
 +
* [http://cryptome.org/0003/RAMisKey.pdf RAM is Key - Extracting Disk Encryption Keys From Volatile Memory], by [[Brian Kaplan]], May 2007
 +
* [https://docs.google.com/presentation/d/1KsZGF6cQ-N8ngABFGCZf8pTQQ5CZ19VoAHq5cO5ZPdE/edit Memory Forensics With Volatility], by [[Michael Cohen]], October 2012
  
= Data Recovery =
+
=== Computer architecture ===
The term "Data Recovery" is frequently used to mean forensic recovery, but the term really should be used for recovering data from damaged media.
+
* [http://en.wikipedia.org/wiki/64-bit_computing Wikipedia: 64-bit computing]
 +
* [http://www.unix.org/version2/whatsnew/lp64_wp.html 64-Bit Programming Models: Why LP64?], The Open Group, 1997
  
*[http://www.toolsthatwork.com/bringback.htm BringBack]  
+
=== [http://volatility-labs.blogspot.com/ Volatility Labs] ===
: BringBack offers easy to use, inexpensive, and highly successful data recovery for Windows and Linux (ext2) operating systems and digital images stored on memory cards, etc.
+
* [http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html MoVP 1.1 Logon Sessions, Processes, and Images]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html MoVP 1.2 Window Stations and Clipboard Malware]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-13-desktops-heaps-and-ransomware.html MoVP 1.3 Desktops, Heaps, and Ransomware]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder-rootkit-bash.html MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html MoVP 2.2 Malware In Your Windows]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-23-event-logs-and-service-sids.html MoVP 2.3 Event Logs and Service SIDs]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html MoVP 2.4 Analyzing the Jynx rootkit and LD_PRELOAD]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html MoVP 2.5: Investigating In-Memory Network Data with Volatility]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem]
 +
* [http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html HowTo: Scan for Internet Cache/History and URLs]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html MoVP 3.3 Analyzing USER Handles and the Win32k.sys Gahti]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html MoVP 3.4: Recovering tagCLIPDATA: What's In Your Clipboard?]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html MoVP 3.5: Analyzing the 2008 DFRWS Challenge with Volatility]
 +
* [http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-gdi.html MoVP 4.1 Detecting Malware with GDI Timers and Callbacks]
 +
* [http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from-memory.html MoVP 4.2 Taking Screenshots from Memory Dumps]
 +
* [http://volatility-labs.blogspot.com/2012/10/movp-43-recovering-master-boot-records.html MoVP 4.3 Recovering Master Boot Records (MBRs) from Memory]
 +
* [http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-around.html MoVP 4.4 Cache Rules Everything Around Me(mory)]
 +
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gui.html OMFW 2012: Malware In the Windows GUI Subsystem]
 +
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-and-mft.html OMFW 2012: Reconstructing the MBR and MFT from Memory]
 +
* [http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit]
 +
* [http://volatility-labs.blogspot.ca/2012/10/solving-grrcon-network-forensics.html Solving the GrrCon Network Forensics Challenge with Volatility]
 +
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-analyzing-linux-kernel.html OMFW 2012: Analyzing Linux Kernel Rootkits with Volatility]
 +
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-datalore-android-memory.html OMFW 2012: Datalore: Android Memory Analysis]
 +
* [http://volatility-labs.blogspot.ca/2012/10/movp-for-volatility-22-and-omfw-2012.html MoVP for Volatility 2.2 and OMFW 2012 Wrap-Up]
 +
* [http://volatility-labs.blogspot.ca/2012/10/reverse-engineering-poison-ivys.html Reverse Engineering Poison Ivy's Injected Code Fragments]
 +
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-analysis-of-process-token.html OMFW 2012: The Analysis of Process Token Privileges]
 +
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-mining-pfn-database-for.html OMFW 2012: Mining the PFN Database for Malware Artifacts]
  
*[http://www.runtime.org/raid.htm RAID Reconstructor]
+
=== Volatility Videos ===
: Runtime Software's RAID Reconstructor will reconstruct RAID Level 0 (Striping) and RAID Level 5 drives.
+
* [http://sketchymoose.blogspot.com/2011/10/set-up-to-more-memory-forensics.html Set Up to More Memory Forensics!], October 2011
 +
* [http://www.youtube.com/watch?v=8HsZLge0wWc Using Volatility: Suspicious Process (1/2)]
 +
* [http://www.youtube.com/watch?v=XTZPNk-Esok Using Volatility: Suspicious Process (Part 2/2)]
  
*[http://www.salvationdata.com Salvation Data]
+
=== WinDBG ===
: Claims to have a program that can read the "bad blocks" of Maxtor drives with proprietary commands.
+
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html Getting Started with WinDBG - Part 1], by Brad Antoniewicz, December 17, 2013
 +
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-2.html Getting Started with WinDBG - Part 2], by Brad Antoniewicz, December 24, 2013
 +
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-3.html Getting Started with WinDBG - Part 3], by Brad Antoniewicz, December 31, 2013
  
* [http://www.e-rol.com/en/ e-ROL]
+
[[Category:Memory Analysis]]
: Erol allows you to recover through the internet files erased by mistake. Recover your files online for free.
+
 
+
* [http://www.recuva.com/ Recuva]
+
: Recuva is a freeware Windows tool that will recover accidentally deleted files.
+
 
+
* [http://www.snapfiles.com/get/restoration.html Restoration]
+
: Restoration is a freeware Windows software that will allow you to recover deleted files
+
 
+
* [http://www.undelete-plus.com/ Undelete Plus]
+
: Undelete Plus is a free deleted file recovery tool that works for all versions of Windows (95-Vista), FAT12/16/32, NTFS and NTFS5 filesystems and can perform recovery on various solid state devices.
+
 
+
* [http://www.data-recovery-software.net/ R-Studio]
+
: R-Studio is a data recovery software suite that can recover files from FAT(12-32), NTFS, NTFS 5, HFS/HFS+, FFS, UFS/UFS2 (*BSD, Solaris), Ext2/Ext3 (Linux) and so on.
+
 
+
See also [[Data Recovery Stories]]
+
 
+
=Carving=
+
*[http://www.datalifter.com/products.htm DataLifter® - File Extractor Pro]
+
: Data carving runs on multiple threads to make use of modern processors
+
 
+
*[http://www.simplecarver.com/ Simple Carver Suite]
+
: Simple Carver Suite is a collection of unique tools designed for a number of purposes including data recovery, forensic computing and eDiscovery. The suite was originally designed for data recovery and has since expanded to include unique file decoding, file identification and file classification.
+
 
+
*[http://foremost.sourceforge.net/ Foremost]
+
: Foremost is a console program to recover files based on their headers, footers, and internal data structures.
+
 
+
*[http://www.digitalforensicssolutions.com/Scalpel/ Scalpel]
+
: Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions.
+
 
+
*[[EnCase]]
+
: EnCase comes with some enScripts that will do carving.
+
 
+
*[[CarvFs]]
+
: A virtual file system (fuse) implementation that can provide carving tools with the possibility to do recursive multi tool zero-storage carving (also called in-place carving). Patches and scripts for scalpel and foremost are provided. Works on raw and encase images.
+
 
+
*[[LibCarvPath]]
+
: A shared library that allows carving tools to use zero-storage carving on carvfs virtual files.
+
 
+
*[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]
+
: PhotoRec is file data recovery software designed to recover lost files including video, documents and archives from Hard Disks and CDRom and lost pictures (thus, its 'Photo Recovery' name) from digital camera memory.
+
 
+
*[http://www.datarescue.com/photorescue/ PhotoRescue]
+
: Datarescue PhotoRescue Advanced is picture and photo data recovery solution made by the creators of IDA Pro. PhotoRescue will undelete, unerase and recover pictures and files lost on corrupted, erased or damaged compact flash (CF) cards, SD Cards, Memory Sticks, SmartMedia and XD cards.
+
 
+
* [https://www.uitwisselplatform.nl/projects/revit RevIt]
+
: RevIt (Revive It) is an experimental carving tool, initially developed for the DFRWS 2006 carving challenge. It uses 'file structure based carving'. Note that RevIt currently is a work in progress.
+
 
+
* [http://jbj.rapanden.dk/magicrescue/ Magic Rescue]
+
: Magic Rescue is a file carving tool that uses "magic bytes" in a file contents to recover data.
+
 
+
* [[FTK]]
+
: FTK2 includes some file carvers
+

Revision as of 13:34, 12 January 2014

Memory Analysis is the science of using a memory image to determine information about running programs, the operating system, and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:

Contents

OS-Independent Analysis

At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, Virtuoso, that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.

Encryption Keys

Various types of encryption keys can be extracted during memory analysis.

See Also

External Links

Computer architecture

Volatility Labs

Volatility Videos

WinDBG