5. memory dump

Transcript

  • 1. Informática Forense e Reengenharia (Computer Forensics and Reengineering)
    Master's in Information Security Engineering
    Escola Superior de Tecnologia e Gestão, Instituto Politécnico de Beja
    Francisco Luís
    Summary: Memory Dump
  • 2. Tool: DumpIt
    http://www.moonsols.com/ressources/
    • Produces a .raw image of memory
    • File naming: hostname, date and UTC time
  • 3. Tool: FTK Imager (Capture memory option)
    http://accessdata.com/support/adownloads
  • 4. Tool: fmem
    http://hysteria.sk/~niekt0/foriana/fmem_current.tgz
    • tar -zxvf fmem_current.tgz
    • cd /usr/local/fmem_1.6-0
    • make
    • make install
    • dd if=/dev/fmem of=~/Desktop/memory.dd
  • 5. Tool: Volatility
    https://www.volatilesystems.com/default/volatility
    http://code.google.com/p/volatility/
    • volatility.exe imageinfo -f MEM_IMAGE.raw
      Gives us:
      • Profiles
      • PAE (physical address extension) status
      • hex offset for DTB (Directory Table Base)
      • hex offset for KDBG (short for _KDDEBUGGER_DATA64)
      • hex offset for KPCR (Kernel Processor Control Region)
      • Time stamps
      • Processor counts
    Help
    • volatility.exe -h
    Supported
    • 32bit Windows XP Service Pack 2 and 3
    • 32bit Windows 2003 Server Service Pack 0, 1, 2
    • 32bit Windows Vista Service Pack 0, 1, 2
    • 32bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
    • 32bit Windows 7 Service Pack 0, 1
  • 6. Tool: Volatility
    Connections (XP)
    • volatility.exe --profile=WinXPSP3x86 connscan -f MEM_IMAGE.raw
    • volatility.exe --profile=WinXPSP3x86 connections -f MEM_IMAGE.raw
    Connections (Vista, 2008 and 7)
    • volatility.exe --profile=Win7SP1x86 netscan -f MEM_IMAGE.raw
  • 7. Tool: Volatility
    Process list
    • volatility.exe --profile=Win7SP1x86 pslist -P -f MEM_IMAGE.raw
    • PID and PPID (Parent Process ID)
  • 8. Tool: Volatility
    File list
    • volatility.exe --profile=Win7SP1x86 filescan -f MEM_IMAGE.raw
  • 9. Tool: Volatility (procexedump)
    • volatility.exe --profile=Win7SP1x86 -f FLPC-20120529-212118.raw -p 1656 procexedump -D output/
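As an added example (not from the slides or from the Volatility project), a small Python helper that parses a `pslist -P` listing of the kind slide 7 produces into a PID/PPID map, lists the children of a process, flags processes whose parent is absent from the listing, and splits a DumpIt file name such as the one on slide 9 into hostname, date and UTC time as slide 2 describes. The pslist rows are a constructed sample in Volatility 2's column layout, not output from a real case.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in the row layout of Volatility 2 `pslist -P`; not output from a real case.
SAMPLE_PSLIST = """\
Offset(P)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x023c89c8 System                    4      0     58      379 ------      0
0x02b2e020 smss.exe                544      4      3       19 ------      0 2012-05-29 21:00:01 UTC+0000
0x02c4b2a0 csrss.exe               608    544     10      410      0      0 2012-05-29 21:00:03 UTC+0000
0x02d1f5a8 winlogon.exe            632    544     18      520      0      0 2012-05-29 21:00:03 UTC+0000
0x02d80b10 explorer.exe           1612   1580     20      700      1      0 2012-05-29 21:00:30 UTC+0000
0x02e12c78 notepad.exe            1656   1612      1       40      1      0 2012-05-29 21:21:00 UTC+0000
"""

class Proc(NamedTuple):
    offset: int   # physical offset of the process object (the -P column)
    name: str
    pid: int
    ppid: int

# A data row starts with a hex offset, then image name, PID, PPID; header and separator rows do not match.
_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b")

def parse_pslist(text: str) -> Dict[int, Proc]:
    """Map PID -> Proc for every data row of a pslist listing."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            procs[int(m.group(3))] = Proc(int(m.group(1), 16), m.group(2), int(m.group(3)), int(m.group(4)))
    return procs

def children(procs: Dict[int, Proc], pid: int) -> List[int]:
    """Direct children of `pid` in the process tree, i.e. rows whose PPID equals it."""
    return sorted(p.pid for p in procs.values() if p.ppid == pid)

def orphans(procs: Dict[int, Proc]) -> List[int]:
    """PIDs whose parent is not in the listing: either the parent exited (normal for explorer.exe,
    started by userinit.exe which then exits) or it is missing, which merits a closer look."""
    return sorted(p.pid for p in procs.values() if p.ppid != 0 and p.ppid not in procs)

# DumpIt names its image hostname-YYYYMMDD-HHMMSS.raw, with the time in UTC.
_DUMPIT = re.compile(r"^(?P<host>.+)-(?P<date>\d{8})-(?P<time>\d{6})\.raw$")

def parse_dumpit_name(filename: str) -> Optional[Tuple[str, str, str]]:
    """Split a DumpIt file name into (hostname, 'YYYY-MM-DD', 'HH:MM:SS'); None if not DumpIt-style."""
    m = _DUMPIT.match(filename)
    if not m:
        return None
    d, t = m.group("date"), m.group("time")
    return (m.group("host"), f"{d[:4]}-{d[4:6]}-{d[6:]}", f"{t[:2]}:{t[2:4]}:{t[4:]}")
```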
  • 10. Tool: Sysinternals
    http://technet.microsoft.com/en-US/sysinternals
  • 11. Search
    Windows
    • strings NOME (ASCII and UNICODE by default)
    Linux
    • ASCII: strings -t d NOME > nome.txt
    • UNICODE: strings -t d -e l NOME > nome.txt
  • 12. Thank you
    francisco.m.luis@gmail.com