Hi evb,
I'm not sure, but maybe this will help (maybe someone else on here
knows better than I do):
http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html
I've never tried memory acquisition using firewire, but it sounds like
it might be worth a try.
All the best,
-Jamie
How does one image RAM on a Windows system with no known Windows
login/password, if autorun is turned off, and if there is no network access.
Thanks!
eric
Vol-users,
With the recent increase in acquisition tools, there are obviously more
people capturing samples of physical memory. As a result, we decided to
back port the bug fixes from the upcoming 1.3 release into the 1.1 branch.
This release will also support samples taken from SP3 systems. Let us know
if you have any issues! We will keep you posted on the status of 1.3!
Thanks,
AW
Open Memory Forensics Workshop (OMFW)
Volatile memory forensics (i.e., RAM forensics) is becoming an extremely
important topic to the future of digital investigations. It has the
potential to dramatically transform the way we currently perform digital
investigations and help address many of the challenges currently facing
the digital forensics community.
We are pleased to announce the first ever workshop focused on open source
volatile memory analysis. This workshop will bring together digital
investigation researchers and practitioners to discuss the latest
advancements in volatile memory analysis. You will also learn how memory
analysis is currently being used to augment digital investigations.
Through a series of invited talks and panel discussions you will have the
opportunity to engage this exciting community.
This half-day workshop will be co-located with Digital Forensics Research
Workshop (DFRWS) 2008 in Baltimore, Maryland, USA, on August 10, 2008.
Pre-registration is required and space is limited, so register early.
Please note that it will not be possible to register at the door. Reserve
your seat by contacting: AAron Walters (awalters [at] 4tphi [dot] net). We
are also still seeking individuals with interesting insights who would
like to participate as a speaker or panelist.
Join with industry leaders to discuss the latest advancements in memory
forensics and the importance of open source initiatives. This is your
opportunity to help shape the future of memory forensics!
Invited speakers and panelists include:
* Dr. Brian Carrier (Basis Technology)
* Eoghan Casey (Stroz Friedberg, LLC)
* Dr. Michael Cohen (Australian Federal Police)
* Brian Dykstra (Jones Dykstra & Associates)
* Brendan Dolan-Gavitt (Georgia Institute of Technology)
* Matthew Geiger (CERT)
* Keith Jones (Jones Dykstra & Associates)
* Jesse Kornblum (ManTech)
* Andreas Schuster (Deutsche Telekom AG)
* AAron Walters (Volatile Systems, LLC)
* More to be announced...
Brought to you by the Volatility Team: Open Source Memory Forensics.
vol-users,
I recently posted the slides from our AAFS presentation:
Using Hashing to Improve Volatile Memory Forensic Analysis
http://volatilesystems.blogspot.com/2008/03/using-hashing-to-improve-volati…
A special thanks to Blake Matheny and Doug White for their help with this
ongoing research. We are working hard to make new resources available
to the volatile memory analyst community!
Thanks,
AW
vol-users,
In case you didn't see the volatility blog post, I wanted to let the
mailing list subscribers know that we have now created a new irc channel
on freenode for discussing volatile memory analysis:
#volatility on irc.freenode.net
If you are an irc user, this is your opportunity to hang out with the
developers of all your favorite open source memory forensics tools. Feel
free to stop by and say hello! We are here to help.
Thanks,
AW
Hi, just thought I'd share this, since it took me an hour or two of
googling to figure out. I wanted to take a VMWare disk I had for
testing and mount it so that I could get the hibernation file off to
use with Sandman.
If you're on Linux, you can just use vmware-mount.pl to mount the
vmware disk.
If you're on Windows, you can use vmware-mount for that platform:
http://www.vmware.com/pdf/VMwareDiskMount.pdf
If you just want to mount a dd image on OS X, skip to step 3.
Step 1: Get the OS X version of QEMU at http://www.kju-app.org/kju/,
which comes with qemu-img, which can convert between VMDK and raw
disk images.
Step 2: Convert the VMDK image to a raw disk image:
azzurra:~ moyix$ /Applications/Q.app/Contents/MacOS/qemu-img convert -f vmdk WindowsXpProfessional-000001.vmdk ~/xpsp2_img.raw
Step 3: Use fdisk to determine where the partition you want to
mount starts. In this case I want the NTFS (called HPFS by fdisk)
partition, which fdisk says starts at sector 63.
azzurra:~ moyix$ fdisk ~/xpsp2_img.raw
Disk: /Users/moyix/xpsp2_img.raw        geometry: 0/4/63 [0 sectors]
Signature: 0xAA55
         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
*1: 07    0   1   1 - 1023 254  63 [        63 -   41913522] HPFS/QNX/AUX
 2: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 3: 00    0   0   0 -    0   0   0 [         0 -          0] unused
 4: 00    0   0   0 -    0   0   0 [         0 -          0] unused
Step 4: Use hdid to attach the image as a block device. It outputs the
device it attaches it to.
azzurra:~ moyix$ hdid -section 63 -nomount -imagekey diskimage-class=CRawDiskImage ~/xpsp2_img.raw
/dev/disk1
Step 5: Mount the resulting block device with the appropriate
filesystem mounter.
azzurra:~ moyix$ sudo mount_ntfs /dev/disk1 /mnt/ntfs_fs/
Step 6: When you're done, unmount the FS and detach the block device:
azzurra:~ moyix$ sudo umount /mnt/ntfs_fs/
azzurra:~ moyix$ hdiutil detach /dev/disk1
Hope this helps someone,
Brendan
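As an added example (not part of Brendan's post or of Volatility), the script below does step 3 programmatically: it reads the MBR of a raw disk image, parses the four primary partition entries and reports the start sector and byte offset of the NTFS (type 0x07) partition, which is the number passed to "hdid -section". The embedded sample MBR is constructed to match the fdisk listing above, and the script name is hypothetical.

```python
import struct
import sys

SECTOR_SIZE = 512
NTFS_TYPE = 0x07  # fdisk prints this partition id as "HPFS/QNX/AUX"

def parse_mbr(mbr):
    """Return the four primary partition entries of a 512-byte MBR as dicts
    (index, bootable flag, type id, start LBA, size in sectors)."""
    if len(mbr) < SECTOR_SIZE or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR: missing 0xAA55 signature")
    entries = []
    for i in range(4):
        # Each 16-byte entry: status, start CHS (3 bytes), type, end CHS (3 bytes),
        # start LBA (u32), size in sectors (u32). Only the LBA fields are used here.
        status, ptype, start_lba, size = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        entries.append({"index": i + 1, "bootable": status == 0x80,
                        "type": ptype, "start": start_lba, "size": size})
    return entries

def find_ntfs_offset(mbr):
    """Return (start_sector, byte_offset) of the first non-empty NTFS partition.
    start_sector is the value given to 'hdid -section'."""
    for e in parse_mbr(mbr):
        if e["type"] == NTFS_TYPE and e["size"] > 0:
            return e["start"], e["start"] * SECTOR_SIZE
    raise LookupError("no NTFS (type 0x07) partition found")

def build_sample_mbr():
    """Constructed sample MBR reproducing the fdisk listing in the post:
    one bootable NTFS partition at sector 63, 41913522 sectors long, 3 unused."""
    mbr = bytearray(SECTOR_SIZE)
    # status, start CHS cyl 0/hd 1/sec 1, type, end CHS cyl 1023/hd 254/sec 63
    # (packed as head, sector|cyl-high, cyl-low), start LBA, size
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0,
                               NTFS_TYPE, 0xFE, 0xFF, 0xFF, 63, 41913522)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

if __name__ == "__main__":
    # Usage: python find_ntfs_offset.py xpsp2_img.raw  (no argument: use the sample MBR)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(SECTOR_SIZE)
    else:
        data = build_sample_mbr()
    sector, offset = find_ntfs_offset(data)
    print("NTFS partition starts at sector %d (byte offset %d)" % (sector, offset))
    print("hdid -section %d -nomount -imagekey diskimage-class=CRawDiskImage <image>" % sector)
```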
vol-users,
Some of you may have noticed that Matthieu Suiche just released a tool for
converting hiberfil.sys to a physical memory dump.
http://www.msuiche.net/2008/02/26/sandman-10080226-is-out/
We have added support for Sandman generated images of physical memory in
the upcoming Volatility 1.3 release. If you would like to play with it
before then, I have attached a patch for Volatility-1.1.1. If you get a
chance, give it a try. Please let us know if you have any problems with
the Volatility modules!
cd Volatility-1.1.1
patch -p1 <Volatility-1.1.1.hiber.patch
Thanks,
AW
vol-users,
Once again, Brendan Dolan-Gavitt has another great blog entry. I highly
recommend adding his blog to your feeds. In this entry, he discusses
extracting registry data from volatile memory. Granted, I'm also a little
biased since it was implemented within Volatility. Brendan is a major
contributor to the Volatility community! Powered by the people.
http://moyix.blogspot.com/2008/02/cell-index-translation.html
Thanks,
AW
Vol-users,
We are getting ready for the next release of Volatility. If you have any
bugs you would like to see fixed, modules you would like to see added,
code you would like to contribute, or general suggestions, please let us
know! There are a number of new and exciting changes in the pipeline.
A special thanks to all those who have already provided feedback either
through email or on IRC.
Thanks,
AW