Re: Digital forensics of the physical memory

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: Fri, 17 Jun 2005 09:35:16 -0700 (PDT)
To: Ben Hawkes <ben.hawkes@paradise.net.nz>, Mariusz.Burdach@seccure.net

    Ben,
     
    > The only other thing I would like to mention is the difficulty in
    > gathering a trustworthy image of physical memory. In fact I would go so
    > far as saying that this is an impossibility so long as the imaging
    > process relies on the host operating system. You touch on this briefly
    > in Chapter 2, "Problems with memory acquisition procedure", but fail to
    > note that the approaches you suggest (using dd or the proof of concept
    > tools in idetect) can be circumvented by fairly rudimentary kernel
    > space anti-forensics themselves.

    You've hit the nail squarely on the head here, I
    believe.

    I contacted the author directly with regards to some
    issues I saw, and though he thanked me for my
    comments, he really didn't (and has yet to do so)
    address those issues.

    One of the issues in particular is that he starts off
    by mentioning the FU rootkit and the SQL Slammer worm,
    both of which are specific to Windows...and then
    presents examples using only a Linux system. He
    states in the paper that similar work can be done on
    Windows systems, but never provides any information to
    that effect.

    Based on entries I made to my blog the other day, I
    ended up having a conversation w/ someone from MS
    about this very issue. The issue of using dd.exe to
    image Physical Memory goes beyond the fact that there
    don't seem to be any maps describing how physical
    memory is used by Windows systems, and that memory
    used by processes consists of both RAM and the
    pagefile. Additional issues include, as you pointed
    out, that while the imaging process is occurring, the
    kernel memory (and even user-mode memory) is
    changing...so what you end up with is a smear, for
    want of a better term.

    Even tools like pmdump.exe and LiveKD
    (SysInternals.com) are not sufficient for collecting
    user-mode memory, b/c they do not lock or suspend
    memory.

    The upshot is that in order to really capture a
    snapshot of a Windows system, you need to cause a
    crashdump. Properly configured, you can get a lot of
    valuable information from this crashdump, as it will
    contain the contents of kernel-mode memory. In
    addition, the MS debuggers "understand" this
    output...whereas the output of dd.exe is NOT
    compatible with the debuggers.

    > This is not to take away from the rest of the document which, overall,
    > is quite informative and probably applicable to the vast majority of
    > Linux intrusions seen today, but I think this is an important point to
    > make nonetheless.

    I fully agree...my intention is NOT to take away from
    the author's efforts, but instead use them as a
    starting point for additional work.

    H. Carvey
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------
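
The "smear" described in the message above, as an added toy model that is not part of this thread and is not the code of any tool named in it (dd.exe, pmdump.exe, LiveKD): a constructed 8-page memory holding a kernel-style linked list is copied one page at a time while a simulated kernel frees a node between two page copies. The resulting image carries a pointer into a node that had already been freed by the time its page was read, so a consistency walk over the image fails, while the same memory copied with nothing running underneath it (the property a crash dump gives you) walks cleanly. All addresses, the node format and the function names are invented for the illustration.

```python
"""Toy model of a page-by-page live memory acquisition racing against
kernel activity. Constructed example: a bytearray stands in for physical
memory and a tiny linked list stands in for a kernel data structure."""
import struct

PAGE_SIZE = 32
NUM_PAGES = 8
NODE_MAGIC = 0xAA
NODE_FMT = ">BHB"          # magic byte, 16-bit next address, 8-bit id
NODE_SIZE = struct.calcsize(NODE_FMT)
HEAD_ADDR = 0x10           # list head lives in page 0 (hypothetical layout)


def write_node(mem, addr, next_addr, node_id):
    """Store a valid node record at addr in the live memory."""
    struct.pack_into(NODE_FMT, mem, addr, NODE_MAGIC, next_addr, node_id)


def read_node(image, addr):
    """Return (next_addr, id) or None if addr does not hold a valid node."""
    if addr + NODE_SIZE > len(image):
        return None
    magic, nxt, node_id = struct.unpack_from(NODE_FMT, image, addr)
    if magic != NODE_MAGIC:
        return None
    return nxt, node_id


def build_memory():
    """Constructed layout: A(0x10) -> B(0x50) -> C(0x90) -> D(0xD0) -> end."""
    mem = bytearray(PAGE_SIZE * NUM_PAGES)
    write_node(mem, 0x10, 0x50, 1)
    write_node(mem, 0x50, 0x90, 2)
    write_node(mem, 0x90, 0xD0, 3)
    write_node(mem, 0xD0, 0x0000, 4)   # next == 0 marks the end of the list
    return mem


def acquire(mem, after_page=None):
    """Copy memory one page at a time, the way a sequential imager does.
    If after_page(page_index, mem) is given it runs between page copies and
    may change the live memory, standing in for the kernel working underneath
    a user-mode imaging tool. With no callback the copy is a frozen snapshot."""
    image = bytearray()
    for page in range(NUM_PAGES):
        start = page * PAGE_SIZE
        image += mem[start:start + PAGE_SIZE]
        if after_page is not None:
            after_page(page, mem)
    return bytes(image)


def unlink_node_b(page, mem):
    """Simulated kernel activity: right after page 0 (holding A) has been
    copied, free node B and relink A -> C. The live list stays consistent;
    the image does not, because it saw A before and B after the change."""
    if page == 0:
        write_node(mem, 0x10, 0x90, 1)                    # A now points at C
        mem[0x50:0x50 + NODE_SIZE] = b"\x00" * NODE_SIZE  # B freed (zeroed)


def walk_list(image, head=HEAD_ADDR):
    """Follow next pointers through an image. Returns the list of ids, or
    None when a pointer leads somewhere that is not a node or the walk
    loops: the signature of a smeared (internally inconsistent) image."""
    ids, seen, addr = [], set(), head
    while addr != 0:
        if addr in seen:
            return None
        seen.add(addr)
        node = read_node(image, addr)
        if node is None:
            return None
        nxt, node_id = node
        ids.append(node_id)
        addr = nxt
    return ids


def frozen_snapshot():
    """Nothing runs during the copy: the image walks as [1, 2, 3, 4]."""
    return walk_list(acquire(build_memory()))


def smeared_snapshot():
    """Kernel frees B mid-copy: the image holds A -> 0x50 but 0x50 is
    already zeroed, so the walk returns None."""
    return walk_list(acquire(build_memory(), after_page=unlink_node_b))


def live_after_mutation():
    """The live memory itself is consistent after the change ([1, 3, 4]);
    only the image, which mixes two points in time, is not."""
    mem = build_memory()
    unlink_node_b(0, mem)
    return walk_list(mem)


if __name__ == "__main__":
    print("frozen image walk:", frozen_snapshot())
    print("smeared image walk:", smeared_snapshot())
    print("live memory after change:", live_after_mutation())
```

The point of the three functions is that neither the before state nor the after state of the live system appears in the smeared image; it is a mixture of both, which is why pointer-following analysis of such an image can fail in ways that a snapshot taken with the system halted does not.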
