8/9/2019 Live Memory Acquisition for Windows Operating Systems, Naja Davis
Live Memory Acquisition for Windows Operating Systems:
Tools and Techniques for Analysis

Cover Page and Abstract

The live acquisition of volatile memory (RAM) is an area in digital forensics that has not garnered much attention until most recently. The importance of the contents of physical memory has always taken a back seat to what is considered more important: the contents of physical media. However, a great deal of information can be acquired from RAM analysis which is unavailable during most typical forensic acquisition and analysis. This paper will take a look at the different tools available to the forensic examiner for memory acquisition and how to analyze the resulting data.

Naja Davis
Eastern Michigan University
IA 328
Table of Contents

Cover Page and Abstract ..... 1
I. Introduction ..... 3
II. Scope ..... 3
III. Tools for live memory acquisition ..... 4
    Hardware-based solutions ..... 4
        Tribble ..... 4
        Firewire ..... 4
    Software-based solutions ..... 5
        Limitations of software-based acquisition ..... 5
        DD (data dumper) ..... 5
        Nigilant32 ..... 6
        ProDiscover IR ..... 6
        KntDD ..... 6
        Microsoft Crash Dump ..... 7
IV. Memory Analysis ..... 7
    Basics: What does an investigator need to know? ..... 7
    Tools ..... 8
V. Acquisition ..... 10
    Suggested Procedures for Live Acquisition ..... 11
VI. Test Case, Step by Step ..... 11
VII. Conclusion ..... 21
Appendix A ..... 22
References ..... 23
I. Introduction

Until recently, the acquisition of volatile memory (RAM) has been practiced mainly by those involved in live incident response and largely ignored by those in the field. Memory acquisition from a live system requires specialized hardware or software; not all forensic utilities can access the \\.\PhysicalMemory object in Windows. The analysis of the resulting image file also requires specialized scripts and knowledge to be able to interpret the data. These two factors make memory acquisition and analysis more difficult than traditional forensic hard drive examinations; it requires a greater amount of care than the common method of pulling the power and preserving the crime scene.

However, with the advent of Microsoft Vista and BitLocker (Microsoft's answer to full disk encryption), and the increasing sophistication of malware, rootkits, and other viruses, live memory analysis has become even more important to the field of computer forensics. Important data such as passwords, IP addresses, what processes were running, and other data that might not be stored on the hard drive can be retrieved from a memory dump or image. Malware and rootkits often leave traces in resident memory that cannot be found by analyzing a hard drive image.

The Digital Forensic Research Workshop (DFRWS) [1] issued a memory analysis challenge in the summer of 2005 to encourage research and tool development in live memory acquisition. This challenge produced two winners, Chris Betz and the team of George M. Garner, Jr. and Robert-Jan Mora, who developed tools to complete the challenge. Memparser [2], Chris Betz's winning entry, reconstructs process lists and extracts information from process memory. Garner and Mora developed kntlist, which enables an examiner to dump the physical memory from Windows and extract information from the resulting file. These two works have spurred interest in the field of live memory acquisition and the issues surrounding it.
II. Scope

All tools and procedures in this document apply only to the Windows family of operating systems, including Windows 2000, XP, Vista, and Server 2003.
III. Tools for live memory acquisition

Hardware-based solutions

Tribble

The Tribble [3] was introduced in February 2004 in the Digital Investigation Journal by Brian Carrier and Joe Grand, of Grand Idea Studio, Inc. The Tribble is a hardware expansion card which can be used to retrieve the contents of physical memory. It is a PCI expansion card designed to be installed on a server before the event, with a switch that is enabled when the investigator wants to capture data.

This method of acquisition has its strengths and limitations. As a hardware device, the Tribble can access physical memory without introducing any software onto the target system, minimizing the impact on the data being retrieved. However, it must be installed prior to the incident, making it somewhat inconvenient for on-the-fly acquisition. It is also still a proof-of-concept device and not widely available.

Firewire

The second hardware solution available for live memory acquisition is through the use of a Firewire device. Firewire devices use direct memory access (DMA), without having to go through the CPU. The memory mapping is performed in hardware without going through the host operating system, which not only allows for high speed transfers but also bypasses the problem with some versions of Windows that do not allow memory to be accessed from user mode.

Adam Boileau [4] developed software using Python to extract physical memory from a system on Linux. This tool can be used on Windows systems as well, by tricking Windows into giving the user DMA by masquerading as an iPod. This method is more convenient than the aforementioned Tribble device, as most systems today have Firewire ports available (usually built right into the motherboard). The current problem with this method is an issue with the Upper Memory Area (UMA) which causes some systems to suffer crashes during the acquisition process [5].
Software-based solutions

Limitations of software-based acquisition

With the release of Service Pack 2 for Windows XP, the \\.\PhysicalMemory object is no longer accessible from user mode. This is also true for Windows Vista and Windows Server 2003 (Service Pack 1); it can only be accessed via kernel mode drivers. As such, some utilities which may have worked in the past will no longer work on these versions of Windows. They may still apply to earlier or unpatched versions, however.

One issue that the forensic investigator needs to remain mindful of during live memory acquisition with software-based tools is the potential change to data during the acquisition process. Due to the volatile nature of RAM, introducing any new software onto the system may change the data which currently resides in memory. The memory introduced to the system will displace the data that previously occupied that space. The image acquired may also present a smeared picture of the data, since the system is live and pages are changing as the acquisition progresses. This is certainly not ideal for forensically sound acquisition and subsequent analysis and must be given due consideration, particularly when evidentiary rules and standards apply.

DD (data dumper)

DD, better known as the data dumper tool from UNIX, is probably familiar to most forensic investigators as a tool for creating forensic images of hard drives and is included in many open source forensic utilities such as Helix (http://www.e-fense.com/helix/). The DD format is also supported by most major forensic applications. Forensic Acquisition Utilities (FAU) [6] uses a modified version of the data dumper tool which is capable of accessing the \\.\PhysicalMemory object in Windows. Unfortunately, FAU will only work on versions earlier than Windows XP Service Pack 2, Windows Vista, or Server 2003 Service Pack 1, as it accesses the PhysicalMemory object from user mode. (Note: The most recent version of FAU does not include a version of DD that works for memory acquisition; previous versions are still viable, however.) Also, not all versions of DD will allow access to the \\.\PhysicalMemory object.
Nigilant32

Nigilant32 [7] is a tool developed by Agile Risk Management that allows an investigator to preview a hard disk, image memory, and take a snapshot of currently running processes and open ports on the target system. Nigilant32 has a small footprint, using less than 1 MB in memory when loaded, supporting Agile's claim of minimal impact during acquisition. The program is currently in beta; however, it is free to download and use off of their website.

ProDiscover IR

Technology Pathways' forensic acquisition tool, ProDiscover [8], is an incident response tool that allows investigation of a live system anywhere on the network. The investigation can include imaging of physical media or memory; however, use of this tool requires a server applet to be installed on the target system prior to acquisition, via removable storage media such as a USB drive or CD. This requirement makes this particular tool not as desirable a choice for field acquisition and perhaps better suited to a corporate network environment. (Note: This tool is restricted by the kernel mode driver requirement for accessing \\.\PhysicalMemory in certain versions of Windows.)

KntDD

KntDD is a memory acquisition tool developed by George Garner (also responsible for the Forensic Acquisition Toolkit) as a part of KntTools [9]. Garner developed KntTools in response to the restriction on accessing \\.\PhysicalMemory from user mode, and it supports Windows 2000 through Vista. Images can be acquired to a local removable drive or across the network. It also allows the investigator to convert a raw image to Microsoft crash dump format, so the data can be analyzed using the Microsoft Debugging Tools. This tool is only available to law enforcement or security professionals.
Microsoft Crash Dump

Analyzing crash dumps is another way to obtain information on the contents of RAM. Unlike other software methods of memory acquisition, the image obtained by a crash dump is an unaltered copy of the contents of a system's memory at the time the crash occurred. There is no introduction of software to the system that will alter the contents of memory. The drawback to this method is that crash dumps only occur when there is a problem with the system. There is a method to induce a crash dump; however, it requires an entry in the registry along with a reboot before it is usable [10], rendering it ineffective for field acquisition.

Despite this shortcoming, it is still important for an investigator to be familiar with crash dumps, as they can provide valuable information about a system. Not all versions of Windows generate full crash dumps; some may generate smaller sized dumps. These files can be analyzed with the Windows Debugging Tools [11] and can give the investigator a means to practice and become familiar with memory analysis.

IV. Memory Analysis

Basics: What does an investigator need to know?

The EProcess structure is what represents a process on a Windows system. It includes information on the different attributes of the process along with pointers to other attributes and data structures which are related to it. However, the EProcess block structure varies between operating systems, including between different versions of Windows. Typically, the offsets vary from version to version. It is important to make note of the version of Windows that the memory image or dump is taken from, as this will affect what tools you may be able to use to extract information. This can be done manually; however, it requires a bit more in-depth knowledge of Windows memory management than this paper covers. Harlan Carvey has written a Perl script [12], osid.pl, which will identify the operating system of an image.

The EProcess block contains the process environment block (PEB), which is very valuable to a forensic investigator in that it includes pointers to the loader data, such as modules used by the process. This is particularly useful in malware or rootkit analysis, but can also help present a clearer picture as to what exactly was going on in the system at the time in question.
The PEB also shows us where the image of the executable lies, the DLL paths, and the command line used to launch the process.

One issue that investigators need to be aware of when examining an image of memory is that most likely it is not a complete picture. Windows memory management uses virtual addressing, which assigns pointers to the true location of the physical data. According to Jesse Kornblum in his "Using every part of the buffalo in Windows memory analysis" [13], most memory analysis tools use a naive form of translation where pages with invalid pointers are ignored. Memory pages which have been swapped out due to paging will not show up in a memory dump, although they are on the system in the pagefile. All the tools tested in this paper do not (as far as this author is aware) include the pagefile. There are tools in development to address this issue, although none are publicly available (yet).
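The naive translation Kornblum describes, as an added example that is not part of the paper: a walk of 32-bit non-PAE x86 page tables stored inside a raw image, which yields a physical address only for resident pages and reports swapped-out or unmapped pages separately, so a reader can see why a dump without the pagefile is never the complete picture. The 16 KiB image, its CR3 value and the sample strings are constructed for the example, not taken from a real system.

```python
import struct

PAGE_SIZE = 0x1000
PRESENT = 0x1       # bit 0 of a PDE/PTE
LARGE_PAGE = 0x80   # bit 7 (PS) of a PDE: 4 MiB page, no page table behind it

def translate(mem, cr3, va):
    """Translate a 32-bit virtual address using the non-PAE x86 page tables that
    live inside the raw image `mem`. Returns (status, physical_address):
    'mapped' with the address, 'not-present' for a swapped-out or unmapped
    page, 'outside-image' when the tables point past the end of the dump."""
    pd_base = cr3 & 0xFFFFF000
    pde_off = pd_base + ((va >> 22) & 0x3FF) * 4
    if pde_off + 4 > len(mem):
        return "outside-image", None
    pde = struct.unpack_from("<I", mem, pde_off)[0]
    if not pde & PRESENT:
        return "not-present", None
    if pde & LARGE_PAGE:
        return "mapped", (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte_off = (pde & 0xFFFFF000) + ((va >> 12) & 0x3FF) * 4
    if pte_off + 4 > len(mem):
        return "outside-image", None
    pte = struct.unpack_from("<I", mem, pte_off)[0]
    if not pte & PRESENT:
        # A non-zero entry with the present bit clear is what a pagefile-aware
        # tool would have to follow; the naive walk simply stops here.
        return "not-present", None
    return "mapped", (pte & 0xFFFFF000) | (va & 0xFFF)

def read_virtual(mem, cr3, va, length):
    """Read `length` bytes of virtual memory, crossing page boundaries.
    Returns None as soon as any page on the way is not resident in the dump."""
    out = bytearray()
    while len(out) < length:
        status, pa = translate(mem, cr3, va)
        if status != "mapped":
            return None
        chunk = min(length - len(out), PAGE_SIZE - (va & 0xFFF))
        if pa + chunk > len(mem):
            return None
        out += mem[pa:pa + chunk]
        va += chunk
    return bytes(out)

def build_sample_image():
    """Constructed 16 KiB 'physical memory' (not from a real system): page
    directory at 0x0000, one page table at 0x1000, data pages at 0x2000/0x3000."""
    mem = bytearray(4 * PAGE_SIZE)
    cr3 = 0x0000
    # PDE[0]: 4 MiB large page mapping VA 0x00000000-0x003FFFFF to PA 0 (identity)
    struct.pack_into("<I", mem, cr3 + 0 * 4, 0x00000000 | LARGE_PAGE | 0x3)
    # PDE[1]: page table at PA 0x1000, covering VA 0x00400000-0x007FFFFF
    struct.pack_into("<I", mem, cr3 + 1 * 4, 0x1000 | 0x3)
    # PTE[0] and PTE[1]: two resident pages
    struct.pack_into("<I", mem, 0x1000 + 0 * 4, 0x2000 | 0x3)
    struct.pack_into("<I", mem, 0x1000 + 1 * 4, 0x3000 | 0x3)
    # PTE[2]: paged out: present bit clear, other bits left non-zero on purpose
    struct.pack_into("<I", mem, 0x1000 + 2 * 4, 0x00007000)
    mem[0x2000:0x2008] = b"aim.exe\0"    # constructed process-name string
    mem[0x3000:0x3008] = b"explorer"     # constructed, spans into next read
    return mem, cr3

if __name__ == "__main__":
    mem, cr3 = build_sample_image()
    for va in (0x00001234, 0x00400000, 0x00402000, 0x00800000):
        print("VA 0x%08X -> %s" % (va, translate(mem, cr3, va)))
    print(read_virtual(mem, cr3, 0x00400000, 8))    # resident page
    print(read_virtual(mem, cr3, 0x00401FFC, 8))    # runs into the paged-out page
```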
Tools

Due to the diligence of the computer forensics community, there are quite a few tools available to the investigator with which to analyze memory dumps. Some technical knowledge or familiarity with command line interaction is recommended, as many of the available tools are scripts which must be executed from a command prompt. There are only a few tools which have a GUI interface.

The following is a list of tools which can be used to extract process and other information from memory dumps (links to download locations will be included in Appendix A of this document):
Tool                           | Operating System   | What it does                                                                                               | Requirements
-------------------------------|--------------------|------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------
Lsproc.pl                      | Windows 2k         | Locates processes                                                                                          | Perl (http://www.perl.org)
Lspd.pl                        | Windows 2k         | Lists details of processes                                                                                 | Perl (http://www.perl.org)
Osid.pl                        | Any                | Identifies OS of Windows memory image                                                                      | Perl (http://www.perl.org)
PoolFinder (part of PoolTools) | Windows 2k, XP     | Finds allocations of OS kernel in memory dump and pagefile                                                 | Perl (http://www.perl.org)
PoolGrep (part of PoolTools)   | Windows 2k, XP     | Finds strings in pool allocations                                                                          | Perl (http://www.perl.org)
PoolDump (part of PoolTools)   | Windows 2k, XP     | Hex dump of all allocations for a selected class                                                           | Perl (http://www.perl.org)
PTFinder                       | Windows 2k, XP     | Includes all scripts in PoolTools as well as osid.pl, but has a GUI. Produces graphical output of processes and threads. | Perl (http://www.perl.org); Graphviz (http://www.graphviz.org/) and ZGRViewer (http://zvtm.sourceforge.net/zgrviewer.html) to view the generated graphic file
FTimes                         | Windows NT, XP, 2K | Comprehensive toolkit with various memory analysis functions                                               | If running in a Windows environment, you will need Visual Studio in order to compile and run the code. Requires advanced user knowledge.
Volatility                     | Windows NT, XP, 2K | Comprehensive toolkit with various memory analysis functions                                               | Needs Python to run. This can be accomplished in the Windows environment by installing Cygwin (http://www.cygwin.com/)
The above tools mainly deal with process information, which is where the bulk of memory forensic analysis has been focused. Other data can be extracted from a memory image as well, such as user names, passwords, and email addresses. A good string search utility, such as find.exe or strings.exe, is essential. Forensic tools such as AccessData's Forensic Toolkit [14] can be used to data carve to retrieve documents, graphic files, or web pages. One important note about data carved from memory images is to keep in mind that the data was retrieved under volatile conditions. As such, files retrieved from memory may be degraded due to the data not being static. This is illustrated by the following picture, carved from a test memory image:
V. Acquisition

Due to the volatile nature of live forensics, an investigator needs to develop a standard set of procedures. This is important not only to ensure that the investigator knows exactly what to do when arriving on the scene, but also so there are no unexpected consequences since the system is live; unintentionally changing data on the target system could invalidate the acquired evidence and also cause it to be inadmissible in a court of law. Before attempting a live acquisition, an investigator should test their toolset(s) extensively, under varying conditions (VMware [15] is excellent for this).
Suggested Procedures for Live Acquisition:

1. Document all steps. This is not only important for evidentiary reasons, but also for the investigator's own reference.
2. Is the system locked? If so, that will change the acquisition process. If you cannot obtain a password for access, then live acquisition may not be possible. Currently, no software utilities can image \\.\PhysicalMemory without full access.
3. Do not close any windows or close any documents/programs; leave them running. By closing a window or program you may be terminating a process, which will affect what is occurring on the system at that time.
4. Limit the acquisition process to as few steps as possible when it comes to interacting with the target system; fewer steps = less impact on the system.
5. Use tools that have as small a footprint as possible. Nigilant32 (this author's recommended choice) uses less than 1 MB of memory; Helix uses 17 MB.
VI. Test Case, Step-by-Step

Test system:
VMware, Windows XP Professional Service Pack 2
Intel Dual Core Processor 2.6 MHz
512 MB RAM
Tool used for image acquisition: Nigilant32
Desktop before live acquisition:
AOL Instant Messenger can be seen running.

1. For this acquisition I chose to use a USB thumb drive for storing the image. Investigators should remember to wipe media thoroughly before each acquisition, so remnants of data from previous images are not a factor in analysis.

After inserting your CD with the Nigilant software on it, browse to My Computer and explore the drive (if it doesn't already open due to AutoRun). Run the Nigilant32 executable and go to Tools > Snapshot Computer. This option will enumerate the currently running processes, users, and open ports and allow the investigator to save this data to a plain text file. Save the text file to your thumb drive, naming it appropriately. You can also enumerate processes via other scripts after image acquisition, if you wish to validate this output.
Note: You can put the Nigilant executable on the thumb drive and run it from there; however, be mindful if your data will be used as evidence. It may be best to burn it to a CD with your other memory acquisition tools, so there is no question as to the integrity of your image.

2. After saving the text file, browse to Tools > Image Physical Memory. A prompt will appear; click on Start.
You will be prompted to choose a location and name for your image.
Acquiring physical memory takes a bit of time, as with normal data acquisition. A progress indicator will appear to let you know how far along you are:

3. After the image is complete, close the Nigilant software. Unfortunately, Nigilant does not have an ability to hash the image file after acquisition; the investigator will have to do this before beginning analysis.
4. Before beginning analysis, the investigator should make another copy of the memory image to work on; never work on the original media! Since this isn't like a hard drive acquisition, there is no original physical media; the image we just made is the original. For evidentiary purposes, it is a good practice to hash the original media (the thumb drive) and the memory image and make a working copy of the memory image before proceeding with analysis.
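The hash-then-copy step from points 3 and 4 above, written out as an added Python helper that is not part of the paper or of Nigilant32: it streams the acquired image through MD5 and SHA-256, makes the working copy, verifies the copy against the original before anyone touches it, and appends a JSON record to a custody log that later re-verification checks against. The file names, the log format and the 16 KiB stand-in image written by demo() are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time

ALGORITHMS = ("md5", "sha256")

def hash_file(path, chunk_size=1 << 20):
    """Hash a file with every algorithm in ALGORITHMS, streaming it in chunks
    so that a multi-gigabyte RAM image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def make_working_copy(original, working, log_path, note=""):
    """Hash the acquired image, copy it, re-hash the copy and record both paths
    with the hashes in a JSON-lines custody log. Fails loudly if the copy
    differs from the original, so analysis never starts on a bad copy."""
    original_hashes = hash_file(original)
    shutil.copyfile(original, working)
    if hash_file(working) != original_hashes:
        raise RuntimeError("working copy does not match original: " + working)
    record = {
        "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "original": os.path.abspath(original),
        "working_copy": os.path.abspath(working),
        "size_bytes": os.path.getsize(original),
        "hashes": original_hashes,
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record

def verify_against_log(path, log_path):
    """Re-hash `path` and compare with the latest log record that names it
    (as original or working copy). True only if every recorded hash matches."""
    path = os.path.abspath(path)
    expected = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            if path in (rec["original"], rec["working_copy"]):
                expected = rec["hashes"]
    if expected is None:
        return False
    return hash_file(path) == expected

def demo():
    """Write a constructed stand-in for an acquired image (not a real memory
    dump) to a temp directory, make a verified working copy and return
    (record, log_path) so the caller can check the results."""
    workdir = tempfile.mkdtemp(prefix="memimg_")
    original = os.path.join(workdir, "xp_sp2_physmem.img")
    with open(original, "wb") as f:
        f.write(bytes(range(256)) * 64)  # 16 KiB of constructed sample content
    log_path = os.path.join(workdir, "custody.log")
    working = os.path.join(workdir, "xp_sp2_physmem.work.img")
    record = make_working_copy(original, working, log_path,
                               note="Nigilant32 image from USB thumb drive, test VM")
    return record, log_path

if __name__ == "__main__":
    rec, log = demo()
    print(json.dumps(rec, indent=2))
    print("working copy verifies:", verify_against_log(rec["working_copy"], log))
```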
5. As discussed earlier, memory analysis differs from hard drive analysis in that even slight changes in operating system version (Windows 2k vs. Windows XP) will determine which tools will be the most effective. Nigilant32 has done a lot of the work for us already, by providing us with a snapshot of the OS version, running processes, users, and open network ports:
An investigator could verify output by running another analysis tool and enumerating the processes. I will demonstrate this here by using PTFinder:

PTFinder is a GUI interface for Andreas Schuster's PoolTools. Once you've chosen your dump file and options, it will generate a text file and a graphic file of the running processes. We are only interested in the text file at this time. After clicking Execute you will be prompted to run a batch file; click Yes.
A DOS prompt will open up:
When the analysis is complete, PTFinder will close on its own.
The resulting text file looks like this:

The output from PTFinder is not as clean as what you will see from Nigilant, but provides more than enough information to compare running processes. Note: PTFinder will not provide network information or users, only process information.
6. Now that we have process information, we can proceed with analyzing the image file with other tools. In this case, we will use Forensic Toolkit:

After analyzing the image, the investigator can examine carved data and perform string searches as with a normal image file.
VII. Conclusion

While there are many tools available for live memory acquisition and analysis, it is still a relatively new endeavor in the area of digital forensics; many of the tools and techniques developed thus far are still in the growing phase and require refinement. Today's computer forensic investigator, in order to be successful, will need to be well informed and be intimately familiar with the internal workings of Windows memory management in order to acquire a complete picture of memory from an evidentiary standpoint. Thankfully there have been many forensic investigators, such as Harlan Carvey, Andreas Schuster, and Mariusz Burdach, who have started along the path and created a foundation for others to build upon. As the tools become better and the procedures more sound, examiners will have a new weapon in their arsenal to utilize during forensic investigations.
Appendix A

Lsproc.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
Lspd.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
Osid.pl: http://sourceforge.net/project/showfiles.php?group_id=164158
PoolTools (PoolFinder, PoolGrep, PoolDump): http://computer.forensikblog.de/en/2007/11/pooltools_1_3_0.html
PTFinder: http://computer.forensikblog.de/en/2006/03/ptfinder_0_2_00.html
FTimes: http://ftimes.sourceforge.net/FTimes/
Volatility: https://www.volatilesystems.com/VolatileWeb/volatility.gsp
References

1. Digital Forensics Research Workshop, DFRWS, http://www.dfrws.org/. [Accessed March 15, 2008]
2. C. Betz, Memparser, http://sourceforge.net/projects/memparser. [Accessed March 15, 2008]
3. B. D. Carrier and J. Grand, "A Hardware-Based Memory Acquisition Procedure for Digital Investigations," Journal of Digital Investigations, March 2004.
4. A. Boileau, Firewire and DMA, March 2008, http://www.storm.net.nz/projects/16. [Accessed March 16, 2008]
5. A. Vidstrom, Memory dumping over Firewire: UMA Issues, http://www.ntsecurity.nu/onmymind/2006/2006-09-02.html. [Accessed March 16, 2008]
6. G. Garner, Forensic Acquisition Utilities, November 2007, http://gmgsystemsinc.com/fau/. [Accessed March 20, 2008]
7. Agile Risk Management, Nigilant32, http://www.agilerm.net/publications_4.html. [Accessed March 20, 2008]
8. Technology Pathways, ProDiscover IR, http://www.techpathways.com/ProDiscoverIR.htm. [Accessed March 20, 2008]
9. GMG Systems, Inc., KntTools with KntList, http://www.gmgsystemsinc.com/knttools/. [Accessed March 20, 2008]
10. Microsoft, Inc., Windows feature lets you generate memory dump file by using the keyboard, December 2007, http://support.microsoft.com/kb/244139. [Accessed March 21, 2008]
11. Microsoft, Inc., Debugging Tools for Windows Overview, http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx. [Accessed March 21, 2008]
12. J. Kornblum, "Using every part of the buffalo in Windows memory analysis," Digital Investigation, vol. 4, issue 1, pp. 24-29, March 2007.
13. H. Carvey, Windows Forensic Analysis, Burlington, MA: Syngress Publishing, 2007.
14. AccessData, Forensic Toolkit 2.0, http://www.accessdata.com/Products/ftk2test.aspx. [Accessed March 22, 2008]
15. VMware, VMware Server, http://www.vmware.com/products/server/. [Accessed April 8, 2008]