c-aff4

PhysicalMemory Extraction using linpmem

Open lcfut opened this issue 5 years ago • 9 comments

Our team completed a memory collection using winpmem version 2.1 on an Azure VM running Windows Server 2016. The output was in AFF4 format.

I am attempting to extract the PhysicalMemory for processing with Rekall and Volatility and receiving the following output results.

root@workstation:# ./linpmem-v3.3.rc1 -V ../winpmem_collection.aff4
@prefix rdf: http://www.w3.org/1999/02/22-rdf-syntax-ns# .
@prefix aff4: http://aff4.org/Schema# .
@prefix xsd: http://www.w3.org/2001/XMLSchema# .
@prefix memory: http://aff4.org/Schema#memory/ .

aff4://90283ff6-6777-4497-ac03-c711a870c8c0/PhysicalMemory
    aff4:category memory:physical ;
    aff4:stored aff4://90283ff6-6777-4497-ac03-c711a870c8c0 ;
    a aff4:map .

aff4://90283ff6-6777-4497-ac03-c711a870c8c0/PhysicalMemory/data
    aff4:chunk_size 32768 ;
    aff4:chunks_per_segment 1024 ;
    aff4:compression https://www.ietf.org/rfc/rfc1950.txt ;
    aff4:size 34359267328 ;
    aff4:stored aff4://90283ff6-6777-4497-ac03-c711a870c8c0 ;
    a aff4:image .

file:///root/winpmem_collection.aff4 aff4:contains aff4://90283ff6-6777-4497-ac03-c711a870c8c0 .

root@workstation:#

root@workstation:# ./linpmem-v3.3.rc1 -e '/PhysicalMemory' -D /root/linpmem/ ../winpmem_collection.aff4
root@workstation:# ll
total 2724
drwxr-xr-x 2 root root    4096 Feb 21 19:49 ./
drwx------ 9 root root    4096 Feb 21 20:03 ../
-rwxrwxrwx 1 root root 2779456 Feb 19 15:37 linpmem-v3.3.rc1
root@workstation:# pwd
/root/linpmem
root@workstation:#

root@workstation:# ./linpmem-v3.3.rc1 -e '*/PhysicalMemory' --volume_format raw --output /root/linpmem/mem.raw ../winpmem_collection.aff4
2020-02-21 20:08:14 E Cannot specify an export and an output volume at the same time (did you mean --export_dir).
2020-02-21 20:08:14 E Imaging failed with error: INVALID_INPUT
root@workstation:#

lcfut avatar Feb 21 '20 20:02 lcfut

Check this reference for exporting command lines

https://winpmem.velocidex.com/docs/extracting/

Should be linpmem -e '*/PhysicalMemory' --export_dir /tmp/export/ winpmem_collection.aff4

You can also use -dd to increase verbosity.

scudette avatar Feb 22 '20 11:02 scudette

I was able to run the above command against the collection. The command did not produce any output at all. I added the "-dd" command as suggested with the following output:

root@workstation:/cases/memtest# linpmem -dd -e '*/PhysicalMemory' --export_dir /cases/ output.aff4
2020-02-25 19:11:10 I Loaded AFF4 volume URN aff4://90283ff6-6777-4497-ac03-c711a870c8c0 from zip file.
2020-02-25 19:11:10 I Global offset: 0
root@workstation:/cases/memtest#

lcfut avatar Feb 25 '20 19:02 lcfut

I was able to obtain a different AFF4 file, just to make sure the collection I was working with didn't have an issue with it. I am getting similar results of nothing exported.

root@workstation:/cases/memtest# linpmem -e '*/PhysicalMemory' --export_dir /tmp/export/ test_file.aff4 -dd
2020-02-26 01:23:20 I Loaded AFF4 volume URN aff4://85dc9819-ca86-47f1-bbf3-f0973905f6a1 from zip file.
2020-02-26 01:23:20 I Global offset: 0

root@workstation:/cases/memtest# ll /tmp/export/
total 8
drwxr-xr-x  2 root root 4096 Feb 26 01:21 ./
drwxrwxrwt 14 root root 4096 Feb 26 01:21 ../

root@workstation:/cases/memtest# uname -a
Linux workstation 4.15.0-88-generic #88-Ubuntu SMP Tue Feb 11 20:11:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

lcfut avatar Feb 26 '20 01:02 lcfut

Hi Lou, AFF4 containers are just zip files. Make sure the zip is working correctly by running

unzip -t myfile.aff4

There should be a file called information.turtle in the zip file, can you please post it here?

If I am understanding correctly, you took the image with linpmem 2.1 but are trying to extract it with linpmem 3.3?

Thanks Mike

Mike Cohen, Digital Paleontologist, Velocidex Enterprises

On Wed, Feb 26, 2020 at 11:28 AM Lou Sierra wrote:


scudette avatar Feb 26 '20 06:02 scudette
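The two checks Mike asks for above (is the zip intact, and what does information.turtle say about the volume) as an added Python example; this is not code from c-aff4, pmem or anyone in this thread. It goes one step further than `unzip -t` by listing every aff4:map and aff4:image stream the turtle declares and counting the zip members stored under each, since a stream that is declared but has no members is one condition under which an export has nothing to write. It assumes c-aff4's convention that segments are stored under the stream URN relative to the volume URN (so the map's members are PhysicalMemory/map and PhysicalMemory/idx and the image's live under PhysicalMemory/data/); the Turtle reader handles only the subset pmem emits, and build_sample_container() is a constructed stand-in that reuses the volume URN and stream metadata from the -V output earlier in this thread, not a real capture. Function and key names are this example's own.

```python
import io
import re
import sys
import zipfile

AFF4 = "http://aff4.org/Schema#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
TURTLE_NAME = "information.turtle"

# Tokens: <iri>, "literal"^^type, the ; and , separators, or a bare word / prefixed name.
_TOKEN = re.compile(r'<[^>]*>|"(?:[^"\\]|\\.)*"(?:\^\^\S+)?|[;,]|[^\s;,]+')


def _expand(tok, prefixes):
    """Resolve a Turtle token to a full IRI, or to the plain value of a literal."""
    if tok == "a":
        return RDF_TYPE
    if tok.startswith("<") and tok.endswith(">"):
        return tok[1:-1]
    if tok.startswith('"'):
        return tok.rsplit("^^", 1)[0].strip('"')      # drop any ^^xsd:type suffix
    pfx, sep, local = tok.partition(":")
    # "aff4://..." written bare (as in the -V output) is a URN scheme, not the aff4: prefix
    if sep and pfx in prefixes and not local.startswith("//"):
        return prefixes[pfx] + local
    return tok


def parse_turtle(text):
    """Minimal reader for the Turtle subset pmem writes: {subject: {predicate: [objects]}}.
    Accepts both <bracketed> IRIs (the file itself) and bare ones (the -V listing)."""
    tokens = []
    for tok in _TOKEN.findall(text):
        if len(tok) > 1 and tok.endswith(".") and tok[0] not in '<"':
            tokens += [tok[:-1], "."]                 # statement terminator glued to a name
        else:
            tokens.append(tok)
    prefixes, graph, i = {}, {}, 0
    while i < len(tokens):
        if tokens[i] == "@prefix":                    # @prefix p: <iri> .
            prefixes[tokens[i + 1].rstrip(":")] = _expand(tokens[i + 2], {})
            i += 4
            continue
        subject = _expand(tokens[i], prefixes)
        i += 1
        while i < len(tokens) and tokens[i] != ".":
            predicate = _expand(tokens[i], prefixes)
            i += 1
            while i < len(tokens):                    # object list: o1 , o2 , ...
                graph.setdefault(subject, {}).setdefault(predicate, []).append(
                    _expand(tokens[i], prefixes))
                i += 1
                if i < len(tokens) and tokens[i] == ",":
                    i += 1
                else:
                    break
            if i < len(tokens) and tokens[i] == ";":
                i += 1
        i += 1                                        # consume the "."
    return graph


def check_container(container):
    """Return {"bad_member", "has_turtle", "streams", "problems"} for an AFF4 zip.
    Assumes members are named by the stream URN relative to the volume URN."""
    rep = {"bad_member": None, "has_turtle": False, "streams": {}, "problems": []}
    with zipfile.ZipFile(container) as zf:
        rep["bad_member"] = zf.testzip()              # CRC-checks every member, like `unzip -t`
        if rep["bad_member"]:
            rep["problems"].append("CRC error in " + rep["bad_member"])
        names = zf.namelist()
        if TURTLE_NAME not in names:
            rep["problems"].append("no information.turtle: not an AFF4 volume")
            return rep
        rep["has_turtle"] = True
        graph = parse_turtle(zf.read(TURTLE_NAME).decode("utf-8"))
    for subject, props in graph.items():
        kinds = [t[len(AFF4):] for t in props.get(RDF_TYPE, []) if t.startswith(AFF4)]
        kind = next((k for k in kinds if k in ("image", "map")), None)
        if kind is None:
            continue                                  # volume and file:// nodes
        vol = props.get(AFF4 + "stored", [""])[0]
        rel = subject[len(vol):].lstrip("/") if subject.startswith(vol) else subject
        members = [n for n in names if n.startswith(rel + "/")]
        entry = {"type": kind, "members": len(members)}
        if kind == "image":
            entry["size"] = int(props.get(AFF4 + "size", ["0"])[0])
            entry["chunk_size"] = int(props.get(AFF4 + "chunk_size", ["0"])[0])
        if not members:                               # declared, but nothing to export from
            rep["problems"].append(f"{rel}: declared aff4:{kind} but no members under {rel}/")
        rep["streams"][rel] = entry
    return rep


def build_sample_container(with_segments=True):
    """Constructed sample, not a real capture: a tiny zip shaped like the thread's
    volume, reusing its volume URN and the stream metadata from the -V output."""
    vol = "aff4://90283ff6-6777-4497-ac03-c711a870c8c0"
    turtle = f"""@prefix aff4: <http://aff4.org/Schema#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
@prefix memory: <http://aff4.org/Schema#memory/> .
<{vol}/PhysicalMemory> aff4:category memory:physical ; aff4:stored <{vol}> ; a aff4:map .
<{vol}/PhysicalMemory/data> aff4:chunk_size "32768"^^xsd:int ;
    aff4:chunks_per_segment "1024"^^xsd:int ;
    aff4:compression <https://www.ietf.org/rfc/rfc1950.txt> ;
    aff4:size "34359267328"^^xsd:long ; aff4:stored <{vol}> ; a aff4:image .
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(TURTLE_NAME, turtle)
        if with_segments:                             # placeholder bodies; only the layout matters
            for name in ("PhysicalMemory/map", "PhysicalMemory/idx",
                         "PhysicalMemory/data/00000000", "PhysicalMemory/data/00000000.index"):
                zf.writestr(name, b"\0" * 16)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    rep = check_container(sys.argv[1] if len(sys.argv) > 1 else build_sample_container())
    for name, info in rep["streams"].items():
        print(name, info)
    print("problems:", rep["problems"] or "none")
```

Run it with the path to a real .aff4 to get the same report for that container. A stream that shows up with zero members, or a CRC error from testzip(), is worth ruling out before attributing an empty export to a version mismatch between the acquiring and extracting tools.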

I ran the test of the AFF4 using the unzip command and there were no errors detected.

Correction - This was taken with WinPmem 2.1-post4.exe and I am attempting to extract PhysicalMemory using linpmem-3.3

Attached is the information.turtle file you requested. I renamed it to TXT for upload purposes. Please let me know what else you need.

information.turtle.txt

lcfut avatar Feb 26 '20 14:02 lcfut

Quick Update - I was able to move the test_file.aff4 to a windows machine for clarification.

winpmem.exe test_file.aff4 -e PhysicalMemory -o output.raw

This command worked using winpmem-2.1-post4.

This does not work using linpmem-v3.3.rc1

lcfut avatar Feb 26 '20 15:02 lcfut

Just looking for an update if any........

lcfut avatar Mar 09 '20 12:03 lcfut

Sorry I have not looked at it. Winpmem 2.1 happened prior to the AFF4 standardization work and there were some changes in the internal file format. In principle the latest v3.3 is supposed to be backward compatible, but obviously it is not really working and we probably don't test it with older versions of winpmem. We probably don't have the bandwidth to support compatibility with very old versions of winpmem.

I would just recommend you extract the image with the same version you used to acquire it (that is working right?). Moving forward images should be readable because AFF4 has been standardized now so in future you should use latest winpmem.

scudette avatar Mar 09 '20 12:03 scudette

We are in the process of updating our utilities to v3.3 already and will keep your update in mind. This particular collection was done some time ago that we use for testing/validating our workflow. I have made adjustments for this particular file test until our v3.3 script update is complete.

root@workstation:/cases/memtest# mkdir export
root@workstation:/cases/memtest# cd ..
root@workstation:/cases# cp /mnt/s3fs/MemoryForensicTools/winpmem.exe .
root@workstation:/cases# chmod 700 winpmem.exe
root@workstation:/cases# wine winpmem.exe /mnt/s3fs/TestImages/test_file.aff4 -e PhysicalMemory -o memtest/export/mem.raw

I will keep you updated on our v3.3 script completion for updated memory collections and analysis.

lcfut avatar Mar 09 '20 16:03 lcfut