Difference between pages "Tools:Memory Imaging" and "TrueCrypt"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Linux/Unix)
 
m
 
Line 1: Line 1:
The [[physical memory]] of computers can be imaged and analyzed using a variety of tools. Because the procedure for accessing physical memory varies between [[operating systems]], these tools are listed by operating system. Once memory has been imaged, it is subjected to [[memory analysis]] to ascertain the state of the system, extract artifacts, and so on.
+
{{Infobox_Software |
 +
  name = Truecrypt |
 +
  maintainer = TrueCrypt Foundation |
 +
  os = {{Linux}}, {{Windows}}, OS X |
 +
  genre = {{Encryption}} |
 +
  license = TrueCrypt Collective License |
 +
  website = [http://www.truecrypt.org/ truecrypt.org] |
 +
}}
  
One of the most vexing problems for memory imaging is verifying that the image has been created correctly. That is, verifying that it reflects the actual contents of memory at the time of its creation. Because the contents of memory are constantly changing on a running system, the process can be repeated but the results will never--to a high degree of probability--be the same.  Thus, repeating the acquisition and comparing the results is not a feasible means of validating correct image creation.  [[Memory analysis]] can reveal whether the image's contents are consistent with the known layout and structure of a given operating system, as well as answering other questions, but it cannot answer the question as to whether the image accurately reflects the system from which it was taken at the time it was taken.
+
'''TrueCrypt''' is an open source program to create and mount virtual encrypted disks in [[Windows|Windows Vista/XP/2000]] and [[Linux]] and [[Mac OS X|OS X]] as well as [[Whole Disk Encryption]] on Windows. It provides two levels of plausible deniability (hidden values / no signatures to make a distinction from random data), on the fly encryption and supports various encryption algorithms ([[AES|AES-256]], [[Serpent]] and [[Twofish]]).  As of version 6.0 TrueCrypt now supports hidden Operating Systems (Windows only).
  
== Memory Imaging Techniques ==
+
== Forensic Acquisition ==
  
; Crash Dumps
+
If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.
: When configured to create a full memory dump, [[Windows]] operating systems will automatically save an image of physical memory when a bugcheck (aka blue screen or kernel panic) occurs. [[Andreas Schuster]] has a [http://computer.forensikblog.de/en/2005/10/acquisition_2_crashdump.html blog post] describing this technique.
+
; LiveKd Dumps
+
: The [[Sysinternals]] tool [http://www.microsoft.com/technet/sysinternals/SystemInformation/LiveKd.mspx LiveKd] can be used to create an image of physical memory on a live machine in crash dump format. Once livekd is started, use the command ".dump -f [output file]"
+
; Hibernation Files
+
: [[Windows]] 98, 2000, XP, 2003, and Vista support a feature called [[hibernation]] that saves the machine's state to the disk when the computer is powered off. When the machine is turned on again, the state is restored and the user can return to the exact point where they left off. The machine's state, including a compressed image of [[physical memory]], is written to the disk on the system drive, usually C:, as [[hiberfil.sys]]. This file can be parsed and decompressed to obtain the memory image. Once [[hiberfil.sys]] has been obtained, [http://sandman.msuiche.net/ Sandman] can be used to convert it to a dd image.
+
: [[Mac OS X]] very kindly creates a file called '''/var/vm/sleepimage''' on any laptop that is suspended. This file is NOT erased when the machine starts up. It is unencrypted even if the user turns on [[File Vault]] and enables Secure Virtual Memory. [http://pc-eye.blogspot.com/2008/08/live-memory-dump-on-mac-laptops.html].
+
; Firewire
+
: It is possible for [[Firewire]] or IEEE1394 devices to directly access the memory of a computer. Using this capability has been suggested as a method for acquiring memory images for forensic analysis. Unfortunately, the method is not safe enough to be widely used yet. There are some published papers and tools, listed below, but they are not yet forensically sound. These tools do not work with all Firewire controllers and on other can cause system crashes. The technology holds promise for future development, in general should be avoided for now.
+
: At [[CanSec West 05]], [[Michael Becher]], [[Maximillian Dornseif]], and [[Christian N. Klein]] discussed an [[exploit]] which uses [[DMA]] to read arbitrary memory locations of a [[firewire]]-enabled system. The [http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf paper] lists more details. The exploit is run on an [http://ipodlinux.org/Main_Page iPod running Linux]. This can be used to grab screen contents.
+
: This technique has been turned into a tool that you can download from:  http://www.storm.net.nz/projects/16
+
: Goldfish is a tool that is being developed to get RAM from a Mac. Contact cybercrime.com.
+
  
