RAM FORENSICS TOOLS - BACKTRACK


RAM FORENSICS TOOLS IN BACKTRACK



pdfbook.py

pdfbook.py is a utility that gathers Facebook-related information from a process dump. On a Windows system, dump the browser's memory with pd: “pd -p [pid] > file.dump”, where [pid] is the process ID of the browser. Then, on a Linux system, extract the 16-bit little-endian (UTF-16LE) strings from the dump: “strings -el file.dump > fbookstrings”. The -el flag matters: Windows programs keep most of their text as UTF-16LE, and plain strings only finds 8-bit text, so it would miss most of what the tool is after. Finally, run pdfbook.py on the resulting fbookstrings file.

Example Usage: pdfbook.py -f fbookstrings


pdgmail

pdgmail.py is a utility similar to pdfbook.py, but instead of gathering Facebook information from process dumps, it gathers Gmail information. On a Windows system, dump the browser's memory with “pd -p [pid] > file.dump”, where [pid] is the process ID of the browser. Then, on a Linux system, extract the UTF-16LE strings with “strings -el file.dump > gmailstrings”. Finally, run pdgmail.py on the resulting gmailstrings file.

Example Usage: pdgmail.py -f gmailstrings
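The two workflows above share the same middle step, and it is the one that trips people up: plain strings only finds 8-bit text, while a Windows browser keeps most of what pdfbook.py and pdgmail.py look for as UTF-16LE, which is why the post uses strings -el. The following Python is an added example, not code from the original post or from the pdfbook/pdgmail tools. It re-implements both extraction modes over a constructed byte buffer that stands in for file.dump, then filters the result with e-mail and Gmail-URL patterns of its own (an assumption about the kind of artefact these tools hunt for, not their actual logic).

```python
import re
from typing import Dict, List

# Constructed sample standing in for a slice of a browser's process dump
# (file.dump in the post). Windows programs keep most of their text as
# UTF-16LE ("wide") strings, so the interesting content is encoded that way,
# surrounded by ASCII noise and junk bytes. Test data, not a real dump.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + "https://mail.google.com/mail/u/0/#inbox".encode("utf-16-le")
    + b"\xff\xfe\x00\x00"
    + "alice.example@gmail.com".encode("utf-16-le")
    + b"\x7f\x13"
    + b"plain ascii token"  # only plain `strings` sees this one
    + b"\x01\x01"
    + "Re: quarterly numbers".encode("utf-16-le")
    + b"\x00" * 8
)

MIN_LEN = 4  # GNU strings' default minimum run length

# A printable ASCII byte followed by a NUL byte is one UTF-16LE character.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def wide_strings(data: bytes) -> List[str]:
    """What `strings -el` prints: printable UTF-16LE runs of MIN_LEN+ chars."""
    return [m.group().decode("utf-16-le") for m in _WIDE_RUN.finditer(data)]


def ascii_strings(data: bytes) -> List[str]:
    """What plain `strings` prints: printable 8-bit runs of MIN_LEN+ chars."""
    return [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)]


# The patterns below are this example's own stand-in for the kind of
# artefact pdgmail/pdfbook hunt for; they are not taken from either tool.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_WEBMAIL_URL_RE = re.compile(r"https?://mail\.google\.com/\S*")


def triage(candidates: List[str]) -> Dict[str, List[str]]:
    """Bucket extracted strings into e-mail addresses and Gmail URLs."""
    found: Dict[str, List[str]] = {"emails": [], "urls": []}
    for s in candidates:
        found["emails"].extend(_EMAIL_RE.findall(s))
        found["urls"].extend(_WEBMAIL_URL_RE.findall(s))
    return found


if __name__ == "__main__":
    # On a real case: data = open("file.dump", "rb").read()
    print("plain strings :", ascii_strings(SAMPLE_DUMP))
    print("strings -el   :", wide_strings(SAMPLE_DUMP))
    print("triage        :", triage(wide_strings(SAMPLE_DUMP)))
```

Running it shows the point of the -el flag directly: the ASCII pass finds only the noise token, while the UTF-16LE pass recovers the inbox URL, the account address and a subject line, and only the second set yields anything for the triage step. Swap SAMPLE_DUMP for the bytes of a real pd output to reproduce the post's strings step in pure Python.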


PTK

PTK is a browser-based forensics toolkit built as an alternative front end to The Sleuth Kit, with built-in modules for analyzing nearly any type of media or file that may be encountered in an investigation. Before first use it needs a MySQL database configured. Leave all fields at their defaults and use the password “toor” for the MySQL root user (BackTrack's well-known default; acceptable on an offline analysis box, but change it if the machine is ever put on a network). Once the setup completes, register for the free version and copy the license file you receive into PTK's config directory at /var/www/ptk/config.

Next, log in as either admin or investigator and open a new case. Fill in the required information, then add an image file to begin; it can even be a RAM dump. From here, the built-in tools help you pull information from the image(s).


Volatility

Volatility is a framework written in Python that specializes in RAM analysis. It parses a raw memory dump and reconstructs the state of the system at the moment the image was taken: running processes, open files and network connections, loaded modules, and so on. The framework itself runs on Windows, OS X, Linux, and even Cygwin, but it can only analyze dumps from operating systems it has support for; the 1.x branch shipped with BackTrack handles Windows XP images. In the example below we use Volatility to list the processes that were running when the RAM image ram.img was taken.

Example Usage: volatility pslist -f ram.img

Note that pslist walks the kernel's linked list of processes, so a process that a rootkit has unlinked from that list will not appear in its output. The cross-check is psscan, which scans memory for process structures instead of following the list; a process present in psscan output but missing from pslist is worth a closer look.
