Scanning for File Objects

The Microsoft Windows kernel represents an opened file by a _FILE_OBJECT structure. With some help from the Microsoft Debugger, the object type information for files, and the Volatility memory analysis framework, crafting a file object scanner is an easy task. Because such a scanner works on the pool allocations themselves rather than on handle tables or linked lists, it may reveal files even when a rootkit hides them.

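As an added illustration of the scanner idea (my own example, not code from the post or from Volatility), the following Python script scans a raw memory image for the pool tag of file objects, locates the _OBJECT_HEADER and _FILE_OBJECT inside each allocation, and applies the sanity checks a practitioner would want before trusting a hit. The structure layout (pool header bitfields, the 0x18-byte object header, the 0x70-byte file object with FileName at 0x30, and the tag "Fil\xe5") is assumed for 32-bit Windows XP SP2/SP3 as documented by the public Volatility profile; the sample image, the object type pointer and the identity-window address translation are constructed for the demonstration and are not real data.

```python
import struct

# Layout assumptions (32-bit Windows XP SP2/SP3, per the public Volatility
# profile).  Verify with `dt nt!_POOL_HEADER`, `dt nt!_OBJECT_HEADER` and
# `dt nt!_FILE_OBJECT` in the Microsoft debugger before using other kernels.
POOL_HEADER_SIZE = 8        # _POOL_HEADER: one ULONG of bitfields + PoolTag
OBJECT_HEADER_SIZE = 0x18   # _OBJECT_HEADER sits directly in front of the body
FILE_OBJECT_SIZE = 0x70     # sizeof(_FILE_OBJECT); also stored in its Size field
FILE_NAME_OFFSET = 0x30     # _FILE_OBJECT.FileName, a _UNICODE_STRING
IO_TYPE_FILE = 5            # _FILE_OBJECT.Type of a genuine file object
FILE_POOL_TAG = b"Fil\xe5"  # "File" with the protected-allocation bit set
IMAGE_SIZE = 0x2000         # size of the constructed sample image


def parse_pool_header(image, off):
    """Decode the XP x86 _POOL_HEADER bitfields at physical offset `off`."""
    bits, tag = struct.unpack_from("<I4s", image, off)
    return {
        "previous_size": bits & 0x1FF,        # 9 bits, in 8-byte units
        "pool_index": (bits >> 9) & 0x7F,     # 7 bits
        "block_size": (bits >> 16) & 0x1FF,   # 9 bits, in 8-byte units
        "pool_type": (bits >> 25) & 0x7F,     # 7 bits; 0 marks a freed chunk
        "tag": tag,
    }


def parse_file_object(image, obj_hdr, body, translate):
    """Read _OBJECT_HEADER and _FILE_OBJECT; None if the body is not a file."""
    pointer_count, handle_count, type_ptr = struct.unpack_from("<III", image, obj_hdr)
    ftype, fsize = struct.unpack_from("<HH", image, body)
    if ftype != IO_TYPE_FILE or fsize != FILE_OBJECT_SIZE:
        return None
    length, max_length, buffer_va = struct.unpack_from("<HHI", image, body + FILE_NAME_OFFSET)
    name = None
    # FileName.Buffer is a kernel virtual address; only dereference it when
    # the caller supplies a virtual-to-physical translation.
    if translate is not None and 0 < length <= max_length:
        phys = translate(buffer_va)
        if phys is not None and phys + length <= len(image):
            name = image[phys:phys + length].decode("utf-16-le", "replace")
    return {"object_header": obj_hdr, "body": body, "pointer_count": pointer_count,
            "handle_count": handle_count, "type_pointer": type_ptr,
            "name_va": buffer_va, "name": name}


def scan_file_objects(image, translate=None):
    """Pool-tag scan: find every in-use allocation tagged as a file object.

    Nothing here depends on handle tables or kernel lists, which is why the
    approach still finds objects a rootkit has unlinked or hidden.
    """
    min_blocks = (POOL_HEADER_SIZE + OBJECT_HEADER_SIZE + FILE_OBJECT_SIZE) // 8
    hits = []
    pos = image.find(FILE_POOL_TAG)
    while pos != -1:
        hdr_off = pos - 4                      # PoolTag is the second ULONG
        if hdr_off >= 0 and hdr_off % 8 == 0:  # pool chunks are 8-byte aligned
            hdr = parse_pool_header(image, hdr_off)
            chunk_end = hdr_off + hdr["block_size"] * 8
            # Optional headers (name, quota, ...) precede _OBJECT_HEADER, so the
            # body is located from the end of the chunk, not from its start.
            body = chunk_end - FILE_OBJECT_SIZE
            obj_hdr = body - OBJECT_HEADER_SIZE
            if (hdr["pool_type"] != 0 and hdr["block_size"] >= min_blocks
                    and obj_hdr >= hdr_off + POOL_HEADER_SIZE and chunk_end <= len(image)):
                hit = parse_file_object(image, obj_hdr, body, translate)
                if hit is not None:
                    hit["pool_offset"] = hdr_off
                    hits.append(hit)
        pos = image.find(FILE_POOL_TAG, pos + 1)
    return hits


def build_sample_image():
    """Constructed image: one valid file object plus two decoys carrying the tag."""
    img = bytearray(IMAGE_SIZE)
    name = "\\WINDOWS\\system32\\drivers\\etc\\hosts".encode("utf-16-le")
    name_phys, name_va = 0x1000, 0xE1001000   # VA chosen to suit toy_translate()
    img[name_phys:name_phys + len(name)] = name
    blocks = (POOL_HEADER_SIZE + OBJECT_HEADER_SIZE + FILE_OBJECT_SIZE) // 8

    def pool_header(block_size, pool_type):
        return struct.pack("<I4s", (block_size << 16) | (pool_type << 25), FILE_POOL_TAG)

    chunk = bytearray(pool_header(blocks, 1))                        # in-use chunk
    chunk += struct.pack("<III", 1, 1, 0x8A5B1AD8) + bytes(OBJECT_HEADER_SIZE - 12)
    fobj = bytearray(FILE_OBJECT_SIZE)
    struct.pack_into("<HH", fobj, 0, IO_TYPE_FILE, FILE_OBJECT_SIZE)
    struct.pack_into("<HHI", fobj, FILE_NAME_OFFSET, len(name), len(name) + 2, name_va)
    img[0x800:0x800 + len(chunk) + len(fobj)] = chunk + fobj
    img[0xA00:0xA08] = pool_header(blocks, 0)   # decoy: freed chunk, same tag
    img[0xC03:0xC07] = FILE_POOL_TAG            # decoy: tag bytes, unaligned
    return bytes(img)


def toy_translate(va):
    """Constructed identity window (VA 0xE1000000 -> physical 0).  A real image
    needs a page-table walk, which Volatility performs for you."""
    phys = va - 0xE1000000
    return phys if 0 <= phys < IMAGE_SIZE else None


if __name__ == "__main__":
    for h in scan_file_objects(build_sample_image(), toy_translate):
        print("pool 0x%x body 0x%x handles %d name %r"
              % (h["pool_offset"], h["body"], h["handle_count"], h["name"]))
```

The two decoys show why the checks matter: a freed chunk keeps its tag but has PoolType 0, and tag bytes embedded in data land at unaligned offsets. On a real image the Type pointer in the object header can additionally be compared against the _OBJECT_TYPE for files enumerated with the debugger, which is the object type information the post refers to.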

Enumerate Object Types

There are many ways to enumerate the various object types of the Microsoft Windows kernel. In this short post, I'm going to present the Microsoft debugger, Sysinternals WinObj and a Volatility plugin.


Kernel Objects

The Microsoft Windows kernel is object-oriented. Files, processes, threads - everything is an object, and all of these kernel objects share a common data structure and interface. In this post we'll have a look at how objects are created by the kernel and how they are stored in memory.


PTFinder for Windows Vista

Several people requested an update of PTFinder for the Microsoft Windows Vista platform. The changes to support kernel version 6.0.6000.16386 were not trivial. I've added a BETA version to the PTFinder Collection.


win32dd Version 1.1

Matthieu Suiche has released version 1.1 of win32dd, his memory imaging software. From this version on, the userland part of the program terminates after the driver has completed the memory image. This eases scripting a lot.

MDD Version 1.3

Benjamin Stotts and ManTech just released version 1.3 of mdd, an open-source memory acquisition tool for the Microsoft Windows platform. Unfortunately there is no changelog this time, but the package now contains a driver for 64-bit Windows. The driver appears to be unsigned, so it will probably not load on the 64-bit editions of Windows Vista and Server 2008, which enforce kernel-mode code signing. mdd is available for download at Sourceforge.

ISSE 2008

I'm pleased to announce my talk about the State of the Art in Windows Memory Forensics on October 8, 2008 at the ISSE 2008 Conference in Madrid, Spain. In this 30 minute talk, I will cover the recent advances in Windows Memory Analysis like new memory imaging techniques, analysis tools like Volatility, and the integration of memory analysis into the forensic process. Please see the official website to learn more about ISSE.

2008-10-09: Due to circumstances beyond my control, I had to cancel my talk on short notice. I apologize to all attendees and the organizers. My slides are available here.

MDD Version 1.2

Version 1.2 of the memory imager mdd has been released. According to the change log, this version has been statically compiled. So, from this version on, you don't have to provide msvcr80.dll. The new version is available for download at Sourceforge.

Volatility Version 1.1.2

Volatile Systems has released version 1.1.2 of their memory analysis software Volatility. This is mainly a bug-fix release. It supports Microsoft Windows XP SP2 and SP3.

Impact of Volatile Data Collection

The paper Acquiring Volatile Operating System Data Tools and Techniques by Iain Sutherland, Jon Evans, Theodore Tryfonas and Andrew Blyth assesses the capabilities and the impact of several tools that are commonly used in live response and memory acquisition. The article appeared in the ACM SIGOPS Operating Systems Review, April 2008. Unfortunately, access is not free.