== Memory Imaging Tools ==
+
== Attacks ==
===x86 Hardware===
+
The only option for acquiring the content of a dismounted TrueCrypt drive is to do a brute-force password guessing attack. [[AccessData|AccessData's]] [[Password Recovery Toolkit]] and Distributed Network Attack ([[DNA]]) can both perform such an attack, but DNA is faster.
; Tribble PCI Card (research project)
+
: http://www.digital-evidence.org/papers/tribble-preprint.pdf
+
  
; CoPilot by Komoku
+
TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use it's PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).
: Komoku was acquired by Microsoft and the card was not made publicly available.
+
  
; Forensic RAM Extraction Device (FRED) by BBN
+
== Hidden volumes ==
: Not publicly available. http://www.ir.bbn.com/~vkawadia/
+
  
===[[Windows]] Software===
+
Hidden volume is a volume hidden within the free space of another TrueCrypt volume. Even when the outer volume is mounted, it is hard to prove whether there is a hidden volume or not.
; winen.exe (Guidance Software - included with Encase 6.11 and higher)
+
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
: http://forensiczone.blogspot.com/2008/06/winenexe-ram-imaging-tool-included-in.html
+
  
; [[WinDD]]
+
When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). It is important to look for such kind of information.
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
: http://windd.msuiche.net/
+
: http://www.msuiche.net/2008/06/14/capture-memory-under-win2k3-or-vista-with-win32dd/
+
  
; [[Mdd]] (Memory DD) ([[ManTech]])
+
Previous versions of encrypted containers may be found in the journaling filesystems. It is important to track any changes within the free space of the outer container to detect presence of a hidden container.
: included on [http://www.e-fense.com/helix/ Helix 2.0]
+
: http://sourceforge.net/projects/mdd
+
  
; F-Response with FTK imager, dd, Encase, WinHex, etc
+
== Hidden Operating Systems ==
: Beta 2.03 provides remote access to memory that can be acquired using practically any standard imaging tool
+
: http://www.f-response.com/index.php?option=com_content&task=view&id=79&Itemid=2
+
  
; MANDIANT Memoryze
+
Hidden operating system is a system that is installed in a hidden TrueCrypt volume.
: Can capture and analyze memory. Supports reading dumps (raw/dd format) from other tools.
+
: http://www.mandiant.com/software/memoryze.htm
+
  
; [[Kntdd]]
+
It is possible to detect network-enabled hidden operating systems by matching downloaded content (from a network dump) with data on a possible decoy system.
: http://www.gmgsystemsinc.com/knttools/
+
  
; [[dd]]
+
Investigator can also detect boot times by searching network dumps for IP packets with low IDs (only if [[Windows]] system is permanently connected to a LAN) and [[TCP timestamps]].
: On [[Microsoft Windows]] systems, [[dd]] can be used by an Administrator user to image memory using the ''\Device\Physicalmemory'' object. Userland access to this object is denied starting in Windows 2003 Service Pack 1 and Windows Vista.
+
  
; Windows Memory Forensic Toolkit (WMFT)
+
== External Links ==
: http://forensic.seccure.net/
+
: http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
+
  
; Nigilant32
+
* [http://www.truecrypt.org/ Official website]
: http://www.agilerm.net/publications_4.html
+
* [http://www.truecrypt.org/docs/?s=version-history Version history]
 
+
;[[HBGary]]: Fastdump and Fastdump Pro
+
:http://www.hbgary.com
+
:[[Fastdump]] (free with registration) Can acquire physical memory on Windows 2000 through Windows XP 32 bit but not Windows 2003 or Vista.
+
:[[Fastdump Pro]] Can acquire physical memory on Windows 2000 through Windows 2008, all service packs.  Additionally, Fastdump Pro supports:
+
:-32 bit and 64 bit architectures
+
:-Acquisitions of greater than 4GB
+
:-Fast acquisitions through the use of larger page sizes (1024KB) but also supports a strict mode that enforces 4KB page sizes.
+
:-Process probing which allows for a more complete memory image of a process of interest.
+
:-Acquisition of the system page file during physical memory acquisition.  This allows for a more complete memory analysis.
+
 
