Difference between pages "Tools:Memory Imaging" and "Windows Prefetch File Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Extended Live Ram Capturer description (minor edit), added a link to the recent Live RAM article)
 
(Section A)
 
Line 1: Line 1:
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Once memory has been imaged, it is subjected to [[memory analysis]] to ascertain the state of the system, extract artifacts, and so on.
+
{{expand}}
  
One of the most vexing problems for memory imaging is verifying that the image has been created correctly.  That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never--to a high degree of probability--be the same.  Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation. [[Memory analysis]] can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question as to whether the image accurately reflects the system from which it was taken at the time it was taken.
+
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
  
== Memory Imaging Techniques ==
+
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination
 +
of multiple prefetch files.
  
; Crash Dumps
+
== Characteristics ==
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
+
{| class="wikitable"
; LiveKd Dumps
+
|-
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
+
| <b>Integers</b>
; Hibernation Files
+
| stored in little-endian
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
+
|-
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
+
| <b>Strings</b>
; Firewire
+
| Stored as [http://en.wikipedia.org/wiki/UTF-16/UCS-2 UTF-16 little-endian] without a byte-order-mark (BOM).
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
+
|-
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
+
| <b>Timestamps</b>
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
+
| Stored as [http://msdn2.microsoft.com/en-us/library/ms724284.aspx Windows FILETIME] in UTC.
: The [http://digitalfire.ucd.ie/?page_id=430 Goldfish] tool automates this exploit for investigators needing to analyze the memory of a Mac.
+
|-
; Virtual Machine Imaging
+
|}
: There are numerous popular virtual machines that are in wide use such as xen, qemu or vmware. If the memory image is for a machine running in this kind of virtual environment, there are usually two methods for obtaining a memory image. The common method is to pause/suspend/stop the system and then collect the resulting memory image file, this has the disadvantage of taking the machine offline during the suspend time. Alternatively most of these systems support live dumping of a memory image. [http://www.qemu.org Qemu ] supports the pmemsave function, [http://www.xen.org Xen] has the xm dump-core command.
+
  
== Memory Imaging Tools ==
+
== File header ==
===x86 Hardware===
+
The file header is 84 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| H1
 +
| 0x0000
 +
| 4
 +
| DWORD
 +
| Format version (see format version section below)
 +
|-
 +
| H2
 +
| 0x0004
 +
| 4
 +
| DWORD
 +
| Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
 +
|-
 +
| H3
 +
| 0x0008
 +
| 4
 +
| DWORD?
 +
| Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
 +
|-
 +
| H4
 +
| 0x000C
 +
| 4
 +
| DWORD
 +
| Prefetch file size (or length) (sometimes referred to as End of File (EOF)).
 +
|-
 +
| H5
 +
|0x0010
 +
| 60
 +
| USTR
 +
| The name of the (original) executable as a Unicode (UTF-16 litte-endian string), up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.
 +
|-
 +
| H6
 +
|0x004C
 +
|4
 +
|DWORD
 +
|The prefetch hash. This hash value should correspond with the one in the prefetch file filename.
 +
|-
 +
| H7
 +
|0x0050
 +
|4
 +
|?
 +
| Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
 +
|-
 +
|}
  
; [http://www.windowsscope.com WindowsSCOPE] CaptureGUARD PCIe card (commercial) - desktops, servers
+
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
: Publicly available, supports all Windows OS; windd and other formats.
+
: CaptureGUARD Gateway performs DRAM acquisition even on locked computers
+
: Inquire at http://www.windowsscope.com.
+
  
; [http://www.windowsscope.com WindowsSCOPE] CaptureGUARD ExpressCard (commercial) - laptop applications
+
=== Format version ===
: Publicly available, supports all Windows OS; windd and other formats.
+
: CaptureGUARD Gateway performs DRAM acquisition even on locked computers
+
: Inquire at http://www.windowsscope.com.
+
  
; Tribble PCI Card (research project)
+
{| class="wikitable"
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
+
|-
 +
! Value
 +
! Windows version
 +
|-
 +
| 17 (0x11)
 +
| Windows XP, Windows 2003
 +
|-
 +
| 23 (0x17)
 +
| Windows Vista, Windows 7
 +
|-
 +
| 26 (0x1a)
 +
| Windows 8.1 (note this could be Windows 8 as well but has not been confirmed)
 +
|-
 +
|}
  
; CoPilot by Komoku
+
=== File information ===
: Komoku was acquired by Microsoft and the card was not made publicly available.
+
The format of the file information is version dependent.
  
