Rob Fuller, aka Mubix, of Room362.com joins us to expand on last week’s discussion about the Cold Boot attacks. We cover retrieving memory from live systems, analysis with tools like Volatility, and file recovery with foremost. Mubix calls it forensics for the gray hat.


Rob Fuller, aka Mubix of Room362.com, joins us to expand on last week’s discussion about the cold boot attack.

This time we’re imaging memory from live systems, Windows boxes specifically. I point out my favorite open source app win32dd, which allows retrieval of physical memory via a couple of methods. Mubix is a fan of ManTech’s MDD. Both of these tools are capable of capturing memory on Windows 2003 SP1 (Vista+) and later machines. More tools can be found at the Forensics Wiki.

Once we’ve captured our memory it’s time to run it through a few tools to extract the good bits. Last week we touched on AESKeyFinder and RSAKeyFinder as well as Strings. This week we’re using the epic memory artifact extraction utility Volatility.

This gem allows us to see deep into what a Windows box was doing at the time of memory capture, including running processes, open network connections, DLLs loaded for each process, registry handles, and more. The tool can even extract executables from memory. It’s a nifty little cross-platform tool that’s worth a spin. If you’re looking to get your feet wet you might want to try it against some example data, courtesy of NIST.

Best of all, Volatility is a framework that supports third party scripts. One such plugin makes it pretty simple to extract the Windows SAM from a memory sample.

We also cover using foremost, an excellent tool for recovering data from memory based on headers, footers and data structures. I can say from experience that using the -t ALL option on a dump of Mubix’s memory recovers A TON of files, all nice and neat in their own folders based on extension. Thanks for the mem dump Mubix ;). If you don’t have a capture of Mubix’s memory you can find samples to play with foremost at the Digital Forensics Tool Testing Images site.
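To make concrete what foremost’s header/footer carving does on a memory dump, here is an added Python example (not foremost’s own code and not from the show): it scans a constructed in-memory buffer for JPEG and PNG signatures, cuts each hit at its footer or at a size cap, and writes the results into per-extension folders the way foremost -t ALL lays them out. The signature table and sample dump are constructed for illustration.

```python
# Added example: a minimal header/footer carver in the style of foremost,
# run over a constructed in-memory "dump". Not foremost's own code.
import os
from typing import Dict, List, Optional, Tuple

# extension -> (header, footer, max_size). JPEG/PNG magic bytes are the real
# well-known ones; foremost's config file carries many more types than this.
SIGNATURES: Dict[str, Tuple[bytes, bytes, int]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
}

def carve(data: bytes, types: Optional[List[str]] = None) -> Dict[str, List[bytes]]:
    """Find each header, then cut at the next footer (or at max_size when the
    footer is missing, which is common in RAM). types=None behaves like -t ALL."""
    wanted = types or list(SIGNATURES)
    found: Dict[str, List[bytes]] = {ext: [] for ext in wanted}
    for ext in wanted:
        header, footer, max_size = SIGNATURES[ext]
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end == -1:   # no footer within range: keep a max_size chunk
                chunk = data[pos:pos + max_size]
            else:
                chunk = data[pos:end + len(footer)]
            found[ext].append(chunk)
            pos = data.find(header, pos + len(chunk))   # resume after this file
    return found

def write_out(found: Dict[str, List[bytes]], outdir: str) -> List[str]:
    """Write carved files to outdir/<ext>/<n>.<ext>, mirroring foremost's layout."""
    paths = []
    for ext, blobs in found.items():
        folder = os.path.join(outdir, ext)
        os.makedirs(folder, exist_ok=True)
        for n, blob in enumerate(blobs):
            path = os.path.join(folder, f"{n:08d}.{ext}")
            with open(path, "wb") as fh:
                fh.write(blob)
            paths.append(path)
    return paths

# Constructed sample "memory dump": padding, a fake JPEG, junk, a fake PNG, padding.
SAMPLE_DUMP = (b"\x00" * 16 + b"\xff\xd8\xff\xe0JFIF-body\xff\xd9" + b"garbage" * 3
               + b"\x89PNG\r\n\x1a\nIHDR...IDAT...IEND\xaeB`\x82" + b"\x00" * 8)

if __name__ == "__main__":
    for ext, blobs in carve(SAMPLE_DUMP).items():
        print(ext, [len(b) for b in blobs])   # jpg [15], png [30]
```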

We’ll be back in studio next week with Matt. Of course be sure to send your feedback to feedback@hak5.org, post in the forums or respond in the comments.

And don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.


27 Comments

  • Pizza 5 years ago

    @19:20 it’s a ghetto bird :P

  • I dd’d the image to my pen drive (dd if=scraper.bin of=/dev/sdi), and there’s no longer a readable partition. The ram dump seems to chug along just fine, though. How do I get the image off my thumb drive without a readable partition?

  • @Hans, in the memory imaging package there is a tool called usbdump. Run “./usbdump /dev/sdi > memdump.img” to copy the image from your USB drive to a local file. You can find it as part of this package:
    http://citp.princeton.edu/memory-content/src/bios_memimage-1.2.tar.gz

  • hi
    it keeps getting
    volatility: error: Unable to locate valid DTB in image.
    from my memory dump

  • @Darren, thanks. I’ll give that a shot. I was starting to get frustrated, like I did something wrong.

  • AltarCrystal 5 years ago

    Great info. I did some experimenting out of curiosity. TweetDeck has your twitter password in the oh-so user friendly format of username:password, which I just used strings and grep to find.

    Great show guys, keep up the great work.

  • whedgit 5 years ago

    Must say, I’ve had my fingers crossed for more forensics to come up and I can’t wait to watch the new ep.

    Keep up the great work!!

  • Ok, so I made a copy of the memory with win32dd, then I used aes to extract the keys. Then what? How do I use the keys ( not plain text passwords ) to open an encrypted file/drive of truecrypt ?

  • I would love to hear about the firewire ipod hack :)
    Great show.

  • Arthur G Pym 5 years ago

    First of all, I like you bunch of nerds, thank ya!
    Can’t the memory be manually cleared through a little gem at the shutdown process?

    best regards…

  • Lovin’ the forensics stuff…keep it up! I do forensics in my job and love trying out new stuff. Check out the malfind plugin for Volatility. Very cool stuff.
    Keep up the good work!
    Ken

  • Great show! Do you use a steadycam?

    Johnny Chung Lee, Human Interface Interaction Researcher at Carnegie Mellon University, has some great instructions on how to build your own $14 steadycam.

    If you don’t already have a solution in place, maybe it’d make a good, quick topic for the show.

  • Geomancer 5 years ago

    Can anyone make out what the guy in the very last blooper says to Darren?

  • JumperX 5 years ago

    @ Darren

    What is the name of the bag for your laptop that you were carrying in this episode?

    Great show. I’m one of the people who subscribes through my Tivo. It’s a sweet way to watch podcasts on my big screen TV. Just a little fyi, the links on your lower thirds had the left side cut off. That can be resolved by keeping them in the TV safe area when you’re editing. I’m a video editor for a TV station (and THE I.T. Dept/Sys Admin) and I also post our news broadcasts (converted from mpeg to flash with Sorenson) to our TV station’s website so I’ve seen the difference between what shows in a flash player (everything) and what you see on TV. It’s not a big deal, I came here to find the links to foremost and the other tools you mentioned. I’d love to see more shows on forensics.

    Since I’m here, it’s a good time to tell you I’m a long time viewer. I think I found you when you were still in your first season about the 4th episode in. I’m an old Sch00l3r. Which means I’m 40 and started with an Apple ][+ in ’82 and a 300 baud modem. I consider myself pretty knowledgeable about “computer/network security” and really like your show because you teach this 0ld Dawg some new tricks. If you see Dr-Gonzo on your irc server, that’s me. Anyways, thanks for all the shows and info! And keep up the great work! Thanks for teaching me to Trust My Technolust ;)

  • steveo17 5 years ago

    gr8 shows dudes i loved all d info in it, this show is 100% more qualified to teach computer skills than any ecdl courses im involved with, although the show was gr8 i missed d multiple segments from matt and snubs and the multitude of topics consequently making the show shorter however i got a crash course in ram and its contents while watching it so tyvm guys

  • Carl Campbell 5 years ago

    I’ve been watching for a while now but have to stop and say your show is the best thing that ever happened to my tv experience

  • Hey do you use Flash CS4 to make your videos?

    -Eric

  • Derek 5 years ago

    What up with Darren and snubs dressing alike?

  • pakhet 5 years ago

    Snubbs dresses Darren. It’s a whole ger-animals deal. The tiger paw shirt matching the tiger paw pants. I miss having geranimals, they made mornings so much easier. Sigh.

  • Jefferson 5 years ago

    Hi, why can’t some memory be dumped?

    -> Dumping 1014.11 MB of physical memory to file ‘C:\dumpram.img’.
    -> WARNING: Failed to map at offset 00000000 00002000! 487
    -> WARNING: Failed to map at offset 00000000 00003000! 487
    -> WARNING: Failed to map at offset 00000000 00004000! 487
    -> WARNING: Failed to map at offset 00000000 00005000! 487
    -> WARNING: Failed to map at offset 00000000 00006000! 487
    -> WARNING: Failed to map at offset 00000000 00007000! 487
    -> WARNING: Failed to map at offset 00000000 00008000! 487
    -> WARNING: Failed to map at offset 00000000 00009000! 487
    -> WARNING: Failed to map at offset 00000000 09100000! 487

    259603 map operations succeeded (1.00)
    9 map operations failed

  • Kurt Oestreich 4 years ago

    One of the interesting breadcrumbs that you left was for the forensics wiki at:

    http://www.forensicswiki.org/wiki/Tools:Memory_Imaging

    Excellent site. I followed the links there to the system internals tool livekd at:

    http://technet.microsoft.com/en-us/sysinternals/bb897415.aspx

    Which led me to grab the kernel debugger (now free!!! I have Ida, but this is so cool!!! I knew my masm was worthwhile) at:

    http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx

    Which gives the debugger. And this led me to… Free kernel symbols!!! at:

    http://www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx#f

    Whew. The tools Darren and the other bloke, Mubix referenced required administrator login. The tools from Microsoft/Sysinternals don’t, and can be made portable, for the most part, except perhaps for the symbols, but I think I could make that work too.

    In any case, you two uber dudes left me a really cool trail of breadcrumbs to follow and get some massive memory hacking/debugger tools for my computer. I never bought the msoft tools because they were 1. expensive and 2. bloated. But just having the kernel debugger, combined with masm and tasm (Borland orphan) tools, makes for some real butt kicking fun!

    Yahoo!

    -Kurt

  • naghu 3 years ago

    Good morning dude,
    I used win32dd to extract an image of my pc’s RAM. When I use the image file (.dmp file) in the volatility framework I am getting an error: volatility: error: Unable to locate valid DTB in image. What’s the prob dude..?