A lot of older computers have issues booting from USB. I have computers that can’t boot from USB, and so do some of the people who have wanted to experiment with msramdmp. A few people have asked about booting msramdmp from a CD (and one person emailed to say they had done it themselves!), so I’ve decided to make an ISO of it available.

Be warned, however: there are some problems with doing things this way. You still must write the data somewhere! If your BIOS doesn’t allow you to boot from a USB drive, there’s a good chance it also won’t map USB drives in a way that msramdmp can see or write to (although some BIOSes might). You may wind up having to put msramdmp partitions on an internally connected drive, which makes this less desirable as a pentest tool but still lets you experiment with imaging RAM. Experiment with this, your drives, and your BIOS to figure out exactly how everything needs to be set up.

You can download a bootable ISO of msramdmp here:

Note that this hasn’t been tested very heavily (I threw it together just now). If you run into problems with it, feel free to get in touch with me and I’ll try to help you out.

  24 Responses to “msramdmp Now Available as a Bootable ISO”

  1. msramdmp as a boot ISO…

    msramdmp is now also available as a boot ISO image. As a reminder: msramdmp is a small program that saves the contents of RAM after a cold boot to a USB stick or similar.
    Download of the ISO image
    ……

  2. The msramdmp CD is not detecting any USB.
    I tried to dump a RAM image on a FAT16-partitioned USB using the ISO version.
    Please help.

  3. Hi Kamal!

    msramdmp will not dump to a fat16 partition, nor any other kind of filesystem. To keep things small and simple, it dumps directly, bit for bit, to partitions marked with a special type. It does this with no filesystem metadata.

    The main msramdmp page has the steps you can follow to create a usb drive msramdmp will dump to:

    http://www.mcgrewsecurity.com/tools/msramdmp/

  4. Hi,
    can you please upload the syslinux.tar file? It’s not in the URL.
    root@ubuntu:/home/speedo/Desktop/syslinux-3.61/unix# ls
    Makefile syslinux syslinux.c syslinux-nomtools

    It showed only these files. Can you please help me!!!

  5. Thanks for your post!!!!
    I have mounted the RAM image, but how can I open this dumped image? On the USB there is no text file!!!!

  6. You can get a newer version of SysLinux here: http://www.kernel.org/pub/linux/utils/boot/syslinux/ , and msramdmp will probably work. If it doesn’t, version 3.61 is still available in the “Old” directory at that site.

    As for “opening” the dumped image… there really aren’t a lot of tools around for analyzing RAM images. For starters, you could just run “strings” on it to find the printable strings. You can also try data carving tools like foremost and magicrescue. Beyond that, you could write your own tools for finding exactly what you want, if you know the kinds of data structures you’re looking for :)

  7. When I try to run this on my Windows machine I get the following error:

    “No unused mrsamdmp partitions found”
    Boot:

    Then if you enter a drive letter it says

    “Could not find Kernal Image”

    What am I doing incorrectly?

  8. Hi complience!

    Even with this CD version of msramdmp, you still need to follow the instructions for the bootable USB version, in order to have some place to write the image of RAM:

    http://www.mcgrewsecurity.com/tools/msramdmp/

    Once you have a partition on a drive your BIOS can see, marked with the correct partition type, msramdmp should dump to it. msramdmp doesn’t know anything about drive letters; I imagine that was a syslinux bootloader prompt you were typing at.

  9. Thanks, I was being thick.

    Unfortunately I don’t have access to my Ubuntu box at the moment and I’m stuck on a Windows machine.

    I’ve tried formatting my USB using a GParted Live CD and created four partitions, e.g. one small boot FAT16 partition and three large FAT32 partitions.

    But it doesn’t seem to give you the option to set a partition’s label type, which I understand I need to set to a value of 40. So I’m stuck. Anyone know of a way I can do this on a Windows box?

  10. Found a great tool called plppart32; it lets you set the type on partitions from the Windows command line.

    So, done that: set up my USB, still getting the error

    “No unused mrsamdmp partitions found”

    Probably haven’t set up the USB partitions in the correct venix80286 format.

    http://www.plop.at/de/windowstools.html
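As an added example (not msramdmp’s own code) of what comments 8 to 10 are working towards: the MBR partition table, the type byte of 0x40 (the “Venix 80286” value 40 set with plppart32 or cfdisk), and whether such a partition is large enough for a RAM image. That msramdmp selects targets by this type byte is the page’s description, while what counts as “unused” is left to msramdmp itself; the MBR bytes below are constructed inline.

```python
import struct

MSRAMDMP_TYPE = 0x40  # "Venix 80286" in fdisk; the type msramdmp dumps to
SECTOR = 512

def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = e[4]                                  # partition type byte
        if ptype == 0:
            continue                                  # empty slot
        lba_start, sectors = struct.unpack_from("<II", e, 8)
        entries.append({"index": i + 1, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def msramdmp_targets(mbr: bytes, ram_bytes: int):
    """Partitions of type 0x40 and whether each can hold an image of ram_bytes.
    Whether a partition counts as 'unused' is decided by msramdmp itself;
    this only checks type and capacity."""
    out = []
    for p in parse_mbr(mbr):
        if p["type"] == MSRAMDMP_TYPE:
            cap = p["sectors"] * SECTOR
            out.append({**p, "capacity": cap, "fits_ram": cap >= ram_bytes})
    return out

def make_entry(ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build a 16-byte entry; CHS fields stay zero since only LBA matters here."""
    return struct.pack("<B3xB3xII", 0, ptype, lba_start, sectors)

def constructed_mbr() -> bytes:
    """Constructed sample MBR: a 32 MiB FAT16 boot partition, a 4 GiB and a
    1 GiB type 0x40 partition, fourth slot empty."""
    table = (make_entry(0x06, 2048, 65536)
             + make_entry(MSRAMDMP_TYPE, 67584, 8388608)
             + make_entry(MSRAMDMP_TYPE, 8456192, 2097152)
             + bytes(16))
    return bytes(446) + table + b"\x55\xaa"
```

Run `msramdmp_targets(open("/dev/sdX", "rb").read(512), ram_bytes)` against the real stick to see which 0x40 partitions exist and whether the 4 GiB sizing recommended later in the thread is met.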

  11. I got my USB partitions set up correctly using cfdisk in Ubuntu.

    I dumped the contents of my memory to the stick.

    I was surprised by the amount of data:

    I only have 2 gig of RAM on this laptop, but the amount of data output to the USB is 7.5 gig?

    Can someone explain this?

  12. Hi Complience! I’m happy you’re getting it to work.

    Since msramdmp does not write any filesystem or size metadata, if your target partition is larger than the size of RAM, then it’s difficult to tell where your image of RAM stops in it :) . msramdmp does a little bit of shady math with the results from a BIOS interrupt call to calculate how much memory there is to image, but I can’t guarantee that it works in every situation. I can say that it shouldn’t write more than 4 gigs of data to the disk, so, unless you have prior knowledge of the target laptop’s RAM, a 4 gig msramdmp partition is a good choice.

    This is why I recommend wiping the partition with zeros before imaging, so you won’t get any previous filesystem/image data getting in the way of your analysis :)

  13. I tried it with a 2 gig USB and it said it ran out of space.

    I am wiping the partitions with zeros before imaging.

    99% of the data is unreadable.

    I am also noticing a large number of error messages:

    “PXE-E20: BIOS extended memory copy error.”

    Please note: it’s the CD booting method I’m using. Any ideas what’s going on?

  14. Imaging 2 gigs of RAM to a 2 gig USB drive might fail due to the fact that drive sizes are often somewhat smaller than the manufacturers advertise (depends on whether they count 1,000 bytes per kilobyte, or 1024). Even if it was exactly 2 gigs in size, you’d miss the very last bit of RAM since the beginning of your drive is taken up by a partition table and such.

    The error message sounds pretty bad. That’s not something that msramdmp is outputting, and from googling around, it looks like your BIOS doesn’t like what msramdmp is trying to do. Unfortunately, without access to the hardware, there’s not much of a way for me to figure out why, and no guarantee that I could fix it if I did.

  15. I’ve attached the beginning of the data file output.

    I’m hoping you can tell me if it’s working as designed.

    Sorry, it’s 30 MB .rar compressed.

    If that’s too big I’ll cut it down some more.

    http://dc98.2shared.com/download/4228658/5a3ac175/disk1.rar?tsid=20081106-103918-15c96454

  16. too big?

  17. I haven’t had a chance to take a look at it, but you might want to run the “strings” command over it to see if there are any ASCII strings captured from memory. That would be a good indication that it is working; however, it’s no guarantee, since you appear to be getting some errors, as you stated earlier.

  18. I’ve been looking at it in a text editor.

    Just running a search for the encryption password key.

    Going to give the self-booting USB method a go, see if it’s any luckier.

  19. Looking at a binary dump of RAM in a text editor probably isn’t going to work out well for you.

  20. Why’s that?

    How should I go about examining the contents of the file that’s produced?

    I successfully dumped the memory using the USB booting method.

    Looking at it in my text editor
    I still get these errors near the start
    PXE-E20: BIOS extended memory copy error.

    in and amongst what looks like random data.

    Here’s a small sample of what it’s like:

    ÿýÿÿ¿æå¾ÿ?¿ÿÿOéÿ¼ÿÿÿowÿÿý}ÿÚž·ÿü÷ÿÿÿsûÿöÿÿÿÿûßÿÿÿßûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿûþýÿÿÿÿû÷ÿÿÿ÷ÿÿÿ÷ÿÿÿÿÿþÿÿÿÿïÿÿ¾ßçÿÿ¿ÿŠöíÿýûÿד»ÿÿÿÿÿýœoÿûþÿÿ¸üÿßÿÿÿû´ÞÿÿOÿÿ½ÛÖÿõößÿßEÚÿß÷ÿÿÿ{ú¿ï[ÿïÿÿÿmïÿÿÿÿÿÿÿÿÿÿÿÿÿÿþÿÿÿÿïÿÿ=»ÿÿÿÿÿÿÿûÿÿÿÿÿÿÿïÿÿýÿÿÿÿÿÿÿÿÿõÿ}ÿÿÿÿÿÿõÿÿÿö?ûÿÿÿ÷ýÿ?}ÿÿ­þÿûÿÿÿï~ÿ÷ÿûÿŸÉûÿØmÿÿ}?ÿç÷ÿÿÿ¼¹ÿÿ»ÿÿÿÿþÿÿÿÿÿþÿÿÿÿÿÿÿÿûÿÿöÿÿßÿÿÿ¿çÿÿîÿÿïûïÿ×ÿµÿÿÿÿÿÿÿÿÿÿÿÿÿÿûÿçÿíÿû­¿ÿÿï¯ÿÇÿÿöÿýýråÿþïçÿë¼>ÿÿÿûÿÿÍÖÿûÿý¾sþÿïÿ÷ÿßç¯ÿú÷¿ÿýþöÿûŸÿ¿ÿ¿ÿûoóÿÿÿÿÿïÿÿÿÿÿÿÿÿÿÿÿÿnÿÿÿÿýÿÿÿ[ûÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿßÿÿÿÿÿßïÿÿßÕëÿÞçÿÿõ¿ÿë¿ÿ¿|Ûÿ½ÿÿÿÿí~ÿÿ?þþÿ¾–ÿÿ÷ÿÿ\ßóþÿÿ¿~ÿÿïÿÿ¿–~ÿþù÷Ýßÿÿÿÿ÷ÿßýÿÿÿÿÿÿÿÿþÿÿÿþû¯÷ÿÿÿÿïÿ÷¿ÿ¿ïÿõÿë¿wÿïû>ûßïÿÿúÿÿÿÿÿ÷¿ÿÿ÷À¶ÿÿêÿý¿?ïÿÿÿÿ˜7ÿÿ¼ÿÿ÷‚¿ÿŸõíûÿ_Ëÿþ¯ïïýz_ÿùÿÿÿïaéÿÿOÿÿé¹ñÿþÏ

  21. I’d recommend using a hex editor, and/or some forensic carving tools such as foremost and magic rescue. The “strings” command can also help you find printable strings within the binary data.

  22. But the data I’m getting isn’t hexadecimal.

    It’s a combination of ASCII plain text and the random data you see above.

  23. By viewing it in a text editor, you’re only seeing that text editor’s translation of the data into printable characters. Obviously, the majority of the data you’re looking at isn’t meant to be viewed as ASCII text, so it makes more sense to look at it in a program that shows you the hexadecimal value of each byte. With a good hex editor, you’ll be able to search for text within the data in ASCII or Unicode, as well as examine the data surrounding the text. This can help you develop an idea of how to find that same text (such as a password) in another RAM dump.

    Hexadecimal isn’t a type of data, it’s a representation of it. Also, you don’t know if the data you’re looking at is random, without testing its entropy in some way. In RAM, you’ll find lots of data, such as images and machine-executable code that may look random to you, but actually has some purpose.
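An added example, not code from the post or from msramdmp, of the analysis that comments 12 and 23 describe: finding where the image stops in a zero-wiped partition (there is no size metadata, so the trailing zeros are the only marker), testing entropy per block instead of guessing that data is “random”, and pulling printable strings the way “strings” does. The dump bytes are constructed inline; the entropy thresholds are this example’s own choice.

```python
import math
import re
from collections import Counter

BLOCK = 4096  # analysis granularity (one 4 KiB page)

def image_end(dump: bytes) -> int:
    """Offset where the RAM image stops in a dump of a zero-wiped partition.
    msramdmp writes no size metadata, so the trailing zeros of a wiped
    partition are the only marker of where the image ends."""
    return len(dump.rstrip(b"\x00"))

def block_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 = constant, 8.0 = uniform."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_blocks(dump: bytes, block: int = BLOCK):
    """Label each block: zero (wiped/unused), high (>7.5 bits: compressed,
    encrypted or key-like), text (>90% printable ASCII) or other (code,
    structures, images). Thresholds are this example's own choice."""
    out = []
    for off in range(0, len(dump), block):
        b = dump[off:off + block]
        h = block_entropy(b)
        if not b.strip(b"\x00"):
            label = "zero"
        elif h > 7.5:
            label = "high"
        elif sum(32 <= x < 127 or x in (9, 10, 13) for x in b) / len(b) > 0.9:
            label = "text"
        else:
            label = "other"
        out.append((off, round(h, 2), label))
    return out

def find_strings(dump: bytes, min_len: int = 8):
    """What 'strings -n 8' does: runs of printable ASCII of at least min_len."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, dump)]

def constructed_dump() -> bytes:
    """Constructed stand-in for a raw partition dump, not a real RAM image."""
    text = (b"PXE-E20: BIOS extended memory copy error.\r\n" * 100)[:BLOCK]
    high = bytes(range(256)) * (BLOCK // 256)           # uniform: 8.0 bits/byte
    other = b"\x00\x48\x89\xe5" * (BLOCK // 4)          # code-like pattern: 2.0 bits
    return text + high + other + b"\x00" * (3 * BLOCK)  # tail of the zeroed partition
```

On a real dump, `classify_blocks(open("dump.raw", "rb").read())` gives a per-page map where the “high” blocks are the candidates worth examining in a hex editor, and `image_end` tells you how much of the 4 gig partition actually holds the image.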

  24. Thank you for this utility!

© 2012 McGrew Security Suffusion theme by Sayontan Sinha