Tuesday, November 04, 2008

Encase, Physical Memory and E01s

Short disclaimer: This post is primarily for the sake of posterity and keeping track of some of the stuff I had lying around to get where I am in the research I'm doing right now. I've done a lot more testing with physical memory acquisition using winen, mdd, win32dd, and Encase, both locally on live systems and on remote systems using F-Response, in an effort to see the compatibility of the different outputs with Encase memory analysis EnScripts, the Volatility Framework, and Memoryze.

I don't remember which version of Encase added physical and process memory support, but it was the 6.11 release that included winen.exe, a standalone utility to create an image/dump of physical memory. The resulting file is, of course, in the EWF/E01 format. The interesting thing is that when E01s containing memory are opened in Encase, it knows that they represent memory, so the icon in Encase changes from the usual hard drive icon to a memory chip. Here's a screenshot.
How does Encase know? I thought it was based on the following dialog and that I'd be able to change this within Encase by right-clicking on an entry, but modifying the entries like those in the following image did nothing.
It turns out that Guidance Software added a new media type identifier, 0x10, to the E01 format: the media type is a single byte in the volume section of the evidence file, and that byte is what tells Encase the image is memory rather than a disk. Taking a look at a memory image created by winen, ewfinfo from the libewf project shows the media type as RAM. Note also the 4096-byte "sectors" (one x86 page each) and the physical-media flag.
ewfinfo 20080609 (libewf 20080609, zlib 1.2.3, libcrypto 0.9.7)

Acquiry information
Case number: AAAAAAAAAAAA
Description: winen-nocomp
Examiner name: BBBBBBBBBBBB
Evidence number: CCCCCCCCCCCC
Operating system used: Windows XP
Software version used: 6.11
Password: N/A
Unknown value ext: 0

Media information
Media type: RAM
Media is physical: yes
Amount of sectors: 130940
Bytes per sector: 4096
Media size: 511 MiB (536330240 bytes)
Error granularity: 1
Compression type: no compression
GUID: 837687b1-988d-2c44-a8f4-84874692842a
MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b
Note: Later beta versions after 20080609 dropped the LIBEWF_MEDIA_TYPE_RAM definition, so the same image shows up like this. The 0x10 byte is still in the file; ewfinfo just no longer has a name for it:
ewfinfo 20081013 (libewf 20081013, libuna 20081011, zlib 1.2.3, libcrypto 0.9.7)

Acquiry information
Case number: AAAAAAAAAAAA
Description: winen-nocomp
Examiner name: BBBBBBBBBBBB
Evidence number: CCCCCCCCCCCC
Operating system used: Windows XP
Software version used: 6.11
Password: N/A
Unknown value ext: 0

Media information
Media type: unknown (0x10)
Media is physical: yes
Amount of sectors: 130940
Bytes per sector: 4096
Media size: 511 MiB (536330240 bytes)
Error granularity: 1
Compression type: no compression
GUID: 837687b1-988d-2c44-a8f4-84874692842a
MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b
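To make the 0x10 point concrete, here is a small Python reader for the EWF volume section. It is an added example written for this post, not code from the post, from Guidance Software or from the libewf project. It constructs a minimal E01 segment in memory using the geometry from the ewfinfo output above (130940 sectors of 4096 bytes, the same GUID and error granularity), then parses it back, verifying the Adler-32 checksum that EWF puts on every section descriptor and on the volume payload, and reports the media type as "RAM" for 0x10 or "unknown (0x..)" for a byte it has no name for, which is exactly the difference between the two ewfinfo versions shown above. Field offsets follow the libewf project's EWF-E01 specification for the EnCase 5/6 volume section; the chunk size, the sample bytes and the function names are assumptions of the example.

```python
"""Decode the media type byte from an EWF (E01) volume section.

Constructed example for this post, not code from the post, Guidance Software
or libewf.  Builds a tiny in-memory E01 segment (file header, one "volume"
section, one "done" section) carrying media type 0x10 and the geometry from
the ewfinfo listing, then parses it back the way ewfinfo does.  Offsets follow
the EWF-E01 (EnCase 5/6) volume section as documented by libewf; sample values
and function names are assumptions.
"""
import struct
import zlib

EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
SECTION_SIZE = 76      # 16 type + 8 next offset + 8 size + 40 padding + 4 Adler-32
VOLUME_SIZE = 1052     # volume payload including its trailing Adler-32

# Media type, byte 0 of the volume payload.  0x10 is the value Guidance added
# for physical memory images; an unknown value is labelled the way the
# 20081013 libewf beta labels 0x10.
MEDIA_TYPES = {0x00: "removable disk", 0x01: "fixed disk", 0x03: "optical disk",
               0x0E: "logical evidence file", 0x10: "RAM"}
FLAG_PHYSICAL = 0x02   # media flags, byte 36: acquired from a physical device


def adler32(data: bytes) -> int:
    return zlib.adler32(data) & 0xFFFFFFFF


def section(kind: bytes, offset: int, payload: bytes) -> bytes:
    """Section descriptor plus payload; 'next' is an absolute file offset."""
    size = SECTION_SIZE + len(payload)
    nxt = offset if kind == b"done" else offset + size   # 'done' points at itself
    body = struct.pack("<16sQQ40s", kind, nxt, size, b"\x00" * 40)
    return body + struct.pack("<I", adler32(body)) + payload


def volume_payload(media_type, sectors, bytes_per_sector, sectors_per_chunk,
                   granularity, guid, flags):
    body = bytearray(VOLUME_SIZE - 4)
    chunk_count = -(-sectors // sectors_per_chunk)          # ceiling division
    struct.pack_into("<B3xIIIQ", body, 0, media_type, chunk_count,
                     sectors_per_chunk, bytes_per_sector, sectors)
    body[36] = flags
    body[52] = 0                          # compression level 0: none ("winen-nocomp")
    struct.pack_into("<I", body, 56, granularity)
    body[64:80] = guid
    return bytes(body) + struct.pack("<I", adler32(bytes(body)))


def build_segment(media_type=0x10, sectors=130940, bytes_per_sector=4096,
                  guid=bytes.fromhex("837687b1988d2c44a8f484874692842a")):
    """Constructed segment 1: 13-byte file header, volume section, done section."""
    seg = bytearray(EVF_SIGNATURE + struct.pack("<BHH", 1, 1, 0))
    payload = volume_payload(media_type, sectors, bytes_per_sector, 8, 1,
                             guid, FLAG_PHYSICAL)   # 8 x 4 KiB chunks: assumed
    seg += section(b"volume", len(seg), payload)
    seg += section(b"done", len(seg), b"")
    return bytes(seg)


def parse_segment(buf: bytes) -> dict:
    """Walk the section chain, checking descriptor checksums, to the volume section."""
    if buf[:8] != EVF_SIGNATURE or buf[8] != 1:
        raise ValueError("not an EWF-E01 segment file")
    off, seen = 13, set()
    while off + SECTION_SIZE <= len(buf) and off not in seen:
        seen.add(off)
        kind, nxt, size, _pad, chk = struct.unpack_from("<16sQQ40sI", buf, off)
        if adler32(buf[off:off + SECTION_SIZE - 4]) != chk:
            raise ValueError(f"bad section checksum at offset {off}")
        name = kind.rstrip(b"\x00").decode("ascii")
        if name in ("volume", "disk"):          # EWF-E01 uses either name
            return decode_volume(buf[off + SECTION_SIZE:off + size])
        if name == "done":
            break
        off = nxt
    raise ValueError("no volume section found")


def decode_volume(data: bytes) -> dict:
    if len(data) < VOLUME_SIZE or \
            adler32(data[:VOLUME_SIZE - 4]) != struct.unpack_from("<I", data, VOLUME_SIZE - 4)[0]:
        raise ValueError("bad volume section checksum")
    media_type, _chunks, _spc, bps, sectors = struct.unpack_from("<B3xIIIQ", data, 0)
    raw = data[64:80].hex()                     # GUID shown in raw byte order
    return {
        "media_type": media_type,
        "media_type_name": MEDIA_TYPES.get(media_type, f"unknown (0x{media_type:02x})"),
        "physical": bool(data[36] & FLAG_PHYSICAL),
        "sectors": sectors,
        "bytes_per_sector": bps,
        "media_size": sectors * bps,
        "error_granularity": struct.unpack_from("<I", data, 56)[0],
        "guid": "-".join((raw[:8], raw[8:12], raw[12:16], raw[16:20], raw[20:])),
    }


def render(info: dict) -> list:
    """The 'Media information' block in ewfinfo's layout."""
    return [f"Media type: {info['media_type_name']}",
            f"Media is physical: {'yes' if info['physical'] else 'no'}",
            f"Amount of sectors: {info['sectors']}",
            f"Bytes per sector: {info['bytes_per_sector']}",
            f"Media size: {info['media_size'] // 2**20} MiB ({info['media_size']} bytes)",
            f"Error granularity: {info['error_granularity']}",
            f"GUID: {info['guid']}"]


if __name__ == "__main__":
    print("\n".join(render(parse_segment(build_segment()))))
```

Run directly, it prints a Media information block matching the first ewfinfo listing. Point parse_segment() at the bytes of the first segment of a real winen image and byte 0 of the volume payload is the 0x10 the post is about; a flipped byte anywhere in a descriptor fails the Adler-32 check instead of being silently misread. The 4096-byte sector is worth noticing: winen writes one x86 page per "sector", which is why 130940 sectors come out as 511 MiB rather than a disk-like sector count.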
Winen is great for incident response and for gathering memory from live systems, but you can also acquire physical memory and individual processes on the machine you're running Encase on. It's as easy as ticking the related boxes in the "Add Device" dialog in Encase.

Documentation on EWF (E01) File Format
