WinPmem icon indicating copy to clipboard operation
WinPmem copied to clipboard
verified publisher icon Velocidex

Are there Mac and Linux releases?

Open nmcbride opened this issue 4 years ago • 8 comments

Hello,

I was wondering if there were releases for Mac and Linux as well as Windows?

Thanks very much.

nmcbride avatar Mar 01 '21 16:03 nmcbride

Currently this project is windows only. I have no plans to support other operating systems (but would love contributions). Supporting other operating systems would require a totally different code base and so it makes sense these should be in a different project (hence the name WinPmem).

scudette avatar Mar 01 '21 21:03 scudette

Currently this project is windows only. I have no plans to support other operating systems (but would love contributions). Supporting other operating systems would require a totally different code base and so it makes sense these should be in a different project (hence the name WinPmem).

I thought the same also but then I saw your page here: https://winpmem.velocidex.com/ which states that OSXPmem and LinPMem were included:

"This is the official site of the Pmem memory acquisition tools. These include WinPmem, OSXPmem and LinPmem.

So I thought I'd ask. May want to updated that.

Thanks

nmcbride avatar Mar 02 '21 00:03 nmcbride

Ah thanks for pointing it out. This is a case of out of date documentation.

On Tue, Mar 2, 2021, 10:13 Nathan McBride [email protected] wrote:

Currently this project is windows only. I have no plans to support other operating systems (but would love contributions). Supporting other operating systems would require a totally different code base and so it makes sense these should be in a different project (hence the name Win Pmem).

I thought the same also but then I saw your page here: https://winpmem.velocidex.com/ which states that OSXPmem and LinPMem were included:

"This is the official site of the Pmem memory acquisition tools. These include WinPmem, OSXPmem and LinPmem.

So I thought I'd ask. May want to updated that.

Thanks

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/Velocidex/WinPmem/issues/28#issuecomment-788420215, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA5NRIWNOIKVH4AOGTMNPYTTBQURLANCNFSM4YM27KJA .

scudette avatar Mar 02 '21 02:03 scudette

@scudette what happened to Rekall? Why was it dropped out? Sorry if it is a bit off topic.

Is there then anyone else looking at macOS and Linux memory dumping drivers and tools now?

diogo-fernan avatar Apr 15 '21 11:04 diogo-fernan

Hi Diogo,

AFAIK no one took over the Rekall project when I left Google in 2018... Rekall used a lot of time and effort to keep the project in sync with the latest kernel builds.

I just saw a SANS video that suggests macpmem still works in 2021 :-). https://www.youtube.com/watch?v=KDKRjeQk7ds

Linux acquisition still depends on /dev/kcore or compiling a custom driver (not practical in most DFIR cases). I do not think any of this changed but I am not sure.

To be perfectly honest I dont do memory acquisition or analysis very much these days since the utility and reliability of memory analysis vs other methods does not justify the cost (in terms of time and maintenance). It is simpler and more reliable to get the same information using APIs or other methods than through memory analysis.

Thanks Mike

Mike Cohen Digital Paleontologist, Velocidex Enterprises M ‭+61 470 238 491‬ <‭+61+470+238+491‬> E @.*** @.***>

On Thu, Apr 15, 2021 at 9:06 PM Diogo Fernandes @.***> wrote:

@scudette https://github.com/scudette what happened to Rekall? Why was it dropped out?

Is there then anyone else looking at macOS and Linux memory dumping drivers and tools now?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Velocidex/WinPmem/issues/28#issuecomment-820338584, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA5NRIVLXQHWBWRORSWBUXTTI3CEZANCNFSM4YM27KJA .

scudette avatar Apr 15 '21 11:04 scudette

The Rekall repo (https://github.com/google/rekall) has been archived by Google, so supposedly no one took over indeed. It would actually be great if you guys at Velocidex could somehow manage to continue with pmem support for all platforms.

diogo-fernan avatar Apr 15 '21 16:04 diogo-fernan

Well we do support winpmem development to some extent in this repository, but I really have no idea about osxpmem development (but I believe it still works?). I think linpmem is just a user space program that copies kcore so it should continue to work?

Are you just suggesting we copy those into this repository so they are easier to find?

Thanks Mike

On Fri, Apr 16, 2021, 02:17 Diogo Fernandes @.***> wrote:

The Rekall repo (https://github.com/google/rekall) has been archived by Google, so supposedly no one took over indeed. It would actually be great if you guys at Velocidex could somehow manage to continue with pmem support for all platforms.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Velocidex/WinPmem/issues/28#issuecomment-820556299, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA5NRIS6UBA33VBT3RSWNNDTI4GQVANCNFSM4YM27KJA .

scudette avatar Apr 15 '21 21:04 scudette

Definitely grateful for continuing on with winpmem!

As for osxpmem and linpmem, it sounds like a good idea to copy them over into this repository considering the documentation that you have on your website, which might prevent others from getting confused! Perhaps it would also be helpful mentioning that the development of those is not supported any longer.

diogo-fernan avatar Apr 16 '21 06:04 diogo-fernan