; Forensic RAM Extraction Device (FRED) by BBN
+
Note that some other format specifications consider the file information part of the file header.  
: Not publicly available. http://www.ir.bbn.com/~vkawadia/
+
  
===[[Windows]] Software===
+
==== File information - version 17 ====
There are many Windows memory acquisition tools. Most of them will not work on Windows Vista or 7, as user programs have been denied access to the ''\Device\Physicalmemory'' object starting in Windows 2003 Service Pack 1 and Windows Vista. Modern tools acquire physical memory by first installing a device driver, so administrative privileges are needed.
+
The file information – version 17 is 68 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
|
 +
| 0x0054
 +
| 4
 +
| DWORD
 +
| The offset to section A. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0058
 +
| 4
 +
| DWORD
 +
| The number of entries in section A.
 +
|-
 +
|
 +
| 0x005C
 +
| 4
 +
| DWORD
 +
| The offset to section B. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0060
 +
| 4
 +
| DWORD
 +
| The number of entries in section B.
 +
|-
 +
|
 +
| 0x0064
 +
| 4
 +
| DWORD
 +
| The offset to section C. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0068
 +
| 4
 +
| DWORD
 +
| Length of section C.
 +
|-
 +
|
 +
| 0x006C
 +
| 4
 +
| DWORD
 +
| Offset to section D. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0070
 +
| 4
 +
| DWORD
 +
| The number of entries in section D.
 +
|-
 +
|
 +
| 0x0074
 +
| 4
 +
| DWORD
 +
| Length of section D.
 +
|-
 +
|
 +
| 0x0078
 +
| 8
 +
| FILETIME
 +
| Latest execution time (or run time) of executable (FILETIME)
 +
|-
 +
|
 +
| 0x0080
 +
| 16
 +
| ?
 +
| Unknown ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/ (don't exclude the possibility here that this is remnant data)
 +
|-
 +
|
 +
| 0x0090
 +
| 4
 +
| DWORD
 +
| Execution counter (or run count)
 +
|-
 +
|
 +
| 0x0094
 +
| 4
 +
| DWORD?
 +
| Unknown ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
 +
|-
 +
|}
  
We have edited this list so that it only includes current tools:
+
==== File information - version 23 ====
 +
The file information – version 23 is 156 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
|
 +
| 0x0054
 +
| 4
 +
| DWORD
 +
| The offset to section A. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0058
 +
| 4
 +
| DWORD
 +
| The number of entries in section A.
 +
|-
 +
|
 +
| 0x005C
 +
| 4
 +
| DWORD
 +
| The offset to section B. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0060
 +
| 4
 +
| DWORD
 +
| The number of entries in section B.
 +
|-
 +
|
 +
| 0x0064
 +
| 4
 +
| DWORD
 +
| The offset to section C. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0068
 +
| 4
 +
| DWORD
 +
| Length of section C.
 +
|-
 +
|
 +
| 0x006C
 +
| 4
 +
| DWORD
 +
| Offset to section D. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0070
 +
| 4
 +
| DWORD
 +
| The number of entries in section D.
 +
|-
 +
|
 +
| 0x0074
 +
| 4
 +
| DWORD
 +
| Length of section D.
 +
|-
 +
|
 +
| <b>0x0078</b>
 +
| <b>8</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|
 +
| 0x0080
 +
| 8
 +
| FILETIME
 +
| Latest execution time (or run time) of executable (FILETIME)
 +
|-
 +
|
 +
| 0x0088
 +
| 16
 +
| ?
 +
| Unknown
 +
|-
 +
|
 +
| 0x0098
 +
| 4
 +
| DWORD
 +
| Execution counter (or run count)
 +
|-
 +
|
 +
| 0x009C
 +
| 4
 +
| DWORD?
 +
| Unknown
 +
|-
 +
|
 +
| <b>0x00A0</b>
 +
| <b>80</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|}
  
