I don't remember which version of Encase added physical and process memory support, but it was the 6.11 release that included winen.exe, a standalone utility to create an image/dump of physical memory. The resulting file was, of course, in the EWF/E01 format. The interesting thing is that when the E01s containing memory are opened in Encase, it knows that they represent memory, so the icon in Encase changes from the usual hard drive icon to a memory chip. Here's a screenshot.
How does Encase know? I thought it was based on the following dialog and that I'd be able to change this within Encase by right-clicking on an entry, but modifying the entries like those in the following image did nothing.

It turns out that Guidance Software has made an addition to the E01 file so that there is a new media type identifier, 0x10. Taking a look at a memory image created by winen, ewfinfo from the libewf project shows the Media Type as RAM.

ewfinfo 20080609 (libewf 20080609, zlib 1.2.3, libcrypto 0.9.7)

Acquiry information
Case number: AAAAAAAAAAAA
Description: winen-nocomp
Examiner name: BBBBBBBBBBBB
Evidence number: CCCCCCCCCCCC
Operating system used: Windows XP
Software version used: 6.11
Password: N/A
Unknown value ext: 0
Media information
Media type: RAM
Media is physical: yes
Amount of sectors: 130940
Bytes per sector: 4096
Media size: 511 MiB (536330240 bytes)
Error granularity: 1
Compression type: no compression
GUID: 837687b1-988d-2c44-a8f4-84874692842a
MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b

Note: Later beta versions since 20080609 lost LIBEWF_MEDIA_TYPE_RAM, so the same image shows up like this:

ewfinfo 20081013 (libewf 20081013, libuna 20081011, zlib 1.2.3, libcrypto 0.9.7)

Acquiry information
Case number: AAAAAAAAAAAA
Description: winen-nocomp
Examiner name: BBBBBBBBBBBB
Evidence number: CCCCCCCCCCCC
Operating system used: Windows XP
Software version used: 6.11
Password: N/A
Unknown value ext: 0
Media information
Media type: unknown (0x10)
Media is physical: yes
Amount of sectors: 130940
Bytes per sector: 4096
Media size: 511 MiB (536330240 bytes)
Error granularity: 1
Compression type: no compression
GUID: 837687b1-988d-2c44-a8f4-84874692842a
MD5 hash in file: 26b6d584f7289baeecb64a79adc6f60b

Winen is great for incident response and gathering memory from live systems, but you can also access physical memory and individual processes on the same machine you're running Encase on; it's as easy as ticking the related boxes on the "Add Device" dialog in Encase.
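To make "a new media type identifier, 0x10" concrete, here is an added example, my own code written for this post and not EnCase, winen or libewf code. It builds a constructed, chunk-less E01 segment in memory and reads back the fields ewfinfo prints under "Media information". The layout follows the EWF specification published by the libewf project as I read it, which is an assumption: a 13-byte file header, 76-byte section descriptors ending in an Adler-32 checksum, and in the "volume" section the media type at byte 0, chunk and sector geometry at bytes 4..15, the 64-bit sector count at bytes 16..23, the media flags at byte 36 (0x02 = physical) and the set identifier at bytes 64..79. The function names build_sample_segment and parse_media_info are mine; the sector count, sector size and GUID are the values from the winen image above, and an unmapped type value is reported as "unknown (0x..)", the way the later libewf beta prints 0x10.

```python
"""Read the EWF (E01) media type byte that tells EnCase an image is RAM.

Added example for this post; not EnCase, winen or libewf code. Field offsets
are my reading of the libewf EWF specification (assumption), see lead-in.
"""
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER_LEN = 13      # signature(8) + fields start(1) + segment number(2) + fields end(2)
SECTION_DESC_LEN = 76     # type(16) + next offset(8) + size(8) + padding(40) + checksum(4)
VOLUME_LEN = 1052         # EnCase volume section body, trailing checksum included

# Media type values as ewfinfo names them; 0x10 is the Guidance addition for RAM.
MEDIA_TYPES = {0x00: "removable disk", 0x01: "fixed disk", 0x03: "optical disk",
               0x0E: "LVF", 0x10: "RAM"}
MEDIA_FLAG_PHYSICAL = 0x02


def _adler32(data: bytes) -> bytes:
    """EWF stores a little-endian Adler-32 over the bytes that precede it."""
    return struct.pack("<I", zlib.adler32(data) & 0xFFFFFFFF)


def _section(section_type: bytes, next_offset: int, size: int) -> bytes:
    """Build one 76-byte section descriptor."""
    body = section_type.ljust(16, b"\x00") + struct.pack("<QQ", next_offset, size) + b"\x00" * 40
    return body + _adler32(body)


def build_sample_segment(media_type: int, number_of_sectors: int, bytes_per_sector: int,
                         physical: bool = True) -> bytes:
    """Constructed minimal segment: file header, volume section, done section, no data chunks."""
    sectors_per_chunk = 32768 // bytes_per_sector          # EnCase uses 32 KiB chunks
    number_of_chunks = -(-number_of_sectors // sectors_per_chunk)
    body = bytearray(VOLUME_LEN - 4)
    body[0] = media_type
    struct.pack_into("<III", body, 4, number_of_chunks, sectors_per_chunk, bytes_per_sector)
    struct.pack_into("<Q", body, 16, number_of_sectors)
    body[36] = MEDIA_FLAG_PHYSICAL if physical else 0
    struct.pack_into("<I", body, 56, 1)                     # error granularity, as in the post
    # Set identifier: the GUID printed by ewfinfo above, stored in printed order (assumption).
    body[64:80] = bytes.fromhex("837687b1988d2c44a8f484874692842a")
    volume = bytes(body) + _adler32(bytes(body))
    done_off = FILE_HEADER_LEN + SECTION_DESC_LEN + VOLUME_LEN
    header = EWF_SIGNATURE + b"\x01" + struct.pack("<H", 1) + b"\x00\x00"   # segment number 1
    return (header
            + _section(b"volume", done_off, SECTION_DESC_LEN + VOLUME_LEN) + volume
            + _section(b"done", done_off, SECTION_DESC_LEN))


def parse_media_info(segment: bytes) -> dict:
    """Walk the section chain and report what ewfinfo prints under 'Media information'."""
    if segment[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF-E01 segment file")
    offset = FILE_HEADER_LEN
    while offset + SECTION_DESC_LEN <= len(segment):
        desc = segment[offset:offset + SECTION_DESC_LEN]
        if desc[72:] != _adler32(desc[:72]):
            raise ValueError(f"bad section checksum at offset {offset}")
        section_type = desc[:16].rstrip(b"\x00")
        next_offset, _size = struct.unpack_from("<QQ", desc, 16)
        if section_type == b"volume":
            start = offset + SECTION_DESC_LEN
            body = segment[start:start + VOLUME_LEN]
            if len(body) != VOLUME_LEN or body[-4:] != _adler32(body[:-4]):
                raise ValueError("bad or truncated volume section")
            media_type = body[0]
            _chunks, _spc, bytes_per_sector = struct.unpack_from("<III", body, 4)
            (number_of_sectors,) = struct.unpack_from("<Q", body, 16)
            (error_granularity,) = struct.unpack_from("<I", body, 56)
            raw = body[64:80].hex()
            return {
                "media_type_raw": media_type,
                "media_type": MEDIA_TYPES.get(media_type, f"unknown (0x{media_type:02x})"),
                "media_is_physical": bool(body[36] & MEDIA_FLAG_PHYSICAL),
                "number_of_sectors": number_of_sectors,
                "bytes_per_sector": bytes_per_sector,
                "media_size": number_of_sectors * bytes_per_sector,
                "error_granularity": error_granularity,
                "guid": f"{raw[:8]}-{raw[8:12]}-{raw[12:16]}-{raw[16:20]}-{raw[20:]}",
            }
        if section_type == b"done" or next_offset <= offset:
            break
        offset = next_offset
    raise ValueError("no volume section found")


if __name__ == "__main__":
    for key, value in parse_media_info(build_sample_segment(0x10, 130940, 4096)).items():
        print(f"{key}: {value}")
```

Because the parser follows the section chain by type, the same parse_media_info can be pointed at the bytes of a real first segment (the .E01 file), where "header" sections precede "volume"; it never touches the compressed data chunks. The "unknown (0x..)" fallback is deliberate: an image should still parse when the type byte is one the tool has no name for, which is exactly what the 20081013 libewf beta shows for 0x10.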

Documentation on EWF (E01) File Format