Wednesday, November 05, 2008

iPod Touch

I've had my new iPod for a week now and am loving it. Email is great and now I'm testing out a blogging app that seems to work well so far. My favorite app so far is ByLine that syncs my Google Reader RSS feeds so I can read them offline making it easy to stay on top of them. Ok, test over. More cool memory forensic stuff to come.

Tuesday, November 04, 2008

Encase, Physical Memory and E01s

Short disclaimer: This post is primarily for the sake of posterity and keeping track of some of the stuff I had laying around to get where I am in the research I'm doing right now. I've done a lot more testing with physical memory acquisition using winen, mdd, win32dd, and Encase both locally on live systems and on remote systems using F-Response in an effort to see the compatibility of the different outputs with Encase memory analysis Enscripts, Volatility Framework and Memoryze.

I don't remember which version of Encase added physical and process memory support but it was the 6.11 release that included winen.exe, a standalone utility to create an image/dump of physical memory. The resulting file was, of course, in the EWF/E01 format. The interesting thing is that when the E01's containing memory are opened in Encase, it knows that they represent memory so the icon in Encase changes from usual hard drive icon to a memory chip. Here's a screenshot.
How does Encase know? I thought it was based on the following dialog and I'd be able to change this within Encase by right-clicking on an entry but modifying the entries like those in the following image did nothing.
It turns out that Guidance Software has made an addition to the E01 file so that there is a new media type identifier, 0x10. Taking at look at a memory image created by winen, ewfinfo from the libefw project shows the Media Type as RAM.
ewfinfo 20080609 (libewf 20080609, zlib 1.2.3, libcrypto 0.9.7)

Acquiry information
Case number: AAAAAAAAAAAA
Description: winen-nocomp
Examiner name: BBBBBBBBBBBB
Evidence number: CCCCCCCCCCCC
Operating system used: Windows XP
Software version used: 6.11
Password: N/A
Unknown value ext: 0

Media information
Media type: RAM
Media is physical: yes
Amount of sectors: 130940
Bytes per sector: 4096
Media size: 511 MiB (536330240 bytes)
Error granularity: 1
Compression type: no compression
GUID: 837687b1-988d-2c44-a8f4-84874692842a
MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b
Note: Latter beta versions since 20080609 lost the LIBEWF_MEDIA_TYPE_RAM so they show up like this:
ewfinfo 20081013 (libewf 20081013, libuna 20081011, zlib 1.2.3, libcrypto 0.9.7)

Acquiry information
Case number: AAAAAAAAAAAA
Description: winen-nocomp
Examiner name: BBBBBBBBBBBB
Evidence number: CCCCCCCCCCCC
Operating system used: Windows XP
Software version used: 6.11
Password: N/A
Unknown value ext: 0

Media information
Media type: unknown (0x10)
Media is physical: yes
Amount of sectors: 130940
Bytes per sector: 4096
Media size: 511 MiB (536330240 bytes)
Error granularity: 1
Compression type: no compression
GUID: 837687b1-988d-2c44-a8f4-84874692842a
MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b
Winen is great for incident response and gathering memory from live systems, but you can also access physical memory and individual processes on the same machine you're running Encase on, it's as easy as clicking the related boxes on the "Add Device" dialog in Encase.

Documentation on EWF (E01) File Format

Monday, November 03, 2008

Cold Boot Memory Attack on TV Show "My Own Worst Enemy"

I'm checking out the new series "My Own Worst Enemy" with Christian Slater. In episode two around the 40 minute mark, they are being briefed on how they are going to infiltrate the enemy's headquarters. Someone mentions that the computers will be encrypted and a geeky dude says no problem, this can right here will freeze the memory so you can extract the encryption keys. Amazing!

When they get in, one of the guys is seen opening the side of a computer, briefly spraying the can into the machine, pulling out a RAM chip with tweezers and putting it into some sort of small circuit board that is then analyzed by a small subnotebook.

Pretty cool stuff. I'm very impressed, at lease after seeing all the technological crap the show "24" has butchered.