; Belkasoft Live RAM Caputer
+
==== File information - version 26 ====
: This free forensic tool, unlike many others, works in kernel-mode, which allows bypassing proactive anti-debugging protection used by many modern applications such as online games and intrusion detection systems. Kernel-mode operation yields more reliable results compared to user-mode tools.  
+
The file information – version 23 is 224 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
|
 +
| 0x0054
 +
| 4
 +
| DWORD
 +
| The offset to section A. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0058
 +
| 4
 +
| DWORD
 +
| The number of entries in section A.
 +
|-
 +
|
 +
| 0x005C
 +
| 4
 +
| DWORD
 +
| The offset to section B. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0060
 +
| 4
 +
| DWORD
 +
| The number of entries in section B.
 +
|-
 +
|
 +
| 0x0064
 +
| 4
 +
| DWORD
 +
| The offset to section C. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0068
 +
| 4
 +
| DWORD
 +
| Length of section C.
 +
|-
 +
|
 +
| 0x006C
 +
| 4
 +
| DWORD
 +
| Offset to section D. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0070
 +
| 4
 +
| DWORD
 +
| The number of entries in section D.
 +
|-
 +
|
 +
| 0x0074
 +
| 4
 +
| DWORD
 +
| Length of section D.
 +
|-
 +
|
 +
| 0x0078
 +
| 8
 +
| ?
 +
| Unknown
 +
|-
 +
|
 +
| 0x0080
 +
| 8
 +
| FILETIME
 +
| Latest execution time (or run time) of executable (FILETIME)
 +
|-
 +
|
 +
| <b>0x0088</b>
 +
| <b>7 x 8 = 56</b>
 +
| <b>FILETIME</b>
 +
| <b>Older (most recent) latest execution time (or run time) of executable (FILETIME)</b>
 +
|-
 +
|
 +
| <b>0x00C0</b>
 +
| <b>16</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|
 +
| 0x00D0
 +
| 4
 +
| DWORD
 +
| Execution counter (or run count)
 +
|-
 +
|
 +
| <b>0x00D4</b>
 +
| <b>4</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|
 +
| <b>0x00D8</b>
 +
| <b>4</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|
 +
| <b>0x00DC</b>
 +
| <b>88</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|}
  
: Designed specifically for computer forensics. Fully portable, runs off a flash drive, produces uncompressed raw binary output of the computer’s volatile memory. Includes kernel-mode drivers for all Windows OS’es including XP, Vista, 7, 8, 2003 and 2008 Server. 32 and 64-bit drivers are included.
+
== Section A - Metrics ==
 +
This section contains an array with 20 byte (version 17) or 32 byte (version 23 and 26) metrics entry records.
  
: http://forensic.belkasoft.com/en/ram-capturer
+
A metrics entry records conists of:
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
|
 +
| 0
 +
| 4
 +
| DWORD
 +
| Start time in ms
 +
|-
 +
|
 +
| 4
 +
| 4
 +
| DWORD
 +
| Duration in ms
 +
|-
 +
|
 +
| 8
 +
| 4
 +
| DWORD
 +
| Average duration in ms
 +
|-
 +
|
 +
| 12
 +
| 4
 +
| DWORD
 +
| Filename string offset <br> The offset is relative to the start of the filename string section (section C)
 +
|-
 +
|
 +
| 16
 +
| 4
 +
| DWORD
 +
| Filename string number of characters without end-of-string character
 +
|-
 +
|
 +
| 20
 +
| 4
 +
| DWORD
 +
| Unknown flags
 +
|-
 +
|
 +
| 24
 +
| 4
 +
| DWORD
 +
| Unknown
 +
|-
 +
|
 +
| 28
 +
| 4
 +
| DWORD
 +
| Unknown
 +
|}
  
