Difference between pages "List of Volatility Plugins" and "Solid State Drive (SSD) Forensics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Data Recovery)
 
m (Bibliography)
 
Line 1: Line 1:
The [[Volatility Framework]] was designed to be expanded by plugins. Here is a list of the published plugins for the framework. Note that these plugins are not hosted on the wiki, but all on external sites.
+
Solid State Drives pose a variety of interesting challenges for computer forensics. Most SSD devices are based on flash memory. Flash has two properties that complicate its use in computer storage systems:
 +
# Unlike normal hard drives that can be written in a single pass, flash memory is arranged in pages that must first be erased before it can be written.
 +
# Each flash page consists of multiple blocks. Typically block size is 512 bytes and page size is 2KiB, 4KiB, or larger.
 +
# Each page can be erased and rewritten a limited number of times---typically 1000 to 10,000. (Hard drive sectors, in contrast, can be rewritten millions of times or more.)
  
== Command Shell ==
+
To overcome these problems, SSD manufacturers have created a system for ''wear leveling''---that is, spreading the writes to flash out among different sectors. Wear leveling is typically done with a ''flash translation layer'' that maps ''logical sectors'' (or LBAs) to ''physical pages.''  Most FTLs are contained within the SSD device and are not accessible to end users.
* [http://moyix.blogspot.com/2008/08/indroducing-volshell.html volshell] - Creates a python shell can be used with the framework.
+
  
== Malware Detection ==
+
==Bibliography==
* [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html malfind] - Automates the process of finding and extracting (usually malicious) code injected into another process
+
<bibtex>
 +
@inproceedings{wei2011,
 +
  author = {Michael Wei and Laura M. Grupp and Frederick M. Spada and Steven Swanson},
 +
  title = {Reliably Erasing Data from Flash-Based Solid State Drives},
 +
  booktitle={FAST 2011},
 +
  year = 2011,
 +
  keywords = {erasing flash security ssd},
 +
  added-at = {2011-02-22T09:22:03.000+0100},
 +
  url={http://cseweb.ucsd.edu/users/m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf},
 +
  biburl = {http://www.bibsonomy.org/bibtex/27c408ad559fc19f829717f485707a909/schmidt2}
 +
}
 +
</bibtex>
 +
<bibtex>
 +
@article{bell2011,
 +
author="Graeme B. Bell and Richard Boddington",
 +
title="Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?",
 +
journal="Journal of Digital Forensics, Security and Law",
 +
volume=5,
 +
issue=3,
 +
year=2011,
 +
url={http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf}
 +
}
 +
</bibtex>
 +
<bibtex>
 +
@inproceedings{Billard:2010:MSU:1774088.1774426,
 +
author = {Billard, David and Hauri, Rolf},
 +
title = {Making sense of unstructured flash-memory dumps},
 +
booktitle = {Proceedings of the 2010 ACM Symposium on Applied Computing},
 +
series = {SAC '10},
 +
year = {2010},
 +
isbn = {978-1-60558-639-7},
 +
location = {Sierre, Switzerland},
 +
pages = {1579--1583},
 +
numpages = {5},
 +
url = {http://doi.acm.org/10.1145/1774088.1774426},
 +
doi = {http://doi.acm.org/10.1145/1774088.1774426},
 +
acmid = {1774426},
 +
publisher = {ACM},
 +
address = {New York, NY, USA},
 +
keywords = {cell phone, computer forensics, file carving, flash-memory dumps, forensics},
 +
}
 +
</bibtex>
  
