If this is a managed system and you have a software deployment tool like SMS, Tivoli, or Unicenter, can you just send down a job that runs something like ManTech's new MDD.exe tool and write the RAM dump out to \\servername\sharename\filename?
Otherwise, if you have admin access to the machine, can you psexec the MDD.exe tool on the machine and write the RAM dump out to a \\servername\sharename share (mdd -o \\servername\sharename\filename.dd)?
Doing either of the above would definitely alter the target machine more than the Firewire method, but might be good enough depending on your situation.
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of AAron
Walters
Sent: Tuesday, July 08, 2008 4:29 PM
To: Jim Gordon
Cc: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Memory Imaging Using Firewire
evb,
There are a number of potential techniques that are being used to deal with
locked machines. Though I must give my usual caveats that I would make
sure you know what you are doing and actually have experience with the
acquisition method before trying it as part of a real investigation.
Some of the techniques are hardware dependent, have the potential to
BSOD the machine, or are potentially destructive, so you may only get
one attempt. In some instances, it may be useful to get outside help.
As Jim and Jamie mentioned, performing acquisition via firewire is a
potential option. Details about this technique can be found on the
following site: http://storm.net.nz/projects/16. They even mention using a
CardBus firewire card. Others have successfully used techniques similar
to those presented in the Cold Boot paper
(http://citp.princeton.edu/memory/) or similarly, msramdmp:
(http://mcgrewsecurity.com/projects/msramdmp/)
Depending on how the laptop is configured, the hibernation file is
another alternative. There are also other hardware solutions but they
are very expensive.
Regards,
AW
On Tue, 8 Jul 2008, Jim Gordon wrote:
>
> I know that Jon Evans at Gwent Police in the UK has demonstrated this
> method. I'll be amazed if Jon doesn't subscribe to this list and so
> may be able to give some more info.
>
> More info can be found here:
>
> http://forums.remote-exploit.org/archive/index.php/t-13922.html
>
> The method utilises Adam Boileau's Winlockpwn tool. Adam's Pythonraw
> tool is available on Helix.
> http://www.e-fense.com/helix/downloads.php
>
> If I recall, one "slight" issue with this method is the tendency to
> BSOD. To quote Keith Lockhart at Access Data "This is a Bad thing!"
>
> Jim
>
>
>
>
> On 8/7/08 18:00, "vol-users-request(a)volatilityfoundation.org"
> <vol-users-request(a)volatilityfoundation.org> wrote:
>
>> Message: 1
>> Date: Mon, 7 Jul 2008 14:57:33 -0400
>> From: "Jamie Levy" <jamie.levy(a)gmail.com>
>> Subject: RE: [Vol-users] Memory imaging
>> To: vol-users(a)volatilityfoundation.org
>>
>> Hi evb,
>>
>> I'm not sure, but maybe this will help (maybe someone else on here
>> knows better than I do):
>>
>> http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html
>>
>> I've never tried memory acquisition using firewire, but it sounds
>> like it might be worth a try.
>>
>> All the best,
>>
>> -Jamie
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Hi evb,
I'm not sure, but maybe this will help (maybe someone else on here
knows better than I do):
http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html
I've never tried memory acquisition using firewire, but it sounds like
it might be worth a try.
All the best,
-Jamie
How does one image RAM on a Windows system with no known Windows
login/password, if autorun is turned off, and if there is no network access.
Thanks!
eric
Vol-users,
With the recent increase in acquisition tools, there are obviously more
people capturing samples of physical memory. As a result, we decided to
back port the bug fixes from the upcoming 1.3 release into the 1.1 branch.
This release will also support samples taken from SP3 systems. Let us know
if you have any issues! We will keep you posted on the status of 1.3!
Thanks,
AW
Open Memory Forensics Workshop (OMFW)
Volatile memory forensics (i.e., RAM forensics) is becoming an extremely
important topic to the future of digital investigations. It has the
potential to dramatically transform the way we currently perform digital
investigations and help address many of the challenges currently facing
the digital forensics community.
We are pleased to announce the first ever workshop focused on open source
volatile memory analysis. This workshop will bring together digital
investigation researchers and practitioners to discuss the latest
advancements in volatile memory analysis. You will also learn how memory
analysis is currently being used to augment digital investigations.
Through a series of invited talks and panel discussions you will have the
opportunity to engage this exciting community.
This half-day workshop will be co-located with Digital Forensics Research
Workshop (DFRWS) 2008 in Baltimore, Maryland, USA, on August 10, 2008.
Pre-registration is required and space is limited, so register early.
Please note that it will not be possible to register at the door. Reserve
your seat by contacting: AAron Walters (awalters [at] 4tphi [dot] net). We
are also still seeking individuals with interesting insights who would
like to participate as a speaker or panelist.
Join with industry leaders to discuss the latest advancements in memory
forensics and the importance of open source initiatives. This is your
opportunity to help shape the future of memory forensics!
Invited speakers and panelists include:
* Dr. Brian Carrier (Basis Technology)
* Eoghan Casey (Stroz Friedberg, LLC)
* Dr. Michael Cohen (Australian Federal Police)
* Brian Dykstra (Jones Dykstra & Associates)
* Brendan Dolan-Gavitt (Georgia Institute of Technology)
* Matthew Geiger (CERT)
* Keith Jones (Jones Dykstra & Associates)
* Jesse Kornblum (ManTech)
* Andreas Schuster (Deutsche Telekom AG)
* AAron Walters (Volatile Systems, LLC)
* More to be announced......
Brought to you by the Volatility Team: Open Source Memory Forensics.
vol-users,
I recently posted the slides from our AAFS presentation:
Using Hashing to Improve Volatile Memory Forensic Analysis
http://volatilesystems.blogspot.com/2008/03/using-hashing-to-improve-volati…
A special thanks to Blake Matheny and Doug White for their help with this
ongoing research. We are working hard to make new resources available
to the volatile memory analyst community!
Thanks,
AW
vol-users,
In case you didn't see the volatility blog post, I wanted to let the
mailing list subscribers know that we have now created a new irc channel
on freenode for discussing volatile memory analysis:
#volatility on irc.freenode.net
If you are an irc user, this is your opportunity to hang out with the
developers of all your favorite open source memory forensics tools. Feel
free to stop by and say hello! We are here to help.
Thanks,
AW
Hi, just thought I'd share this, since it took me an hour or two of
googling to figure out. I wanted to take a VMWare disk I had for
testing and mount it so that I could get the hibernation file off to
use with Sandman.
If you're on Linux, you can just use vmware-mount.pl to mount the
vmware disk.
If you're on Windows, you can use vmware-mount for that platform:
http://www.vmware.com/pdf/VMwareDiskMount.pdf
If you just want to mount a dd image on OS X, skip to step 3.
Step 1: Get the OS X version of QEMU at http://www.kju-app.org/kju/ ,
which comes with qemu-img, which can convert between VMDK and raw
disk images.
Step 2: Convert the VMDK image to a raw disk image:
azzurra:~ moyix$ /Applications/Q.app/Contents/MacOS/qemu-img convert -f vmdk WindowsXpProfessional-000001.vmdk ~/xpsp2_img.raw
Step 3: Use fdisk to determine where the partition you want to
mount starts. In this case I want the NTFS (called HPFS by fdisk)
partition, which fdisk says starts at sector 63.
azzurra:~ moyix$ fdisk ~/xpsp2_img.raw
Disk: /Users/moyix/xpsp2_img.raw geometry: 0/4/63 [0 sectors]
Signature: 0xAA55
         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
*1: 07    0   1   1 - 1023 254  63 [        63 -   41913522] HPFS/QNX/AUX
 2: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 3: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 4: 00    0   0   0 -    0   0   0 [         0 -          0] unused
Step 4: Use hdid to attach the image as a block device. It outputs the
device it attaches it to.
azzurra:~ moyix$ hdid -section 63 -nomount -imagekey diskimage-class=CRawDiskImage ~/xpsp2_img.raw
/dev/disk1
Step 5: Mount the resulting block device with the appropriate
filesystem mounter.
azzurra:~ moyix$ sudo mount_ntfs /dev/disk1 /mnt/ntfs_fs/
Step 6: When you're done, unmount the FS and detach the block device:
azzurra:~ moyix$ sudo umount /mnt/ntfs_fs/
azzurra:~ moyix$ hdiutil detach /dev/disk1
Hope this helps someone,
Brendan
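The step that is easiest to get wrong in Brendan's procedure is step 3: picking the right partition and carrying its start sector into the attach or mount command. The script below is an added example (not code from Brendan's post or from the Volatility project) that parses BSD-style fdisk output of the kind shown above, selects the partition with type id 07 (NTFS, which fdisk labels HPFS/QNX/AUX), converts the start sector into a byte offset, and prints the read-only loop mount for Linux alongside the hdid attach line for OS X. It assumes 512-byte sectors, and the embedded fdisk text is constructed to mirror the table in the post; the commands are printed, not executed, so it runs offline. The Linux mount line is an addition to the post's OS X-only steps: on a forensic copy, pass ro explicitly rather than relying on driver defaults.

```shell
#!/bin/sh
# Added example, not from Brendan's post or the Volatility project.
# Given BSD-style fdisk output for a raw image (as in step 3), locate the NTFS
# partition (id 07), turn its start sector into a byte offset, and print the
# read-only mount command for Linux and the hdid attach line for OS X.
# Assumes 512-byte sectors; the fdisk text below is constructed to mirror the post.

SECTOR_SIZE=512

# Constructed sample fdisk output (same values as the post's table).
SAMPLE_FDISK='Disk: /Users/moyix/xpsp2_img.raw geometry: 0/4/63 [0 sectors]
Signature: 0xAA55
         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
*1: 07    0   1   1 - 1023 254  63 [        63 -   41913522] HPFS/QNX/AUX
 2: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 3: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 4: 00    0   0   0 -    0   0   0 [         0 -          0] unused'

# ntfs_start_sector FDISK_TEXT: print the start sector of the first partition
# whose type id is 07 (NTFS, shown as HPFS/QNX/AUX). Prints nothing if absent.
ntfs_start_sector() {
    printf '%s\n' "$1" | awk '
        /^[ *]?[0-9]:/ {
            sub(/^\*/, " ")            # drop the boot flag so field numbers are stable
            if ($2 != "07") next
            for (i = 1; i <= NF; i++)  # the start sector is the field after "["
                if ($i == "[") { print $(i + 1); exit }
        }'
}

# byte_offset SECTOR: byte offset for mount -o offset=
byte_offset() {
    echo $(( $1 * $SECTOR_SIZE ))
}

# mount_commands IMAGE FDISK_TEXT: print (do not run) the commands for each platform.
# Fails if no NTFS partition is found, so a caller never mounts at offset 0 by mistake.
mount_commands() {
    img=$1
    sector=$(ntfs_start_sector "$2")
    if [ -z "$sector" ]; then
        echo "no NTFS partition (id 07) in fdisk output" >&2
        return 1
    fi
    offset=$(byte_offset "$sector")
    cat <<EOF
# Linux: loop-mount read-only at the partition's byte offset
sudo mount -t ntfs -o ro,loop,offset=$offset $img /mnt/ntfs_fs
# OS X: attach at the start sector, then mount_ntfs /dev/diskN as in step 5
hdid -section $sector -nomount -imagekey diskimage-class=CRawDiskImage $img
EOF
}

mount_commands "$HOME/xpsp2_img.raw" "$SAMPLE_FDISK"
```

Pipe real fdisk output into ntfs_start_sector instead of the constructed sample to use it on another image; if the image has several NTFS volumes, the function returns only the first, so check the table by eye before mounting.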
vol-users,
Some of you may have noticed that Matthieu Suiche just released a tool for
converting hiberfil.sys to a physical memory dump.
http://www.msuiche.net/2008/02/26/sandman-10080226-is-out/
We have added support for Sandman generated images of physical memory in
the upcoming Volatility 1.3 release. If you would like to play with it
before then, I have attached a patch for Volatility-1.1.1. If you get a
chance, give it a try. Please let us know, if you have any problems with
the Volatility modules!
cd Volatility-1.1.1
patch -p1 <Volatility-1.1.1.hiber.patch
Thanks,
AW
vol-users,
Once again, Brendan Dolan-Gavitt has another great blog entry. I highly
recommend you adding his blog to your feeds. In this entry, he discusses
extracting registry data from volatile memory. Granted, I'm also a little
biased since it was implemented within Volatility. Brendan is a major
contributor to the Volatility community! Powered by the people.
http://moyix.blogspot.com/2008/02/cell-index-translation.html
Thanks,
AW