Archive for 30. March 2011

Volatile Memory and Logs

I wanted to post my experience with creating a volatile log and memory collector. I've created this batch script for collecting Windows operating system logs and, if desired, memory. Many of us (forensic examiners) are not taking memory or volatile logs as evidence, and once the system is powered down those logs are lost.

Right to it…I've rolled the script into an executable. The idea behind the script is to have it located on a thumb drive or any external media that is compatible with Windows. The executable can be extracted with your favorite compression program to take a look at the guts.

The script simply uses existing programs that were designed with collecting volatile data in mind. Hopefully I'm still within the usage agreements, but if not I'm sure someone will let me know.

When the program starts it lets you know how much RAM there is on the system. Ensure you're running with administrator-level privileges. If you want to collect the RAM it will use windd32.exe or windd64.exe. These versions are the community versions.

If you select yes to imaging RAM, the image will be placed on the root of the drive you ran the executable from.

If you select no it will continue and ask whether you wish to collect volatile data from the system.

Should you select no, which could be the case if you only wanted to collect RAM, then the program will end. If you select yes, the rest of the script runs automated.

The script will count down the items as it collects them. Speed depends on the system.

The list of items will indicate the information it is collecting or you can view it within the start_VS.cmd file.

Some of the information, you could say, is not that volatile and still remains on the hard drive, which is true. I like the ability to get to the important information quickly to make an assessment without waiting on the full forensic exam.

If you find I am not collecting something of value, I can most certainly add it.  Just let me know.

After completion the log contents will be compressed and remain on the drive you ran the executable from.  The volatile_snapshot directory will be removed.

The compressed log file is named <computername>_<time&date>.7z.

Extract the file and begin viewing the contents using the .REPORT.html file.
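To make the flow described above concrete, here is an added batch-script example written for this post; it is not the author's start_VS.cmd and does not reproduce its item list. It assumes 7za.exe (the 7-Zip command-line tool) and the windd32.exe/windd64.exe imagers sit beside the script on the external drive, that the script is launched from that drive, and that the built-in Windows commands it calls (systeminfo, tasklist, netstat, ipconfig, arp, net, schtasks, certutil, choice, wmic) are available. The imager's command-line arguments are not given on the page, so they appear as a labelled placeholder.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion
REM Illustrative volatile-snapshot collector (added example, not the post's start_VS.cmd).
REM Assumes 7za.exe and windd32.exe / windd64.exe sit next to this script and that
REM the script runs from the external drive that will hold the evidence.

set "BASE=%~dp0"
set "OUT=%BASE%volatile_snapshot"

REM Most collectors need elevation; stop early rather than write a half-empty snapshot.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this from an elevated ^(administrator^) prompt.
    exit /b 1
)

REM Report installed RAM so the examiner can confirm the image will fit on the drive.
for /f "tokens=2 delims==" %%m in ('wmic ComputerSystem get TotalPhysicalMemory /value') do set "RAM=%%m"
echo Physical memory on this system (bytes): !RAM!

REM Build a filesystem-safe timestamp of the form YYYYMMDD_HHMMSS.
for /f "tokens=2 delims==" %%d in ('wmic os get LocalDateTime /value') do set "DT=%%d"
set "STAMP=!DT:~0,8!_!DT:~8,6!"

REM Memory first: it is the most volatile item, and it goes to the root of our drive.
choice /c YN /m "Image physical memory to %BASE%"
if errorlevel 2 goto :ask_volatile
set "IMAGER=%BASE%windd32.exe"
if /i "%PROCESSOR_ARCHITECTURE%"=="AMD64" set "IMAGER=%BASE%windd64.exe"
REM PLACEHOLDER: the page does not give the imager's syntax; substitute your tool's arguments.
"!IMAGER!" REPLACE_WITH_IMAGER_ARGUMENTS "%BASE%%COMPUTERNAME%_!STAMP!.dmp"

:ask_volatile
choice /c YN /m "Collect volatile system data as well"
if errorlevel 2 goto :done

if not exist "%OUT%" mkdir "%OUT%"
set "REPORT=%OUT%\REPORT.html"
> "!REPORT!" echo ^<html^>^<body^>^<h1^>Volatile snapshot: %COMPUTERNAME% !STAMP!^</h1^>^<ul^>

REM Each item is a built-in Windows command (an assumed list, not the post's);
REM the counter shows how many items remain, mirroring the post's countdown.
set TOTAL=8
set LEFT=%TOTAL%
call :collect system_info     "systeminfo"
call :collect processes       "tasklist /v"
call :collect connections     "netstat -ano"
call :collect network_config  "ipconfig /all"
call :collect dns_cache       "ipconfig /displaydns"
call :collect arp_cache       "arp -a"
call :collect local_users     "net user"
call :collect scheduled_tasks "schtasks /query /fo LIST /v"

>> "!REPORT!" echo ^</ul^>^</body^>^</html^>

REM Archive, record a hash for chain of custody, and only then remove the working directory.
set "ARCHIVE=%BASE%%COMPUTERNAME%_!STAMP!.7z"
"%BASE%7za.exe" a "!ARCHIVE!" "%OUT%\*" >nul
if exist "!ARCHIVE!" (
    certutil -hashfile "!ARCHIVE!" SHA256 > "!ARCHIVE!.sha256.txt"
    rmdir /s /q "%OUT%"
    echo Snapshot written to !ARCHIVE!
) else (
    echo Archive was not created; leaving %OUT% in place for inspection.
)

:done
endlocal
exit /b 0

REM collect <name> <command>: run the command, save its output, and link it from the report.
:collect
set /a LEFT-=1
echo [!LEFT! of %TOTAL% remaining] collecting %~1 ...
%~2 > "%OUT%\%~1.txt" 2>&1
>> "!REPORT!" echo ^<li^>^<a href="%~1.txt"^>%~1^</a^> ^(%~2^)^</li^>
goto :eof
```

Two design points worth keeping whatever tools you substitute: every output lands on the examiner's drive rather than the suspect's disk, so the collection does not overwrite unallocated space you may later want to carve, and the working directory is deleted only after the archive exists and has been hashed, so a failed compression never costs you the snapshot.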

More on going through the file and its contents later.

File: Volatile Snapshot V2
