2010-11-18

Taking a dump of PC memory

This article describes some ways to take a raw memory dump of a Windows PC.



Why bother?


Why is this important?

Memory forensics has garnered a lot of interest in the past year or so. Some reasons are:
  • Malware can live in memory without ever touching the disk.
  • Disks are growing in size to the point where taking a raw image of a disk can take a long time, even when this is an ordinary PC disk.
  • Memory forensics is a good way to detect and investigate possible rootkit infection.

So the new Incident Response (IR) mantra is becoming: “Don’t do anything, don’t touch the host, take a forensic image of the OS memory.”

The Moonsols Memory Toolkit


One good way to do this is the Moonsols Memory Toolkit.
There are two versions: The (free but constrained) Community Edition, and the Pro Edition.

Here is the link for the software: http://www.moonsols.com/component/jdownloads/view.download/3/2
Note that there are two flavours: 32-bit and 64-bit. You need the correct version for the hardware you will be running on.

Ways of using the software


Basically the utility can be executed from anywhere as long as the driver win32dd.sys is located in the same directory as the main executable win32dd.exe.

So one way would be to insert a USB flash drive or Read-only CD with these programs. Be aware that the action of inserting a USB could change the contents of the Windows Registry. (Note that considerations for taking a pristine, legally valid forensic image - and preserving chain of evidence - are beyond the scope of this article).
The programs could also be fired up remotely using Sysinternals psexec.

Run win32dd


As Administrator or equivalent, open a cmd shell and navigate to the directory with the win32dd utilities.
To see all the options:

win32dd –-help

Basically the defaults are usually fine.

Even with the community edition you can dump across the network to a Windows share. Or you could dump to some local storage (although that might have forensic implications).

Forensics considerations about integrity aside, a checksum is a good idea to ensure that the image was not corrupted somehow. For this use, MD5 will do.

In my test, “l:” was a file share on another PC. Both PCs were linked to the local Lan by (slow) Wifi. It took almost an hour to dump 3G across to the windows share (1 MB/sec throughput) onto the 2cd PC. So you might want to consider dumping locally to a USB flash key, or even to the local hard disk. In comparison, dumping to a USB flash key (same PC) took about 15 min.

Be sure that the driver win32dd.sys is in the same directory as the main executable win32dd.exe.

win32dd /r /s 2 /f l:my_pc_image

which gave the following:

2010-11-18 11-59-40

If it doesn’t work


Method 1: Clean up the registry and try moving the driver

If there is a strange message about not being able to load the driver, try cleaning the Registry on the target host of all references to win32dd. Then copy the “.sys” driver to %WINDIR%\System32 and try again.

Method 2: Use hiberfil.sys instead

A less intrusive approach would be to put the PC down, and then take a copy of hiberfil.sys instead (if it exists) using some liveCD distro.
Moonsols has a utility hibr2bin.exe that is included with their toolkit. This can be used to convert the hibernation file to a raw image dump. Note that the Professional Edition is required for Win7 hibernation file support.

Method 3: Force a Windows Crash Dump


This is described in detail here: http://msdn.microsoft.com/en-us/library/ff545499.aspx
Note that this works only for Win Server 2K3, 2K8, and Win7 (ie not XP).
First dump files must be enabled for the OS. Then a registry key is set to activate the feature (depending on the type of keyboard). The magic sequence by default is hold right CTL and then hit SCROLL Lock twice.

From MSDN:
  • With PS/2 keyboards, you must enable the keyboard-initiated crash in the registry. In the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters, create a value named CrashOnCtrlScroll, and set it equal to a REG_DWORD value of 0x01.

  • With USB keyboards, you must enable the keyboard-initiated crash in the registry. In the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters, create a value named CrashOnCtrlScroll, and set it equal to a REG_DWORD value of 0x01.
If you do manage to produce a full memory Windows crash dump, then Moonsols has a utility dmp2bin.exe to convert it to a raw memory image.

2 comments:

Rob Dewhirst said...

Method 4: Use ftkimager or Memoryze (free) or Helix Pro ($). I gave up on the moonsols utils (the community edition, anyway). The author suggests the same fixes as you suggest in Method 1. Never could get them to work.

Cindy Dy said...

I have a great fun reading your blogs. You are really a great writer. Thank you for making this beautiful and awesome blogs. Hope to read more post from you in the future. Please dont forget to visit me in my site @ www.imarksweb.org. Thank you.


Bess