The memdump command from Volatility can be used to extract all memory pages corresponding to a process. In the resulting dump we can search for objects based on their signatures. The dump could also be mounted as a virtual disk and searched with specialized forensic software, like EnCase, that recognizes and extracts objects easily from a database of signatures.
For some file types it’s easy to search manually and extract them because they are defined by a header and a trailer (e.g. JPEG files always start with the magic number 0xFF D8 FF followed by E0, E1, E2, E3, E8 or DB and end with 0xFF D9). For others, their header must be parsed, length and other parameters extracted and then the content can be dumped. Some file types (Adobe PDF) can contain multiple end-of-file markers, so this is something that should be taken into account.
We’ll take a look at the memory pages of the main process of Chrome browser, the parent of the other spawned tabs:
Even though analysing memory dumps can’t solve many problems by itself, it can offer quite a lot of information to work with and get a profile of the user’s activity. It’s a relatively new field and still new things are discovered, for the forensics to keep the pace with evolving anti-forensics techniques.
We’ll take a look at the memory pages of the main process of Chrome browser, the parent of the other spawned tabs:
c:\>volatility.exe -f win32dd_mem_dump250612.bin –profile=WinXPSP3x86 pslist | grep -i chrome 0x89fff388 chrome.exe 680 2732 29 1738 2012-06-25 10:58:40 0x8a1d3338 chrome.exe 1140 680 7 93 2012-06-25 10:58:50 0x8a000da0 chrome.exe 304 680 7 94 2012-06-25 10:58:51 [ . . . ]The second column represents the PID and the third one the parent PID. We’ll use it to dump the process memory. The following command will create a 500 MB dump file called PID.dmp in the specified folder:
c:\>volatility.exe -f win32dd_mem_dump250612.bin –profile=WinXPSP3x86 memdump -p 680 -D dmp/Next we proceed to extraction of different objects from here. I’ve made a python proof of concept script (extract_jpg.py) to detect JPEG images based on header magic number and the trailer. The main purpose of this would be to detect forensic evidence regarding user activity in all or just specific processes. Another thing that can be detected is the presence of some malware that periodically makes captures of the screen, compresses them and send them through the network. Spyware programs aim to capture un-sniffable authentication information also, like passwords introduced from virtual on screen keyboards with the mouse instead of using the keyboard, as used by some online banking systems.
- Analysing the output file produced by memdump command for process 680 (with strings or BinText), we see clearly that some information from the half gigabyte outputted cannot belong to Chrome’s browser. But this is not a problem when scanning for objects in it.
- Running the mentioned extract_jpg.py script on the 680.dmp file produced around 250 jpeg images.
> python extract_jpg.py 680.dmp Found possible jpeg header at 0x1562000 Found possible jpeg trailer at 0x1563931 Found possible jpeg header at 0x15ee480 Found possible jpeg trailer at 0x15ee8e9 [ . . . ]
- When viewing the images with an external editor, we detect the presence of unexplainable small (212x132 pixels) screen captures of the browser window. This may be just a false alarm (as the images are very small, almost undistinguishable, and most login fields don’t show the password), but it still raises some questions.
Even though analysing memory dumps can’t solve many problems by itself, it can offer quite a lot of information to work with and get a profile of the user’s activity. It’s a relatively new field and still new things are discovered, for the forensics to keep the pace with evolving anti-forensics techniques.
Amazing what info can you find if you look for it. I was looking for something like that man. But are you sure you that you can dump the memory from process using just volatility ?
ReplyDeleteThis is what that command did. After manually looking through that dump from that specific process 680, I saw that not all of it belongs to chrome process, but much of it is that process' memory. It's pretty advanced volatility and there are great new tutorials on it from the guys that develop it.
ReplyDeleteproblem any java class file ?
ReplyDeleteFollowed this tutorial to extract some images from a DRM'ed eBook and it worked splendidly. Really opened my eyes to the possibilities of digging around in process dumps with knowledge of file headers. Thanks!
ReplyDeleteNote to anybody trying it: Use Python 2.7~. Python 3.x seems to have completely lost its shit and changed everything so the extract images script would have to be rewritten.
Hi
ReplyDeleteI have created a windows application for extracting images from memory dump. Not only images, it can extract any kind of files from memory dump. You can get it from my site http://www.techipick.com/forensics-memdump-extractor
I had a look at your website and it says that it supports only Windows. Are you also going to release it for linux systems also?
DeleteThis is a brilliant blog! I'm very happy with the comments!.. Extract pictures from microsoft word
ReplyDeleteGod of War Benzeri Oyunlar
ReplyDeleteAsetto Benzeri Oyunlar
Dream League Soccer Benzeri Oyunlar
Days Gone Benzeri Oyunlar
TFT Benzeri Oyunlar
UED84R
salt likit
ReplyDeletesalt likit
dr mood likit
big boss likit
dl likit
dark likit
Q78A
Litvanya yurtdışı kargo
ReplyDeleteLüksemburg yurtdışı kargo
Macaristan yurtdışı kargo
Malta yurtdışı kargo
Polonya yurtdışı kargo
X5NQ
Afyon
ReplyDeleteAntalya
Erzurum
Mersin
izmir
78X
Malatya
ReplyDeleteKırıkkale
Aksaray
Bitlis
Manisa
V2R8T
görüntülüshow
ReplyDeleteücretli show
DPCLH
https://titandijital.com.tr/
ReplyDeleteısparta parça eşya taşıma
ankara parça eşya taşıma
izmir parça eşya taşıma
diyarbakır parça eşya taşıma
0ZN3E
giresun evden eve nakliyat
ReplyDeletebalıkesir evden eve nakliyat
maraş evden eve nakliyat
kastamonu evden eve nakliyat
kocaeli evden eve nakliyat
A638GC
1EB25
ReplyDeleteAmasya Lojistik
Kocaeli Parça Eşya Taşıma
Aksaray Lojistik
Ağrı Lojistik
Kırklareli Evden Eve Nakliyat
0DF36
ReplyDeleteTwitter Beğeni Hilesi
Bitcoin Nasıl Üretilir
Bitranium Coin Hangi Borsada
Parasız Görüntülü Sohbet
Coin Kazma Siteleri
Bitcoin Çıkarma Siteleri
Binance Referans Kodu
Bitcoin Kazanma
Sui Coin Hangi Borsada
تسليك مجاري بالاحساء KyfZba7U9Q
ReplyDeleteشركة تنظيف شقق بالجبيل 4VVTMpy4xs
ReplyDelete