Monday, January 11, 2010

Forensic Memory Capture roundup

Due to the recent rounds of troubleshooting, the posts lately haven’t been the meaty material I’ve been setting aside.

I’ve got a massive “new & improved” round-up linkfest bursting at the seams.

Then there is some WinPE 3.0 & DISM notes.

Some stuff acquired by dear friend TinyApps.Org Blog regarding Read-Only Honoring of USB media.

I’m still sitting on a USMT-GUI post that I’ve got to add to a fire-sale post.

Then there is that forensics “Heavy Edition” Linkfest that I hope won’t take an HRT to get out the door.

In the meantime, for reference purposes, here is a short list of some freeware tools and utilities I have on the old USB stick that can all do memory captures of Windows systems (or are useful from a memory analysis perspective). Probably nothing much new here for the pros to find; it’s more of my own roundup in case I lose my USB utility drive…

Listed in no particular order.

  • WinDD – crafted and updated with love and passion by Matthieu Suiche. From the main page:

    “Windd is a free Windows utility, by Matthieu Suiche, which aims at being used as a swiss-knife to acquire the physical memory by investigators, incident responses engineers, malware analysts, system administrators and kernel developers. Please notice ALL (32-bits + 64-bits, driver + executable) windd binaries are digitally signed to confirm they are from a trusted source.”
  • Volatility | Memory Forensics – From the page:

    “The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.”

    For the current news and info on Volatility and many other memory and forensics related topics, please see this quite active blog on Tumblr: Volatility
  • Nigilant32 – Developed by Agile Risk Management LLC. Nigilant32 runs as a single exe file.

    For specific information see the PDF guide Nigilant32 For First Responders: Active Memory Imaging, “Using Nigilant32 we can image the active physical memory (RAM) of the suspect workstation or server to secure portable media.”
  • MANDIANT Memoryze – From the geniuses at Mandiant. From their product description page linked:

    MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis. Per the product page, MANDIANT Memoryze can:

    • image the full range of system memory (not reliant on API calls).
    • image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
    • image a specified driver or all drivers loaded in memory to disk.
    • enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
      • report all open handles in a process (for example, all files, registry keys, etc.).
      • list the virtual address space of a given process including:
        • displaying all loaded DLLs.
        • displaying all allocated portions of the heap and execution stack.
      • list all network sockets that the process has open, including any hidden by rootkits.
      • output all strings in memory on a per process basis.
    • identify all drivers loaded in memory, including those hidden by rootkits.
    • report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
    • identify all loaded kernel modules by walking a linked list.
    • identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).

    MANDIANT Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools. 
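    To make the contrast in that capability list concrete (“identify all loaded kernel modules by walking a linked list” versus “enumerate all running processes (including those hidden by rootkits)”), here is an added example that is not code from the original post, from Mandiant, or from any tool listed here. It builds a miniature memory image holding a circular doubly-linked list of process records, unlinks one record the way a DKOM rootkit would, and shows why a list walk misses it while a signature scan plus cross-view comparison finds it. The record layout, the `PROC` tag, the offsets and the sample process names are all constructed for the example; real Windows structures differ. Volatility’s pslist and psscan plugins embody the same two views.

```python
"""Cross-view detection of unlinked process records in a toy memory image.

Constructed example: record layout, tag and sample data are invented for
illustration and do not match any real Windows kernel structure.
"""
import struct

TAG = b"PROC"        # constructed marker at the start of each record
REC_SIZE = 32        # constructed fixed record size
# layout: tag(4) | pid(4) | flink(4) | blink(4) | name(16, NUL padded)
REC_FMT = "<4sIII16s"


def build_image(procs, unlink=()):
    """Write one record per (pid, name) into a fake image starting at 0x100.

    Records are chained into a circular doubly-linked list through byte
    offsets. Any pid in `unlink` is still present in the image but removed
    from the chain, mimicking a rootkit hiding a process by DKOM.
    """
    base = 0x100
    visible = [p for p in procs if p[0] not in unlink]
    addr = {pid: base + i * REC_SIZE for i, (pid, _) in enumerate(procs)}
    image = bytearray(base + len(procs) * REC_SIZE + 64)
    for pid, name in procs:
        if pid in unlink:
            flink = blink = addr[pid]          # hidden entry points at itself
        else:
            j = visible.index((pid, name))
            flink = addr[visible[(j + 1) % len(visible)][0]]
            blink = addr[visible[(j - 1) % len(visible)][0]]
        rec = struct.pack(REC_FMT, TAG, pid, flink, blink,
                          name.encode().ljust(16, b"\0"))
        image[addr[pid]:addr[pid] + REC_SIZE] = rec
    return bytes(image), addr[visible[0][0]]


def read_rec(image, off):
    tag, pid, flink, blink, name = struct.unpack_from(REC_FMT, image, off)
    return {"off": off, "tag": tag, "pid": pid, "flink": flink,
            "blink": blink, "name": name.rstrip(b"\0").decode()}


def walk_list(image, head, limit=1000):
    """View 1: follow flink pointers from the list head, the way the OS API
    (and a naive parser) enumerates processes. Stops on wrap or bad tag."""
    seen, off = [], head
    for _ in range(limit):
        rec = read_rec(image, off)
        if rec["tag"] != TAG or any(r["off"] == off for r in seen):
            break
        seen.append(rec)
        off = rec["flink"]
    return seen


def scan_image(image):
    """View 2: carve every record carrying the tag, ignoring the links."""
    found, pos = [], image.find(TAG)
    while pos != -1 and pos + REC_SIZE <= len(image):
        found.append(read_rec(image, pos))
        pos = image.find(TAG, pos + 1)
    return found


def hidden_processes(image, head):
    """Cross-view: records the scan finds that the list walk never reached."""
    listed = {r["off"] for r in walk_list(image, head)}
    return [r for r in scan_image(image) if r["off"] not in listed]


# Constructed sample: four processes, pid 1337 unlinked by a "rootkit".
SAMPLE = [(4, "System"), (620, "lsass.exe"), (1337, "evil.exe"),
          (2048, "notepad.exe")]


def demo():
    image, head = build_image(SAMPLE, unlink={1337})
    walked = [r["pid"] for r in walk_list(image, head)]
    hidden = [(r["pid"], r["name"]) for r in hidden_processes(image, head)]
    return walked, hidden


if __name__ == "__main__":
    walked, hidden = demo()
    print("list walk sees pids:", walked)
    print("found only by scan (hidden):", hidden)
```

    The walk alone reports three processes and looks perfectly healthy; only the disagreement between the two views reveals the fourth record. The same principle is why analysis on an acquired image (rather than through the live OS API) matters so much in the tool descriptions above.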

  • MANDIANT First Response – Also from Mandiant.  Also free.  While not exactly a memory capture tool, it does capture many “volatile” elements of a running system on incident response.  Portable and certainly not worth hesitating to keep handy.  Take some time reading to understand how to deploy and use.  Well worth the effort.  From the product description page linked:

    “MANDIANT First Response is Incident Response management software intended for information security staff, investigators and forensic professionals who respond to computer security incidents. MANDIANT recognizes the importance of investigating any potential computer security incident, and we created MANDIANT First Response to foster diligent, effective and efficient response to these incidents.

    “MANDIANT First Response provides the ability to remotely collect the volatile data, file lists, registry information, event logs, running processes, running services, file time/date stamps and many other data sources to allow an organization to perform precision strike responses when an incident may have occurred. MANDIANT First Response promotes getting the right information into the hands of the right people quickly and intelligently.

    “MANDIANT First Response contains a Command Console and a First Response Agent. The First Response Agent can be deployed on your infrastructure prior to an incident and run as a service for network-based acquisition of information, or run locally if you're working with individual assets. The data collected by the First Response Agent includes the data used by responders to determine whether an incident occurred or not. The Command Console provides an intuitive graphical user interface and report generating capability to allow your analysts to rapidly review, categorize and report on findings”

  • AccessData FTK Imager Lite version 2.6.1 – portable version contains the ability to capture memory images from live systems.  Also carried handily on my USB stick for incident response and imaging work.
  • Technology Pathways Download ProDiscover Basic Edition (Version 6.1) and also on that page their portable ProDiscover Basic Edition U3 install package (Version 5 Only). The version 6.1 is really cool in that you can capture in both the ProDiscover or Linux dd formats, and not only storage media (hard-drives) but physical memory and BIOS memory as well.  Really cool and easy to use.
  • ManTech Memory DD (mdd) appears to no longer be under development according to this Volatility: MDD takes a bow..... post. However, if you still need to get it into your toolbox, just in case, you seem to be able to pick up the last copy over at mdd - SourceForge.net. For a bit more info see this ManTech Memory DD: Capture memory on Windows Vista and 2003 Server post over at PenTestIT.
  • VMMap – Microsoft Sysinternals.  Though not specifically a memory-capture tool it can grab and display some useful information regarding memory usage on a Windows system.  From the page:

    “VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map. Powerful filtering and refresh capabilities allow you to identify the sources of process memory usage and the memory cost of application features.

    “Besides flexible views for analyzing live processes, VMMap supports the export of data in multiple forms, including a native format that preserves all the information so that you can load back in. It also includes command-line options that enable scripting scenarios.”

  • SmInfo: Inside Store Manager of Windows 7 and Windows 2008 R2 with Windd - Matthieu Suiche’s blog – Interesting reading on memory as pertains to the Store Manager in Windows 7.
  • Reply to HBGary — and personal notes.. -- Matthieu Suiche’s blog – There was a “discussion” publicly a while back between HBGary folks and Matthieu Suiche regarding the effectiveness and “totality” of his windd memory capture tool. (See the post Windd – Almost there, but not quite… at HBGary’s Shawn’s blog.) Matthieu’s reply linked above is quite an educational read, even for non-memory folks like myself. Good stuff.
  • HBGary is a commercial outfit that (over-simplifying here) focuses on system malware/threat protection and incident response. As such they have a lot of tools in their shed to offer folks, including their memory-acquisition focused Fast Dump FDPro utility and the Responder Field edition. As both are marketed (and priced) as high-end commercial products, I’ve not had an opportunity to download and work with either one. However the FastDump Pro FAQ (PDF) seems quite interesting. They also offer a FastDump Community Edition (free) which might work just fine on most current Windows XP systems. Quoting…

    “The community edition of Fastdump supports only 32 bit acquisition up to 4 gigs of RAM and does not support Vista, Windows 2003, or Windows 2008. The community edition can be downloaded free of charge.”

  • Yes. I know. DD should be able to do memory captures as well out of the box.  On the Windows side George M. Garner, Jr’s Forensic Acquisition Utilities at one time had a version in there that could do the same running from a Windows (say WinPE?) OS.  Full System Memory Dumps....  I’m not certain that feature is still included.
  • DEFT Linux and CAINE Live CD along with similar (Helix) come with a Windows-side launcher beyond the expected Linux boot-cd side.  Some of the included Windows tools on them support memory imaging of a running Windows system.
  • Memory Analysis tagged posts on the always informative SANS Computer Forensics, Investigation, and Response blog have a number of great resources to check out. See Best Practices In Digital Evidence Collection and Windows Physical Memory: Finding the Right Tool for the Job for some additional references along with many great commercial ones if you have some greenbacks to spend.
  • Finally, last but never least, Harlan Carvey’s Windows Incident Response blog: memory category has a wide range of tools, thoughts, and tips related to memory in Windows forensics endeavors.  Allocate some time to peruse through them all, and keep your bookmark folder open and handy while you do so.  This is where the real knowledgebase on forensic and incident-response memory acquisition lies.

Please note that I make no claims of expertise in this particular field as I rarely do memory captures and as such really am not in a position (yet) in this post to compare the various pros/cons that each application carries with it from a technical, limitations, or comprehensiveness standpoint.  That will have to wait for a future vacation with the time needed to research them that I don’t currently have.

Also I haven’t even tried to mention all the non-freeware (commercial) tools out there. The afore-linked SANS forensic blog post has a good collection to follow up on, as well as X-Ways Capture ($) which also does volatile memory captures.

That said, if anyone does have any thoughts or perspectives to share on the matter…or additional tools (freeware/open source) left off to share, by all means, please drop a tip in the comment jar.

Cheers.

--Claus V.
