Abstract
Current memory forensic tools concentrate mainly on system-related information like processes and sockets. There is a need for more memory forensic techniques to extract user-entered data retained in various Microsoft Windows applications such as the Windows command prompt. The command history is a prime source of evidence in many intrusions and other computer crimes, revealing important details about an offender's activities on the subject system. This paper dissects the data structures of the command prompt history and gives forensic practitioners a tool for reconstructing the Windows command history from a Windows XP memory capture. At the same time, this paper demonstrates a methodology that can be generalized to extract user-entered data on other versions of Windows.

Eoghan Casey is an Incident Response and Digital Forensic Analyst, responding to security breaches and analyzing digital evidence in a wide range of investigations, including network intrusions with international scope. He has extensive experience using digital forensics in response to security breaches to determine the origin, nature and extent of computer intrusions, and has utilized forensic and security techniques to secure compromised networks. He teaches at the Johns Hopkins University Information Security Institute, is the author of the widely used textbook Digital Evidence and Computer Crime, now in its second edition, and is editor of the Handbook of Computer Crime Investigation. He is also the editor-in-chief of Elsevier's Digital Investigation journal. Richard Stevens is a Senior Systems Security Analyst for T. Rowe Price, where he is responsible for digital forensics, incident response and malware analysis.
Richard holds a Bachelor of Computing (Honours) from the University of Tasmania, a Postgraduate Diploma in Information Security & Intelligence from Edith Cowan University and a Master of Science in Security Informatics from Johns Hopkins University. Richard's research is primarily focused on how memory forensics and malware analysis can be applied within the enterprise.

Copyright © 2010 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved. Open access under a Creative Commons license.

A computer's operating system and applications use the primary memory (or RAM) to perform various tasks. This volatile memory, containing a wealth of information about running applications, network connections, kernel modules, open files, and just about everything else, is wiped out each time the computer restarts. Memory forensics is a way to find and extract this valuable information from memory. Volatility is an open source tool that uses plugins to process this type of information. However, there's a problem: before you can process this information, you must dump the physical memory into a file, and Volatility does not have this ability. Therefore, this article has two parts:
I used the following test system for this tutorial, but it will work on any Linux distribution:
Install the required packages
Before you get started, install the requisite tools. If you are using a Debian-based distro, use the equivalent
Part 1: Use LiME to acquire memory and dump it to a file
Before you can begin to analyze memory, you need a memory dump at your disposal. In an actual forensics event, this could come from a compromised or hacked system. Such information is often collected and stored to analyze how the intrusion happened and its impact. Since you probably do not have a memory dump available, you can take a memory dump of your test VM and use that to perform memory forensics. Linux Memory Extractor (LiME) is a popular tool for acquiring memory on a Linux system. Get LiME with:
Build the LiME kernel module
Run the
Load the LiME kernel module
Now it's time to load the kernel module to acquire the system memory. The
You should see that the file given to the
What's in the memory dump?
This dump file is just raw data, as you can see using the
Part 2: Get Volatility and use it to analyze your memory dump
Now that you have a sample memory dump to analyze, get the Volatility software with the command below. Volatility has been rewritten in Python 3, but this tutorial uses the original Volatility (version 2) package, which runs on Python 2. If you want to experiment with Volatility 3, download it from the appropriate Git repo and use Python 3 instead of Python 2 in the following commands:
Volatility uses two Python libraries for some functionality, so please install them using the following commands. Otherwise, you might see some import errors when you run the Volatility tool; you can ignore them unless you are running a plugin that needs these libraries; in that case, the tool will error out:
List Volatility's Linux profiles
The first Volatility command you'll want to run lists what Linux profiles are available. The main entry point to running any Volatility commands is the
Build your own Linux profile
Linux distros are varied and built for various architectures. This is why profiles are essential: Volatility must know the system and architecture that the memory dump was acquired from before extracting information. There are Volatility commands to find this information; however, this method is time-consuming. To speed things up, build a custom Linux profile using the following commands. Move to the
You should see a new
To create a custom profile, move back to the Volatility directory and run the command below. The first argument provides a custom .zip with a file name of your choice. I used the operating system and kernel versions in the name. The next argument is the
Your custom profile is now ready, so verify the .zip file was created at the location given above. If you want to know if Volatility detects this custom profile, run the
Start using Volatility
Now you are all set to do some actual memory forensics. Remember, Volatility is made up of custom plugins that you can run against a memory dump to get information. The command's general format is:
Armed with this information, run the linux_banner plugin to see if you can identify the correct distro information from the memory dump:
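A first-look triage of the capture, added here as an example and not code from the tutorial or from the Volatility or LiME projects: it reports the dump's size, whether LiME wrote its lime-format range headers, and the kernel release string that linux_banner would report, which is the value the custom profile has to match. The sample dump is constructed inline, and the LiME header magic is stated in the comments.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: first-look triage of a
# memory dump before building a Volatility profile. Two facts about the
# capture matter most: which LiME output format was used (Volatility handles
# both), and which kernel the dump came from, since the profile must match it.

# LiME's "lime" format prefixes every memory range with a header whose
# magic is 0x4C694D45, which appears in the file as the bytes "EMiL".
# The "raw" and "padded" formats have no header. tr drops NUL bytes so a
# raw dump that starts with zeros does not trip the shell's NUL handling.
dump_format() {
    if [ "$(head -c 4 "$1" | tr -d '\000')" = "EMiL" ]; then
        echo lime
    else
        echo raw-or-padded
    fi
}

# Physical memory contains the kernel's boot banner in plain text, which
# is what linux_banner reports. grep -a treats the binary dump as text
# and -o prints only the match; the first hit is the kernel release string.
dump_kernel_version() {
    grep -a -o 'Linux version [0-9][^ ]*' "$1" 2>/dev/null \
        | head -n 1 | sed 's/^Linux version //'
}

# Constructed stand-in for a real capture: a lime-format range header
# (magic + version, remaining fields omitted) followed by bytes of
# "memory" around a banner in the form the kernel prints at boot.
make_sample_dump() {
    printf 'EMiL\001\000\000\000' > "$1"
    printf 'x\000\000Linux version 5.15.0-76-generic (buildd@host) #83 SMP\n\000' >> "$1"
}

# Usage: triage_dump /path/to/capture.mem
triage_dump() {
    printf 'size   : %s bytes\n' "$(wc -c < "$1")"
    printf 'format : %s\n' "$(dump_format "$1")"
    printf 'kernel : %s\n' "$(dump_kernel_version "$1")"
}
```

If the kernel string printed here does not match the kernel the profile was built from, no plugin will return sensible output, so check it before building the .zip.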
Find Linux plugins
That worked well, so now you're probably curious about how to find the names of all the Linux plugins. There is an easy trick: run the
Check which processes were running on the system when you took the memory dump using the linux_psaux plugin. Notice the last command in the list: it's the
Want to know about the system's network stats? Run the linux_netstat plugin to find the state of the network connections during the memory dump:
Next, use the linux_mount plugin to see which filesystems were mounted during the memory dump:
Curious what kernel modules were loaded? Volatility has a plugin for that too, aptly named linux_lsmod:
Want to find all the commands the user ran that were stored in the Bash history? Run the linux_bash plugin:
Want to know what files were opened by which processes? Use the linux_lsof plugin to list that information:
Access the Linux plugin scripts location
You can get a lot more information by reading the memory dump and processing the information. If you know Python and are curious how this information was processed, go to the directory where all the plugins are stored, pick one that interests you, and see how Volatility gets this information:
One reason I like Volatility is that it provides a lot of security plugins. This information would be difficult to acquire manually:
Volatility also allows you to open a shell within the memory dump, so instead of running all the commands above, you can run shell commands instead and get the same information:
Next steps
Memory forensics is a good way to learn more about Linux internals. Try all of Volatility's plugins and study their output in detail. Then think about ways this information can help you identify an intrusion or a security issue. Dive into how the plugins work, and maybe even try to improve them. And if you didn't find a plugin for what you want to do, write one and submit it to Volatility so others can use it, too.

What does the dd command do?
dd is a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files. On Unix, device drivers for hardware (such as hard disk drives) and special device files (such as /dev/zero and /dev/random) appear in the file system just like normal files.
How do you use the dd command in forensics?
The dd command in a forensics context:
1. Create an MD5 checksum of the disk using the md5sum command.
2. Create an image file of the disk using the dd command.
3. Create an MD5 checksum of the image file using the md5sum command.
4. Compare the MD5 checksum of the disk image file with the MD5 checksum of the disk.

Why should a forensic analyst use a dd command?
dd allows you to create a bit-by-bit copy of all of the information that may be on a drive or in a directory. This can obviously be very useful if you need to capture this information in order to perform additional analysis later.
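The four-step hash-image-hash-compare procedure above as one shell function; this is an added example, not the page's own commands. It assumes md5sum and a GNU-style dd, and uses a constructed 4096-byte file in place of a disk; a real run would point SOURCE at a block device (a placeholder such as /dev/sdX) rather than a file.

```shell
#!/bin/sh
# Added example, not from the original text: image a source with dd and
# verify the copy by comparing the hash taken before imaging with the
# hash of the image afterwards.

# image_and_verify SOURCE IMAGE [BLOCKSIZE]
# Prints both hashes and returns 0 only if they match.
image_and_verify() {
    src=$1; img=$2; bs=${3:-512}
    # Step 1: hash the evidence before touching it.
    before=$(md5sum < "$src" | cut -d ' ' -f 1)
    # Step 2: copy it block by block. conv=noerror keeps going past
    # unreadable blocks and sync zero-fills them so later offsets stay
    # correct. Caveat: sync also zero-pads the final block, so pick a
    # BLOCKSIZE that divides the source size (Linux sizes every block
    # device in 512-byte sectors, so 512 always does) or the image hash
    # will differ from the source hash even though nothing was lost.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>/dev/null || return 1
    # Step 3: hash the image.
    after=$(md5sum < "$img" | cut -d ' ' -f 1)
    # Step 4: compare; any difference means the copy is not faithful.
    printf 'source %s\nimage  %s\n' "$before" "$after"
    [ "$before" = "$after" ]
}

# Constructed evidence: 4096 bytes (8 sectors) of pseudo-random data.
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null
}
```

With bs=512 or bs=4096 the hashes agree; with a block size such as 1000 that does not divide 4096, the padded image is 5000 bytes and the check correctly fails.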
What is a dd image?
A DD file is a disk image file and a replica of a hard disk drive. A file with the extension .dd is usually created with an imaging tool called dd. The utility provides a command line interface to create disk images on a system running a UNIX or Linux OS.