5:15 p.m.
David,
Thanks for the response. The only problem is that in evb's situation the
machine in question "was not a part of the domain and had not been subject
to auditing" and has "no network access". But in some situations that may
be a viable option depending on the types of systems involved.
My normal caveats also apply with untested kernel drivers used for
acquisition. Make sure you thoroughly test the mechanisms you plan to use
because you don't want that driver to fail on a critical server.
Thanks,
AW
On Tue, 8 Jul 2008, david(a)sharpebusinesssolutions.com wrote:
If this is a managed system, then if you have a software deployment tool
like SMS, Tivoli, or Unicenter can you just send down a job that runs
something like Mantech's new MDD.exe tool and write the RAM dump out to
a \\servername\sharename\filename?
Otherwise, if you have admin access to the machine, can you psexec the
MDD.exe tool on the machine and write the RAM dump out to a
\\servername\sharename share (mdd -o
\\servername\sharename\filename.dd)?
Doing either of the above would definitely alter the target machine more
than the Firewire method, but might be good enough depending on your
situation.
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of AAron
Walters
Sent: Tuesday, July 08, 2008 4:29 PM
To: Jim Gordon
Cc: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Memory Imaging Using Firewire
evb,
There a number of potential techniques that are being used to deal with
locked machines. Though I must give my usual caveats that I would make
sure you know what you are doing and actually have experience with the
acquisition method before trying it as part of a real investigation.
Some of the techniques are hardware dependent, have the potential to
BSOD the machine, or are potentially destructive, so you may only get
one attempt. In some instances, it may be useful to get outside help.
As Jim and Jamie mentioned, performing acquisition via firewire is a
potential option. Details about this technique can be found on the
follow
site: http://storm.net.nz/projects/16. They even mention using a
CardBus firwire card. Others have successfully used techniques similar
to those presented in the Cold Boot paper
(http://citp.princeton.edu/memory/) or similarly, msramdmp:
(http://mcgrewsecurity.com/projects/msramdmp/)
Depending on how the laptop is configured, the hibernation file is
another alternative. There are also other hardware solutions but they
are very expensive.
Regards,
AW
On Tue, 8 Jul 2008, Jim Gordon wrote:
I know that Jon Evans at Gwent Police in the UK has demonstrated this
method. I'll be amazed if Jon doesn't subscribe to this list and so
may be able to give some more info.
More info can be found here:
http://forums.remote-exploit.org/archive/index.php/t-13922.html
The method utilises Adam Boileau's Winlockpwn tool. Adam's Pythonraw
tool is available on Helix.
http://www.e-fense.com/helix/downloads.php
If I recall one "slight" issue with this method is the tendency to
BSOD. To quote Keith Lockhart at Access Data "This is a Bad thing!"
Jim
On 8/7/08 18:00, "vol-users-request(a)volatilityfoundation.org"
<vol-users-request(a)volatilityfoundation.org> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Send Vol-users mailing list submissions to
vol-users(a)volatilityfoundation.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
or, via email, send a message with subject or body 'help' to
vol-users-request(a)volatilityfoundation.org
You can reach the person managing the list at
vol-users-owner(a)volatilityfoundation.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Vol-users digest..."
Today's Topics:
1. RE: Memory imaging (Jamie Levy)
---------------------------------------------------------------------
-
Message: 1
Date: Mon, 7 Jul 2008 14:57:33 -0400
From: "Jamie Levy" <jamie.levy(a)gmail.com>
Subject: RE: [Vol-users] Memory imaging
To: vol-users(a)volatilityfoundation.org
Message-ID:
<cac8c8a90807071157w7b6e388ej660382ede0116884(a)mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi evb,
I'm not sure, but maybe this will help (maybe someone else on here
knows better than I do):
http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.htm
l
I've never tried memory acquisition using firewire, but it sounds
like it might be worth a try.
All the best,
-Jamie
------------------------------
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
End of Vol-users Digest, Vol 10, Issue 4
****************************************
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users