July 2008 - Vol-users - volatilityfoundation.org

by echo6

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sorry AAron, Yahoo spam filter was a bit aggressive ! I got here in the end :-) What tools do peeps prefer for memory acquisition now that we have some choices ? Regards, Jon. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIe38XbSv1saVS9ucRAvm/AJ0R+nu5ud781uohH5bTrTKafJwZXACdGRJq alg5C8CXQqUmvwKm/bgLWEg= =qY5a -----END PGP SIGNATURE-----

16 years, 4 months

3
3
0 0

Linux Memory Forensics

by AAron Walters

http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-ma… I recently had a little extra time to dig through the Linux kernel and thought some people may be interested. This was an excerpt from a collaboration with the PyFlag team! I want to thank both Michael Cohen and David Collett for letting me play along despite being on opposite sides of the world!! That's right Volatility now supports both Windows and Linux! If you have questions/comments/suggestions, let me know! Thanks, AW

16 years, 4 months

1
0
0 0

RE: [Vol-users] Memory Imaging Using Firewire

by evb

: :: In at least one ::case they clearly were unreliable. : Rossetoecioccolato, Do you really know of such a case, ... or not really? eric www.risk-averse.com

16 years, 4 months

1
0
0 0

Memory Imaging Using Firewire

by Jim Gordon

I know that Jon Evans at Gwent Police in the UK has demonstrated this method. I'll be amazed if Jon doesn't subscribe to this list and so may be able to give some more info. More info can be found here: http://forums.remote-exploit.org/archive/index.php/t-13922.html The method utilises Adam Boileau's Winlockpwn tool. Adam's Pythonraw tool is available on Helix. http://www.e-fense.com/helix/downloads.php If I recall one "slight" issue with this method is the tendency to BSOD. To quote Keith Lockhart at Access Data "This is a Bad thing!" Jim On 8/7/08 18:00, "vol-users-request(a)volatilityfoundation.org" <vol-users-request(a)volatilityfoundation.org> wrote: > > Send Vol-users mailing list submissions to > vol-users(a)volatilityfoundation.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > or, via email, send a message with subject or body 'help' to > vol-users-request(a)volatilityfoundation.org > > You can reach the person managing the list at > vol-users-owner(a)volatilityfoundation.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Vol-users digest..." > > > Today's Topics: > > 1. RE: Memory imaging (Jamie Levy) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 7 Jul 2008 14:57:33 -0400 > From: "Jamie Levy" <jamie.levy(a)gmail.com> > Subject: RE: [Vol-users] Memory imaging > To: vol-users(a)volatilityfoundation.org > Message-ID: > <cac8c8a90807071157w7b6e388ej660382ede0116884(a)mail.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > Hi evb, > > I'm not sure, but maybe this will help (maybe someone else on here > knows better than I do): > > http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html > > I've never tried memory acquisition using firewire, but it sounds like > it might be worth a try. > > All the best, > > -Jamie > > > ------------------------------ > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > End of Vol-users Digest, Vol 10, Issue 4 > ****************************************

