2010-11-18

Taking a dump of PC memory

This article describes some ways to take a raw memory dump of a Windows PC.



Why bother?


Memory forensics has garnered a lot of interest in the past year or so. Some reasons are:
  • Malware can live in memory without ever touching the disk.
  • Disks are growing in size to the point where taking a raw image of a disk can take a long time, even when this is an ordinary PC disk.
  • Memory forensics is a good way to detect and investigate possible rootkit infection.

So the new Incident Response (IR) mantra is becoming: “Don’t do anything, don’t touch the host, take a forensic image of the OS memory.” Keep in mind that any live acquisition tool (win32dd included) runs on the host and loads a kernel driver, so it alters memory a little itself; the aim is to keep that footprint small and to document exactly what was run and when.

The Moonsols Memory Toolkit


One good way to do this is the Moonsols Memory Toolkit.
There are two versions: the (free but constrained) Community Edition and the Pro Edition.

Here is the link for the software: http://www.moonsols.com/component/jdownloads/view.download/3/2
Note that there are two flavours, 32-bit (win32dd) and 64-bit (win64dd). Pick the one matching the Windows installation, not just the CPU: a 64-bit processor running 32-bit Windows still needs win32dd, and a driver of the wrong bitness will simply refuse to load. The rest of this article uses the 32-bit names.

Ways of using the software


Basically the utility can be executed from anywhere as long as the driver win32dd.sys is located in the same directory as the main executable win32dd.exe.

So one way would be to insert a USB flash drive or read-only CD with these programs. Be aware that inserting a USB device writes to the Windows Registry (the USBSTOR and MountedDevices keys, for example), so a read-only CD leaves a smaller footprint. (Note that considerations for taking a pristine, legally valid forensic image, and preserving chain of evidence, are beyond the scope of this article.)
The programs could also be fired up remotely using Sysinternals psexec. If you go that way, remember that psexec -c copies only the executable you name; the .sys driver still has to be placed next to it on the target (by hand or from a share) before the run.

Run win32dd


As Administrator or equivalent, open a cmd shell and navigate to the directory with the win32dd utilities.
To see all the options:

win32dd --help

Basically the defaults are usually fine.

Even with the community edition you can dump across the network to a Windows share. Or you could dump to some local storage (although that might have forensic implications).

Forensics considerations about integrity aside, a checksum is a good idea to ensure that the image was not corrupted somehow. For detecting accidental corruption MD5 will do; if the hash may later be relied on as evidence, record a SHA-256 as well, since MD5 collisions are practical.

In my test, “l:” was a file share on another PC. Both PCs were linked to the local LAN by (slow) Wi-Fi. It took almost an hour to dump 3 GB across to the Windows share (about 1 MB/s throughput) on the second PC. So you might want to consider dumping locally to a USB flash key, or even to the local hard disk. In comparison, dumping to a USB flash key (same PC) took about 15 min.

Be sure that the driver win32dd.sys is in the same directory as the main executable win32dd.exe, then run:

win32dd /r /s 2 /f l:my_pc_image

Here /r asks for a raw image (rather than a crash-dump format), /s selects the hash function win32dd computes over the image (2 is MD5, which matches the checksum advice above; --help lists the other values), and /f gives the destination. This gave the following:

[screenshot of the win32dd output, captured 2010-11-18 11-59-40, not reproduced here]
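As an added example (not from the original post or the Moonsols toolkit), here is a PowerShell wrapper around the command above that checks the preconditions mentioned so far before dumping: it picks win32dd or win64dd to match the Windows bitness, refuses to run without the .sys beside the .exe, checks that the destination has room for all of RAM, runs the same /r /s 2 /f command, then hashes the resulting file independently (MD5 and SHA-256) and writes a small log next to the image. The script location for the binaries, the log file name and the assumption that win32dd returns a non-zero exit code on failure are mine, not documented behaviour.

```powershell
# Added example, not part of the original post. Assumes the Moonsols binaries
# (win32dd.exe/win32dd.sys or win64dd.exe/win64dd.sys) sit in the same
# directory as this script, and that the destination share is already mapped.
param(
    [string]$OutFile = 'L:\my_pc_image',       # destination from the original command
    [string]$LogFile = 'L:\my_pc_image.log'    # assumption: log next to the image
)
$ErrorActionPreference = 'Stop'
$toolDir = Split-Path -Parent $MyInvocation.MyCommand.Path

# Hash a file with a .NET algorithm name ('MD5', 'SHA256'); returns lowercase hex.
function Get-FileDigest([string]$Path, [string]$Algorithm) {
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($algo.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# 1. Match the tool to the OS bitness, not the CPU. PROCESSOR_ARCHITEW6432 is only
#    set when a 32-bit process runs on 64-bit Windows.
$os64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
$tool = if ($os64) { 'win64dd' } else { 'win32dd' }
$exe  = Join-Path $toolDir "$tool.exe"
$sys  = Join-Path $toolDir "$tool.sys"
foreach ($f in @($exe, $sys)) {
    if (-not (Test-Path $f)) { throw "Missing $f (the .sys driver must sit next to the .exe)" }
}

# 2. The raw image is at least the size of physical RAM; make sure it will fit.
$ramBytes = [int64](Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory
$drive    = Split-Path -Qualifier $OutFile                     # e.g. "L:"
$disk     = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
if (-not $disk) { throw "Destination drive $drive is not visible from this session" }
if ([int64]$disk.FreeSpace -lt $ramBytes) {
    throw ("Only {0:N0} bytes free on {1}; need at least {2:N0}" -f [int64]$disk.FreeSpace, $drive, $ramBytes)
}

# 3. Same switches as the original command: /r raw image, /s 2 MD5 by the tool, /f destination.
$start = Get-Date
& $exe /r /s 2 /f $OutFile
if ($LASTEXITCODE -ne 0) { throw "$tool exited with code $LASTEXITCODE" }   # assumption: non-zero on failure
$elapsed = (Get-Date) - $start

# 4. Hash the file as it landed on the share, independently of the tool's own MD5.
#    MD5 is enough to spot corruption; SHA-256 is what to record if the hash may be evidence.
$md5    = Get-FileDigest $OutFile 'MD5'
$sha256 = Get-FileDigest $OutFile 'SHA256'
$size   = (Get-Item $OutFile).Length

# 5. Leave a record of what was run, from where, and what came out.
@"
host      : $env:COMPUTERNAME
user      : $env:USERDOMAIN\$env:USERNAME
tool      : $exe
command   : $tool /r /s 2 /f $OutFile
started   : $($start.ToString('yyyy-MM-dd HH:mm:ss'))
elapsed   : $elapsed
ram_bytes : $ramBytes
size      : $size
md5       : $md5
sha256    : $sha256
"@ | Out-File -FilePath $LogFile -Encoding ASCII
Write-Host "Image: $OutFile ($size bytes) MD5=$md5 SHA256=$sha256 in $elapsed"
```

Run it from an elevated PowerShell on the target, e.g. powershell -ExecutionPolicy Bypass -File .\dump.ps1 from the USB key or CD. Mapped drives are per logon session, so if the elevated prompt cannot see L:, map the share again inside it before running.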

If it doesn’t work


Method 1: Clean up the registry and try moving the driver

If there is a strange message about not being able to load the driver, the usual cause is a stale service entry left by a previous run. Clean the Registry on the target host of all references to win32dd (look under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for keys named after, or whose ImagePath points at, win32dd). Then copy the “.sys” driver to %WINDIR%\System32 and try again.
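As an added example (not from the original post), the Method 1 cleanup done in PowerShell instead of by hand in regedit: it finds service entries under HKLM\SYSTEM\CurrentControlSet\Services that are named after, or whose ImagePath points at, win32dd, removes them with sc.exe (falling back to deleting the key), and stages the driver in %WINDIR%\System32. The driver location (.\win32dd.sys in the current directory) is an assumption.

```powershell
# Added example, not part of the original post. Run elevated. Assumes the driver
# is .\win32dd.sys in the current directory (adjust for win64dd on 64-bit Windows).
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Find leftover service entries: a key named after the tool, or any key whose
# ImagePath points at the win32dd driver (keys without ImagePath yield $null here).
$stale = Get-ChildItem $services | Where-Object {
    $_.PSChildName -like '*win32dd*' -or
    ((Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath -like '*win32dd*')
}

foreach ($svc in $stale) {
    $name = $svc.PSChildName
    Write-Host "Removing stale service entry: $name"
    & sc.exe stop   $name 2>$null | Out-Null     # harmless if it is not running
    & sc.exe delete $name 2>$null | Out-Null     # SCM marks it for deletion
    # sc.exe only removes the key once nothing holds the service; fall back to
    # deleting the key directly, which is the "clean the Registry" step above.
    if (Test-Path $svc.PSPath) { Remove-Item -Path $svc.PSPath -Recurse -Force }
}
if (-not $stale) { Write-Host 'No win32dd service entries found' }

# Stage the driver where the loader will find it regardless of the working directory.
$dest = Join-Path $env:WINDIR 'System32\win32dd.sys'
Copy-Item -Path '.\win32dd.sys' -Destination $dest -Force
Write-Host "Driver copied to $dest; now re-run win32dd"
```

Deleting the key while the Service Control Manager still references it can fail with access denied; if that happens, reboot once and the entry is gone.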

Method 2: Use hiberfil.sys instead

A less intrusive approach, in the sense that nothing is loaded into the running kernel, is to hibernate the PC (not shut it down) and then copy hiberfil.sys from the disk (if it exists) using some liveCD distro. Note that hibernating does write to the disk, and that the hibernation file holds only the pages in use at that moment, compressed, so it is not a complete physical memory image.
Moonsols has a utility hibr2bin.exe that is included with their toolkit. This can be used to convert the hibernation file to a raw image dump. Note that the Professional Edition is required for Win7 hibernation file support.

Method 3: Force a Windows Crash Dump


This is described in detail here: http://msdn.microsoft.com/en-us/library/ff545499.aspx
The MSDN page lists Windows Server 2003, Server 2008 and Windows 7. The PS/2 (i8042prt) path is older and also works on Windows 2000 and XP (see Microsoft KB 244139); the USB keyboard (kbdhid) path needs Windows Vista SP1 / Server 2008 or later.
First a Complete memory dump must be enabled for the OS (System Properties > Advanced > Startup and Recovery, or CrashDumpEnabled = 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl), and the page file on the boot volume must be at least RAM size plus 1 MB, since the dump is written through it. Then a registry value is set to activate the feature (depending on the type of keyboard) and the machine rebooted. The magic sequence by default is hold right CTRL and then hit SCROLL LOCK twice.

From MSDN:
  • With PS/2 keyboards, you must enable the keyboard-initiated crash in the registry. In the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters, create a value named CrashOnCtrlScroll, and set it equal to a REG_DWORD value of 0x01.

  • With USB keyboards, you must enable the keyboard-initiated crash in the registry. In the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters, create a value named CrashOnCtrlScroll, and set it equal to a REG_DWORD value of 0x01.
If you do manage to produce a full memory Windows crash dump, then Moonsols has a utility dmp2bin.exe to convert it to a raw memory image. It has to be a Complete dump: a Kernel or Small dump does not contain all of physical memory. Bear in mind this is the most disruptive of the three methods for disk evidence, since the machine crashes, reboots, and writes the whole of RAM to the boot volume through the page file.
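As an added example (not from the original post or the MSDN article), the Method 3 setup done from PowerShell rather than by hand: it forces a Complete memory dump via CrashDumpEnabled, sets CrashOnCtrlScroll for both the PS/2 (i8042prt) and USB (kbdhid) keyboard drivers as the MSDN bullets describe, and warns if the page file on the system drive is too small to hold the dump. The registry paths and values are Microsoft's documented ones; the page-file check through Win32_PageFileUsage is my addition. A reboot is needed afterwards before Right CTRL + SCROLL LOCK twice will do anything.

```powershell
# Added example, not part of the original post or the MSDN article. Run elevated,
# then reboot: the keyboard drivers read CrashOnCtrlScroll only when they load.
$ErrorActionPreference = 'Stop'

# 1. Dump type. CrashDumpEnabled: 1 = Complete, 2 = Kernel, 3 = Small. dmp2bin needs
#    a Complete dump, so set it here even if the Startup and Recovery dialog does not offer it.
$cc = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
New-ItemProperty -Path $cc -Name CrashDumpEnabled -PropertyType DWord -Value 1 -Force | Out-Null
$dumpFile = (Get-ItemProperty -Path $cc).DumpFile          # default %SystemRoot%\MEMORY.DMP

# 2. Keyboard-initiated crash. The MSDN text gives one key per keyboard type; setting
#    both is harmless, since the driver that is not in use never reads its value.
foreach ($drv in 'i8042prt', 'kbdhid') {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Services\$drv\Parameters"
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    New-ItemProperty -Path $p -Name CrashOnCtrlScroll -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. The dump is written through the page file on the boot volume, which must be at
#    least RAM + 1 MB; otherwise no dump file is produced when the crash happens.
$ramMB = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pf    = Get-WmiObject Win32_PageFileUsage | Where-Object { $_.Name -like "$env:SystemDrive*" }
if (-not $pf) {
    Write-Warning "No page file on $env:SystemDrive; a Complete dump cannot be written"
} elseif ($pf.AllocatedBaseSize -lt ($ramMB + 1)) {
    Write-Warning ("Page file is {0} MB; need at least {1} MB for a Complete dump" -f $pf.AllocatedBaseSize, ($ramMB + 1))
}

Write-Host "CrashDumpEnabled=1, dump file $dumpFile, CrashOnCtrlScroll set for i8042prt and kbdhid."
Write-Host "Reboot, then hold Right CTRL and press SCROLL LOCK twice to force the dump."
```

After the reboot and the key sequence, the machine blue-screens, writes the dump, and restarts; the file named in $dumpFile is what you feed to dmp2bin.exe. Everything this script writes to the registry and the page file is a change to the target, so note it in your IR log.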

23 comments:

Rob Dewhirst said...

Method 4: Use ftkimager or Memoryze (free) or Helix Pro ($). I gave up on the moonsols utils (the community edition, anyway). The author suggests the same fixes as you suggest in Method 1. Never could get them to work.
