LINUX & CYGWIN - Memory Dump Across Network via NETCAT / SSH - foremost - volatility

First use the Memory Dump Across network with wmr piped to netcat or wmr piped ssh to get the memory dump. Then analyze the memory dump with foremost or volatility. Foremost for files.

MEMORY DUMP ACROSS NETWORK
##########################

On Windows: Install Cygwin, and copy WMR (windows memory reader 1.0) memory diagnostic into cygwin\bin folder, also install cygwins netcat and ssh (openssh). I recommend installing apt-cyg and running "

http://www.cygwin.com/install.html (note install takes forever even if you dont select alot of packages, its wierd, I only select the following packages: wget,tar,qawk,bzip2,subversion,vim [some of those will not appear in the list thats okay, they are part of the base system so just skip em], then i install apt-cyg, https://code.google.com/p/apt-cyg/ which allows me to install anything from the cygwin repository using typical "apt-cyg install [program name]", wmr is not part of the package system, so you need to download it below)

http://cybermarshal.com/index.php/cyber-marshal-utilities/windows-memory-reader - extract the file wmr.exe into your cygwins bin directory

On Linux: Have an SSH Server and netcat installed (netcat only from the WITH NETCAT section)

WITH NETCAT
###########


ON LINUX
--------

Setup a listening server

WITH PV:
# nc -l -vvv -p 8888 | pv -s `echo "8 * 1024 * 1024 * 1024" | bc` > CEO-8gb-RAM.dd

NO PV:
# nc -l -p 8888 > CEO_8gb-RAM.dd

WHERE: -p 8888 is the tcp port that must be forwarded from router to the Linux machine, where 8 * 1024 * 1024 * 1024 is the RAM in bytes, change the 8 to how many gigs of ram you have, CEO-8gb-RAM.dd is the name of the saved file. In 

this case it saves file to the current working directory can check with 'pwd' command.

ON WINDOWS
----------

Open cygwin:
# wmr - | nc 10.11.12.21 8888

SIMPLEST FORM:
LINUX:# nc -l -p 8888 >  FileToSave.dd
WINDOWS:# wmr - | nc 10.11.12.21 8888


WITH SSH
########

ON WINDOWS
----------

WITH PV - progress bar:
First get the size of your ram in bytes, open cmd or cygwin and type "wmic memorychip get capacity" to get the sizes in bytes of all the memory chips...

# wmic memorychip get capacity
Capacity
4294967296
8589934592

SIZEOFMEM=`echo "4294967296 + 8589934592" | bc`
# wmr - | pv -s $SIZEOFMEM | ssh -p 40004 -C root@savelocation.com "cat - > /forensics/T430-8gb-RAM.dd"

Or manually figure out what 4294967296 + 8589934592 is.. in this case its 12884901888 bytes
# wmr - | pv -s 12884901888 | ssh -p 40004 -C root@savelocation.com "cat - > /forensics/T430-8gb-RAM.dd"

WITHOUT PV:
# wmr - | ssh -p 40004 -C root@savelocation.com "cat - > /kostia/forensics/T430-8gb-RAM.dd"

ALSO CAN DO WITH FASTEST ENCRYPTION:
# wmr - | pv -s 12884901888 | ssh -p 40004 -c arcfour,blowfish-cbc -C root@savelocation.com "cat - > /forensics/T430-8gb-RAM.dd"

# wmr - | pv -s $SIZEOFMEM  | ssh -p 40004 -c arcfour,blowfish-cbc -C root@savelocation.com "cat - > /forensics/T430-8gb-RAM1.dd"

NOTE: in this case port 40004 tcp on savelocation.com forwards to my Linux box port 22 which is the ssh server

SIMPLEST FORM:
WINDOWS: # wmr - | ssh root@savelocation.com "cat - > /tmp/FileToSave.dd"


ONCE YOU HAVE IMAGE
###################

You can use programs like volatility and foremost to extract information

To Extract Info From Memory Dump Use:

----------
Volatility
----------


Download the latest tar.gz
And extact it, and run the script like this

# python vol.py [commands]

Example uses:

# python vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo


--------------------------
Foremost - file extraction
--------------------------

# apt-get install foremost
# cd /whereimageisat
# foremost -t all -T -i CEO-8gb-RAM.dd

-T makes a folder with output date, -t all tries to get all data
Or can do -t jpg, -i points at file

BONUS SCRIPT:
############

Make sure all your dumps have a dot anything extension i prefer .dd or .iso

Let say  you save all of your memory dump images in one directory called /forensics. And you would like to foremost all the files there at once, given all the files in /forensics are memory dumps, or dds of filesystems...

cd /forensics

for i in *; do echo "WORKING ON: $i"; FN=`echo $i | cut -d'.' -f1`; echo "  making dir $FN"; mkdir $FN; cd $FN; echo "  foremosting begun @ `date`"; (foremost -t all -i ../$i > /dev/null 2>&1); cd ..; done;

If I wanted to get just files that began with boom xp and vista
Like I had a boom123.iso boom123-xp.iso vista-michigan.iso xp-minesota.dd, the following would work:

cd /forensics

for i in boom* xp* vista*; do echo "WORKING ON: $i"; FN=`echo $i | cut -d'.' -f1`; echo "  making dir $FN"; mkdir $FN; cd $FN; echo "  foremosting begun @ `date`"; (foremost -t all -i ../$i > /dev/null 2>&1); cd ..; done;

--sample output:--
WORKING ON: boomer-win2003-2006-03-17.img
  making dir boomer-win2003-2006-03-17
  foremosting begun @ Fri May 31 00:42:50 PDT 2013
WORKING ON: boomer-win2k-2006-02-27-0824.img
  making dir boomer-win2k-2006-02-27-0824
  foremosting begun @ Fri May 31 00:43:25 PDT 2013
WORKING ON: xp-laptop-2005-06-25.img
  making dir xp-laptop-2005-06-25
  foremosting begun @ Fri May 31 00:44:03 PDT 2013
WORKING ON: xp-laptop-2005-07-04-1430.img
  making dir xp-laptop-2005-07-04-1430
  foremosting begun @ Fri May 31 00:44:31 PDT 2013
WORKING ON: vista-beta2.img
  making dir vista-beta2
  foremosting begun @ Fri May 31 00:45:00 PDT 2013

BONUS SCRIPT REVAMPED
#####################

Make sure all your dumps have a dot anything extension i prefer .dd or .iso

Put the following script in the /forensics folder

# touch memdumpscript
# chmod +x memdumpscipt
# vi memdumpscript
#!/bin/bash
INPUT1=$1
echo Goals: $INPUT1
for i in $INPUT1; do echo "WORKING ON: $i"; FN=`echo $i | cut -d'.' -f1`; echo "  making dir $FN"; mkdir $FN; cd $FN; echo "  foremosting begun @ `date`"; (foremost -t all -i ../$i > /dev/null 2>&1); echo "  exit status of foremost: $?"; echo "  finished @ `date`";  cd ..; done;

Now if you have the following:

/forensics/memdumpscript
/forensics/computer1dump.dd
/forensics/computer2dump.dd
/forensics/compram16gb.dd
/forensics/sallypc.dd

You can cover all of the foremosts like this

./memdumpscript "comp* sally*"

The end result will be:

/forensics/computer1dump/output/ <- foremost dump in there
/forensics/computer2dump/output/ <- foremost dump in there
/forensics/compram16gb/output/ <- foremost dump in there
/forensics/sallypc/output/ <- foremost dump in there

It uses bash completion :-)
Comments