by Chirath De Alwis
As with other storage devices, a capture of volatile memory can come in several file formats, and which one you get depends on the acquisition method that was used. According to Ligh et al. (2018) the most commonly encountered memory dump formats are:
- RAW memory dump.
- Windows crash dump.
- Windows hibernation files.
- Expert witness format (EWF).
- HPAK format.
RAW Memory Dump
The raw format is the one most modern analysis tools expect. According to Ligh et al. (2018), a raw dump is a bit-for-bit copy of physical memory that contains no headers, metadata or magic values, so the only way to recognise one is by the absence of any other format's signature, and the analyst has to supply the operating system profile that other formats carry in their headers.
“The raw format typically includes padding for any memory ranges that were intentionally skipped (i.e., device memory) or that could not be read by the acquisition tool, which helps maintain spatial integrity (relative offsets among data)” (Ligh et al, 2018).
The figure below shows the layout of a raw memory file.
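The padding rule quoted above is easiest to see in code. The following Python is an added example, not code from the article or from Ligh et al.: it models an acquisition tool that knows physical memory as a run table, writes a raw image that zero-fills the skipped hole and an unreadable page so that file offset equals physical address, and contrasts it with a crash-dump-like layout that packs the runs after a header and therefore needs the run table to translate addresses. The run table, page contents and the "unreadable" page are all constructed for illustration; the packed layout is a simplified model, not a parser for real crash dumps.

```python
from typing import Callable, List, Optional, Tuple

PAGE = 0x1000
Run = Tuple[int, int]   # (physical start, length in bytes), page aligned

# Constructed run table standing in for what an acquisition tool learns about
# physical memory: two usable runs with a reserved (device/firmware) hole
# between 0x3000 and 0x7000 that the tool intentionally skips.
RUNS: List[Run] = [(0x0000, 0x3000), (0x7000, 0x4000)]

def fake_read_page(phys: int) -> Optional[bytes]:
    """Constructed stand-in for reading a page through a driver: each page is
    filled with its own page number, and page 9 is made unreadable (None)."""
    pfn = phys // PAGE
    if pfn == 9:
        return None
    return bytes([pfn & 0xFF]) * PAGE

def write_raw_image(runs: List[Run], read_page: Callable[[int], Optional[bytes]]) -> bytes:
    """Raw format: file offset == physical address. Holes between runs and
    pages the tool cannot read are zero-filled so later offsets stay aligned."""
    out = bytearray()
    for start, length in sorted(runs):
        if start < len(out):
            raise ValueError("overlapping runs")
        out += b"\x00" * (start - len(out))             # pad the skipped range
        for phys in range(start, start + length, PAGE):
            page = read_page(phys)
            out += page if page is not None else b"\x00" * PAGE   # unreadable: keep the slot
    return bytes(out)

def write_packed_image(runs: List[Run], read_page: Callable[[int], Optional[bytes]],
                       header_size: int = 0x2000) -> bytes:
    """Contrast: a crash-dump-like layout writes a header followed by the runs
    back to back with no padding. The run table is then needed to find a
    physical address in the file (the header here is just zeros)."""
    out = bytearray(header_size)
    for start, length in sorted(runs):
        for phys in range(start, start + length, PAGE):
            page = read_page(phys)
            out += page if page is not None else b"\x00" * PAGE
    return bytes(out)

def raw_offset(phys: int) -> int:
    """Address translation for a raw image: the identity."""
    return phys

def packed_offset(runs: List[Run], phys: int, header_size: int = 0x2000) -> Optional[int]:
    """Address translation for the packed layout: walk the run table."""
    file_off = header_size
    for start, length in sorted(runs):
        if start <= phys < start + length:
            return file_off + (phys - start)
        file_off += length
    return None   # falls in a hole: not present in the file at all

if __name__ == "__main__":
    raw = write_raw_image(RUNS, fake_read_page)
    packed = write_packed_image(RUNS, fake_read_page)
    print(f"raw image: {len(raw):#x} bytes, packed image: {len(packed):#x} bytes")
    for phys in (0x2000, 0x5000, 0x8000, 0x9000):
        ro, po = raw_offset(phys), packed_offset(RUNS, phys)
        pb = packed[po] if po is not None else None
        print(f"phys {phys:#07x}: raw offset {ro:#07x} byte {raw[ro]:#04x}; packed offset {po} byte {pb}")
```

The raw image is larger than the packed one by exactly the size of the hole, and that is the price of spatial integrity: any offset you compute from a page table entry can be read straight from the file, and a zero-filled page tells you the range was skipped or unreadable rather than silently shifting everything after it.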
Windows Crash Dump
According to the Microsoft AskPerf post Understanding Crash Dump Files (Hameed, 2008), every Windows installation is configured by default to record the state of the machine when the kernel crashes (a bug check, the "blue screen"). As Ligh et al. (2018) note, the resulting dump file begins with a _DMP_HEADER (32-bit) or _DMP_HEADER64 (64-bit) structure. The header opens with the signature "PAGE" followed by "DUMP" or "DU64" respectively, and records, among other things, the kernel's directory table base, the addresses of PsLoadedModuleList and PsActiveProcessHead, the bug check code and a descriptor of the physical memory runs that follow it; this is what lets analysis tools parse a crash dump without being told the operating system profile.
The figure above shows the layout of a full Windows crash dump file. According to Microsoft (2018), Windows can be configured to write three kinds of crash dump.
Complete memory dump
According to Microsoft (2018), this is the largest kernel-mode dump file: it contains everything that was in physical memory at the time of the crash, with the exception, as Microsoft (2018) notes, of physical memory used by the platform firmware. Because the dump is staged through the paging file before being copied to MEMORY.DMP, a complete memory dump requires a paging file on the boot volume at least as large as physical RAM plus 1 MB; without one, Windows silently writes a smaller dump or none at all.
Kernel memory dump
According to Understanding Crash Dump Files (Hameed, 2008), a kernel memory dump contains only the memory that was in use by the kernel at the time of the crash, so it is considerably smaller than a complete memory dump. As Microsoft (2018) notes, it does not include unallocated memory or any memory allocated to user-mode applications. That keeps the file manageable and narrows the analysis to kernel state, but it also means that user-mode process memory, such as the address space of a suspicious process, cannot be recovered from it.
Small memory dump
As the name suggests, this is the smallest kind of crash dump Windows can write; by default a new file is created for each crash in %SystemRoot%\Minidump rather than overwriting a single MEMORY.DMP. It is a debugger artefact rather than a memory image: it is enough to root-cause a crash in WinDbg, but it contains no physical memory for memory forensics tools to analyse. According to Microsoft (2018) a small memory dump contains:
- The bug check message and parameters, as well as other blue-screen data.
- The processor context (PRCB) for the processor that crashed.
- The process information and kernel context (EPROCESS) for the process that crashed.
- The thread information and kernel context (ETHREAD) for the thread that crashed.
- The kernel-mode call stack for the thread that crashed. If this is longer than 16 KB, only the topmost 16 KB will be included.
- A list of loaded drivers.
According to Ligh et al. (2018), crash dumps can be created in several ways, including:
- Blue Screens
Not all of these methods are suitable for forensics, however: deliberately crashing a machine takes it offline, the dump is staged through the paging file (overwriting whatever that file held), and what you get is memory as it stood after the crash began rather than at the moment you decided to acquire.
Windows Hibernation File
According to Microsoft (2018), hibernation powers a computer down while preserving its state: the contents of random access memory (RAM) are saved to a hard disk or other non-volatile storage, and on resumption the computer is exactly as it was before it entered hibernation.
When hibernation is enabled, Windows writes this image to hiberfil.sys in the root of the system drive. Unlike a raw dump, the file is not a flat copy of memory: only pages that were in use are stored, in compressed page-sized chunks, so most tools require it to be converted to a raw image (for example with Volatility's imagecopy plugin) before analysis. A hiberfil.sys whose signature reads "wake" instead of "hibr" has already been used to resume the machine; its header page is no longer valid, although much of the remaining data may still be recoverable.
Expert Witness Format (EWF)
According to Ligh et al. (2018), EWF is the format that EnCase Forensics uses when it acquires memory. Although it belongs to a commercial vendor, its popularity has made it a de facto standard for evidence containers. Because the data is wrapped in a container (segment files with headers, CRC-checked chunks and optional compression) rather than stored flat, an EWF image cannot be treated as a raw dump, and comparatively few memory analysis tools read it directly. As Ligh et al. (2018) note, investigators should be familiar with the following ways of analysing an EWF memory image:
- “EWFAddressSpace” (Ligh et al, 2018)
- “Mounting with EnCase” (Ligh et al, 2018)
- “Mounting with FTK Imager” (Ligh et al, 2018)
HPAK Format
HPAK is the format produced by HBGary's acquisition tools. "HPAK allows a target system's physical memory and page file(s) to embed in the same output file" (Ligh et al, 2018). Because the format is proprietary, HPAK files can only be created with HBGary tools; Volatility can nevertheless list the sections of an HPAK file (hpakinfo) and extract the physical memory section to a raw image (hpakextract) for analysis with other tools.
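Every format listed above except raw announces itself in its first bytes. The following Python is an added example, not code from the article or from Ligh et al.: it classifies a memory image by its leading bytes and pulls the fields an analyst wants first out of a Windows crash dump header. The magic values are the documented ones ("PAGEDUMP"/"PAGEDU64" for crash dumps, "MDMP" for small memory dumps, the "EVF" signature for E01, "HPAK", and "hibr"/"wake" for hiberfil.sys); the field offsets follow the public _DMP_HEADER and _DMP_HEADER64 layouts; the sample header is constructed, not captured from a real system. It goes slightly beyond the text by treating raw as what is left when no magic matches, which is the practical consequence of raw dumps carrying no header.

```python
import struct
from typing import Any, Dict

EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"     # EnCase E01 segment file signature
DUMP_TYPES = {1: "full", 2: "kernel (summary)", 3: "header", 4: "triage",
              5: "bitmap full", 6: "bitmap kernel", 7: "automatic"}

def parse_crash_header(buf: bytes) -> Dict[str, Any]:
    """Pull the fields an analyst looks at first out of a _DMP_HEADER /
    _DMP_HEADER64. Offsets follow the public header layouts (the 32-bit
    header is 0x1000 bytes long, the 64-bit one 0x2000)."""
    sig, valid = buf[:4], buf[4:8]
    if sig != b"PAGE" or valid not in (b"DUMP", b"DU64"):
        raise ValueError("not a Windows crash dump header")
    bits = 64 if valid == b"DU64" else 32
    if len(buf) < (0x2000 if bits == 64 else 0x1000):
        raise ValueError("truncated header")
    major, minor = struct.unpack_from("<II", buf, 0x08)
    if bits == 64:
        (dtb,) = struct.unpack_from("<Q", buf, 0x10)
        machine, ncpu, bugcheck = struct.unpack_from("<III", buf, 0x30)
        params = struct.unpack_from("<4Q", buf, 0x40)
        (dump_type,) = struct.unpack_from("<I", buf, 0xF98)
    else:
        (dtb,) = struct.unpack_from("<I", buf, 0x10)
        machine, ncpu, bugcheck = struct.unpack_from("<III", buf, 0x20)
        params = struct.unpack_from("<4I", buf, 0x2C)
        (dump_type,) = struct.unpack_from("<I", buf, 0xF88)
    return {"bits": bits, "version": (major, minor), "dtb": dtb,
            "machine": machine, "num_processors": ncpu,
            "bugcheck_code": bugcheck, "bugcheck_params": params,
            "dump_type": DUMP_TYPES.get(dump_type, f"unknown ({dump_type})")}

def identify(buf: bytes) -> Dict[str, Any]:
    """Classify a memory image by the magic at offset 0. Raw is the fallback:
    it has no magic at all, which is why a raw image needs the analyst to
    supply the OS profile that a crash dump header carries for free."""
    if buf[:4] == b"PAGE" and buf[4:8] in (b"DUMP", b"DU64"):
        return {"format": "windows crash dump", **parse_crash_header(buf)}
    if buf[:4] == b"MDMP":
        return {"format": "windows small memory dump (minidump)"}
    if buf[:8] == EWF_MAGIC:
        return {"format": "EWF (E01)"}
    if buf[:4] == b"HPAK":
        return {"format": "HPAK"}
    if buf[:4].lower() == b"hibr":
        return {"format": "windows hibernation file"}
    if buf[:4].lower() == b"wake":
        return {"format": "windows hibernation file (stale: already resumed, first page invalid)"}
    return {"format": "raw (no header; OS profile/DTB must be supplied)"}

def identify_file(path: str) -> Dict[str, Any]:
    """Read just enough of a file on disk to classify it."""
    with open(path, "rb") as f:
        return identify(f.read(0x2000))

def make_crash_header64(dump_type: int = 1, bugcheck: int = 0x7E, ncpu: int = 4) -> bytes:
    """Constructed _DMP_HEADER64 for the demo (not a real dump). Bytes outside
    the fields set here are filled with 'PAGE', as in real headers."""
    h = bytearray(b"PAGE" * (0x2000 // 4))
    h[0:8] = b"PAGEDU64"
    struct.pack_into("<II", h, 0x08, 15, 19041)                 # MajorVersion (free build), MinorVersion (build)
    struct.pack_into("<Q", h, 0x10, 0x1AD000)                   # DirectoryTableBase (made up)
    struct.pack_into("<III", h, 0x30, 0x8664, ncpu, bugcheck)   # IMAGE_FILE_MACHINE_AMD64, CPUs, bug check code
    struct.pack_into("<4Q", h, 0x40, 0xFFFFFFFFC0000005, 0, 0, 0)  # bug check parameters
    struct.pack_into("<I", h, 0xF98, dump_type)
    return bytes(h)

if __name__ == "__main__":
    for name, sample in [("constructed crash dump", make_crash_header64()),
                         ("constructed E01", EWF_MAGIC + bytes(24)),
                         ("constructed hiberfil", b"hibr" + bytes(28)),
                         ("all zeros", bytes(0x2000))]:
        print(f"{name}: {identify(sample)}")
```

Run identify_file against an acquired image before choosing tooling: a crash dump or hibernation file will be recognised and converted or parsed by Volatility, an E01 or HPAK file needs to be unwrapped first, and a "raw" answer only means nothing else matched, so confirm with the acquisition notes and a profile scan rather than trusting the label.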
- Ligh, M.H. et al. (2018). The Art of Memory Forensics. 1st ed. United States of America: John Wiley & Sons.
- Microsoft AskPerf blog. (2008). Understanding Crash Dump Files. Published 8 Jan 2008, accessed 11 Jan 2018. http://blogs.technet.com/b/askperf/archive/2008/01/08/understanding-crash-dump-files.aspx
- Microsoft Corporation. (2018). Complete Memory Dump. [ONLINE] Available at: http://msdn.microsoft.com/en-us/library/windows/hardware/ff539190%28v=vs.85%29.aspx
- Microsoft Corporation. (2018). Small Memory Dump. [ONLINE] Available at: http://msdn.microsoft.com/en-us/library/windows/hardware/ff556895%28v=vs.85%29.aspx
About The Author
Chirath De Alwis is an information security professional with more than four years’ experience in Information Security domain. He holds C|EH, C|HFI and Qualys Certified Security Specialist certifications and reading for his MSc specializing in Cyber Security. Currently, Chirath is involved in vulnerability management, incident handling and digital forensics activities in Sri Lankan cyberspace. You can contact him on [email protected]