== Data Recovery ==
+
==Presentations==
 
+
* [http://www.snia.org/events/storage-developer2009/presentations/thursday/NealChristiansen_ATA_TrimDeleteNotification_Windows7.pdf ATA Trim / Delete Notification Support in Windows 7], Neal Christiansen, Storage Developer 2009
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan] (By [http://jessekornblum.livejournal.com/246616.html Jesse Kornblum]) - Finds [[TrueCrypt]] passphrases
+
* [http://www.slideshare.net/digitalassembly/challenges-of-ssd-forensic-analysis Challenges of SSD Forensic Analysis], Digital Assembly.
* [http://moyix.blogspot.com/2008/10/plugin-post-moddump.html moddump] (By [[http://moyix.blogspot.com/2008/10/plugin-post-moddump.html Moyix]) - Dump out a kernel module (aka driver)
+
* [http://www.youtube.com/watch?v=WcO7xn0wJ2I ]Solid State Drives: Ruining Forensics, by Scott Moulton, DEFCON 16 (2008)
* [http://moyix.blogspot.com/2009/01/memory-registry-tools.html Registry tools] (By [http://moyix.blogspot.com/2009/03/regripper-and-volatility-prototype.html Moyix]) - A suite of plugins for accessing data from the registry, including password hashes, LSA secrets, and arbitrary registry keys.
+
* Scott Moulton, Shmoocon 20008,  SSD drives vs. Hard Drives.
* [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html getsids] (By [http://moyix.blogspot.com/2008/08/linking-processes-to-users.html Moyix]) - Get information about what user (SID) started a process.
+
** [http://www.youtube.com/watch?v=l4hbdZFWGog SSD Flash Hard Drives - Shmoocon 2008 - Part 1]
* [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html ssdt] (By [http://moyix.blogspot.com/2008/08/auditing-system-call-table.html Moyix]) - List entries in the system call table. Can be used to detect certain rootkits that hook system calls by replacing entries in this table.
+
** [http://www.youtube.com/watch?v=mglEnIPnzjo SSD Flash Hard Drives - Shmoocon 2008 - Part 2]
* [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html threadqueues] (By [http://moyix.blogspot.com/2008/09/window-messages-as-forensic-resource.html Moyix]) - Enumerates window messages pending for each thread on the system. Window messages are the mechanism used to send things like button presses, mouse clicks, and other events to GUI programs.
+
** [http://www.youtube.com/watch?v=3psy_d-pyNg SSD Flash Hard Drives - Shmoocon 2008 - Part 3]
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_objtypescan-current.zip objtypescan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_file_objects.html Andreas Schuster]) - Lists open files by enumerating the _FILE_OBJECT structure. (Note: If running the SVN version of Volatility, just install the plugin file from this archive)
+
** [http://www.youtube.com/watch?v=pKeZvhDd5c4 SSD Flash Hard Drives - Shmoocon 2008 - Part 4]
* [http://computer.forensikblog.de/files/volatility_plugins/keyboardbuffer.py keyboardbuffer] (By [http://computer.forensikblog.de/en/2009/04/read_password_from_keyboard_buffer.html#more Andreas Schuster]) - Extracts keyboard buffer used by the BIOS, which may contain BIOS or disk encryption passwords.
+
** [http://www.youtube.com/watch?v=9XMBdDypSO4 SSD Flash Hard Drives - Shmoocon 2008 - Part 5]
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_mutantscan-current.zip mutantscan] (By [http://computer.forensikblog.de/en/2009/04/searching_for_mutants.html#more Andreas Schuster]) - Extracts mutexs from the Windows kernel
+
** [http://www.youtube.com/watch?v=LY36SWbfQg0 SSD Flash Hard Drives - Shmoocon 2008 - Part 6]
* [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more symlinkobjscan] (By [http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html#more Andreas Schuster]) - Extracts symbolic link objects from the Windows kernel
+
* [http://risky.biz/RB185 Risky Business #185], Peter Gutmann talks SSD forensics, March 4, 2011 (Radio Show)
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_driverscan-current.zip driverscan] (By [http://computer.forensikblog.de/en/2009/04/scanning_for_drivers.html#more Andreas Schuster]) - Scan for kernel _DRIVER_OBJECTs.
+
* [http://computer.forensikblog.de/files/volatility_plugins/volatility_fileobjscan-current.zip fileobjscan] (By [http://computer.forensikblog.de/en/2009/04/linking_file_objects_to_processes.html#more Andreas Schuster]) - File object -> process linkage, including hidden files.
+
* [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html malfind] (By [http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html Michael Hale Ligh]) - Find and extract hidden and/or injected code.
+
*
+
 
+
== Process Enumeration ==
+
 
+
* [http://jessekornblum.com/tools/volatility/suspicious.py suspicious] (By [http://jessekornblum.livejournal.com/246616.html Jesse Kornblum]) - Identify "suspicious" processes. This version counts any command line running [[TrueCrypt]] or any command line that starts with a lower case drive letter as suspicious.
+
 
+
== Output Formatting ==
+
 
+
* [http://scudette.blogspot.com/2008/10/pstree-volatility-plugin.html pstree] - Produces a tree-style listing of processes
+
* [http://gleeda.blogspot.com/2009/03/briefly-vol2html-update.html vol2html] - Converts volatility output to HTML. Not technically a plugin, but useful nonetheless.
+

Revision as of 15:22, 22 March 2011

Solid State Drives pose a variety of interesting challenges for computer forensics. Most SSD devices are based on flash memory. Flash has two properties that complicate its use in computer storage systems:

  1. Unlike normal hard drives that can be written in a single pass, flash memory is arranged in pages that must first be erased before it can be written.
  2. Each flash page consists of multiple blocks. Typically block size is 512 bytes and page size is 2KiB, 4KiB, or larger.
  3. Each page can be erased and rewritten a limited number of times---typically 1000 to 10,000. (Hard drive sectors, in contrast, can be rewritten millions of times or more.)

To overcome these problems, SSD manufacturers have created a system for wear leveling---that is, spreading the writes to flash out among different sectors. Wear leveling is typically done with a flash translation layer that maps logical sectors (or LBAs) to physical pages. Most FTLs are contained within the SSD device and are not accessible to end users.

Bibliography

Michael Wei, Laura M. Grupp, Frederick M. Spada, Steven Swanson - Reliably Erasing Data from Flash-Based Solid State Drives
FAST 2011 ,2011
http://cseweb.ucsd.edu/users/m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf
Bibtex
Author : Michael Wei, Laura M. Grupp, Frederick M. Spada, Steven Swanson
Title : Reliably Erasing Data from Flash-Based Solid State Drives
In : FAST 2011 -
Address :
Date : 2011

Graeme B. Bell, Richard Boddington - Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?
Journal of Digital Forensics, Security and Law 5,2011
http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf
Bibtex
Author : Graeme B. Bell, Richard Boddington
Title : Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?
In : Journal of Digital Forensics, Security and Law -
Address :
Date : 2011

Billard, David, Hauri, Rolf - Making sense of unstructured flash-memory dumps
Proceedings of the 2010 ACM Symposium on Applied Computing pp. 1579--1583, New York, NY, USA,2010
http://doi.acm.org/10.1145/1774088.1774426
Bibtex
Author : Billard, David, Hauri, Rolf
Title : Making sense of unstructured flash-memory dumps
In : Proceedings of the 2010 ACM Symposium on Applied Computing -
Address : New York, NY, USA
Date : 2010

Presentations