Monday, June 25, 2012
Memory Forensics for Linux and Mac
[ UPDATE 01/07/2012 ]
Excellent news: "Announcing Mac Support in Volatility": http://memoryforensics.blogspot.com.br/2012/06/announcing-mac-support-in-volatility.html
[ ORIGINAL POST: 25/06/12 ]
Two new tools for memory dumping/analysis on the Linux and Mac platforms were announced recently - check them out:
Linux/Android:
Linux Memory Extractor (LiME): http://digitalforensicssolutions.com/lime/
LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
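As an added example (not code from the LiME project or from this post), a small Python parser for the headers LiME writes in its own "lime" output format: each captured physical range is preceded by a 32-byte little-endian header (magic 0x4C694D45, version 1, start and end address, 8 reserved bytes), the same layout Volatility's LiME address space reads. It validates every header, rejects truncated captures, and maps a physical address to its file offset; the two-range image it works on is constructed inline.

```python
import struct
from dataclasses import dataclass

# LiME "lime" format: every captured physical range is preceded by a 32-byte
# little-endian header: magic, version, start address, end address, 8 reserved bytes.
LIME_MAGIC = 0x4C694D45   # "LiME"
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")

@dataclass
class LimeRange:
    start: int        # first physical address in the range
    end: int          # last physical address in the range (inclusive)
    data_offset: int  # file offset of the range's first byte

def parse_lime(image: bytes) -> list:
    """Walk the dump header by header; reject bad magic/version and truncation."""
    ranges, off = [], 0
    while off < len(image):
        if off + HEADER.size > len(image):
            raise ValueError(f"truncated header at offset {off:#x}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC or version != LIME_VERSION:
            raise ValueError(f"not a LiME header at offset {off:#x}")
        data_offset, size = off + HEADER.size, e_addr - s_addr + 1
        if e_addr < s_addr or data_offset + size > len(image):
            raise ValueError(f"bad or truncated range at offset {off:#x}")
        ranges.append(LimeRange(s_addr, e_addr, data_offset))
        off = data_offset + size
    return ranges

def read_phys(image: bytes, ranges: list, paddr: int, n: int):
    """Map a physical address to its file offset; None if LiME did not capture it."""
    for rng in ranges:
        if rng.start <= paddr and paddr + n - 1 <= rng.end:
            base = rng.data_offset + (paddr - rng.start)
            return image[base:base + n]
    return None

def build_sample() -> bytes:
    """Constructed two-range dump with an uncaptured hole between 0x2000 and 0x2fff."""
    r1 = bytearray(b"A" * 0x1000)
    r1[0x800:0x804] = b"MARK"   # sits at physical address 0x1800
    return (HEADER.pack(LIME_MAGIC, LIME_VERSION, 0x1000, 0x1FFF, bytes(8)) + bytes(r1)
            + HEADER.pack(LIME_MAGIC, LIME_VERSION, 0x3000, 0x30FF, bytes(8)) + b"B" * 0x100)

SAMPLE = build_sample()
RANGES = parse_lime(SAMPLE)
```

A read that lands in the hole between the two ranges returns None rather than silently reading the next range's bytes, which is the check an analyst wants before trusting what a tool reports from a partial capture.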
MacOS:
Mac Memoryze: http://www.mandiant.com/resources/download/mac-memoryze-1.0trade
Mandiant Mac Memoryze is free memory forensic software that helps incident responders find evil in memory…on Macs. Mac Memoryze can acquire and/or analyze memory images. Analysis can be performed on offline memory images or on live systems.
Mac Memoryze can:
- image the full range of system memory;
- acquire individual process memory regions;
- enumerate all running processes (including those hidden by rootkits);
- report all open file handles in a process (for example, all files, sockets, pipes, etc.);
- list the virtual address space of a process, including loaded libraries and allocated portions of the heap and execution stack;
- list network connections;
- enumerate all loaded kernel extensions, including those hidden by rootkits;
- enumerate the System Call Table and Mach Trap Table;
- enumerate all running Mach Tasks.
Another reference for MacOS - Mac Memory Reader: http://www.cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader
Other posts on memory forensics (on Windows) already published here:
Windows Forensics - Memory Acquisition and Analysis: http://sseguranca.blogspot.com.br/2011/06/forense-em-windows-aquisicao-e-analise.html
Memory Forensics - A Comparison of Available Tools: http://sseguranca.blogspot.com.br/2008/12/forense-de-memria-uma-comparao-de.html
Forensic Analysis Workshop and Challenge at Campus Party 2012: http://sseguranca.blogspot.com.br/2012/02/oficina-e-desafio-de-analise-forense-no.html
Memory Acquisition and Analysis, or "Memory Forensics": http://sseguranca.blogspot.com.br/2010/08/docencia-no-mestrado-em-informatica.html
pdymail - Memory Forensics for Yahoo Mail: http://sseguranca.blogspot.com/2009/01/pdymail-forense-de-memria-para-o-yahoo.html
pdgmail: a new tool for GMAIL Memory Forensics: http://sseguranca.blogspot.com.br/2008/10/pdgmail-nova-ferramenta-para-forense-de.html