What's in your RAM?
Rob Fuller, aka Mubix, of Room362.com joins us to expand on last week's discussion about the Cold Boot attacks. We cover retrieving memory from live systems, analysis with tools like volatility, and file recovery with foremost. Mubix calls it forensics for the gray hat.
Rob Fuller, aka Mubix, of Room362.com joins us to expand on last week's discussion about the cold boot attack.
This time we're imaging memory from live systems, Windows boxes specifically. I point out my favorite open source app, win32dd, which can retrieve physical memory by a couple of methods. Mubix is a fan of ManTech's MDD. Both of these tools are capable of capturing memory on Windows 2003 SP1 (Vista+) and later machines. More tools can be found at the Forensics Wiki.
Once we've captured our memory it's time to run it through a few tools to extract the good bits. Last week we touched on AESKeyFinder and RSAKeyFinder as well as Strings. This week we're using the epic memory artifact extraction utility Volatility.
This gem allows us to see deep into what a Windows box was doing at the time of memory capture, including running processes, open network connections, DLLs loaded for each process, registry handles, and more. The tool can even extract executables from memory. It's a nifty little cross-platform tool that's worth a spin. If you're looking to get your feet wet, you might want to try it against some example data, courtesy of NIST.
Best of all, Volatility is a framework that supports third party scripts. One such plugin makes it pretty simple to extract the Windows SAM from a memory sample.
We also cover using foremost, an excellent tool for recovering data from memory based on headers, footers and data structures. I can say from experience that using the -t ALL option on a dump of Mubix's memory recovers A TON of files, all nice and neat in their own folders based on extension. Thanks for the mem dump Mubix ;). If you don't have a capture of Mubix's memory, you can find samples to play with foremost at the Digital Forensics Tool Testing Images site.
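To make the header/footer carving idea concrete, here is an added example (not from the episode and not foremost's own code) of a minimal signature-based carver run over a constructed byte blob that stands in for a memory dump. The signature table, the sample blob, and the helper names carve and write_carved are my own assumptions; the per-extension output folders loosely mimic foremost's layout, and the require_footer switch shows what happens when a header is found but its footer never turns up.

```python
import tempfile
from pathlib import Path

# Header/footer byte signatures, foremost-style (assumed minimal table).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(blob, signatures=SIGNATURES, max_size=10 * 1024 * 1024,
          require_footer=True):
    """Scan blob for each header, then look for the matching footer within
    max_size bytes. Returns a list of (ext, offset, data) sorted by offset.
    If require_footer is False, a header with no footer in range is carved
    up to max_size (or end of blob), the way a carver falls back to a size cap."""
    found = []
    for ext, (header, footer) in signatures.items():
        pos = 0
        while True:
            h = blob.find(header, pos)
            if h == -1:
                break
            window_end = min(len(blob), h + max_size)
            f = blob.find(footer, h + len(header), window_end)
            if f != -1:
                end = f + len(footer)
            elif require_footer:
                pos = h + 1          # no footer: skip this header
                continue
            else:
                end = window_end     # size-capped carve without a footer
            found.append((ext, h, blob[h:end]))
            pos = end                # resume after the carved object
    found.sort(key=lambda item: item[1])
    return found


def write_carved(found, outdir=None):
    """Write each carved object to <outdir>/<ext>/<offset>.<ext> and return
    a list of (path, bytes_written). A temp directory is used if none given."""
    base = Path(outdir) if outdir else Path(tempfile.mkdtemp(prefix="carved-"))
    written = []
    for ext, offset, data in found:
        folder = base / ext
        folder.mkdir(parents=True, exist_ok=True)
        path = folder / f"{offset:08d}.{ext}"
        path.write_bytes(data)
        written.append((path, path.stat().st_size))
    return written


# Constructed sample "memory dump": filler, a fake JPEG, a fake PNG, and a PDF
# header whose footer is missing. None of the filler contains a signature.
FILLER = b"\x00" * 64 + b"random text from memory " * 3        # 136 bytes
FAKE_JPG = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"         # 46 bytes
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"  # 46 bytes
TRUNCATED_PDF = b"%PDF-1.4 " + b"D" * 20                         # no %%EOF
SAMPLE_DUMP = FILLER + FAKE_JPG + FILLER + FAKE_PNG + FILLER + TRUNCATED_PDF + FILLER


if __name__ == "__main__":
    for ext, offset, data in carve(SAMPLE_DUMP):
        print(f"{ext} at offset {offset}, {len(data)} bytes")
    for path, size in write_carved(carve(SAMPLE_DUMP)):
        print(f"wrote {path} ({size} bytes)")
```

Run it as a script and it reports a JPEG at offset 136 and a PNG at offset 318, then writes them into jpg/ and png/ folders under a temp directory; the truncated PDF is only carved if you pass require_footer=False, which is exactly the kind of size-capped, possibly garbage output you see in a real foremost run over RAM.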