; WindowsSCOPE Pro and Ultimate, available at  http://www.windowsscope.com
+
== Section B ==
: Can capture, analyze, graph in depth physical and virtual memory codes and structures
+
This section contains an array with 12 byte (version 17, 23 and 26) entry records.
: Proprietary and standard formats (windd), snapshot repository, snapshot comparison
+
: All Windows OSs (Xp, Vista, 7), 32 and 64 bit supported
+
: Phantom Probe USB based fetch
+
: CaptureGUARD PCIe card and ExpressCard for hardware-assisted DRAM acquisition
+
: CaptureGUARD Gateway for hardware-assisted DRAM acquisition of locked computers
+
: launched in 2011
+
  
; WindowsSCOPE Live
+
The actual format and usage of these entry records is currently not known.
: available at http://www.windowsscope.com and Android market
+
: allows live memory analysis of Windows computers from Android phones and tablets
+
: launched in 2011
+
  
; winen.exe (Guidance Software - included with Encase 6.11 and higher)
+
== Section C - Filename strings ==
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
This section contains filenames strings, it consists of an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
+
  
; [[Mdd]] (Memory DD) ([[ManTech]])
+
At the end of the section there seems to be alignment padding that can contain remnant values.
: http://sourceforge.net/projects/mdd
+
  
; MANDIANT Memoryze
+
== Section D - Volumes information (block) ==
: Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
+
: http://www.mandiant.com/software/memoryze.htm
+
  
; [[Kntdd]]
+
Section D contains one or more subsections, each subsection refers to directories on a volume.
: http://www.gmgsystemsinc.com/knttools/
+
  
;[[Moonsols]]: [[DumpIt]]
+
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections.  (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
: This utility is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bits) and x64 (64-bits) machines.
+
: The raw memory dump is generated in the current directory, only a confirmation question is prompted before starting.
+
: Perfect to deploy the executable on USB keys, for quick incident responses needs.
+
: http://www.moonsols.com/wp-content/plugins/download-monitor/download.php?id=7
+
  
;[[HBGary]]: Fastdump and Fastdump Pro
+
In this section, all offsets are assumed to be counted from the start of the D section.
:[[Fastdump]] (free with registration) Can acquire physical memory on Windows 2000 through Windows XP 32 bit but not Windows 2003 or Vista.
+
:[[Fastdump Pro]] Can acquire physical memory on Windows 2000 through Windows 2008, all service packs.  Additionally, Fastdump Pro supports:
+
:-32 bit and 64 bit architectures
+
:-Acquisitions of greater than 4GB
+
:-Fast acquisitions through the use of larger page sizes (1024KB) but also supports a strict mode that enforces 4KB page sizes.
+
:-Process probing which allows for a more complete memory image of a process of interest.
+
:-Acquisition of the system page file during physical memory acquisition.  This allows for a more complete memory analysis.
+
  
;[[FTK Imager]]: FTK Imager
+
=== Volume information ===
:http://accessdata.com/support/adownloads#FTKImager
+
The structure of the volume information is version dependent.
:FTK Imager can acquire live memory and paging file on 32bit and 64bit systems.
+
  
;[[OSForensics]]: OSForensics
+
==== Volume information - version 17 ====
:http://www.osforensics.com/
+
The volume information – version 17 is 40 bytes in size and consists of:
:OSForensics can acquire live memory on 32bit and 64bit systems. A dump of an individual process's memory space or physical memory dump can be done. Output can be a straight dump or a Microsoft crash dump file, for use with Micrsoft's WinDbg debugger.
+
  
;[https://volatility.googlecode.com/svn/branches/scudette/docs/pmem.html WinPmem]
+
{| class="wikitable"
:WinPmem is a free, actively developed, opensource forensic memory acquisition tool for Windows. It supports Windows XP to Windows 8, both 32 and 64 bit architectures. It can produce raw dumps as well as dumps in crashdump format (for analysis with Volatility or windbg). It supports output to STDOUT for piping the dump through tools like netcat or ssh. WinPmem can be used together with the Volatility Technology Preview to analyse a live windows system for live response and triaging.
+
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| VI1
 +
| +0x0000
 +
| 4
 +
| DWORD
 +
| Offset to volume device path (Unicode, terminated by U+0000)
 +
|-
 +
| VI2
 +
| +0x0004
 +
| 4
 +
| DWORD
 +
| Length of volume device path (nr of characters, including terminating U+0000)
 +
|-
 +
| VI3
 +
| +0x0008
 +
| 8
 +
| FILETIME
 +
| Volume creation time.
 +
|-
 +
| VI4
 +
| +0x0010
 +
| 4
 +
| DWORD
 +
| Volume serial number of volume indicated by volume string
 +
|-
 +
| VI5
 +
| +0x0014
 +
| 4
 +
| DWORD
 +
| Offset to sub section E
 +
|-
 +
| VI6
 +
| +0x0018
 +
| 4
 +
| DWORD
 +
| Length of sub section E (in bytes)
 +
|-
 +
| VI7
 +
| +0x001C
 +
| 4
 +
| DWORD
 +
| Offset to sub section F
 +
|-
 +
| VI8
 +
| +0x0020
 +
| 4
 +
| DWORD
 +
| Number of strings in sub section F
 +
|-
 +
| VI9
 +
| +0x0024
 +
| 4
 +
| ?
 +
| Unknown
 +
|-
 +
|}
  
