Wednesday, November 7, 2007

Extract MFT records from Memory dump

I have been following the development of several tools to extract evidence from memory dumps of live machines. There have been several tools developed to assist with this, including several listed on Andreas Schuster's blog.

Traditionally, examiners would run the "strings" command against collected memory dumps (if they had them) and that was it. In the past two years some tools have been developed and showcased during the DFRWS and other various conferences. Some of the tools attempt to extract the running process list from the captured memory.

I decided to start developing some tools in EnScript to extract information from memory dumps. I have 'tools' in mind that I want to develop and this is the first one. This EnScript will search any selected (blue checked) file in EnCase for MFT records, based on the MFT record header of FILE* or FILE0. Once found, the EnScript will attempt to parse out the Standard Information Attribute for the timestamps associated with the file/folder and then all Filename Attributes for the name of the file and the associated timestamps stored in the Filename Attribute. The idea behind this EnScript is that there may be MFT records in memory (typically thousands) that are of interest to you, such as malware or hacking tools, etc.

Any successfully parsed records will be written to the console and also bookmarked.

How it works:
Typically, memory dumps are collected as one large 'dump' or file that contains the contents of memory. If you add that file into EnCase (drag and drop into an open case), then select that one file and run the EnScript, all parsed records will be displayed in the console and bookmarked.

What it collects:
It currently parses any found MFT records for the Standard Information Attribute data and also the data contained in the Filename Attribute, including the filename and associated timestamps.

What is does not parse:
The EnScript currently does not parse out directory entry contents. Each directory has its own MFT record (which will be parsed), but the contents of that directory is either stored as resident data in the MFT record or as non-resident data in a INDX buffer. Currently this EnScript does not parse and display the contents of directories.

Written for EnCase v6

Download Here

4 comments:

Paul Wednesday, 14 November, 2007  

What do you recommend to capture memory? The venerable modified DD is not available for free anymore :(

Paul Bobby

Lance Mueller Wednesday, 14 November, 2007  

Well, you can still use the version that is floating around out there on the Internet. The problem is it does not work for Windows 2003 (>=sp1) or Vista because the \\.\PhysicalMemory pipe is not accessible like it was in the past.

I would recommend KnTTools by George Garner at http://www.gmgsystemsinc.com/knttools/. They are not free, but its one of the only viable solutions at this point.

Mark Wednesday, 30 June, 2010  

Hello,

I know I am a little late to the game on this, but I just ran this enpack against three memory dumps, one dd file and two vmware vmem files. The enpack output in the console was "A total of 0 search hits were processed, but only 0 valid MFT records were parsed". That is odd, but I used volatility to pull out other file information. Any thoughts or suggestions?

Thanks.

Lance Mueller Wednesday, 30 June, 2010  

Mark,

Can you contact me directly? Lance(at)forensickb.com

Lance

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles