Comments on Windows Incident Response: Memory Collection and Analysis, part II

H. Carvey (2008-07-11 11:18):
No suggestions...other than to say that you can't do that.

Anonymous (2008-07-11 10:47):
Yes, I'm trying to substitute the physical memory dump for pagefile.sys in Volatility.... any suggestions? Thanks for the response.

H. Carvey (2008-07-11 10:19):
Tim,

Are you referring to incorporating the pagefile with a memory dump, or running it through Volatility instead of the memory dump?

If it's the latter...well, that's not what Volatility was intended for...

Anonymous (2008-07-11 08:44):
Has anyone tried using the pagefile.sys with Volatility? If so, how? It doesn't recognize it as an acceptable file - dump.
Thanks!

Anonymous (2008-07-04 21:19):
"However, *given* a reliable image, the results should be accurate, and not fooled by things like syscall hooking."

Specifically, how does this distinguish memory forensics from conventional methods of acquiring volatile evidence? MDD and win32dd don't use sysenter?

- Rossetoecioccolato.

H. Carvey (2008-07-04 05:33):
You should be contacting the authors, not posting here...

Anonymous (2008-07-03 23:56):
Are there any new updates of the mdd source code available?
Please reply

Anonymous (2008-07-03 23:54):
Hi all!
I'm trying to create mdd.exe from mdd version 1.1's zip file. I got one exe, but it's not working correctly.

-my new mdd.exe:
output
-> ERROR: Unable to extract driver!
-> ERROR: Failed to open PhysicalMemory section!

Brendan Dolan-Gavitt (2008-07-03 13:25):
Ah, I stand corrected re: DDefyM and what tools it fools.
To clarify: reliable acquisition on a system when an adversary is actively trying to subvert you (for example, through a rootkit) is hard-to-impossible.

However, *given* a reliable image, the results should be accurate, and not fooled by things like syscall hooking.

Anonymous (2008-07-03 09:00):
Moyix, on DDefyM, in actual fact, it worked against all known tools at the time I wrote it (although I didn't have a copy of EnCase to test).
I haven't tested it against mdd or win32dd due to time constraints, but looking at the code they will get duped just the same. It installs a generic hook on ZwMapViewOfSection in the kernel, so unless you bypass that the rootkit will win. It also fools a number of anti-rootkit tools that use the same kind of access for raw reads.

There are a few other methods for detection and more reliable capture, but they all suffer from pretty obvious weaknesses.

I've been thinking of resurrecting the code into something useful given the new interest, but just haven't had the time.

Anonymous (2008-06-20 18:33):
Sorry, got it. Ran
"python volatility pslist -f c:\file.dmp" from the cmd prompt. Thanks.

Anonymous (2008-06-20 17:53):
I don't understand how to use Volatility in Windows. I installed ActivePython and typed python setup.py install in the cmd prompt. The build folder was populated.
Now what?

Anonymous (2008-06-19 14:48):
That answers a lot of questions I had, thanks moyix!

Brendan Dolan-Gavitt (2008-06-19 14:39):
It's more trustworthy because it does not rely on the native APIs, which can be hooked or otherwise made to lie. This is not to say that the acquisition process could not be corrupted by a rootkit, but at present DDefyM (http://www.root.net.nz/projects.html) is the only known tool that can do this (and AFAIK it only works on Garner's old dd.exe). One could also try to capture the image using a hardware-based method, such as Firewire or a PCI-based card, which should be quite reliable (although even these could be fooled in some specific circumstances -- see Joanna Rutkowska's talk from Blackhat DC 2007 for details).

In theory it also lessens the impact on the system, as only a single tool has to be run, so the memory footprint can be minimized.

Also, you get the advantage of repeatability -- running Volatility's connections module will always show you the same output; if you're using live response tools the answer might change depending on the state of the system at that moment. A memory image gives you a frozen snapshot of the system's state to work with.

Finally, you can go back to the memory image and ask new questions as you think of them, or informed by new information. For example, your initial live response may not check for hidden processes running on the machine. With a memory image, once you realize that there might be hidden processes, you can go back and search the image for them.
If only live response is used, the system may have changed significantly (turned off, rebooted, even reinstalled) by the time you go back to run your live tools again.

Anonymous (2008-06-19 14:03):
I don't understand why you bother collecting all of the memory when you can just run trusted CLI tools to get the same data...

Is the evidence somehow more trustworthy, similar to how analyzing a file system image is more trustworthy than analyzing a live system which could be manipulated by a rootkit?

Anonymous (2008-06-18 11:29):
I just ran an image created by mdd in Volatility, just trying everything out. The mdd image worked perfectly using Volatility in Windows with ActivePython (thanks Harlan for blogging about it!). I've run the pslist and dlllist functions against the mdd image and had no errors. More experimenting to do.
This is an image from an XP SP3 machine. This stuff is really cool. :)
KP

tk_lane (2008-06-18 09:35):
It might be a bit easier to use EnCase tools to do the analysis if you capture with winen.exe. I don't know if you have tried my EnScript (http://eddandforensics.blogspot.com/) but it gets the running and exited processes from a memory dump (XP SP2) and cuts out the work of converting from .E01 to dd to use with Volatility.
PyFlag also has a nice user interface and can do analysis on .E01 memory files, but it is a bit buggy.

H. Carvey (2008-06-18 06:46):
The dump grabbed w/ mdd worked great with Volatility...in fact, there was one process that I found with Volatility and the 'dlllist' command that threw some Python exceptions...but that was from the winen/FTK RAM dump. The mdd dump ran a bit cleaner in that regard.

I'll add that to the actual post itself to be a bit more clear...

Anonymous (2008-06-18 05:15):
The name should be mdd, short for ManTech dd.

How did the image from mdd work with Volatility? What kinds of data could you extract from it?