;[http://cybermarshal.atc-nycorp.com/index.php/cyber-marshal-utilities/windows-memory-reader Windows Memory Reader]
+
==== Volume information - version 23 ====
:Windows Memory Reader is a simple command-line utility to capture the contents of physical RAM.  Results are stored in a Windows crash dump or raw binary file.  Researchers can also use Windows Memory Reader to capture memory-mapped device data, such as shared video memory.  Windows Memory Reader supports Windows XP through Windows 8, both 32-bit and 64-bit versions, and is available free of charge.
+
The volume information entry – version 23 is 104 bytes in size and consists of:
  
===Linux===
+
{| class="wikitable"
;[[/dev/mem]]
+
|-
: On older Linux systems, the program [[dd]] can be used to read the contents of [[physical memory]] from the device file <tt>/dev/mem</tt>. On recent Linux systems, however, /dev/mem provides access only to a restricted range of addresses, rather than the full physical memory of a system.  On other systems it may not be available at all. Throughout the 2.6 series of the Linux kernel, the trend was to reduce direct access to memory via pseudo-device files.  See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.
+
! Field
;[[/dev/crash]]
+
! Offset
:On Red Hat systems (and those running related distros such as Fedora or CentOS), the crash driver can be loaded to create pseudo-device /dev/crash for raw physical memory access (via command "modprobe crash"). This module can also be compiled for other Linux distributions with minor effort (see, for example, http://gleeda.blogspot.com/2009/08/devcrash-driver.html). When the crash driver is modified, compiled, and loaded on other systems, the resulting memory access device is not safe to image in its entirety. Care must be taken to avoid addresses that are not RAM-backed. On Linux, /proc/iomem exposes the correct address ranges to image, marked with "System RAM".
+
! Length
;[http://secondlookforensics.com Second Look: Linux Memory Forensics]
+
! Type
: This commercial memory forensics product ships with a modified version of the crash driver and a script for safely dumping memory using the original or modified driver on any given Linux system.
+
! Notes
;[http://hysteria.sk/~niekt0/foriana/fmem_current.tgz fmem]
+
|-
: fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.
+
| VI1
;[http://code.google.com/p/lime-forensics/ LiME]
+
| +0x0000
: Linux Memory Extractor (LiME) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports dumping memory either to the file system of the device or over the network.
+
| 4
 +
| DWORD
 +
| Offset to volume device path (Unicode, terminated by U+0000)
 +
|-
 +
| VI2
 +
| +0x0004
 +
| 4
 +
| DWORD
 +
| Length of volume device path (nr of characters, including terminating U+0000)
 +
|-
 +
| VI3
 +
| +0x0008
 +
| 8
 +
| FILETIME
 +
| Volume creation time.
 +
|-
 +
| VI4
 +
| +0x0010
 +
| 4
 +
| DWORD
 +
| Volume serial number of volume indicated by volume string
 +
|-
 +
| VI5
 +
| +0x0014
 +
| 4
 +
| DWORD
 +
| Offset to sub section E
 +
|-
 +
| VI6
 +
| +0x0018
 +
| 4
 +
| DWORD
 +
| Length of sub section E (in bytes)
 +
|-
 +
| VI7
 +
| +0x001C
 +
| 4
 +
| DWORD
 +
| Offset to sub section F
 +
|-
 +
| VI8
 +
| +0x0020
 +
| 4
 +
| DWORD
 +
| Number of strings in sub section F
 +
|-
 +
| VI9
 +
| +0x0024
 +
| 4
 +
| ?
 +
| Unknown
 +
|-
 +
| <b>VI10</b>
 +
| <b>+0x0028</b>
 +
| <b>28</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
| <b>VI11</b>
 +
| <b>+0x0044</b>
 +
| <b>4</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
| <b>VI12</b>
 +
| <b>+0x0048</b>
 +
| <b>28</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
| <b>VI13</b>
 +
| <b>+0x0064</b>
 +
| <b>4</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|}
  
