Windows Kernel memory dumps

joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

I am aware that Volatility and Rekall only support crash dumps that are complete memory dumps, meaning that kernel memory dumps are not supported.

In particular, I am working on extracting complete registry hives. I am able to solve this in a somewhat tedious/manual way by using WinDbg, so it's possible, but I was hoping there existed a smoother way of accomplishing this.

My question is:
Are there any tools out there that can analyze such kernel memory dumps?

 
Posted : 17/04/2017 3:04 am
 LC6
(@grigollo)
Posts: 25
Eminent Member
 

Have you tried using EnCase? It analyzes dumps.

 
Posted : 17/04/2017 4:51 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Is some info on the file format useful?
Here:
http://computer.forensikblog.de/en/2006/03/dmp-file-structure.html

jaclaz

 
Posted : 17/04/2017 2:46 pm
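As an added example (not from the linked write-up or from any poster in this thread), the following Python parses the DUMP_HEADER32/DUMP_HEADER64 that sits at offset 0 of every Windows crash dump and reports whether the file is a complete (full) dump or a kernel (summary) dump, which is exactly the distinction that decides whether Volatility/Rekall will load it. Field offsets are the published ones for both header variants; the DUMP_TYPE names, the observation that unused header space is filled with the ASCII pattern "PAGE", and the run-count caps are taken from that layout. The sample header bytes are constructed here (addresses and bugcheck values are made up) and do not come from a real machine.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# DUMP_TYPE values from the published DUMP_HEADER layout.
DUMP_TYPES = {1: "FULL", 2: "KERNEL", 3: "HEADER", 4: "TRIAGE",
              5: "BITMAP_FULL", 6: "BITMAP_KERNEL", 7: "AUTOMATIC"}


@dataclass
class DumpInfo:
    bits: int
    major_version: int
    minor_version: int
    directory_table_base: int
    ps_loaded_module_list: int
    ps_active_process_head: int
    machine_image_type: int          # 0x014c = i386, 0x8664 = AMD64
    number_processors: int
    bugcheck_code: int
    bugcheck_params: Tuple[int, ...]
    kd_debugger_data_block: int      # KDBG; the hive list is reached from here
    dump_type: int
    runs: List[Tuple[int, int]] = field(default_factory=list)  # (BasePage, PageCount)

    @property
    def dump_type_name(self) -> str:
        return DUMP_TYPES.get(self.dump_type, "UNKNOWN(%d)" % self.dump_type)

    @property
    def is_complete_memory_dump(self) -> bool:
        # Types 1 and 5 carry every physical page, so a page's file offset follows
        # from the runs.  Types 2 and 6 (kernel dumps) carry kernel pages only and
        # their location must be looked up in the bitmap that follows the header.
        return self.dump_type in (1, 5)


def _read_runs(data, nruns_off, runs_off, run_fmt, max_runs):
    """Read the PHYSICAL_MEMORY_DESCRIPTOR embedded in the header."""
    # A NumberOfRuns field that still reads "PAGE" (the fill pattern) means the
    # descriptor was never written, which is common in kernel-only dumps.
    if data[nruns_off:nruns_off + 4] == b"PAGE":
        return []
    (nruns,) = struct.unpack_from("<I", data, nruns_off)
    step = struct.calcsize(run_fmt)
    return [struct.unpack_from(run_fmt, data, runs_off + i * step)
            for i in range(min(nruns, max_runs))]


def parse_dump_header(data: bytes) -> DumpInfo:
    """Parse the DUMP_HEADER32 / DUMP_HEADER64 found at offset 0 of a crash dump."""
    if data[:8] == b"PAGEDU64":
        if len(data) < 0x2000:
            raise ValueError("truncated DUMP_HEADER64")
        major, minor = struct.unpack_from("<II", data, 0x08)
        dtb, _pfn, psl, psa = struct.unpack_from("<QQQQ", data, 0x10)
        mach, nproc, bugcheck = struct.unpack_from("<III", data, 0x30)
        params = struct.unpack_from("<4Q", data, 0x40)
        (kddb,) = struct.unpack_from("<Q", data, 0x80)
        runs = _read_runs(data, 0x88, 0x98, "<QQ", 43)   # descriptor occupies 0x88..0x348
        (dtype,) = struct.unpack_from("<I", data, 0xF98)
        return DumpInfo(64, major, minor, dtb, psl, psa, mach, nproc, bugcheck,
                        params, kddb, dtype, runs)
    if data[:8] == b"PAGEDUMP":
        if len(data) < 0x1000:
            raise ValueError("truncated DUMP_HEADER32")
        major, minor = struct.unpack_from("<II", data, 0x08)
        dtb, _pfn, psl, psa = struct.unpack_from("<IIII", data, 0x10)
        mach, nproc, bugcheck = struct.unpack_from("<III", data, 0x20)
        params = struct.unpack_from("<4I", data, 0x2C)
        (kddb,) = struct.unpack_from("<I", data, 0x60)
        runs = _read_runs(data, 0x64, 0x6C, "<II", 86)   # descriptor occupies 0x64..0x320
        (dtype,) = struct.unpack_from("<I", data, 0xF88)
        return DumpInfo(32, major, minor, dtb, psl, psa, mach, nproc, bugcheck,
                        params, kddb, dtype, runs)
    raise ValueError("not a PAGEDUMP/PAGEDU64 crash dump (signature %r)" % data[:8])


def build_sample_header(bits: int, dump_type: int) -> bytes:
    """Constructed sample header; every value below is made up for the example."""
    size = 0x2000 if bits == 64 else 0x1000
    buf = bytearray(b"PAGE" * (size // 4))            # mimic the kernel's fill pattern
    struct.pack_into("<II", buf, 0x08, 15, 7601)      # 15.7601, a Windows 7 SP1 style build
    if bits == 64:
        buf[0:8] = b"PAGEDU64"
        struct.pack_into("<QQQQ", buf, 0x10, 0x187000, 0xFFFFF80002A9B000,
                         0xFFFFF80002853C90, 0xFFFFF80002812B30)
        struct.pack_into("<III", buf, 0x30, 0x8664, 4, 0x7E)
        struct.pack_into("<4Q", buf, 0x40, 0xFFFFFFFFC0000005, 0xFFFFF80002C3A1F0,
                         0xFFFFF88003B4E8A8, 0xFFFFF88003B4E100)
        struct.pack_into("<Q", buf, 0x80, 0xFFFFF80002A0F0A0)
        struct.pack_into("<IIQ", buf, 0x88, 2, 0, 0x9E + 0x1FF00)   # NumberOfRuns, pad, NumberOfPages
        struct.pack_into("<QQQQ", buf, 0x98, 0x1, 0x9E, 0x100, 0x1FF00)
        struct.pack_into("<I", buf, 0xF98, dump_type)
    else:
        buf[0:8] = b"PAGEDUMP"
        struct.pack_into("<IIII", buf, 0x10, 0x185000, 0x82B6A000, 0x82B8C850, 0x82B8A2B0)
        struct.pack_into("<III", buf, 0x20, 0x014C, 2, 0x7E)
        struct.pack_into("<4I", buf, 0x2C, 0xC0000005, 0x82C3A1F0, 0x08A3E8A8, 0x08A3E100)
        struct.pack_into("<I", buf, 0x60, 0x82B70C28)
        struct.pack_into("<IIIIII", buf, 0x64, 2, 0x9E + 0x3FF00, 0x1, 0x9E, 0x100, 0x3FF00)
        struct.pack_into("<I", buf, 0xF88, dump_type)
    return bytes(buf)


def describe(info: DumpInfo) -> str:
    lines = ["%d-bit %s dump (type %d), build %d.%d, %d CPU(s), bugcheck 0x%X" %
             (info.bits, info.dump_type_name, info.dump_type, info.major_version,
              info.minor_version, info.number_processors, info.bugcheck_code),
             "DTB 0x%X  KdDebuggerDataBlock 0x%X" % (info.directory_table_base,
                                                     info.kd_debugger_data_block)]
    lines += ["  run: pages 0x%X-0x%X" % (b, b + n - 1) for b, n in info.runs]
    if not info.is_complete_memory_dump:
        lines.append("kernel-only dump: Volatility/Rekall will not load this as-is")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            raw = f.read(0x2000)
    else:
        raw = build_sample_header(64, 2)
    print(describe(parse_dump_header(raw)))
```

Run it with the path to a MEMORY.DMP to get the dump type before spending time on a tool that will refuse the file; the KdDebuggerDataBlock and DirectoryTableBase values it prints are the two you need to start walking kernel structures by hand in a dump that the automated tools reject.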
(@c-r-s)
Posts: 170
Estimable Member
 

Responder Pro does that, though it probably exceeds the scope of a "tool" in this case.

 
Posted : 17/04/2017 4:48 pm
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

Responder Pro supports kernel memory dumps and produces some nice reports of various things. But I can't make it reassemble and export registry hives. @C.S.R., do you know if it is possible with Responder Pro, and if so, how?

EnCase is untested (I have my doubts it will support it).

So, unless there is a tool out there that can do this, I think my best shot would be to programmatically automate the (long) procedure I already have with WinDbg that works for reassembling complete registry hives out of kernel memory dumps.

 
Posted : 18/04/2017 3:12 am
(@c-r-s)
Posts: 170
Estimable Member
 

It is not a built-in function; you'd need to script Responder, too. However, I think it is much easier than automating WinDbg.

 
Posted : 18/04/2017 10:49 pm
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

I acknowledge that Responder Pro has some nice features and seems like a robust tool. Regarding its scripting as compared to WinDbg's scriptability, it feels a little bit like managed coding compared to native coding. Thanks for the input. In my case I feel like sticking to WinDbg because it can do so many great things when you master it, because of its extreme power. I like to be in control of the power of WinDbg (still learning).

However, I find it strange that there's no tool out there that can reconstruct registry hives out of kernel memory dumps. I would assume that such MEMORY.DMP files, which are the default system configuration, are not unusual to find, as systems have probably bluescreened at least once during their entire lifetime.

Anyway, there's some very good reading to be found at http://amnesia.gtisc.gatech.edu/~moyix/suzibandit.ltd.uk/MSc/ . He also reconstructed and extracted registry hives, and gave me some good hints. See appendix 21. But it's geared towards 32-bit and older Windows versions, and the process is very manual. Still, it lets you achieve the goal.

 
Posted : 19/04/2017 11:49 pm