- msramdmp

 


msramdmp: McGrew Security RAM Dumper

Creating bootable USB drives for capturing the contents of memory

Hello CanSecWest 2008 Attendees! Check out this blog post for links to more
information on this site on the topic of msramdmp.

Overview

A short while back, researchers at Princeton University published a paper (“Lest We Remember: Cold Boot Attacks on Encryption Keys”) describing how encryption keys can be recovered from memory after a cold boot. This surprised many people, since most assume that RAM, being volatile storage, is erased the instant power is removed. That assumption is incorrect: DRAM keeps its contents for seconds to minutes after power is cut, and longer still if the chips are cooled.

When the idea of memory retaining state for a short time was first brought to my attention a little over a year ago, I ran a few experiments similar to this one, just to prove it to myself. The desktop machines I tried would hold state for anywhere between 5 and 10 seconds without power, whereas my laptop, with no battery or wall power, would maintain state for an amazing 10 minutes. I used a bootable Linux CD to image the memory of a Windows machine for data carving, and found some interesting things. The footprint of the Linux OS was huge, though, and it overwrote much of the memory I wanted to capture from the previously running operating system.

The Princeton researchers applied this method to the recovery of encryption keys, with great results. They also came up with a way to image the contents of RAM with a very small footprint, overwriting only a small amount of memory in the process. Unfortunately, at the time of writing, their tool, ram2usb, hasn’t been released. I decided it wouldn’t be hard to implement one myself, based on their paper and the video they posted, so that I (and others) can go ahead and start having fun.

So, as a small side project, I’ve written “msramdmp”, the McGrew Security RAM Dumper. Enjoy!

Download

  • msramdmp.tar.gz – The compiled com32 executable,
    ready for use with SysLinux. Also, the C source code is included, along with some things
    needed to compile and link it properly.

    This version fixes a bug where the first section of memory wasn’t being dumped correctly. Redownload if you downloaded this before 2:00PM March 5th, 2008.

  • syslinux-3.61.tar.gz – This is the exact version
    of SysLinux that I’m using here. You’ll need this to prepare a USB drive for capturing RAM, and to compile modifications to the msramdmp source.

  • msramdmp_cd.iso – This is a bootable CD version of msramdmp that I made with isolinux. Please read this blog posting for information on using this. You’ll still need a drive hooked up that msramdmp can write to through BIOS interrupts.

Usage

This isn’t the most user-friendly program out there. It’s small and low-level, and if it doesn’t do exactly what you want, your only real recourse is to hack at the code yourself. Or email me if you’re in a real bind ;) . It’s also very hard to test it for proper operation in a lot of different situations, since I just don’t have the hardware. If something does go wrong and you manage to figure out why, definitely let me know the details.

msramdmp is compiled into a standalone “com32” application that SysLinux executes, so it’s tiny. To get it going on a USB drive, you’ll have to prepare the drive properly. I’ll show how to do this in Linux, but the concepts apply wherever you want to do it.

For this demo, I’ll be showing screenshots from preparing a 1 gig flash drive in my Linux VM.

First, wipe the drive you plan to use, overwriting everything with zeros. That removes any chance that old data on the drive will be mistaken for something copied from RAM. It might take a while, depending on the size of the drive.

Next, create a partition table on the disk. I like to use cfdisk. You want a very small FAT16 partition in front (marked bootable), and up to three partitions of type 0x40 (an MBR table only has four primary entries; cfdisk lists type 0x40 as “Venix 80286”). This is the partition type msramdmp looks for to decide where to dump memory. When msramdmp finds one of these partitions, it marks it as used by changing the partition type to 0x41, and then copies memory to it. The marking prevents a later run from overwriting a dump, unless you specifically go in and change the partition type back to 0x40. Each msramdmp partition needs to be big enough to hold the amount of memory in your target computer (a little extra won’t hurt).

Write the partition table out to disk and exit. Now, create a filesystem for the fat-16 partition.

Now, you’ll need to install SysLinux to the drive. After you have extracted and compiled the contents of the SysLinux tarball, move into SysLinux’s “/mbr/” directory and write the master boot record that is there to the drive.

Back up a directory, then go back down into “/unix/”, where you’ll install SysLinux to the drive.

Now you can mount the FAT16 partition and copy “msramdmp.c32” and “syslinux.cfg” to it from the msramdmp archive you downloaded.

Your drive should be ready now! Be sure that the computer you’re dumping supports booting from USB devices. Many newer PCs do, but the support can be buggy and picky about drives.

Here’s a screenshot of what msramdmp looks like when it runs on a system:

This was taken in VMware, with a virtual hard drive as the boot device, since VMware doesn’t support booting from USB. Interestingly, while VMware does not retain anything in a VM’s memory across a cold boot, it does retain the contents when the virtual machine is simply rebooted.

When you’re ready to analyze the memory you’ve dumped, read the data straight out of the partitions marked with type 0x41. There is no filesystem on them, just a raw image of RAM starting at the first sector, so you can copy a partition to a flat file with dd or examine it in place. One way to quickly see whether you’ve recovered data from the previous boot of the computer is to run strings on the RAM image and look for strings that are not part of msramdmp or SysLinux; the low end of the image will contain the bootloader and msramdmp themselves, since they were loaded into memory to run.
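The preparation steps above and the dd/strings check in the last paragraph, as an added example: this is editor-supplied Python, not msramdmp’s own code or anything shipped with it. It builds the MBR layout msramdmp looks for on an image file, replays the 0x40-to-0x41 marking msramdmp does at boot, copies a finished dump to a flat file the way dd does, and diffs the dump’s strings against the tool footprint. Assumptions not stated on the page: msramdmp and SysLinux locate partitions by their LBA fields (the CHS fields are filled with the conventional FE/FF/FF), the boot partition starts at sector 2048, and each dump partition is the RAM size plus 1 MiB of slack. It does not create the FAT16 filesystem or install SysLinux; those remain the mkfs and syslinux steps above.

```python
"""Added example (not msramdmp's own code): the MBR layout msramdmp expects, its
claim-and-mark step, and the dd-style extraction, run against an image file.
Assumptions not stated on the page: msramdmp and SysLinux use each entry's LBA
fields (CHS is filled with FE/FF/FF), the boot partition starts at sector 2048,
and each dump partition gets 1 MiB of slack over the RAM size.
Writing this to a real /dev/sdX needs root and destroys whatever is on it."""
import os
import re
import struct
import tempfile

SECTOR = 512
FAT16 = 0x06          # boot partition: SysLinux + msramdmp.c32 + syslinux.cfg
DUMP_FREE = 0x40      # the type msramdmp scans the table for
DUMP_USED = 0x41      # what msramdmp rewrites the type to once it has dumped there
CHS_FILL = b"\xfe\xff\xff"
ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE = 446           # offset of the four 16-byte entries inside the MBR


def build_mbr(ram_bytes, dump_parts=3, boot_sectors=2048, bootstrap=b""):
    """One bootable FAT16 entry, then dump_parts type-0x40 entries sized for
    ram_bytes. bootstrap is the 446-byte code area (syslinux's mbr.bin)."""
    if not 1 <= dump_parts <= 3:
        raise ValueError("an MBR has four primary entries: one boot + up to three dumps")
    dump_sectors = -(-ram_bytes // SECTOR) + 2048        # round up, plus 1 MiB slack
    entries = [struct.pack(ENTRY, 0x80, CHS_FILL, FAT16, CHS_FILL, 2048, boot_sectors)]
    lba = 2048 + boot_sectors
    for _ in range(dump_parts):
        entries.append(struct.pack(ENTRY, 0, CHS_FILL, DUMP_FREE, CHS_FILL, lba, dump_sectors))
        lba += dump_sectors
    entries += [bytes(16)] * (4 - len(entries))
    return bootstrap[:TABLE].ljust(TABLE, b"\x00") + b"".join(entries) + b"\x55\xaa"


def parse_mbr(mbr):
    """Non-empty entries as dicts; raises if the 0x55AA signature is missing."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, mbr, TABLE + 16 * i)
        if ptype:
            parts.append({"index": i + 1, "bootable": status == 0x80,
                          "type": ptype, "lba": lba, "sectors": count})
    return parts


def claim_dump_partition(mbr):
    """msramdmp's selection step: the first 0x40 entry becomes 0x41, so a later run
    cannot overwrite it. Returns (new_mbr, index) or (mbr, None) if all are used."""
    mbr = bytearray(mbr)
    for i in range(4):
        off = TABLE + 16 * i + 4                          # type byte of entry i
        if mbr[off] == DUMP_FREE:
            mbr[off] = DUMP_USED
            return bytes(mbr), i + 1
    return bytes(mbr), None


def extract_partition(image_path, part, out_path, ram_bytes=None):
    """dd if=image bs=512 skip=<lba> count=<sectors> of=out_path, trimmed to the
    RAM size actually dumped when given (the partition is normally larger)."""
    length = part["sectors"] * SECTOR if ram_bytes is None else min(ram_bytes, part["sectors"] * SECTOR)
    remaining = length
    with open(image_path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(part["lba"] * SECTOR)
        while remaining:
            chunk = src.read(min(1 << 20, remaining))
            if not chunk:
                break
            dst.write(chunk)
            remaining -= len(chunk)
    return length - remaining


def printable_strings(data, minlen=4):
    """Roughly strings(1): runs of at least minlen printable ASCII bytes."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % minlen, data)]


def demo(ram_bytes=64 * 1024):
    """Round trip on a throwaway sparse image: build the table, claim a slot the way
    msramdmp would, plant a marker where RAM would land, dd it out, and list the
    strings that are not part of the tool footprint (here just the MBR itself)."""
    d = tempfile.mkdtemp()
    img, out = os.path.join(d, "usb.img"), os.path.join(d, "ram.dmp")
    mbr, idx = claim_dump_partition(build_mbr(ram_bytes, dump_parts=1))
    part = next(p for p in parse_mbr(mbr) if p["index"] == idx)
    with open(img, "wb") as f:
        f.write(mbr)
        f.truncate(max(p["lba"] + p["sectors"] for p in parse_mbr(mbr)) * SECTOR)
        f.seek(part["lba"] * SECTOR + 4096)
        f.write(b"CONSTRUCTED-MARKER")                    # stands in for RAM contents
    copied = extract_partition(img, part, out, ram_bytes)
    with open(out, "rb") as f:
        dump = f.read()
    novel = sorted(set(printable_strings(dump)) - set(printable_strings(mbr)))
    return {"claimed": idx, "copied": copied, "novel": novel}


if __name__ == "__main__":
    print(demo())
```

On a real drive the order is the one the page gives: zero the device, write a table like this one, put SysLinux’s mbr.bin at the start of the device (comment 6 below measured it at 0x193 bytes, so it does not reach the table at offset 446; `bootstrap` is there if you would rather write both in one go), mkfs the FAT16 partition, install SysLinux, copy the two files. After a capture, `claim_dump_partition` tells you which slot msramdmp took, `extract_partition` with the target’s RAM size is the dd command from the thread below with the trimming already applied, and the set difference in `demo` is the strings check against the tool’s own footprint.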

Notes

Some things you may want to keep in mind when trying to pull things out of RAM:

  • This isn’t as straightforward as pulling a drive and imaging it, and you might only have one shot at it. Make sure your capture drive is set up correctly and working before you attempt this. You really need to know your target computer: don’t waste any time while it’s off, make sure your target partition is large enough to hold the RAM, and check whether the target can boot from USB at all. If it can’t, you’re going to have to do something else.
  • If you want to use this for serious forensic purposes, I would advise testing it in a laboratory environment first. Run it on a system that you know will not have remanence, and map out exactly what the footprint of this tool is. This is something I have not done yet.
  • It’s very slow right now. I’ve got it reading and writing 8 kilobytes at a time. It might behave better if that is tuned, but I suspect some BIOSes, even on machines with USB 2.0 ports, drive the stick at USB 1.x speeds. It could be the way I’m buffering, the computer (I only own one that boots USB), or the drive. All I know is that I’m not getting nearly the speed the authors of the Princeton paper get with theirs.
  • Once you get the computer started back up, though, the RAM is going to maintain state until otherwise modified (unless BIOS RAM checking options are selected). You can take your time in the BIOS menu to make sure you’ve got the right settings to boot to theitten a blog post on the topic, with some thoughts about how you might want to arrange it.

References

Here are some pages that were useful in the development of msramdmp:

  53 Responses to “- msramdmp”

  1. [...] also touch on the McGrew Security RAM Dumper and [...]

  3. Hi,
    what is the exact format of the “type 40” partition?
    Thanks.

  4. There is no filesystem on the msramdmp partitions, so there isn’t really a format. I would recommend zeroing out the partition with dd before running msramdmp, though, so you can be sure that any data written there was written from RAM.

    After msramdmp runs and marks the partition type as being used (“41”), the partition contains an image of RAM without any filesystem structure. You may simply dump the partition back out to a file on your computer using dd.

  5. Thanks very much, just wanted to clear that up.

  6. I worked this out in the lab. This is what I got:

    mbr.bin : 0x193 bytes
    syslinux: 0x4983 bytes
    msramdmp: 0xd37 bytes
    cfglinux: 0x30 bytes

    Total of 0x587d bytes, or
    22,653 bytes (22.6 KB)

  7. Please change your dd command to dd if=….. | dd of=
    Using a pipe speeds things up by up to 7 times. Compile it into the thing and post the new version please :)

  8. On a second run – just read your source – the idea of DD can be used the same way… but I’m not that good in C to make it work.

  9. Thanks for the tip, Alexander.

    The problem is that, to keep from stomping on too much memory, msramdmp runs straight from the syslinux bootloader, which provides only a bare minimum of services to its plugins. There is no kernel loaded, and therefore no filesystem support, pipes, and definitely no DD.

    It may be possible to tweak how much is read from RAM before flushing out to USB to improve performance a bit, but being implemented as it is now, msramdmp appears to be limited in speed by the (widely varying) capabilities of each system’s BIOS to use interrupts to write to USB as if it were a normal IDE or whatever drive.

  10. Hi, very good and interesting stuff here. I’ve tried to download syslinux-3.61 but I received an HTTP 404 error. Can someone re-upload it?

    Thanks in advance!

    • Hi Lorenzo! It will probably work fine with other, newer, versions of syslinux as well. Once I’m back from travel I’ll try to remember to test it out with a recent version and update the link. Thanks

  11. Followed the instructions in the lab. When msramdmp is run from a USB drive, how long does it take to dump about 3 gigs of RAM? I have had mine running for about 5 min and still no “Done. You can turn off your machine and remove your device”.

    Thx

    • Depends on the machine, how the BIOS implements mapping BIOS disk calls to USB devices, and the USB device itself. It can be quite slow if that sort of writing drops to USB 1 speeds on that system.

      I suppose your options are:
      * Benchmark it on the same kind of system with a smaller amount of RAM installed
      * Hack up the msramdmp source to only grab a small portion of the RAM and extrapolate the time for the whole thing from that
      * Hack up the msramdmp source to display progress information every so often

      Best of luck!

  12. Thanks for the quick reply.
    How did you transfer the contents of RAM from the USB stick to a file?
    What program did you use to analyze the data? In other words, what program grabbed the AES key?

    Thanks Again

    • msramdmp, for the sake of being small and simple (no USB or filesystem drivers in user-space), makes INT 13h BIOS calls to write to disk.

      I haven’t recovered whole-disk encryption keys with msramdmp personally, although I believe others have. I was more interested in other volatile data left by programs running at the time the plug was pulled, such as stored passwords, text, images. I have run tools like daisydukes (for carving out passwords) and foremost (for carving out images), and just picking through manually. I want to see what the new versions of FTK can do, since it now has the capability to analyze memory dumps.

  13. Thanks. Well, how do you transfer the contents of the data in the “type 40” partition to a file so you can analyze it?

    • You can dd the partition back to a file, something along the lines of

      dd if=/dev/ of=image_filename

      You may want to trim the file down to the size of the memory you actually dumped if the target partition was actually larger. Pretty much any other disk/partition imaging software could be used also, I imagine.

  14. Thanks.
    Actually, I created a 4GB partition of type 40 to store the RAM image. I tried to make 2 separate files to analyze, of 2 gigs each, using the dd command:
    dd if=/dev/sdb2 bs =1GB count=2GB of=ram.dmp
    this worked fine, but to get the second 2gigs
    dd if=/dev/sdb2 bs=1GB count=2gb skip=2gb of ram1.dmp did not write any data.

    Also, I am still looking for a good program to analyze the memory dump in Unix.

    Thanks for all the help

    • You’ve got your count= messed up. Count is simply a multiplier for how many blocks of bs= you want to get. If your block size is 1GB, then to get two gigs, your count= should be 2.

      In Unix, I would recommend using file carving tools like foremost, specialty password carving tools like daisydukes (did Inguardians publicly release it?), whatever scripts you can conjure up for yourself, or even just “strings”. Someone pointed out Volatility to me last night, and while I haven’t tested it, it looks really great:

      https://www.volatilesystems.com/default/volatility/

  15. Thanks for the info, you have been really helpful. I downloaded aeskeyfind, one of the tools that the guys from Princeton wrote. It searches the RAM and reconstructs the AES keys from RAM if it finds them. I did not read their full paper in detail, though, but they do provide the source code for their application. I used the tool on the results from msramdmp and it found an AES key. However, for my test I encrypted a volume using TrueCrypt, and TrueCrypt does in fact store its keys in RAM, but I am unable to verify that the AES key I found is the one TrueCrypt used to encrypt the volume. I am still looking into this.

    Thanks Again

  16. Is it possible to use your program msramdmp, or modify it, so we can load the RAM image to another computer over the network?

  17. I think you can try to even further minimize memory footprint for this great tool. You just may want to use VGA video memory segment starting at A000:0000 (real mode addressing) for disk IO buffering or just for loading code itself. Maybe you’ll even be able to modify syslinux and its MBR code to load it there. It’ll almost eliminate conventional memory from altering I think.

  18. I’m glad to be useful for you, Wesley. Keep up good work!

  19. Could you kindly post JPG image of the RAM dumps to see how it looks. Fabulous work!!

  20. Second thought: please put up a video of the whole demonstration. Thanks for the exciting work, given the total absence of the original experiments by the Princeton University folks.

  21. Can you tell me what does the number 2162688 stand for in:
    memtop = outreg.eax.w[0]*1024 + outreg.ebx.w[0]*65536 + 2162688;
    ?

    Also I realized you’re writing 16 sectors in one iteration (16*512=8192 and that’s the ptr). Can you tell me why 16? Does it have to work like that? Or can it be 8 or 32?

  22. Going back and looking at that code, the return value from that BIOS call must have been relative to something and I put that in to adjust. It’s a bit prettier and looks slightly less arbitrary in hex (0x210000), so I probably should have represented it as such (and commented exactly what it was lol).

    You can write as many sectors as you’d like per iteration. 16 is an arbitrary choice that’s always been sort of a default choice for me when doing large dd’s of disks. Depending on your drive and other factors, you may be able to play with making it something else (such as 8 or 32) and squeeze a little more performance out of it.

    Thanks for the comments!

  23. Hi,

    I’ve built both msramdmp and the USB scraper tool from Princeton and they both appear to work, but my mem image does not contain anything of worth.

    When I view the image in a hex editor or via strings I can see all the syslinux and msramdmp code, and then when it gets to 0x100000 I see some jargon then all zeros.

    I’ve tried this on 2 dell laptops (Latitude D620 – Inspiron 1525) and an IBM thinkpad and the results are the same each time. I’ve tried a mixture of XP, Vista and Win 7.

    From what I can see, none of these laptops have ECC RAM and I don’t believe they run a memory test on boot up either.

    I’ve rebuilt the 4gb usb disk several times and used both tools on all laptops and still no joy.

    any ideas ?

    Thks

    • Have you tried the same builds of the ram dumping tools on another system to verify that they are working correctly?

      EDIT: Also note that ECC ram may set itself to a known state on boot, so this attack may not work on it.

  24. I have tried the same ram tools on 3 laptops: 2 dell, 1 IBM and I get the same result.
    The tools both state they have completed.

    From what I can see, these laptops do not have ECC RAM.
    is there a definitive way to check ?

    is it possible that they will appear to be running correctly but the USB stick or the way the tool was created is wrong ?

  25. Without being there, I don’t know that I would be able to debug it any further. Perhaps use a USB drive that has an LED that flashes when it’s being written to, and see if it flashes throughout the dumping process. If you know C, you can change msramdmp to dump to the screen and visually see what’s in memory.

  26. I love your writing style.

    A trivial point: Since this is for security purposes, I would suggest looping eight times with the dd statement when clearing the flash drive. This is probably unnecessary because 1) it is a flash drive and 2) we’re not truly worried about erasing the data against a forensic investigation, it is more a style point.

    I’m interested if you’ve updated your program or if there are any other programs that you would suggest using. Or any other references you would suggest looking at.

    Thank you for your time.

    • Thanks bdm!

      I have yet to meet anyone able to recover data even after one pass across hard drives, though some argue that three-letter-agencies have this capability. This is a common point of argument among forensics folks, and luckily the Wikipedia entry on the Gutmann method has a good take on the subject in the “Criticism” section:

      http://en.wikipedia.org/wiki/Gutmann_method

      In the training we give to law enforcement at the NFTC, for example, we teach that a single pass is sufficient.

      Flash media is a different beast. The wear-leveling complicates individual file wiping, but a pass across the entire disk should take care of everything.

      I haven’t updated msramdmp, though I need to take some time soon to update it for more modern systems with larger amounts of RAM. There hasn’t been, to my knowledge, much more work published recently on “cold-boot” attacks like this. There have been lots of advancements in analyzing RAM dumps though. Check out the Volatility Framework.

  27. There is something that I don’t understand. I’m trying to unlock a Toshiba hard drive. It is password locked, and came with a Toshiba laptop I had that broke. I need it, and I dumped the login sequence from the RAM. I have a 1.2GB file, how do I read it? Do I rename it as EXE and run it with OllyDbg, or is there another way I don’t know about?

    • Hi Paul,

      Unfortunately, if you don’t have the password for the drive, it’s unlikely that it is stored in memory anywhere for you to find. If it’s an ATA password, even once it’s unlocked, the keys are likely in the drive’s controller board and not in primary RAM.

  28. Oh… so no way? This is… bad.
    The only thing I got out of that laptop was this hard drive. The password was stored inside the BIOS and now Toshiba won’t give me the password, so I have a 500GB SATA2 laptop 2.5″ hard drive paperweight :(
    If anyone knows a way please share.
    Thanks

  29. There’s a chance with an ATA password that there is a master password set by the manufacturer of the drive. Here’s a page with some examples (including for Toshiba drives) of master passwords that might work:

    http://ipv5.wordpress.com/2008/04/14/list-of-hard-disk-ata-master-passwords/

    Some high-end data recovery firms may have access to more master passwords than can be publicly found, as well.

  30. Hi mate, thanks, but I had already tried that:
    TOSHIBA -> 32 spaces
    For Xbox HDDs try “XBOXSCENE” or “TEAMASSEMBLY” too
    None worked. I tried all possible combinations, uppercase, lowercase, fewer or more spaces, etc. None worked.

  31. Hi, the link for syslinux-3.61.tar.gz is not working and I’d really be happy if anyone could give me an alternate link to it. :) Thanks!

  32. Sir
    My pen drive gets mounted as sdb1. I formatted it by writing zeros to it using the instructions given by you. Then I created two partitions on my 8GB pen drive. The first one is 1MB (FAT16 type) labelled sdb1p1 and the second one is 4GB (Venix 80286 type) named sdb1p2. After that, I tried to create a filesystem for the FAT16 type using mkfs.msdos /dev/sdb1p1, but it resulted in an error showing /dev/sdb1p1: No such file or directory. So what to do, sir?

  33. Dear Sir,
    I was trying to work on the cold boot attack, and downloaded msramdmp.gz and the syslinux version recommended by you. I was trying to follow the steps recommended by you, and faced the following problem. Kindly help.

    Step 1) The pen drive is used as /dev/sda1.

    I wrote 0 at every location using the command recommended by you, i.e.

    dd if=/dev/zero of=/dev/sda1

    The command worked fine; it took some time. I am using a Kingston 4GB pen drive.

    Step 2) Created three partitions using fdisk.

    /dev/sda1p1 1MB FAT16 bootable

    /dev/sda1p2 1GB Venix 80286

    After creating these partitions I used the w command to write the information.

    Step 3) mkfs.msdos /dev/sda1p1

    The message I am getting is that /dev/sda1p1 is not known.

    After this I am unable to proceed further.

    Is this problem related to fdisk or something else?

  34. in step2 when i used w command for writing partition table I got following message

    Warning : Reading partition table failed with error 22. Invalid argument.

    Kernel still uses the old table

    New table will be used at next reboot
    syncing disk

  35. I tried cfdisk also. Using cfdisk I didn’t get any error message, although in the case of fdisk I was getting an error message whenever I tried to write using the w command. I am carrying out all these things on a Linux platform. When I use the command fdisk /dev/sda1 I am able to see partitions like
    sda1p1
    sda1p2

    Again, when I am trying to make the FAT16 partition using
    mkfs.msdos /dev/sda1p1

    the error message is that /dev/sda1p1 does not exist. This is happening with both fdisk and cfdisk.

    I am unable to proceed further, kindly help.

    The other problem is that I was going through the source code from Princeton University. I found that scraper.bin is a concatenation of two files, boot.bin and usb.bin. Now boot.bin is the MBR. The problem is that the first 512 bytes are loaded automatically by the BIOS (i.e. boot.bin), but after that the code is loaded into memory using the value ah=42h and calling interrupt 13h (packet mode, for USB). After that ljmp $scraper is called. Before jumping, everything is getting executed. After that it does not proceed further. I believe that the problem is with the value assigned to the structure packet at the end of the code. Kindly help me.

    • Well, one problem might be the device names you’re using. /dev/sda1 is the first partition on the disk /dev/sda, so it looks like you’re partitioning a partition, which isn’t likely to do what you expect.

      Give a shot at partitioning the disk. Be sure you’re doing the right one by seeing what disk is assigned to the usb drive in dmesg. It’ll be /dev/sda, /dev/sdb, etc. without the number.

  36. Finally I succeeded in creating a pen drive for the dump. The experiment which I carried out is as follows:

    i) Ran a program to fill the contents of memory with some string.

    ii) Switched off the system.

    iii) Rebooted the system using the bootable pen drive.

    iv) After the dump completed, rebooted the system without the pen drive. Dumped the partition using the dd command into a file. Searched for the occurrence of the string. The occurrence of the string was detected.

  37. I carried out an experiment with TrueCrypt. TrueCrypt installed over Windows encrypted a volume using AES. Rebooted the system, took a dump and searched for the AES key using the Princeton University software. The detection software found a few occurrences of the AES key. As far as I know, detection of the key is done by searching contiguous memory locations for the key and round keys: using the key, the round keys are derived and then the Hamming distance to the contiguous locations is found. In my case the Hamming distance is zero. I am trying to understand TrueCrypt in detail, particularly how the AES key is derived from the password. I have a query, kindly help me.

    I think that if the Hamming distance between the derived round keys and the values stored in contiguous memory locations is zero, the probability that it is an AES key will be extremely high, because it cannot happen with random data. Or, put another way, the probability that it happens with random data will be very low (near zero). Am I right or not?

    Kindly help.
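Comments 15 and 37 above describe searching a dump for an AES key by expanding a candidate and comparing the result with the memory that follows it. The following is an added example in Python, supplied by the editor; it is not aeskeyfind, not the Princeton code, and not part of this page. It generates the AES S-box, implements the FIPS-197 key expansion, and scans an image for AES-128 schedules within a Hamming-distance budget, giving up on a window as soon as it misses by more than the budget. The image it scans is constructed here around the FIPS-197 example key; nothing about any real dump is assumed.

```python
"""Added example (not the Princeton aeskeyfind, not part of this page): scan a
memory image for AES-128 key schedules. Every 16-byte window is treated as a
candidate key, expanded with the FIPS-197 key schedule, and compared bit for bit
(Hamming distance) against the 160 bytes that follow it, so a schedule with a
few decayed bits is still found. The image is constructed here; the FIPS-197
example key appears only as a known-answer test vector."""
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _make_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF       # p *= 3
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF                                                   # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_rounds(key):
    """Yield round keys 1..10 of the AES-128 schedule for a 16-byte key."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for r in range(10):
        t = [SBOX[b] for b in w[-1][1:] + w[-1][:1]]                # SubWord(RotWord)
        t[0] ^= RCON[r]
        for _ in range(4):
            w.append([a ^ b for a, b in zip(w[-4], t)])
            t = w[-1]
        yield bytes(b for word in w[-4:] for b in word)


def expand_key(key):
    """Full 176-byte schedule: the key followed by round keys 1..10."""
    return bytes(key) + b"".join(expand_rounds(key))


def hamming(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_schedules(image, max_distance=8):
    """[(offset, key, distance)] for each window whose expansion lies within
    max_distance bits of the memory after it. Rounds are compared one at a time
    and the window is dropped as soon as the budget is exceeded, so the full
    expansion is only computed for plausible candidates."""
    hits = []
    for off in range(len(image) - 176 + 1):
        key = image[off:off + 16]
        dist, pos = 0, off + 16
        for round_key in expand_rounds(key):
            dist += hamming(round_key, image[pos:pos + 16])
            if dist > max_distance:
                break
            pos += 16
        else:
            hits.append((off, bytes(key), dist))
    return hits


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def constructed_image(seed=7, size=4096, at=1000):
    """Constructed input: seeded random bytes with the FIPS-197 schedule planted
    at `at` and three bits of its round keys flipped to mimic DRAM decay."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(size))
    img[at:at + 176] = expand_key(FIPS_KEY)
    for delta, mask in ((50, 0x01), (120, 0x80), (170, 0x10)):
        img[at + delta] ^= mask
    return bytes(img)


if __name__ == "__main__":
    for off, key, dist in find_aes128_schedules(constructed_image()):
        print("offset 0x%x key %s (%d bit errors)" % (off, key.hex(), dist))
```

With 4 KiB of random bytes and a budget of 8 bits, only the planted key is reported, which is the point raised in comment 37: 160 bytes consistent with the expansion of the 16 bytes in front of them do not occur by accident. Two caveats: this expands every window in pure Python, so on a multi-gigabyte dump it is far slower than aeskeyfind, and it tolerates decay only in the round keys, not in the key bytes themselves, which the Princeton tool reconstructs. A page of zeros is harmless as a candidate, since the expansion of an all-zero key is not all zeros.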

  38. I am trying to run the following simple program for
    checking the status of the hard disk

    +++++++++++++++++++++++++++++++++++++++
    # INT 13h is the real-mode BIOS disk service; a protected-mode Linux user
    # process cannot execute it, so the kernel traps the instruction.
    .section .text
    .globl _start
    _start:
    nop
    mov $0x8, %ah      # INT 13h function 08h: get drive parameters
    mov $0x0, %dl      # drive number 0
    int $0x13          # BIOS disk interrupt (faults under Linux)
    mov $1, %eax       # sys_exit via the 32-bit int 0x80 entry
    mov $0, %ebx       # exit status 0
    int $0x80

    ++++++++++++++++++++

    compilation is done in the following way

    +++++++++++++++++++++++++++++++++++++++++
    as -gstabs -o second.o second.s
    ld -o second second.o
    +++++++++++++++++++++++++++++++++++++++++

    error obtained is:
    Segmentation Fault

    Contents of the different registers are as follows

    info registers

    rax 0x800 2048
    rbx 0x0 0
    rcx 0x0 0
    rdx 0x0 0
    rsi 0x0 0
    rdi 0x0 0
    rbp 0x0 0x0
    rsp 0x7fff53ae6260 0x7fff53ae6260
    r8 0x0 0
    r9 0x0 0
    r10 0x0 0
    r11 0x300 768
    r12 0x0 0
    r13 0x0 0
    r14 0x0 0
    r15 0x0 0
    rip 0x40007d 0x40007d
    eflags 0x10202 [ IF RF ]
    cs 0x33 51
    ss 0x2b 43
    ds 0x0 0
    es 0x0 0
    fs 0x0 0
    gs 0x0 0

    Kindly help, what exactly is the reason?

  39. Hi,
    I just want to know if there is a command to capture random memory? I tried: strings /proc/kcore
    but I don’t know how to see the passwords, and whether there is a rootkit. The real problem is that I installed a rootkit (LKM) on my computer (Ubuntu 10.04), and I want to detect it in random memory.
    Thank you for your help!!!!!


© 2012 McGrew Security