===Mac OS X===
+
==== Volume information - version 26 ====
;[http://digitalfire.ucd.ie/?page_id=430 Goldfish]
+
The volume information entry – version 26 appears to be similar to volume information – version 23.
:Goldfish is a [[Mac OS X]] live forensic tool. Its main purpose is to provide an easy to use interface to dump the system RAM of a target machine via a [[Firewire]] connection. It then automatically extracts the current user login password and any open AOL Instant Messenger conversation fragments that may be available. Please see [http://digitalfire.ucd.ie/?page_id=430] for more information.
+
  
;[http://cybermarshal.atc-nycorp.com/index.php/cyber-marshal-utilities/mac-memory-reader Mac Memory Reader]
+
=== Sub section E - NTFS file references ===
:Mac Memory Reader is a simple command-line utility to capture the contents of physical RAM.  Results are stored in a Mach-O binary or raw data file.  Mac Memory Reader is available free of charge.  It executes directly on 32- and 64-bit target machines running Mac OS X 10.4 through 10.7 and requires a PowerPC G4 or newer, or any Intel processor.
+
This sub section can contain NTFS file references.
  
;[https://volatility.googlecode.com/svn/branches/scudette/docs/pmem.html OSXPmem]
+
For more information see [https://googledrive.com/host/0B3fBvzttpiiSbl9XZGZzQ05hZkU/Windows%20Prefetch%20File%20(PF)%20format.pdf Windows Prefetch File (PF) format].
:The OSX Memory Imager is an open source tool to acquire physical memory on an Intel based Mac. The imager supports multiple output formats, at the moment these are Mach-O, ELF and zero-padded RAW.
+
  
===Virtual===
+
=== Sub section F - Directory strings ===
; Qemu
+
This sub sections contains directory strings. The number of strings is stored in the volume information.
: Qemu allows you to dump the memory of a running image using pmemsave.
+
: e.g. pmemsave 0 0x20000000 /tmp/dumpfile
+
; Xen
+
: Xen allows you to live dump the memory of a guest domain using the dump-core command.  
+
: You can list the available machines to find the host machine you care about using xm list and see the configuration.
+
: Dumping is a matter of sudo xm dump-core -L /tmp/dump-core-6 6
+
  
==See Also==
+
A directory string is stored in the following structure:
* [[Windows Memory Analysis]]
+
{| class="wikitable"
* [[Linux Memory Analysis]]
+
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
|
 +
| 0x0000
 +
| 2
 +
| DWORD
 +
| Number of characters (WORDs) of the directory name. The value does not include the end-of-string character.
 +
|-
 +
|
 +
| 0x0002
 +
|
 +
| USTR
 +
| The directory name as a Unicode (UTF-16 litte-endian string) terminated by an end-of-string character (U+0000).
 +
|-
 +
|}
 +
 
 +
== See Also ==
 +
* [[Prefetch]]
  
 
== External Links ==
 
== External Links ==
* [http://forensic.belkasoft.com/en/live-ram-forensics Discovering ephemeral evidence with Live RAM analysis] by Oleg Afonin and Yuri Gubanov, © 2013
+
* [https://googledrive.com/host/0B3fBvzttpiiSbl9XZGZzQ05hZkU/Windows%20Prefetch%20File%20(PF)%20format.pdf Windows Prefetch File (PF) format], by the [[libssca|libssca project]]
* [http://www.syngress.com/book_catalog/sample_159749156X.PDF Windows Memory Analysis (Sample Chapter)]
+
* [http://bitbucket.cassidiancybersecurity.com/prefetch-parser/wiki/Home Windows Prefetch file format], by the [http://bitbucket.cassidiancybersecurity.com/prefetch-parser prefetch-parser] project.
* [http://blogs.23.nu/RedTeam/0000/00/antville-5201/ RedTeam: FireWire round-up],  
+
* [http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf FireWire Memory Dump of a Windows XP Computer: A Forensic Approach], by [[Antonio Martin]], 2007
+
  
