Saturday, June 14, 2008

Memory Collection and Analysis

As a follow-on to my previous post regarding OMFW, there have been some developments in the area of memory dumping and parsing (i.e., collection and analysis) over the past couple of months.

Lance Mueller posted on the new standalone memory dumping tool that is part of EnCase 6.11. It is an interesting tool, as it apparently dumps the contents of physical memory from Windows (Windows 2000 through Vista) to an EnCase .E0x file format, for inclusion in a case. According to the documentation, there's functionality to extract that memory dump from the .E0x file format to something usable by HBGary's Responder product. Note: Initial testing indicates that FTK Imager will successfully convert the resulting .E0x files to a dd-style format for use with other tools.

Jesse Kornblum referred mdd to me. This one looks promising...it captures memory from Windows versions through Vista and 2008. Jesse posted some clarifications about this tool on his blog. As it stands, this appears to be the first free tool to dump RAM from Windows 2000 through 2008, inclusive, in a dd-style format. Note: Updated version 1.1 was released on 17 June.

So tools for collecting the contents of physical memory are becoming more widely available. From an analysis standpoint, though, I really think that you want to keep your eyes on the guys over at Volatile Systems.

Addendum: win32dd is available from Matthieu Suiche. I just found out about this, so I haven't had an opportunity to try it...but I am looking forward to adding it to the list of tools to test!

Andreas blogs on the new tools...great stuff, a very comprehensive view of where this all stands at the moment.

12 comments:

Anonymous said...

I'm unable to get mdd to work on XP SP3. I see others have had that problem too. Hope they're able to fix that.
KP

H. Carvey said...

Ken,

A couple of questions...

1. What does "unable to...work" refer to? Did you get an error msg? If so, what was it?

2. When you say, others have had that problem, what do you mean? Where (link??) are you seeing others complain about it not working?

3. Have you contacted the author(s)?

Thanks,

h

Anonymous said...

Hi Harlan,

1. When trying to run the memdd.exe file, I get this: The system cannot execute the specified program. I saw the other download for the source, but wasn't certain how to use it.

2. The problem I have isn't the same, but I saw in the bug tracker on the project site an entry that it didn't work in SP3. http://tinyurl.com/5vvue5

3. No, not yet. I'm wanting to make sure this isn't user error before writing in.

BTW, am really enjoying WFA. I stayed up way too late last night reading it.
KP

Anonymous said...

I just successfully used win32dd by Matthieu Suiche. Very slick and easy to use. Some very interesting stuff I found in RAM on my laptop. I have to leave for work right now, but I plan to spend more time on it later.
KP

Anonymous said...

Just a note, Mantech released version 1.1 of mdd today and it seems to have cleared up the issues I was having.

H. Carvey said...

Ken,

Glad to hear it!

I had seen the update this morning and added the following to the blog post:

Updated version 1.1 was released on 17 June.

I have yet to have the opportunity to test the output.

Anonymous said...

Hi all!
I'm trying to use these tools in a Windows x64 OS with no success at all. I get these errors:

-mdd.exe:
-> StartService failed (1275)
-> ERROR: Failed to stop driver, ControlService, 1062
-> ERROR: Failed to open PhysicalMemory section!

-win32dd.exe:
-Error: StartService(), Cannot start the driver. 00000002
Cannot open \\.\win32dd.

I suppose it's because the tools need to be compiled specifically for a Windows x64 OS. Does anyone know of a tool like these that is x64 compatible?

H. Carvey said...

TaU...

Okay, great info. However, for win32dd, I would recommend downloading DebugView from SysInternals and sending the contents of the capture to the author.

In both cases, I would try to provide as much information as I could to the authors of those specific tools.

Anonymous said...

Ok, thanks.

Btw, great blog ^_^!

Anonymous said...

Hi all!
I'm trying to create mdd.exe from mdd version 1.1's zip file. I got one exe, but it is not working correctly.

-my new mdd.exe:
output
-> ERROR: Unable to extract driver!
-> ERROR: Failed to open PhysicalMemory section!

H. Carvey said...

anonymous...

First, as Matthieu stated, "...some part of the source code (e.g. driver source code) are missing."

Second, you really should go to the author of the tool with comments like this, or any questions you may have. I wouldn't assume that the author is waiting for comments to appear on this blog.

Thanks.

Anonymous said...

win32dd won't work on Vista x64, since it is not an x64 driver, and 64-bit drivers need to be signed to be loaded.

have a nice day :)