Difference between pages "Caselaw" and "Rekall"

From Forensics Wiki

Caselaw

The legal information below is not legal advice. You should consult a lawyer if you want professional assurance that this information, and your interpretation of it, is appropriate to your situation.

The following are highlights of cases important to digital forensics and electronic discovery.

Court Decisions

United States v. Warshak, 631 F.3d 266 (6th Cir. Dec. 14, 2010)
The Sixth Circuit Court of Appeals ruled that the government must have a search warrant before it can seize and search emails held by email service providers. "Given the fundamental similarities between email and traditional forms of communication [like postal mail and telephone calls], it would defy common sense to afford emails lesser Fourth Amendment protection..." (https://www.eff.org/files/warshak_opinion_121410.pdf)

Binary Semantics Ltd. v. Minitab, Inc., Case No. 07-1750 (M.D. Pa. May 5, 2008)
In 2008, a district court agreed that a forensic image of an entire FTP server was "overly-broad and intrusive," allowing the defendants only authorization for "a forensic copy of the relevant folders on [the] FTP server."

Harkabi v. Sandisk Corp., 2010 U.S. Dist. LEXIS 87843 (S.D.N.Y. Aug. 23, 2010)
Electronic discovery requires litigants to scour disparate data storage mediums and formats for potentially relevant documents. That undertaking involves dueling considerations: thoroughness and cost.

United States v. Scott-Emuakpor, 2000 U.S. Dist. LEXIS 3118 (W.D. Mich. 2000)
The court was satisfied with a third party collecting the forensic data as long as it was accompanied by "the testimony of a witness who was present and observed the procedure by which the documents were obtained from Defendant's computers."

Griffin v. State, 2010 Md. App. LEXIS 87 (Md. Ct. Spec. App. May 27, 2010)
Social media profiles on MySpace or Facebook could be authenticated circumstantially by their content and context in the same manner as other forms of electronic communications.

State v. Rivas, 2007 Ohio App. LEXIS 3299 (Ohio Ct. App. Jul. 13, 2007)
The court overturned the conviction of the defendant because an in camera review (http://en.wikipedia.org/wiki/In_camera) of the police department's computer was not performed, which would have verified the accuracy of the transcripts that were recorded from a chat room and subsequently used against the defendant.

Fenje v. Feld, 2003 U.S. Dist. LEXIS 24387 (N.D. Ill., Dec. 8, 2003)
The authentication of email messages presented in support of a summary judgment motion was at the core of this wrongful termination case. The court found that email messages may be authenticated as being from the suspected author based on the following factors:

* The email address from which it was sent
* An affidavit of the recipient
* Comparison of the content of the email with other evidence
* Other communication from the suspected author acknowledging the email message in question

U.S. v. Cameron, 2010 WL 3238326 (U.S. District Court for the District of Maine 2010) (ongoing)
Yahoo! detected child pornography and reported it to the NCMEC, and Cameron expected the Government to produce as witnesses the Yahoo! technicians who collected the evidence. The judge noted that at trial the "Government need not call each of the technicians who did the search so long as it" presented a witness who can "explain and be cross-examined concerning the manner in which the records are made and kept." Further, the judge ordered that the Government is not obligated to turn over evidence that it does not possess (e.g. "the original or a copy of the Yahoo! photo server and server files" or "the physical location of the original server files").

Krumwiede v. Brighton Associates, LLC, 2006 WL 1308629 (N.D. Ill. May 8, 2006)
Default judgment granted for deleting, altering and accessing electronic data despite a litigation hold. Plaintiff deleted files with a combination of "deliberate movement of file data, admitted deletion activities, multiple use of defrag, use of ZIP file to conceal or transport [the defendants'] data, [and use of] multiple USB devices [to] intend to destroy evidence." Summary judgment against plaintiff for interfering with the discovery process.

Further Information

* http://www.setecinvestigations.com/resources/casesummaries.php
* http://www.iediscovery.com/resources/lawlibrary
* https://extranet1.klgates.com/ediscovery/Search.aspx
* How to Evaluate a Digital Forensic Report – Part 1: A Brief History of Digital Forensics, by Daniel B. Garrie, January 31, 2014: http://www.lawandforensics.com/evaluate-digital-forensic-report-part-1-4/
* How to Evaluate a Digital Forensic Report – Part 2: Daubert, by Daniel B. Garrie, February 4, 2014: http://www.lawandforensics.com/evaluate-digital-forensic-report-part-2-4/
* How to Evaluate a Digital Forensic Report – Part 3: Experts, by Daniel B. Garrie, February 10, 2014: http://www.lawandforensics.com/evaluate-digital-forensic-report-part-3-4/
* How to Evaluate a Digital Forensic Report – Part 4 & Conclusion, by Daniel B. Garrie, February 14, 2014: http://www.lawandforensics.com/evaluate-digital-forensic-report-part-4-4/

Category: Law

Revision as of 02:03, 22 February 2014

Rekall
Maintainer: Michael Cohen
OS: Cross-platform
Genre: Memory Analysis, Memory Imaging
License: GPL
Website: code.google.com/p/rekall/

Rekall is the stand-alone continuation of the Volatility Technology Preview (TP) version, aka the scudette branch.

One of Rekall's goals is to provide better integration with GRR through improved modularity of the framework and a built-in memory acquisition capability.[1] (http://docs.rekall.googlecode.com/git/overview.html#_history)

Memory acquisition drivers

The drivers can be found under:

rekall/tools/linux
rekall/tools/osx
rekall/tools/windows

Linux

To build the kernel module for the current kernel version, make sure you have a working build environment and the kernel headers installed. Change into this directory and run make:

cd rekall/tools/linux/
make

The acquisition driver is named pmem.ko.

To load the driver:

sudo insmod pmem.ko

To check if the driver is running:

sudo lsmod

The driver creates a device file named:

/dev/pmem

To unload the driver:

sudo rmmod pmem

To acquire the memory, just read from the device file, e.g.

dd if=/dev/pmem of=image.raw

For more information see:

rekall/tools/linux/README
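The Linux steps above (insmod, checking lsmod, reading /dev/pmem with dd, rmmod) collected into one script, as an added example that is not code from the Rekall project. It adds the checks an examiner wants around an acquisition: the lsmod check matches the module name exactly rather than as a substring, the device node is verified before dd runs, and a SHA-256 of the image is written beside it so later copies can be verified. The function names, the bs=1M block size and the .sha256 side file are this example's own choices; it assumes pmem.ko has already been built in rekall/tools/linux and that the script runs as root.

```shell
#!/bin/sh
# Added example, not part of Rekall: wrapper around the pmem.ko workflow.
# Assumes: root privileges, pmem.ko built in rekall/tools/linux,
# and dd/sha256sum/lsmod/insmod/rmmod on PATH.

# Read lsmod-style output on stdin; succeed only if column 1 equals the
# module name exactly, so "pmem" does not match "pmem_extra" or "xpmem".
# NR > 1 skips the "Module Size Used by" header line.
module_loaded() {
    awk -v m="$1" 'NR > 1 && $1 == m { found = 1 }
                   END { if (found) exit 0; exit 1 }'
}

# Acquire /dev/pmem into $2 (default image.raw), loading $1 (default
# pmem.ko) if needed. Returns non-zero on the first failure so a calling
# procedure stops instead of producing a partial or missing image.
acquire_pmem() {
    ko=${1:-pmem.ko}
    out=${2:-image.raw}

    if ! lsmod | module_loaded pmem; then
        insmod "$ko" || { echo "insmod $ko failed" >&2; return 1; }
    fi
    # Re-check after loading: insmod can succeed while a differently
    # named module is registered, or the load may have been refused.
    lsmod | module_loaded pmem || { echo "pmem not in lsmod" >&2; return 1; }
    [ -c /dev/pmem ] || { echo "/dev/pmem device node missing" >&2; return 1; }

    # Large block size keeps the number of read() calls on the device small.
    dd if=/dev/pmem of="$out" bs=1M || { echo "dd from /dev/pmem failed" >&2; return 1; }

    # Record the hash next to the image for later integrity checks
    # (sha256sum -c image.raw.sha256).
    sha256sum "$out" > "$out.sha256" || return 1

    # Unload as the page describes; a failure here does not invalidate the image.
    rmmod pmem || echo "warning: rmmod pmem failed" >&2
    return 0
}
```

Usage: `acquire_pmem rekall/tools/linux/pmem.ko /mnt/evidence/image.raw`. The exact-match test in module_loaded matters because lsmod prints one module per line and a substring grep would also accept unrelated modules whose names contain "pmem".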

Mac OS X

For more information see:

rekall/tools/osx/OSXPMem/README

Windows

Since recent versions of Windows require a signed driver, Rekall comes with both a pre-built (signed binary) and a source version of the driver.

Both the i386 and amd64 binary versions of the driver can be found in the directory:

rekall/tools/windows/winpmem/binaries

E.g.

rekall/tools/winpmem/binaries/amd64/winpmem.sys

A standalone tool for imaging memory that uses an embedded copy of the pmem driver can be found as winpmem.exe in:

rekall/tools/winpmem/executables/Release/

To load the driver:

winpmem.exe -l

The device filename is (this cannot be changed without recompiling):

\\.\pmem

Note that running dd directly on this device file can crash the machine. Use the winpmem.exe tool instead because it handles protected memory regions.

To acquire the physical memory and write it to image.raw:

winpmem.exe image.raw

To unload the driver:

winpmem.exe -u

For more information see:

rekall/tools/windows/README

See Also

* Volatility

External Links

* Project site: https://code.google.com/p/rekall/
* Project documentation: http://docs.rekall.googlecode.com/git/index.html
* Rekall Memory Forensics blog: http://rekall-forensic.blogspot.com/