[[Category:Tools]]
+
[[Category:File Formats]]

Revision as of 10:57, 22 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

Characteristics

Integers stored in little-endian
Strings Stored as UTF-16 little-endian without a byte-order-mark (BOM).
Timestamps Stored as Windows FILETIME in UTC.

File header

The file header is 84 bytes of size and consists of:

Field Offset Length Type Notes
H1 0x0000 4 DWORD Format version (see format version section below)
H2 0x0004 4 DWORD Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
H3 0x0008 4 DWORD? Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
H4 0x000C 4 DWORD Prefetch file size (or length) (sometimes referred to as End of File (EOF)).
H5 0x0010 60 USTR The name of the (original) executable as a Unicode (UTF-16 litte-endian string), up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.
H6 0x004C 4 DWORD The prefetch hash. This hash value should correspond with the one in the prefetch file filename.
H7 0x0050 4 ? Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)

It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.

Format version

Value Windows version
17 (0x11) Windows XP, Windows 2003
23 (0x17) Windows Vista, Windows 7
26 (0x1a) Windows 8.1 (note this could be Windows 8 as well but has not been confirmed)

File information

The format of the file information is version dependent.

Note that some other format specifications consider the file information part of the file header.

File information - version 17

The file information – version 17 is 68 bytes of size and consists of:

Field Offset Length Type Notes
0x0054 4 DWORD The offset to section A. The offset is relative from the start of the file.
0x0058 4 DWORD The number of entries in section A.
0x005C 4 DWORD The offset to section B. The offset is relative from the start of the file.
0x0060 4 DWORD The number of entries in section B.
0x0064 4 DWORD The offset to section C. The offset is relative from the start of the file.
0x0068 4 DWORD Length of section C.
0x006C 4 DWORD Offset to section D. The offset is relative from the start of the file.
0x0070 4 DWORD The number of entries in section D.
0x0074 4 DWORD Length of section D.
0x0078 8 FILETIME Latest execution time (or run time) of executable (FILETIME)
0x0080 16  ? Unknown ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/ (don't exclude the possibility here that this is remnant data)
0x0090 4 DWORD Execution counter (or run count)
0x0094 4 DWORD? Unknown ? Observed values: 1, 2, 3, 4, 5, 6 (XP)

File information - version 23

The file information – version 23 is 156 bytes of size and consists of:

Field Offset Length Type Notes
0x0054 4 DWORD The offset to section A. The offset is relative from the start of the file.
0x0058 4 DWORD The number of entries in section A.
0x005C 4 DWORD The offset to section B. The offset is relative from the start of the file.
0x0060 4 DWORD The number of entries in section B.
0x0064 4 DWORD The offset to section C. The offset is relative from the start of the file.
0x0068 4 DWORD Length of section C.
0x006C 4 DWORD Offset to section D. The offset is relative from the start of the file.
0x0070 4 DWORD The number of entries in section D.
0x0074 4 DWORD Length of section D.
0x0078 8 ? Unknown
0x0080 8 FILETIME Latest execution time (or run time) of executable (FILETIME)
0x0088 16  ? Unknown
0x0098 4 DWORD Execution counter (or run count)
0x009C 4 DWORD? Unknown
0x00A0 80 ? Unknown

File information - version 26

The file information – version 23 is 224 bytes of size and consists of:

