Memory Forensics Question

System: Windows XP SP3 32bit
Physical RAM: 3GB
Page File (virtual): 4GB

Created backup image of the current state of memory (RAM) using dd (command below)
dd.exe if=\\.\PhysicalMemory of=C:\memorydump.img

Q1: This image file that dd created (a snapshot of memory in its current state): is that memory physical RAM plus page file memory, or just physical RAM? I used the Helix live CD with dd.exe.

Q2: Now that I have this image file of memory, what tool can I use to analyze the contents? Maybe something like WinDbg or WinHex? If so, do you just open the image file in the program?
Knowledge01 asked:

btan (Exec Consultant) commented:
Q1.

dd should be extracting physical memory (RAM), not paged or virtual memory. But I will suggest that you use Win32dd instead in your Windows environment, to stay close to and verify the tool. There are too many variants, even in Linux; dd, by the way, is typically used for raw bit-to-bit copies too.

See @ http://www.shakacon.org/talks/NFI-Shakacon-win32dd0.3.pdf

Note that the screenshot in slide 17 indicates the same number as the physical memory. See slide 21: the dumped file size can be larger, as the size of the physical address space is determined using this formula: (HighestPhysicalPage + 1) * PAGE_SIZE

Q2

The Win32dd output can be used with WinDbg, as can the dd output. The analysis can be rather manual, and if you are experienced in such analysis it is probably easier to look through the memory map; otherwise I will suggest other useful tools to highlight key aspects in the analysis.

For leveraging WinDbg, see this paper. It talks about the structure of the dump, though it can be too technical: http://www.dfrws.org/2006/proceedings/2-Schuster.pdf

For other useful tools, check out:
a) Memoryze @ http://www.mandiant.com/products/free_software/memoryze/
b) Volatility @ https://www.volatilesystems.com/default/volatility

In short, both free tools list (based on command options) the critical parameters that help reveal any suspicious activity, e.g. hidden processes, stealth listening ports, rootkit detection. There are scripts provided to do it directly as well for some cases, such as Memoryze's rootkit detection: http://www.mandiant.com/products/memoryze/use_memoryze/

There is no hard and fast rule for checking out the dump, but I suppose it is typically for incident analysis :) Nonetheless, do also take a look at this quick scenario as an example to understand a memory forensics use case:
http://blogs.sans.org/computer-forensics/2008/11/19/memory-forensic-analysis-finding-hidden-processes/

Hope it helps.

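The pool-tag scan that Volatility's psscan and the Schuster paper above describe, written out as an added example (not code from the thread, from Volatility, or from Win32dd). It walks a raw physical-memory image of the kind dd produces, looks for the XP process pool tag "Pro\xe3" at 8-byte-aligned pool headers, locates the _EPROCESS body at the end of each allocation, and keeps only records that pass basic sanity checks. The _EPROCESS size and field offsets are the Windows XP SP3 x86 layout as published in Volatility's profile and are assumptions about the target; the "dump" it runs on is a 64 KiB image constructed inline.

```python
"""Pool-tag scan for _EPROCESS objects in a raw physical-memory image (Windows XP SP3 x86).

Added example (not from the thread). Structure sizes and field offsets are the XP SP3 x86
layout published in Volatility's profile and are assumptions about the target, not values
read from the image. The sample image is constructed inline.
"""
import struct

PAGE_SIZE = 0x1000
POOL_TAG_PROCESS = b"Pro\xe3"   # "Proc" with the protected-allocation bit set, as on XP
POOL_HEADER_SIZE = 8            # _POOL_HEADER on x86
OBJECT_HEADER_SIZE = 0x18       # _OBJECT_HEADER on XP x86 (assumed)
EPROCESS_SIZE = 0x260           # sizeof(_EPROCESS), XP SP3 x86 (assumed)
# _EPROCESS field offsets, XP SP3 x86 (assumed)
OFF_DTB = 0x18                  # Pcb.DirectoryTableBase
OFF_PID = 0x84                  # UniqueProcessId
OFF_PPID = 0x14C                # InheritedFromUniqueProcessId
OFF_NAME = 0x174                # ImageFileName[16]


def parse_pool_header(image, off):
    """Decode the two packed 16-bit fields and the tag of an x86 _POOL_HEADER."""
    prev_index, size_type, tag = struct.unpack_from("<HH4s", image, off)
    return {
        "previous_size": prev_index & 0x1FF,
        "pool_index": prev_index >> 9,
        "block_size": size_type & 0x1FF,   # allocation length in 8-byte units
        "pool_type": size_type >> 9,       # 0 = freed block (exited process may still be here)
        "tag": tag,
    }


def read_eprocess(image, base):
    """Pull the fields we report and apply sanity checks that weed out false hits."""
    dtb, = struct.unpack_from("<I", image, base + OFF_DTB)
    pid, = struct.unpack_from("<I", image, base + OFF_PID)
    ppid, = struct.unpack_from("<I", image, base + OFF_PPID)
    name = image[base + OFF_NAME:base + OFF_NAME + 16].split(b"\x00", 1)[0]
    if dtb == 0 or dtb % PAGE_SIZE:          # page directory base must be page-aligned
        return None
    if pid == 0 or pid > 0xFFFF or pid % 4:  # Windows PIDs are small multiples of 4
        return None
    if not name or not all(0x20 <= b < 0x7F for b in name):
        return None
    return {"offset": base, "pid": pid, "ppid": ppid,
            "name": name.decode("ascii"), "dtb": dtb}


def scan_processes(image):
    """Carve _EPROCESS records by pool tag, independent of the kernel's process list."""
    hits = []
    off = image.find(POOL_TAG_PROCESS)
    while off != -1:
        pool_off = off - 4                    # the tag is the last 4 bytes of the pool header
        if pool_off >= 0 and pool_off % 8 == 0:
            hdr = parse_pool_header(image, pool_off)
            alloc_len = hdr["block_size"] * 8
            # the object body sits at the end of the allocation (bottom-up, as Volatility does)
            base = pool_off + alloc_len - EPROCESS_SIZE
            if (hdr["pool_index"] == 0
                    and alloc_len >= POOL_HEADER_SIZE + OBJECT_HEADER_SIZE + EPROCESS_SIZE
                    and base + EPROCESS_SIZE <= len(image)):
                rec = read_eprocess(image, base)
                if rec is not None:
                    rec["freed"] = hdr["pool_type"] == 0
                    hits.append(rec)
        off = image.find(POOL_TAG_PROCESS, off + 1)
    return hits


def build_allocation(pid, ppid, name, dtb, pool_type=1):
    """Constructed sample: one pool allocation holding a process object."""
    alloc_len = POOL_HEADER_SIZE + OBJECT_HEADER_SIZE + EPROCESS_SIZE      # 0x280
    block = bytearray(alloc_len)
    struct.pack_into("<HH4s", block, 0, 0, (pool_type << 9) | (alloc_len // 8), POOL_TAG_PROCESS)
    base = alloc_len - EPROCESS_SIZE
    struct.pack_into("<I", block, base + OFF_DTB, dtb)
    struct.pack_into("<I", block, base + OFF_PID, pid)
    struct.pack_into("<I", block, base + OFF_PPID, ppid)
    block[base + OFF_NAME:base + OFF_NAME + 16] = name.ljust(16, b"\x00")
    return bytes(block)


def build_sample_image():
    """Constructed 64 KiB 'dump': two plausible processes, one garbage hit, one misaligned tag."""
    image = bytearray(0x10000)
    image[0x1000:0x1280] = build_allocation(368, 4, b"smss.exe", 0x0A2B0000)
    image[0x4010:0x4290] = build_allocation(1234, 368, b"\xff\xfejunk", 0x12345)  # fails checks
    image[0x8008:0x8288] = build_allocation(1600, 368, b"svchost.exe", 0x0C2F1000, pool_type=0)
    image[0x9003:0x9007] = POOL_TAG_PROCESS   # tag at an unaligned offset: skipped
    return bytes(image)


if __name__ == "__main__":
    for p in scan_processes(build_sample_image()):
        flag = " (freed)" if p["freed"] else ""
        print(f"0x{p['offset']:08x} pid={p['pid']:<5} ppid={p['ppid']:<5} "
              f"{p['name']:<16} dtb=0x{p['dtb']:08x}{flag}")
```

On a real dump the equivalent is Volatility 2's `psscan` (for this system, `volatility -f memorydump.img --profile=WinXPSP3x86 psscan`), which applies fuller checks than the ones above. The point of scanning by pool tag rather than walking the kernel's process list (`pslist`) is the hidden-process case from the SANS post linked above: a process that a rootkit has unlinked from the active-process list still has a tagged pool allocation and still turns up in the scan, so the records that appear in `psscan` but not in `pslist` are the ones to look at first.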
 
Knowledge01 (author) commented:
breadtan went above and beyond to answer this question.  This question was answered with high forensic experience.
 
mikovacic_ikon commented:
I know this is a little late, but for Q2, you could just try data carving using foremost, which is a command-line data carving tool and can be found on the free HELIX disc.

Good help resources:
http://horne.wordpress.com/2010/04/11/open-source-forensic-tools-bootable-helix-versus-bootable-penguin-sleuth/

download Helix2 here:
http://www.filecluster.com/System-Utilities/Other-Utilities/Download-Helix.html

Hope this helps.
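What foremost does when pointed at a memory image, shown as an added example that is not from the thread and not foremost's own code: a header/footer carver that pulls JPEGs out by their SOI/EOI markers and finds PE images by an "MZ" stub whose e_lfanew field points at a "PE\0\0" signature. The 32 KiB "dump" it scans is constructed inline, and the signature set is just those two formats.

```python
"""Header/footer carving over a raw memory image, in the spirit of foremost.

Added example, not from the thread and not foremost's own code. Signatures: JPEG SOI/EOI
markers, and the PE 'MZ' stub validated through e_lfanew -> 'PE\\0\\0'. Sample image
constructed inline.
"""
import struct

JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
MAX_JPEG = 4 * 1024 * 1024     # give up on a header with no footer within this window


def carve_jpegs(image, max_len=MAX_JPEG):
    """Return (offset, bytes) for each SOI..EOI span; headers with no footer in range are dropped."""
    found = []
    start = image.find(JPEG_SOI)
    while start != -1:
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
        if end == -1:
            start = image.find(JPEG_SOI, start + 1)      # truncated in memory: skip it
            continue
        found.append((start, image[start:end + len(JPEG_EOI)]))
        start = image.find(JPEG_SOI, end + len(JPEG_EOI))
    return found


def carve_pe_headers(image):
    """Locate PE images by an 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    found = []
    off = image.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(image):
            e_lfanew, = struct.unpack_from("<I", image, off + 0x3C)
            pe = off + e_lfanew
            if (0x40 <= e_lfanew <= 0x400 and pe + 6 <= len(image)
                    and image[pe:pe + 4] == b"PE\x00\x00"):
                machine, = struct.unpack_from("<H", image, pe + 4)
                found.append({"offset": off, "e_lfanew": e_lfanew, "machine": machine})
        off = image.find(b"MZ", off + 1)
    return found


def build_sample_image():
    """Constructed 32 KiB 'dump': one complete JPEG, one truncated JPEG, one PE stub, one stray 'MZ'."""
    image = bytearray(0x8000)
    good = JPEG_SOI + b"\xe0" + b"constructed JPEG payload" + JPEG_EOI
    image[0x2000:0x2000 + len(good)] = good
    trunc = JPEG_SOI + b"\xe0" + b"header with no footer"
    image[0x3000:0x3000 + len(trunc)] = trunc
    pe = bytearray(0x100)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)          # e_lfanew
    pe[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", pe, 0x84, 0x14C)         # IMAGE_FILE_MACHINE_I386
    image[0x5000:0x5100] = pe
    image[0x6000:0x6002] = b"MZ"                    # 'MZ' as text with e_lfanew = 0: rejected
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for off, data in carve_jpegs(img):
        print(f"jpeg @ 0x{off:x}, {len(data)} bytes")
    for pe in carve_pe_headers(img):
        print(f"PE   @ 0x{pe['offset']:x}, e_lfanew=0x{pe['e_lfanew']:x}, machine=0x{pe['machine']:x}")
```

With foremost itself the equivalent run is `foremost -t jpg,exe -i memorydump.img -o carved`. One caveat that applies to any carver on a physical-memory image: a file's pages are not necessarily contiguous in physical RAM, so a carved object is only complete when it happened to be laid out contiguously; otherwise you get a fragment, which is why the JPEG routine above gives up on a header with no footer in range rather than gluing it to the next footer it finds.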