Jul 22, 2015

Howto: Memory Acquisition for Forensic

Summary from: https://alexandreborgesbrazil.files.wordpress.com/2014/06/memory-acquisition_win_linux1.pdf

Memory Acquisition on Windows
  • DumpIt from MoonSols (http://www.moonsols.com/downloads/7) using DumpIT.exe
  • Memoryze from Mandiant/FireEye (https://www.mandiant.com/library/MemoryzeSetup3.0.msi) using MemoryDD.bat
Initial analysis with Mandiant's Redline (https://www.mandiant.com/library/Redline-1.12.msi)

Memory acquisition on  Linux System
  • https://code.google.com/p/lime-forensics/downloads/list
  • https://github.com/504ensicslabs/lime
    • Compile with make
    • Install kernel module with command
      • insmod lime-3.7-trunk-amd64.ko  "path=/media/external_drive/kali_memory_dump.bin   format=lime"
    • memory dump will save as /media/external_drive/kali_memory_dump.bin


Tools: PEframe - PEframe is a open source tool to perform static analysis on (portable executable) malware.

PEframe is a open source tool to perform static analysis on Portable Executable malware

Source:: https://github.com/guelfoweb/peframe

Tools: hacking-team-windows-kernel-lpe - exploit from the Hacking Team leak, written by Eugene Ching/Qavar.

This an exploit for CVE-2015-2426 (MS-078), a Windows kernel local privilege escalation 0day from the Hacking Team archive (email here). It was developed by Eugene Ching / Qavar security. Original contents below:

Windows kernel memory corruption exploit leading to privilege escalation.
Tested on Windows 8.1 fully-patched (as of 28 Jan 2015).
Also tested to work against:
  • Google Chrome, up to v40.0.2214.93 (64-bit); and
  • Google Chrome Canary, up to v42.0.2290.6 canary (64-bit)
assuming a suitable RCE in Chrome (simulated via injecting a thread into Chrome)

Source:: https://github.com/vlad902/hacking-team-windows-kernel-lpe