16 years, 4 months

4
5
0 0

Re: FW: [Vol-users] Memory Imaging Using Firewire

by david＠sharpebusinesssolutions.com

If this is a managed system, then if you have a software deployment tool like SMS, Tivoli, or Unicenter can you just send down a job that runs something like Mantech's new MDD.exe tool and write the RAM dump out to a \\servername\sharename\filename? Otherwise, if you have admin access to the machine, can you psexec the MDD.exe tool on the machine and write the RAM dump out to a \\servername\sharename share (mdd -o \\servername\sharename\filename.dd)? Doing either of the above would definitely alter the target machine more than the Firewire method, but might be good enough depending on your situation. -----Original Message----- From: vol-users-bounces(a)volatilityfoundation.org [mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of AAron Walters Sent: Tuesday, July 08, 2008 4:29 PM To: Jim Gordon Cc: vol-users(a)volatilityfoundation.org Subject: Re: [Vol-users] Memory Imaging Using Firewire evb, There a number of potential techniques that are being used to deal with locked machines. Though I must give my usual caveats that I would make sure you know what you are doing and actually have experience with the acquisition method before trying it as part of a real investigation. Some of the techniques are hardware dependent, have the potential to BSOD the machine, or are potentially destructive, so you may only get one attempt. In some instances, it may be useful to get outside help. As Jim and Jamie mentioned, performing acquisition via firewire is a potential option. Details about this technique can be found on the follow site: http://storm.net.nz/projects/16. They even mention using a CardBus firwire card. Others have successfully used techniques similar to those presented in the Cold Boot paper (http://citp.princeton.edu/memory/) or similarly, msramdmp: (http://mcgrewsecurity.com/projects/msramdmp/) Depending on how the laptop is configured, the hibernation file is another alternative. There are also other hardware solutions but they are very expensive. Regards, AW On Tue, 8 Jul 2008, Jim Gordon wrote: > > I know that Jon Evans at Gwent Police in the UK has demonstrated this > method. I'll be amazed if Jon doesn't subscribe to this list and so > may be able to give some more info. > > More info can be found here: > > http://forums.remote-exploit.org/archive/index.php/t-13922.html > > The method utilises Adam Boileau's Winlockpwn tool. Adam's Pythonraw > tool is available on Helix. > http://www.e-fense.com/helix/downloads.php > > If I recall one "slight" issue with this method is the tendency to > BSOD. To quote Keith Lockhart at Access Data "This is a Bad thing!" > > Jim > > > > > On 8/7/08 18:00, "vol-users-request(a)volatilityfoundation.org" > <vol-users-request(a)volatilityfoundation.org> wrote: > >> >> Send Vol-users mailing list submissions to >> vol-users(a)volatilityfoundation.org >> >> To subscribe or unsubscribe via the World Wide Web, visit >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> or, via email, send a message with subject or body 'help' to >> vol-users-request(a)volatilityfoundation.org >> >> You can reach the person managing the list at >> vol-users-owner(a)volatilityfoundation.org >> >> When replying, please edit your Subject line so it is more specific >> than "Re: Contents of Vol-users digest..." >> >> >> Today's Topics: >> >> 1. RE: Memory imaging (Jamie Levy) >> >> >> --------------------------------------------------------------------- >> - >> >> Message: 1 >> Date: Mon, 7 Jul 2008 14:57:33 -0400 >> From: "Jamie Levy" <jamie.levy(a)gmail.com> >> Subject: RE: [Vol-users] Memory imaging >> To: vol-users(a)volatilityfoundation.org >> Message-ID: >> <cac8c8a90807071157w7b6e388ej660382ede0116884(a)mail.gmail.com> >> Content-Type: text/plain; charset=ISO-8859-1 >> >> Hi evb, >> >> I'm not sure, but maybe this will help (maybe someone else on here >> knows better than I do): >> >> http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.htm >> l >> >> I've never tried memory acquisition using firewire, but it sounds >> like it might be worth a try. >> >> All the best, >> >> -Jamie >> >> >> ------------------------------ >> >> _______________________________________________ >> Vol-users mailing list >> Vol-users(a)volatilityfoundation.org >> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >> >> >> End of Vol-users Digest, Vol 10, Issue 4 >> **************************************** > > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

16 years, 4 months

2
1
0 0

RE: [Vol-users] Memory imaging

by Jamie Levy

Hi evb, I'm not sure, but maybe this will help (maybe someone else on here knows better than I do): http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html I've never tried memory acquisition using firewire, but it sounds like it might be worth a try. All the best, -Jamie

16 years, 4 months

1
0
0 0

Memory imaging

by evb

How does one image RAM on a Windows system with no known Windows login/password, if autorun is turned off, and if there is no network access. Thanks! eric

16 years, 4 months

3
2
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users July 2008