Friday, February 15, 2008

New Docs at SWGDE

The Scientific Working Group on Digital Evidence (SWGDE) has released some new documents, the most notable of which are the Vista Technical Notes, and the document on "Live Capture".

The document on Live Capture was very interesting! At only 5 pages in length (the first page is formal disclaimer stuff...), there isn't a whole lot of detail, and the timeliness of the document may be questionable, but the point is that the document does reference the benefits of performing "live capture"...a term which encompasses three different activities. The document spends only a small paragraph discussing RAM dumps, and in that paragraph refers to "DD" as a software tool that can be used for collecting the contents of memory...on Windows systems, this is no longer the case (unless you have an old copy of the version of dd.exe sitting around). Further, this article in the Forensic Magazine mentions the use of dcfldd (version 1.3.4 was reportedly used when writing the article) to dump RAM from a Windows system...however, the command line listed in the article no longer seems to work (although for some odd reason, on a Windows XP SP2 system, replacing "\\.\PhysicalMemory" with "/dev/mem" seems to get something). Oddly enough, the document doesn't mention ProDiscover (which had the ability to collect RAM and volatile data before EnCase), nor does it mention Nigilant32.

The section of the document that addresses live acquisition is also extremely short and bereft of any real content...I'd love to know what "careful planning" they are referring to, just as I'm sure others reading the document who've never done a live acquisition must be wondering.

But hey...don't get me wrong...I think it's a great thing that the document is out. The more these techniques and methodologies are discussed and presented, the more likely they are to be used and then become part of standard procedures.

3 comments:

Anonymous said...

Just got the SWEDGE document on live acquisition. To say that it's superficial would be generous. Concerning Vista RAM, am I still correct in understanding that George Garner's tool is the only one documented to work? Of course, one still can harvest a good deal of worthwhile information by tackling Vista live, but leaving RAM aside.

H. Carvey said...

To the best of my knowledge, Garner's tool is still the only one that will allow you to dump RAM from any Win2K3 SP1 and above system. I had heard rumors a while ago that something was going to be added to Helix 2.0, which was due out at the end of the '07...but nothing definitive.

Anonymous said...

Check out Responder (www.hbgary.com) - those guys are carving all service packs of win2k and XP and recovering all open files/regkeys/sockets/drivers - a ton of internal structures. And, I heard they just signed an exclusive deal w/ Guidance.