Comments on: - msramdmp http://www.mcgrewsecurity.com Sat, 13 Mar 2010 16:07:37 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Wesley McGrew http://www.mcgrewsecurity.com/tools/msramdmp/comment-page-1/#comment-46668 Wesley McGrew Tue, 05 Jan 2010 21:35:41 +0000 http://www.mcgrewsecurity.com/?page_id=382#comment-46668 It would be possible to modify it, I suppose, but it'd be some work getting network code up and going. It would be possible to modify it, I suppose, but it’d be some work getting network code up and going.

]]> By: Harvey http://www.mcgrewsecurity.com/tools/msramdmp/comment-page-1/#comment-46667 Harvey Tue, 05 Jan 2010 21:26:15 +0000 http://www.mcgrewsecurity.com/?page_id=382#comment-46667 Is it possible to use your program msramdmp or modify it so we can load the RAM image to another computer over the network Is it possible to use your program msramdmp or modify it so we can load the RAM image to another computer over the network

]]> By: Richard http://www.mcgrewsecurity.com/tools/msramdmp/comment-page-1/#comment-45946 Richard Sat, 19 Dec 2009 21:47:37 +0000 http://www.mcgrewsecurity.com/?page_id=382#comment-45946 Thanks for the info you have been really helpful. I downloaded aeskeyfind, one of the tools that the guys from princeton wrote. It searches the RAM and constructs the AES keys from RAM if it finds them. I did not read there full paper in detail though, but they do provide the source code for their application. I used the tool on the results from msramdmp and it found an aes key. However, for my test I encrypted a volume using truecrypt and truecrypt does in fact store its keys in RAM, but I am unable to verify that the AES key I found is the one truecrypt used to encrypt their volume. I am still looking into this. Thanks Again Thanks for the info you have been really helpful. I downloaded aeskeyfind, one of the tools that the guys from princeton wrote. It searches the RAM and constructs the AES keys from RAM if it finds them. I did not read there full paper in detail though, but they do provide the source code for their application. I used the tool on the results from msramdmp and it found an aes key. However, for my test I encrypted a volume using truecrypt and truecrypt does in fact store its keys in RAM, but I am unable to verify that the AES key I found is the one truecrypt used to encrypt their volume. I am still looking into this.

Thanks Again

]]> By: Wesley McGrew http://www.mcgrewsecurity.com/tools/msramdmp/comment-page-1/#comment-45934 Wesley McGrew Sat, 19 Dec 2009 16:55:11 +0000 http://www.mcgrewsecurity.com/?page_id=382#comment-45934 You've got your count= messed up. Count is simply a multiplier for how many blocks of bs= you want to get. If your block size is 1GB, then to get two gigs, your count= should be 2. In Unix, I would recommend using file carving tools like foremost, specialty password carving tools like daisydukes (did Inguardians publicly release it?), whatever scripts you can conjure up for yourself, or even just "strings". Someone pointed out Volatility to me last night, and while I haven't tested it, it looks really great: https://www.volatilesystems.com/default/volatility/ You’ve got your count= messed up. Count is simply a multiplier for how many blocks of bs= you want to get. If your block size is 1GB, then to get two gigs, your count= should be 2.

In Unix, I would recommend using file carving tools like foremost, specialty password carving tools like daisydukes (did Inguardians publicly release it?), whatever scripts you can conjure up for yourself, or even just “strings”. Someone pointed out Volatility to me last night, and while I haven’t tested it, it looks really great:

https://www.volatilesystems.com/default/volatility/

]]> By: richard http://www.mcgrewsecurity.com/tools/msramdmp/comment-page-1/#comment-45931 richard Sat, 19 Dec 2009 15:26:08 +0000 http://www.mcgrewsecurity.com/?page_id=382#comment-45931 Thanks. Actually, I created a 4GIG partition of type 40 to store the RAM image. I tried to make 2 seperate files to analyze of 2 gig each using dd command: dd if=/dev/sdb2 bs =1GB count=2GB of=ram.dmp this worked fine, but to get the second 2gigs dd if=/dev/sdb2 bs=1GB count=2gb skip=2gb of ram1.dmp did not write any data. Also I am still looking for a good program to anaylze the memory dump in unix Thanks for all the help Thanks.
Actually, I created a 4GIG partition of type 40 to store the RAM image. I tried to make 2 seperate files to analyze of 2 gig each using dd command:
dd if=/dev/sdb2 bs =1GB count=2GB of=ram.dmp
this worked fine, but to get the second 2gigs
dd if=/dev/sdb2 bs=1GB count=2gb skip=2gb of ram1.dmp did not write any data.

Also I am still looking for a good program to anaylze the memory dump in unix

Thanks for all the help

]]> By: Wesley McGrew http://www.mcgrewsecurity.com/tools/msramdmp/comment-page-1/#comment-45909 Wesley McGrew Sat, 19 Dec 2009 05:36:03 +0000 http://www.mcgrewsecurity.com/?page_id=382#comment-45909 You can dd the partition back to a file, something along the lines of dd if=/dev/ of=image_filename You may want to trim the file down to the size of the memory you actually dumped if the target partition was actually larger. Pretty much any other disk/partition imaging software could be used also, I imagine. You can dd the partition back to a file, something along the lines of

dd if=/dev/ of=image_filename

You may want to trim the file down to the size of the memory you actually dumped if the target partition was actually larger. Pretty much any other disk/partition imaging software could be used also, I imagine.

]]> By: Richard http://www.mcgrewsecurity.com/tools/msramdmp/comment-page-1/#comment-45862 Richard Fri, 18 Dec 2009 14:51:18 +0000 http://www.mcgrewsecurity.com/?page_id=382#comment-45862 Thanks. Well how do you transfer the contents of data in "partition 40" to a file so you can analyze Thanks. Well how do you transfer the contents of data in “partition 40″ to a file so you can analyze

]]> By: Wesley McGrew http://www.mcgrewsecurity.com/tools/msramdmp/comment-page-1/#comment-45861 Wesley McGrew Fri, 18 Dec 2009 14:26:12 +0000 http://www.mcgrewsecurity.com/?page_id=382#comment-45861 msramdmp, for the sake of being small and simple (no USB or filesystem drivers in user-space), makes INT 13h BIOS calls to write to disk. I haven't recovered whole-disk encryption keys with msramdmp personally, although I believe others have. I was more interested in other volatile data left by programs running at the time the plug was pulled, such as stored passwords, text, images. I have run tools like daisydukes (for carving out passwords) and foremost (for carving out images), and just picking through manually. I want to see what the new versions of FTK can do, since it now has the capability to analyze memory dumps. msramdmp, for the sake of being small and simple (no USB or filesystem drivers in user-space), makes INT 13h BIOS calls to write to disk.

I haven’t recovered whole-disk encryption keys with msramdmp personally, although I believe others have. I was more interested in other volatile data left by programs running at the time the plug was pulled, such as stored passwords, text, images. I have run tools like daisydukes (for carving out passwords) and foremost (for carving out images), and just picking through manually. I want to see what the new versions of FTK can do, since it now has the capability to analyze memory dumps.

]]> By: Richard http://www.mcgrewsecurity.com/tools/msramdmp/comment-page-1/#comment-45860 Richard Fri, 18 Dec 2009 14:11:03 +0000 http://www.mcgrewsecurity.com/?page_id=382#comment-45860 Thanks for the quick reply. How did you transfer the contents of RAM from the USB stick to a file? What program did you use to anlyze the data? In other words what program grabbed the AES key? Thanks Again Thanks for the quick reply.
How did you transfer the contents of RAM from the USB stick to a file?
What program did you use to anlyze the data? In other words what program grabbed the AES key?

Thanks Again

]]> By: Wesley McGrew http://www.mcgrewsecurity.com/tools/msramdmp/comment-page-1/#comment-45837 Wesley McGrew Fri, 18 Dec 2009 05:20:48 +0000 http://www.mcgrewsecurity.com/?page_id=382#comment-45837 Depends on the machine, how the BIOS implements mapping BIOS disk calls to USB devices, and the USB device itself. It can be quite slow if that sort of writing drops to USB 1 speeds on that system. I suppose your options are: * Benchmark it on the same kind of system with a smaller amount of RAM installed * Hack up the msramdmp source to only grab a small portion of the RAM and extrapolate the time for the whole thing from that * Hack up the msramdmp source to display progress information every so often Best of luck! Depends on the machine, how the BIOS implements mapping BIOS disk calls to USB devices, and the USB device itself. It can be quite slow if that sort of writing drops to USB 1 speeds on that system.

I suppose your options are:
* Benchmark it on the same kind of system with a smaller amount of RAM installed
* Hack up the msramdmp source to only grab a small portion of the RAM and extrapolate the time for the whole thing from that
* Hack up the msramdmp source to display progress information every so often

Best of luck!

]]>