Hi all,
Over the past few months or so I have been doing some research on memory artifacts for Safari In-Private browsing. I have come across a lot of different things but one of the biggest is the fact that Safari is still taking full screen captures and storing them in memory. Now my issue is that I have no way of linking the fragmented image files, so the most I can view of any carved image is 4 KB.
I have tried a multitude of tools to see if they can rebuild the page mapping of any live process (note: I have kept Safari live when imaging). FTK is great at viewing the process and any DLLs associated with it, but that doesn't help me view the pages associated with the process?
Just a heads up, I am totally new to memory analysis and may be on the completely wrong track when it comes to what I am asking.
Thanks in advance
-Tyler
Tyler,
Just curious
What operating system are you using?
What RAM Dump tool are you using?
Thanks,
Chris Currier
For imaging I used FTK Imager off a thumb drive. I also used mdd to create an image and have been using both in my research.
As for the examination itself, I have used both Linux and Windows environments (XP, 7). The best I have been able to do so far is simply carve the first 4k out of any file. I was also able to get both X-Ways and FTK to display a list of all processes. X-Ways parses memory in a strange way and I can't really find any documentation on it.
I realize Volatility is one of the best for memory analysis but I have not been able to get it to accept my imager memory dump (.mem).
I think what I am looking for is some reference in memory to the Page Frame Number Database and Page Table Entries, if this helps anyone figure out what I am asking. That's what I have come across online but I haven't found any information as to where it's located.
Even without the memory page map, I have been able to piece together some files and I know all parts of the jpg images are there because I confirmed it with a known jpg.
Note the machine being analyzed is a 32-bit machine.
Tyler,
The older FTK Imager memory format was ".txt" and then I simply changed the extension to a ".bin" file. I am not sure if that will work with the current format ".mem". I haven't tried that.
X-Ways does do a good job of data carving images from a RAM dump. So I am glad to hear that you tried that.
Regards,
Chris Currier
> doesn't help me view the pages associated with the process?
Perhaps you could do it in X-Ways Forensics, then. If you select a process and enable Process mode, you see the memory address space of that process and the pages of that process in correct logical order, just as you would see the clusters of a file in correct logical order in File mode for a disk partition. The opposite is RAM mode for a memory dump and Partition mode for a disk partition, where the data is fragmented.
> X-ways parses memory in a strange way
I personally find it not so strange, of course.
Stefan
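What Process mode does under the hood, as an added example rather than code from X-Ways or from anyone in this thread: a walk of 32-bit non-PAE x86 page tables (the Page Table Entries asked about above) over a constructed dump, reading physical frames that sit scattered in RAM mode back in correct virtual order. The dump layout, CR3 value, frame numbers and virtual base are all assumptions made up for the demo.

```python
"""Walk 32-bit non-PAE x86 page tables over a raw physical memory dump and
read one process's memory in virtual (logical) order. The dump, CR3 value,
frame numbers and virtual base below are all constructed for this demo."""
import struct

PAGE = 4096
PRESENT = 1 << 0        # bit 0 of a PDE/PTE: entry is valid
LARGE = 1 << 7          # bit 7 of a PDE: 4 MiB page, no page-table level
FRAME_MASK = 0xFFFFF000


def read_u32(dump, paddr):
    return struct.unpack_from("<I", dump, paddr)[0]


def translate(dump, cr3, vaddr):
    """Virtual -> physical address for one page, or None if not present."""
    pde = read_u32(dump, (cr3 & FRAME_MASK) + ((vaddr >> 22) & 0x3FF) * 4)
    if not pde & PRESENT:
        return None
    if pde & LARGE:                       # 4 MiB page: 22-bit offset
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = read_u32(dump, (pde & FRAME_MASK) + ((vaddr >> 12) & 0x3FF) * 4)
    if not pte & PRESENT:
        return None
    return (pte & FRAME_MASK) | (vaddr & 0xFFF)


def read_virtual(dump, cr3, vaddr, length):
    """Reassemble a virtual range page by page (what Process mode shows)."""
    out = bytearray()
    while len(out) < length:
        paddr = translate(dump, cr3, vaddr + len(out))
        if paddr is None:
            raise ValueError("virtual page %#x not present" % (vaddr + len(out)))
        room = PAGE - (paddr & 0xFFF)     # bytes left in this physical page
        out += dump[paddr:paddr + min(room, length - len(out))]
    return bytes(out)


def build_demo_dump():
    """Constructed 64 KiB dump: page directory in frame 0, page table in
    frame 1, and a 12 KiB JPEG-like blob scattered over frames 9, 3 and 6."""
    dump = bytearray(16 * PAGE)
    payload = (b"\xff\xd8\xff\xe0JFIF-demo" + bytes(range(256)) * 48)[:3 * PAGE]
    cr3, pt_phys, vbase = 0x0000, 0x1000, 0x10000
    struct.pack_into("<I", dump, cr3 + (vbase >> 22) * 4, pt_phys | PRESENT)
    for i, frame in enumerate((9, 3, 6)):   # deliberately non-contiguous
        pte_index = ((vbase >> 12) & 0x3FF) + i
        struct.pack_into("<I", dump, pt_phys + pte_index * 4, frame * PAGE | PRESENT)
        dump[frame * PAGE:(frame + 1) * PAGE] = payload[i * PAGE:(i + 1) * PAGE]
    return bytes(dump), cr3, vbase, payload
```

Reading the dump linearly from frame 9 (RAM mode) yields only the first 4 KiB of the blob before running into unrelated frames, while read_virtual() over the same dump returns the whole 12 KiB in order; on a real dump the CR3 of the target process comes from its kernel process object, which is what Volatility or X-Ways locate for you.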
I think that Process mode is exactly what I was looking for. I will check it out when I get back to the lab on Monday. As for my comment about X-Ways displaying memory strangely, what I meant is that I don't fully understand the directory system that it shows when interpreted. This will probably take me another few weeks before I can really grasp what it's trying to show me with the two directories.
Thanks Stefan.
I believe Volatility is still the way to go with what you are trying to do. I have used ".mem" images numerous times with Volatility, so I provided the link to all the documentation on Volatility (http//
Also, have you looked at Mandiant's "Memoryze"? It has some good features as well and has an easy GUI to go with it.
Mark Morgan
Maybe the following link will help this topic, regarding Volatility
http//