Field Offset Length Type Notes
0x0054 4 DWORD The offset to section A. The offset is relative from the start of the file.
0x0058 4 DWORD The number of entries in section A.
0x005C 4 DWORD The offset to section B. The offset is relative from the start of the file.
0x0060 4 DWORD The number of entries in section B.
0x0064 4 DWORD The offset to section C. The offset is relative from the start of the file.
0x0068 4 DWORD Length of section C.
0x006C 4 DWORD Offset to section D. The offset is relative from the start of the file.
0x0070 4 DWORD The number of entries in section D.
0x0074 4 DWORD Length of section D.
0x0078 8  ? Unknown
0x0080 8 FILETIME Latest execution time (or run time) of executable (FILETIME)
0x0088 7 x 8 = 56 FILETIME Older (most recent) latest execution time (or run time) of executable (FILETIME)
0x00C0 16 ? Unknown
0x00D0 4 DWORD Execution counter (or run count)
0x00D4 4 ? Unknown
0x00D8 4 ? Unknown
0x00DC 88 ? Unknown

Section A - Metrics

This section contains an array with 20 byte (version 17) or 32 byte (version 23 and 26) metrics entry records.

A metrics entry records conists of:

Field Offset Length Type Notes
0 4 DWORD Start time in ms
4 4 DWORD Duration in ms
8 4 DWORD Average duration in ms
12 4 DWORD Filename string offset
The offset is relative to the start of the filename string section (section C)
16 4 DWORD Filename string number of characters without end-of-string character
20 4 DWORD Unknown flags
24 4 DWORD Unknown
28 4 DWORD Unknown

Section B

This section contains an array with 12 byte (version 17, 23 and 26) entry records.

The actual format and usage of these entry records is currently not known.

Section C - Filename strings

This section contains filenames strings, it consists of an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).

At the end of the section there seems to be alignment padding that can contain remnant values.

Section D - Volumes information (block)

Section D contains one or more subsections, each subsection refers to directories on a volume.

If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).

In this section, all offsets are assumed to be counted from the start of the D section.

Volume information

The structure of the volume information is version dependent.

Volume information - version 17

The volume information – version 17 is 40 bytes in size and consists of:

Field Offset Length Type Notes
VI1 +0x0000 4 DWORD Offset to volume device path (Unicode, terminated by U+0000)
VI2 +0x0004 4 DWORD Length of volume device path (nr of characters, including terminating U+0000)
VI3 +0x0008 8 FILETIME Volume creation time.
VI4 +0x0010 4 DWORD Volume serial number of volume indicated by volume string
VI5 +0x0014 4 DWORD Offset to sub section E
VI6 +0x0018 4 DWORD Length of sub section E (in bytes)
VI7 +0x001C 4 DWORD Offset to sub section F
VI8 +0x0020 4 DWORD Number of strings in sub section F
VI9 +0x0024 4  ? Unknown

Volume information - version 23

The volume information entry – version 23 is 104 bytes in size and consists of:

Field Offset Length Type Notes
VI1 +0x0000 4 DWORD Offset to volume device path (Unicode, terminated by U+0000)
VI2 +0x0004 4 DWORD Length of volume device path (nr of characters, including terminating U+0000)
VI3 +0x0008 8 FILETIME Volume creation time.
VI4 +0x0010 4 DWORD Volume serial number of volume indicated by volume string
VI5 +0x0014 4 DWORD Offset to sub section E
VI6 +0x0018 4 DWORD Length of sub section E (in bytes)
VI7 +0x001C 4 DWORD Offset to sub section F
VI8 +0x0020 4 DWORD Number of strings in sub section F
VI9 +0x0024 4  ? Unknown
VI10 +0x0028 28 ? Unknown
VI11 +0x0044 4 ? Unknown
VI12 +0x0048 28 ? Unknown
VI13 +0x0064 4 ? Unknown

Volume information - version 26

The volume information entry – version 26 appears to be similar to volume information – version 23.

Sub section E - NTFS file references

This sub section can contain NTFS file references.

For more information see Windows Prefetch File (PF) format.

Sub section F - Directory strings

This sub sections contains directory strings. The number of strings is stored in the volume information.

A directory string is stored in the following structure:

Field Offset Length Type Notes
0x0000 2 DWORD Number of characters (WORDs) of the directory name. The value does not include the end-of-string character.
0x0002 USTR The directory name as a Unicode (UTF-16 litte-endian string) terminated by an end-of-string character (U+0000).

See Also

External Links