【内存取证】基础知识（volatility内存取证）

内存取证是对传统磁盘取证的补充攻击者通过隐藏或删除攻击痕迹的手段使得传统的对硬盘的取证获得的信息变得越来越困难。同时磁盘中的数据加密技术也越来越普及比如 EFS、Bitlocker 和 TrueCrypt 加密等等此时就涉及到了内存取证内存取证是指从计算机物理内存和页面交换文件中查找、提取、分析易失性证据是对传统基于硬盘中数据取证的重要补充也是对抗网络攻击或网络犯罪的有力武器。内存取证有着速度快镜像占用空间小等优势。

内存取证的优势

符合传统物证技术的要求
内存取证能够评估计算在线证据的可信性
内存取证最大限度地减少对目标系统的影响

注意

内存镜像和磁盘分区镜像是不一样的。计算机内主要的存储部件是内存和磁盘磁盘中存储着各种数据而存储的程序是必须加载到内存中才能运行即程序在内存中运行。

磁盘分区镜像文件后缀有*.dd、*.E01、*. qcow2等。
内存镜像文件后缀有*.raw、*.mem、*.dd等。

二、运行内存镜像的获取

2.1 Windows内存镜像获取

当拿到嫌疑人电脑后有以下常见的获取物理内存的方法

1内存获取软件获取

2直接内存访问DMA方式获取.

在Windows电脑处于可进入系统桌面下可以使用内存获取软件获取内存镜像常见的内存获取软件有Dumplt、Magnet RAM Capture、AccessData FTK Image等。

2.1.1 Magnet RAM Capture获取内存镜像

运行软件后可选择分段大小之后选内存镜像保存路径点击“start”后软件自动获取物理内存镜像。

2.1.2 AccessData FTK Imager软件获取内存镜像

点击工具栏获取内存图标或选择“File”->“Capture Memory”。点击“Browse”选择内存镜像保存路径可自行修改内存镜像文件名称默认名称为“memdump.mem”。点击“Capture Memory”开始制作镜像制作完成后可在相应路径中找到制作的内存镜像文件。

2.1.3 DumpIt软件获取内存镜像

双击软件即可运行输入“y”即开始制作当前机器的内存镜像。内存镜像默认保存在“DumpIt软件所在的目录”镜像名格式默认为“主机名+当前时间”。

2.1.4 额外知识补充

断电情况下Windows还使用页交换文件Pagefile.sys来协助内存的工作当内存不满足系统所需的情况下会释放部分内存数据到Pagefile.sys文件中因此当设备断电后若无法拿到内存镜像可以通过分析Pagefile.sys文件获取有价值的内存数据。
休眠情况下当Windows系统处于休眠状态下系统会在磁盘中生成一个休眠文件Hiberfil.sys用于存放内存中的数据当计算机重新加电时又将休眠文件中的数据重新写到物理内存中这个文件也会包含很多价值的内存数据。

powercfg -a查询是否支持休眠
powercfg -h off,即可关闭休眠功能
powercfg -h on就能开启休眠功能。

2.2 Linux\Mac OS 下内存获取方法

LiMEGitHub - 504ensicsLabs/LiME: LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition. - GitHub - 504ensicsLabs/LiME: LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.https://github.com/504ensicslabs/lime (获取镜像)

lmg-masterGitHub - halpomeranz/lmg: Script for automating Linux memory capture and analysis 配合LiME获取镜像简化操作

将lmg-master内文件放入LiME的src文件夹运行sudo ./lmg 搞定。

三、内存信息取证与分析

3.1 volatility安装

Volatility Framework 是一个完全开放的内存分析工具集基于GNU GPL2 许可以python 语言进行编写。由于Volatility 是一款开源免费的工具无需花任何钱即可进行内存数据的高级分析此外代码开源的特点遇到一些无法解决的问题时还可以对源代码进行修改或扩展功能。Volatility官网https://www.volatilityfoundation.org/

3.1.1 Windows

直接官网安装Volatility 2.6 Release

解压后如下:

命令行打开进入到该目录运行volatility.exe命令格式请往下看

3.1.2 Linux

GitHub下载项目包GitHub - volatilityfoundation/volatility: An advanced memory forensics framework

解压项目包unzip volatility-master.zip

安装crypto依赖包pip install pycrypto

安装失败参考python2安装pycrypto_python2 pycrypto_xxL7-的博客-CSDN博客

安装distorm3依赖包pip install distorm3