Category: Volatile Memory Forensics
In my last post I described Evimetry's support for remote memory acquisition. In this post I'll give a quick walkthrough on setting up Volatility for analysis of those images. I prefer to make a Python virtualenv specifically for working with Volatility. In this example, I'm using MacOS with brew for my Python (the Python shipped with MacOS is broken in regard to pip's TLS authentication). Hence the -p argument.
mkdir volmem
cd volmem
virtualenv -p /usr/local/bin/python volmem
source volmem/bin/activate
Install all the dependencies with the following (the last two aren't strictly necessary, but prevent a load of complaints from Volatility).
How to acquire Linux memory images without a driver
For a long time now, operating systems such as Windows and MacOS have prevented user space applications from accessing the raw physical memory of the machine. Physical acquisition and virtualisation approaches aside, this has led the field to require the use of kernel drivers to export physical RAM for acquisition. In the Linux realm, Joe Sylve's LiME is the go-to for many. It appears not widely known that on Linux x64, acquisition of physical memory is possible without using a driver such as LiME.
Evimetry v3 Released: Remote volatile memory support
We recently released Evimetry 3, the newest release of our revolutionary approach to forensic acquisition and analysis. What's new? The big news is that we now support remote volatile memory acquisition. This means that in addition to being able to acquire remote disks, you can now acquire the volatile memory of live Windows, MacOS, and Linux hosts. We primarily support Windows XP and above (x86 and x64) and OS X Mountain Lion and above (x64).
CFP: Digital Investigation Special Issue on Volatile Memory Analysis
The Journal of Digital Investigation is currently calling for papers for a Special Issue on Volatile Memory Analysis. The Guest Editors of this issue are Michael Cohen (Google) and Bradley Schatz (Schatz Forensic). We would welcome any novel research into aspects of Volatile Memory Analysis. Submissions are due 31 August 2016. Memory analysis is a hot research topic with wide applications on many fronts - from malware detection and analysis, to recovery of encryption keys, to user activity reconstruction.
Finding Object Roots in Vista (direct from dump file)
The last post discussed finding object roots in Vista using the self referential semantics of the Kernel Processor Control Region (KPCR). Object roots are the starting points that structural interpretation approaches use to begin to interpret kernel structures, in much the same way that one might use the MBR of a hard disk to find partitions on a drive, or the NTFS boot sector to find the MFT area in a filesystem.
Finding Object Roots in Vista (KPCR)
This is the third of a series of posts describing how the Volatility memory forensics application was ported to a new Windows operating system version. Apart from the inevitable changes in kernel data structures which typically come with a new kernel version, Vista brought with it a change which broke one of Volatility’s key techniques for identifying kernel objects. The change was Address Space Layout Randomisation (ASLR). Thanks to Gil Peterson for sharing this detail.
Adding Vista structure definitions to Volatility
This post follows on from the last post. In the last post I described how I extended Volatility to work with the symbols for Windows XP SP3. In this one, I describe how I applied the approach to Vista SP0. I downloaded the Windows Vista RTM x86 retail symbols from Microsoft and installed them to C:devVistaSP0x86vista-x86. I then ran the tpi_vtypes.py program against the symbol file which corresponds to the general Vista kernel, ntkrnlmp.
Adding new structure definitions to Volatility
I am currently preparing for a day-long tutorial on Windows Volatile Memory Forensics for Incident Response, which Michael Cohen and I are presenting at the AusCERT conference next week. A significant part of the analysis component of the tutorial will focus on the open source volatile memory analysis tool, Volatility. A current limitation of Volatility’s support for Windows is that it doesn’t support analysis of anything other than Windows XP.
Guidance for visualisation of volatile memory
The following video shows an experimental interactive memory debugger and visualiser called ICU64, running against the Frodo C64 emulator. The video below shows an interactive exploration of the memory space of the emulated C64 while it runs the game “Cataball”, pointing out correspondences between the raw memory and the on-screen action. Hex editor authors and forensic tool manufacturers should take note of the zoomable memory map. [via Root Labs Rdist]
Computer Security Day – Brisbane 2007
I will be giving a short half-hour talk titled "Recent developments in volatile memory forensics" at the Brisbane Computer Security Day on Friday 29th November, 2007. In this talk I will be giving an overview of where volatile memory forensics fits into the general practice of forensics, identify the benefits and limitations of the current toolset, and outline the current developments in the field. The subjects of other talks include PCI data security, Google hacking, and web application security.
DFRWS 2007 Paper
My paper "BodySnatcher: towards reliable volatile memory acquisition by software" has been accepted at the 2007 Digital Forensics Research Workshop (DFRWS) conference in August this year. The abstract is below: Recently there has been a surge in interest in memory forensics: the acquisition and analysis of the contents of physical memory obtained from live hosts. The emergence of kernel level rootkits, anti-forensics, and the threat of subversion that they pose, threatens to undermine the reliability of such memory images, and digital evidence in general.