-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Sorry AAron, Yahoo spam filter was a bit aggressive ! I got here in
the end :-)
What tools do peeps prefer for memory acquisition now that we have some
choices ?
Regards,
Jon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIe38XbSv1saVS9ucRAvm/AJ0R+nu5ud781uohH5bTrTKafJwZXACdGRJq
alg5C8CXQqUmvwKm/bgLWEg=
=qY5a
-----END PGP SIGNATURE-----
http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-ma…
I recently had a little extra time to dig through the Linux kernel and
thought some people may be interested. This was an excerpt from a
collaboration with the PyFlag team! I want to thank both Michael Cohen
and David Collett for letting me play along despite being on opposite
sides of the world!!
That's right Volatility now supports both Windows and Linux!
If you have questions/comments/suggestions, let me know!
Thanks,
AW
:
:: In at least one
::case they clearly were unreliable.
:
Rossetoecioccolato,
Do you really know of such a case, ... or not really?
eric
www.risk-averse.com
I know that Jon Evans at Gwent Police in the UK has demonstrated this
method. I'll be amazed if Jon doesn't subscribe to this list and so may be
able to give some more info.
More info can be found here:
http://forums.remote-exploit.org/archive/index.php/t-13922.html
The method utilises Adam Boileau's Winlockpwn tool. Adam's Pythonraw tool
is available on Helix. http://www.e-fense.com/helix/downloads.php
If I recall one "slight" issue with this method is the tendency to BSOD. To
quote Keith Lockhart at Access Data "This is a Bad thing!"
Jim
On 8/7/08 18:00, "vol-users-request(a)volatilityfoundation.org"
<vol-users-request(a)volatilityfoundation.org> wrote:
>
> Send Vol-users mailing list submissions to
> vol-users(a)volatilityfoundation.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> or, via email, send a message with subject or body 'help' to
> vol-users-request(a)volatilityfoundation.org
>
> You can reach the person managing the list at
> vol-users-owner(a)volatilityfoundation.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Vol-users digest..."
>
>
> Today's Topics:
>
> 1. RE: Memory imaging (Jamie Levy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 7 Jul 2008 14:57:33 -0400
> From: "Jamie Levy" <jamie.levy(a)gmail.com>
> Subject: RE: [Vol-users] Memory imaging
> To: vol-users(a)volatilityfoundation.org
> Message-ID:
> <cac8c8a90807071157w7b6e388ej660382ede0116884(a)mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi evb,
>
> I'm not sure, but maybe this will help (maybe someone else on here
> knows better than I do):
>
> http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html
>
> I've never tried memory acquisition using firewire, but it sounds like
> it might be worth a try.
>
> All the best,
>
> -Jamie
>
>
> ------------------------------
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
> End of Vol-users Digest, Vol 10, Issue 4
> ****************************************
If this is a managed system, then if you have a software deployment tool like SMS, Tivoli, or Unicenter can you just send down a job that runs something like Mantech's new MDD.exe tool and write the RAM dump out to a \\servername\sharename\filename?
Otherwise, if you have admin access to the machine, can you psexec the MDD.exe tool on the machine and write the RAM dump out to a \\servername\sharename share (mdd -o \\servername\sharename\filename.dd)?
Doing either of the above would definitely alter the target machine more than the Firewire method, but might be good enough depending on your situation.
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of AAron
Walters
Sent: Tuesday, July 08, 2008 4:29 PM
To: Jim Gordon
Cc: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Memory Imaging Using Firewire
evb,
There a number of potential techniques that are being used to deal with
locked machines. Though I must give my usual caveats that I would make
sure you know what you are doing and actually have experience with the
acquisition method before trying it as part of a real investigation.
Some of the techniques are hardware dependent, have the potential to
BSOD the machine, or are potentially destructive, so you may only get
one attempt. In some instances, it may be useful to get outside help.
As Jim and Jamie mentioned, performing acquisition via firewire is a
potential option. Details about this technique can be found on the
follow
site: http://storm.net.nz/projects/16. They even mention using a
CardBus firwire card. Others have successfully used techniques similar
to those presented in the Cold Boot paper
(http://citp.princeton.edu/memory/) or similarly, msramdmp:
(http://mcgrewsecurity.com/projects/msramdmp/)
Depending on how the laptop is configured, the hibernation file is
another alternative. There are also other hardware solutions but they
are very expensive.
Regards,
AW
On Tue, 8 Jul 2008, Jim Gordon wrote:
>
> I know that Jon Evans at Gwent Police in the UK has demonstrated this
> method. I'll be amazed if Jon doesn't subscribe to this list and so
> may be able to give some more info.
>
> More info can be found here:
>
> http://forums.remote-exploit.org/archive/index.php/t-13922.html
>
> The method utilises Adam Boileau's Winlockpwn tool. Adam's Pythonraw
> tool is available on Helix.
> http://www.e-fense.com/helix/downloads.php
>
> If I recall one "slight" issue with this method is the tendency to
> BSOD. To quote Keith Lockhart at Access Data "This is a Bad thing!"
>
> Jim
>
>
>
>
> On 8/7/08 18:00, "vol-users-request(a)volatilityfoundation.org"
> <vol-users-request(a)volatilityfoundation.org> wrote:
>
>>
>> Send Vol-users mailing list submissions to
>> vol-users(a)volatilityfoundation.org
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> or, via email, send a message with subject or body 'help' to
>> vol-users-request(a)volatilityfoundation.org
>>
>> You can reach the person managing the list at
>> vol-users-owner(a)volatilityfoundation.org
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Vol-users digest..."
>>
>>
>> Today's Topics:
>>
>> 1. RE: Memory imaging (Jamie Levy)
>>
>>
>> ---------------------------------------------------------------------
>> -
>>
>> Message: 1
>> Date: Mon, 7 Jul 2008 14:57:33 -0400
>> From: "Jamie Levy" <jamie.levy(a)gmail.com>
>> Subject: RE: [Vol-users] Memory imaging
>> To: vol-users(a)volatilityfoundation.org
>> Message-ID:
>> <cac8c8a90807071157w7b6e388ej660382ede0116884(a)mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Hi evb,
>>
>> I'm not sure, but maybe this will help (maybe someone else on here
>> knows better than I do):
>>
>> http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.htm
>> l
>>
>> I've never tried memory acquisition using firewire, but it sounds
>> like it might be worth a try.
>>
>> All the best,
>>
>> -Jamie
>>
>>
>> ------------------------------
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>>
>> End of Vol-users Digest, Vol 10, Issue 4
>> ****************************************
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Hi evb,
I'm not sure, but maybe this will help (maybe someone else on here
knows better than I do):
http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html
I've never tried memory acquisition using firewire, but it sounds like
it might be worth a try.
All the best,
-Jamie
How does one image RAM on a Windows system with no known Windows
login/password, if autorun is turned off, and if there is no network access.
Thanks!
eric
