5. memory dump

1. Informática Forense e Reengenharia (Computer Forensics and Reengineering). Mestrado em Engenharia de Segurança Informática (Master's in Computer Security Engineering), Escola Superior de Tecnologia e Gestão, Instituto Politécnico de Beja. Francisco Luís. Summary: Memory Dump.

2. Tool: DumpIt, http://www.moonsols.com/ressources/
   Produces a .raw image of memory. File naming: hostname, date and UTC time.

3. Tool: FTK Imager, http://accessdata.com/support/adownloads ("Capture memory" option).

4. Tool: fmem, http://hysteria.sk/~niekt0/foriana/fmem_current.tgz
     tar -zxvf fmem_current.tgz
     cd /usr/local/fmem_1.6-0
     make
     make install
     dd if=/dev/fmem of=~/Desktop/memory.dd

5. Tool: Volatility, https://www.volatilesystems.com/default/volatility and http://code.google.com/p/volatility/
     volatility.exe imageinfo -f MEM_IMAGE.raw
   This gives us: suggested profiles; PAE (Physical Address Extension) status; hex offsets for the DTB (Directory Table Base), KDBG (short for _KDDEBUGGER_DATA64) and KPCR (Kernel Processor Control Region); time stamps; processor counts.
   Help: volatility.exe -h
   Supported: 32-bit Windows XP Service Pack 2 and 3; 32-bit Windows 2003 Server Service Pack 0, 1, 2; 32-bit Windows Vista Service Pack 0, 1, 2; 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0); 32-bit Windows 7 Service Pack 0, 1.

6. Connections (XP):
     volatility.exe --profile=WinXPSP3x86 connscan -f MEM_IMAGE.raw
     volatility.exe --profile=WinXPSP3x86 connections -f MEM_IMAGE.raw
   Connections (Vista, 2008 and 7):
     volatility.exe --profile=Win7SP1x86 netscan -f MEM_IMAGE.raw

7. Process list (shows PID and PPID, the Parent Process ID):
     volatility.exe --profile=Win7SP1x86 pslist -P -f MEM_IMAGE.raw

8. File list:
     volatility.exe --profile=Win7SP1x86 filescan -f MEM_IMAGE.raw

9. Dump the executable of one process (here PID 1656) from the image; note that the image name follows the DumpIt naming from slide 2 (hostname, date, UTC time):
     volatility.exe --profile=Win7SP1x86 -f FLPC-20120529-212118.raw -p 1656 procexedump -D output/

10. Tool: Sysinternals, http://technet.microsoft.com/en-US/sysinternals

11. Searching the image with strings:
   Windows: strings NAME (ASCII and UNICODE by default)
   Linux, ASCII: strings -t d NAME > name.txt
   Linux, UNICODE: strings -t d -e l NAME > name.txt

12. Thank you. [email protected]
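The two strings passes on slide 11 (ASCII with `strings -t d`, UTF-16LE with `strings -t d -e l`), reimplemented as an added Python example that is not part of the original slides. It runs over a constructed sample buffer rather than a real image, and the `search_strings` keyword filter goes slightly beyond the slide by merging both passes into one offset-sorted report.

```python
import re

# Constructed sample "memory image" (not a real dump): ASCII and UTF-16LE strings
# separated by binary noise, so both extraction passes have something to find.
SAMPLE_IMAGE = (
    b"\x00\x01\x02MZ\x90\x00"                          # noise; "MZ" is below the 4-char minimum
    + b"cmd.exe /c whoami\x00"                         # ASCII string at decimal offset 7
    + b"\xff\xfe"
    + "C:\\Users\\lab\\secret.txt".encode("utf-16-le")  # UTF-16LE string at offset 27
    + b"\x00\x00\x07\x08"
    + b"\x01abc\x02"                                   # only 3 printable bytes: filtered out
    + "192.168.1.10".encode("utf-16-le")               # UTF-16LE string at offset 82
)


def ascii_strings(data: bytes, min_len: int = 4):
    """Like `strings -t d FILE`: (decimal offset, text) for runs of printable ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4):
    """Like `strings -t d -e l FILE`: runs of printable ASCII stored as UTF-16LE
    (each character followed by a NUL byte), which the plain ASCII pass misses."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]


def search_strings(data: bytes, keyword: str, min_len: int = 4):
    """Merge both passes, tag each hit with its encoding, and keep only the hits
    containing `keyword` (case-insensitive), sorted by offset like a strings report."""
    hits = [(off, "ascii", s) for off, s in ascii_strings(data, min_len)]
    hits += [(off, "utf-16le", s) for off, s in utf16le_strings(data, min_len)]
    needle = keyword.lower()
    return sorted(h for h in hits if needle in h[2].lower())


if __name__ == "__main__":
    # An empty keyword matches everything: the equivalent of the full strings listing.
    for offset, encoding, text in search_strings(SAMPLE_IMAGE, ""):
        print(f"{offset:>8} {encoding:<8} {text}")
```

On a real image the same report shows why the slide runs strings twice: Windows paths, registry keys and user input are frequently stored as UTF-16LE and are invisible to the ASCII pass alone.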