New Physical Memory Imagers

During the last few weeks, three new physical memory imaging applications for the Microsoft Windows platform were released: WinEn by Guidance Software, mdd by ManTech and win32dd by Matthieu Suiche. All three applications employ a kernel driver in order to access the physical memory from Windows XP, Server 2003 and Vista.

WinEn

WinEn ships with Guidance Software's EnCase Forensic since version 6.11. The console application comes in two different versions for 32-bit and 64-bit editions of Microsoft Windows. Memory images are stored in the .E01 / Expert Witness format that is common to EnCase. Hence, the image contains some meta-data like an MD5 hash, a case number, and the examiner's name.

Parameters can be provided to WinEn through either a configuration file or command line options. Also, the program will prompt for required parameters.

There are three different compression levels. At level 2, WinEn yielded a compression ratio of about 50% on my test machine. Your mileage may vary, though. At level 0 the image is stored uncompressed. Besides the file header, which can be skipped easily, the file consists of several segments with checksums. This structure confuses most of the free memory analysis tools, like Volatility or PTFinder, which either expect a raw ("dd-style") format or a Microsoft crash dump (DMP).

So, usually your first step will be to convert the memory image into a raw format. This can be done through EnCase, of course. Alternatively one can use the free FTK Imager by AccessData or the ewfexport tool that comes with the free and open-source libewf. Please note that you need at least version libewf-beta-20080609 in order to read the meta-data of WinEn memory dumps.
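Before feeding an image to a raw-only tool, it helps to know which container you actually have. The following is an added example, not code from the original post or from any of the imagers it discusses: it recognises an EWF segment file by its signature, reads the segment number from the 13-byte EWF file header (8-byte signature, one fields-start byte, a little-endian 16-bit segment number, two fields-end bytes), recognises a Microsoft crash dump by its `PAGEDUMP`/`PAGEDU64` signature, treats everything else as raw, and checks that a multi-segment E01 set is complete before export. The sample headers are constructed, not captured from real images.

```python
"""Identify the container format of a Windows physical memory image before
handing it to a raw-only analysis tool.  Added example, not code from the
original post or from any of the imagers it discusses."""
import struct

# Expert Witness (EWF / .E01) segment files open with this 8-byte signature,
# followed by a 1-byte fields-start marker (0x01), a little-endian 16-bit
# segment number and a 2-byte fields-end marker (0x0000).
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
EWF_FILE_HEADER_LEN = 13
# Microsoft crash dumps open with one of these 8-byte signatures.
CRASHDUMP_SIGNATURES = (b"PAGEDUMP", b"PAGEDU64")


def identify_image(header: bytes) -> str:
    """Return 'ewf', 'crashdump' or 'raw' for the leading bytes of an image.

    'raw' is the fallback: a dd-style image has no signature of its own, so
    anything that is neither EWF nor a crash dump is treated as raw."""
    if header.startswith(EWF_SIGNATURE):
        return "ewf"
    if header[:8] in CRASHDUMP_SIGNATURES:
        return "crashdump"
    return "raw"


def ewf_segment_number(header: bytes) -> int:
    """Segment number (1 for .E01, 2 for .E02, ...) from an EWF file header.

    Raises ValueError if the header is not a well-formed EWF file header."""
    if len(header) < EWF_FILE_HEADER_LEN or not header.startswith(EWF_SIGNATURE):
        raise ValueError("not an EWF segment file")
    fields_start = header[8]
    (segment,) = struct.unpack_from("<H", header, 9)
    fields_end = header[11:13]
    if fields_start != 0x01 or fields_end != b"\x00\x00":
        raise ValueError("malformed EWF file header")
    return segment


def needs_conversion(header: bytes) -> bool:
    """True when the image must be exported to raw before tools that only
    read raw or crash-dump images (Volatility, PTFinder) will accept it."""
    return identify_image(header) == "ewf"


def check_segment_set(headers: list) -> bool:
    """Given the headers of every segment file of one EWF image set, confirm
    the set is complete and contiguous (1..n) so nothing is lost on export."""
    numbers = sorted(ewf_segment_number(h) for h in headers)
    return numbers == list(range(1, len(numbers) + 1))


# Constructed sample headers (not captured from real images).
EWF_SAMPLE = EWF_SIGNATURE + b"\x01" + struct.pack("<H", 1) + b"\x00\x00" + b"\x00" * 16
EWF_SAMPLE_SEG2 = EWF_SIGNATURE + b"\x01" + struct.pack("<H", 2) + b"\x00\x00" + b"\x00" * 16
CRASHDUMP_SAMPLE = b"PAGEDUMP" + b"\x00" * 24
RAW_SAMPLE = b"\x00" * 32  # a raw image simply starts with the contents of physical page 0

if __name__ == "__main__":
    for name, sample in (("E01", EWF_SAMPLE), ("DMP", CRASHDUMP_SAMPLE), ("dd", RAW_SAMPLE)):
        verdict = "convert first" if needs_conversion(sample) else "usable as is"
        print(name, identify_image(sample), verdict)
    print("segment set complete:", check_segment_set([EWF_SAMPLE, EWF_SAMPLE_SEG2]))
```

The conversion itself is still done with one of the tools named above (EnCase, FTK Imager or ewfexport); this check only tells you whether that step is needed and whether all segments of the set are present before you start it.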

Please see also the highly informative blog posts on WinEn by Lance Muller and Richard McQuown.

mdd

Until now, all driver-based memory imagers were commercial software. Ben Stotts of ManTech has released a program that claims to be "the only free and open tool for capturing memory on Windows Vista and 2003 Server". The tool is available at Sourceforge.

Unfortunately, the sources of the kernel-mode driver are missing from the package. The usual license document is missing, too, though the project summary at Sourceforge states it's under GPL.

Seemingly, version 1.0 of mdd was compiled with debug switches in effect. The binary's assembly manifest refers to the debug version of the VC80 CRT. Unfortunately, this version of the CRT DLL may not be redistributed freely. So, most users will be greeted either by an error reading "The system cannot execute the specified program." (XP, at the console prompt) or by a dialog box suggesting to reinstall the application (XP, when launched from the Explorer). A good explanation can be found in Junfeng Zhang's blog.
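The dependency that breaks the start-up is declared in the executable's embedded side-by-side manifest, which is stored as plain XML text, so it can be checked without running the program. The following is an added example, not code from the original post or from the mdd project: it pulls every `<assembly>` manifest out of a binary, lists the assemblies it declares as dependencies, and flags any whose name marks it as a debug CRT (`Microsoft.VC80.DebugCRT` versus the redistributable `Microsoft.VC80.CRT`). The two sample "binaries" are constructed in `make_sample_binary` (an MZ header, filler and one manifest with a placeholder version); a real file is scanned with `scan_file`.

```python
"""Scan a Windows executable for its embedded side-by-side (SxS) manifest and
flag dependencies on debug CRT assemblies.  Added example; not code from the
original post or from the mdd project."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# An embedded manifest is stored as plain XML text in the RT_MANIFEST resource,
# so a byte-level search for the <assembly> element finds it without a PE parser.
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)
NS = "{urn:schemas-microsoft-com:asm.v1}"


def extract_manifests(data: bytes) -> list[str]:
    """Return every manifest document found in the binary, decoded as UTF-8."""
    return [m.decode("utf-8", "replace") for m in MANIFEST_RE.findall(data)]


def dependent_assemblies(manifest_xml: str) -> list[str]:
    """Names of all assemblies the manifest declares as dependencies."""
    root = ET.fromstring(manifest_xml)
    names = []
    for dep in root.iter(NS + "dependentAssembly"):
        ident = dep.find(NS + "assemblyIdentity")
        if ident is not None and ident.get("name"):
            names.append(ident.get("name"))
    return names


def debug_crt_dependencies(data: bytes) -> list[str]:
    """Dependencies whose name marks them as a debug CRT, e.g.
    Microsoft.VC80.DebugCRT.  A non-empty result means the binary will not
    start on a machine that lacks the non-redistributable debug DLLs."""
    return [
        name
        for manifest in extract_manifests(data)
        for name in dependent_assemblies(manifest)
        if "debug" in name.lower()
    ]


def scan_file(path: str) -> list[str]:
    """Convenience wrapper: scan an executable on disk."""
    with open(path, "rb") as fh:
        return debug_crt_dependencies(fh.read())


def make_sample_binary(assembly_name: str) -> bytes:
    """Constructed stand-in for a PE file: an MZ header, filler and one
    manifest.  The version attribute is a placeholder, not a real CRT version."""
    manifest = (
        "<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\n"
        "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\n"
        "  <dependency>\n"
        "    <dependentAssembly>\n"
        f"      <assemblyIdentity type='win32' name='{assembly_name}' "
        "version='0.0.0.0' processorArchitecture='x86' />\n"
        "    </dependentAssembly>\n"
        "  </dependency>\n"
        "</assembly>\n"
    ).encode("utf-8")
    return b"MZ" + b"\x90" * 64 + manifest + b"\x00" * 64


DEBUG_BUILD = make_sample_binary("Microsoft.VC80.DebugCRT")
RELEASE_BUILD = make_sample_binary("Microsoft.VC80.CRT")

if __name__ == "__main__":
    for label, blob in (("debug build", DEBUG_BUILD), ("release build", RELEASE_BUILD)):
        flagged = debug_crt_dependencies(blob)
        print(label, "->", flagged or "no debug CRT dependency")
```

Running this over the imager before deploying it to a target machine tells you in advance whether it carries the debug-CRT dependency described above; the check is deliberately a text search rather than a full PE resource walk, which keeps it independent of any PE-parsing library.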

For further information please see also the announcement and clarifications by Jesse Kornblum.

06/18/2008: Version 1.1 of mdd fixes the aforementioned issues: the program now runs without the debug DLL, the driver source is available and the package also contains a copy of the GPL v3.

win32dd

The author of the third program, Matthieu Suiche, claims that his win32dd "is the only 100% open-source tool to capture memory under Win2k3 or Vista". Obviously, this is a little jab at the missing driver sources in ManTech's mdd package.

The driver reports diagnostic information through the kernel's debug output facility where it can be received by DebugView, for example. Sample output is available here.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.