+
===Linux/Unix===
+
;[[dd]]
+
: On Unix systems, the program [[dd]] can be used to capture the contents of [[physical memory]] using a device file (e.g. <tt>/dev/mem</tt> and <tt>/dev/kmem</tt>).  In recent Linux kernels, /dev/kmem is no longer available.  In even more recent kernels, /dev/mem has additional restrictions.  And in the most recent, /dev/mem is no longer available by default, either.  Throughout the 2.6 kernel series the trend has been to reduce direct access to memory via pseudo-device files.  See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.  On Red Hat systems (and derived distros such as CentOS), the crash driver can be loaded to create a pseudo-device for memory access ("modprobe crash").
+
;[http://www.pikewerks.com/sl/ Second Look]
+
: This memory analysis product has the ability to acquire memory from Linux systems, either locally or from a remote target via DMA.  It comes with pre-compiled Physical Memory Access Driver (PMAD) modules for hundreds of kernels from the most commonly used Linux distributions.
+
; Idetect (Linux)
+
: http://forensic.seccure.net/
+
;[http://hysteria.sk/~niekt0/foriana/fmem_current.tgz fmem] (Linux)
+
: fmem is kernel module, that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.
+
 
+
==See Also==
+
* [[Windows Memory Analysis]]
+
* http://blogs.23.nu/RedTeam/0000/00/antville-5201/
+
* http://www.storm.net.nz/projects/16
+
* http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf
+
 
+
== External Links ==
+
* [http://www.syngress.com/book_catalog/sample_159749156X.PDF  Windows Memory Analysis (Sample Chapter)]
+
  
[[Category:Tools]]
+
[[Category:Encryption]]

Revision as of 14:32, 13 September 2008

Truecrypt
Maintainer: TrueCrypt Foundation
OS: Linux,Windows, OS X
Genre: Encryption
License: TrueCrypt Collective License
Website: truecrypt.org

TrueCrypt is an open source program to create and mount virtual encrypted disks in Windows Vista/XP/2000 and Linux and OS X as well as Whole Disk Encryption on Windows. It provides two levels of plausible deniability (hidden values / no signatures to make a distinction from random data), on the fly encryption and supports various encryption algorithms (AES-256, Serpent and Twofish). As of version 6.0 TrueCrypt now supports hidden Operating Systems (Windows only).

Contents

Forensic Acquisition

If you encounter a system that has a mounted TrueCrypt drive, it is imperative that you capture the contents of the encrypted drive before shutting down the system. Once the system is shutdown, the contents will be inaccessible unless you have the proper encryption key generated by a user's password. You may also need an additional datafile.

Attacks

The only option for acquiring the content of a dismounted TrueCrypt drive is to do a brute-force password guessing attack. AccessData's Password Recovery Toolkit and Distributed Network Attack (DNA) can both perform such an attack, but DNA is faster.

TrueCrypt also supports keyfiles (it uses the first 1024 kilobytes of any file, but can also use it's PRNG to generate such keys). It is important to look for anything that might be used as a keyfile (such as a 1024k file on a USB stick).

Hidden volumes

Hidden volume is a volume hidden within the free space of another TrueCrypt volume. Even when the outer volume is mounted, it is hard to prove whether there is a hidden volume or not.

When a hidden volume is mounted, the operating system and third-party applications may write to non-hidden volumes information about the data stored in the hidden volume (e.g. filenames). It is important to look for such kind of information.

Previous versions of encrypted containers may be found in the journaling filesystems. It is important to track any changes within the free space of the outer container to detect presence of a hidden container.

Hidden Operating Systems

Hidden operating system is a system that is installed in a hidden TrueCrypt volume.

It is possible to detect network-enabled hidden operating systems by matching downloaded content (from a network dump) with data on a possible decoy system.

Investigator can also detect boot times by searching network dumps for IP packets with low IDs (only if Windows system is permanently connected to a LAN) and TCP timestamps.

External Links