In many cases, forensic or endpoint security tools with agents already installed on the endpoints provide a way to do this.
However, I came across an excellent Incident Response tricks and tools cheatsheet from:
"JPMinty" @ https://jpminty.github.io
Specifically at "https://jpminty.github.io/cheatsheet/DFIR/#belkasoft-live-ram-capturer"
JPMinty mentions using PsExec for a live RAM capture on a remote Windows PC.
The command is as follows:
psexec \\remotepcname -c RamCapture64.exe "output.mem"
So I set up two Windows 10 VMs in VMware Workstation to simulate a remote memory capture.
* Note: this is not necessarily a forensically sound imaging method, because changes will be written to the remote machine. However, if a forensic/endpoint tool fails, this may be a potential backup method.
Running PsExec with RamCapture64.exe directly returned an error:
[screenshot: GOT an ERROR]
TEST 2
The RamCapture64.exe download unzips with some DLLs and a .sys file in a folder called x64.
I will use the xcopy command to copy the x64 folder, with RamCapture64.exe in it, to the target.
But FIRST...
A share on the target drive had to be mounted and authenticated with the net use command:
[screenshot: the net use command mounting a share and authenticating]
NEXT, initiate a remote cmd session with PsExec on the target and run the tool.
Now in a remote cmd prompt.
*NOTE: you can skip the remote command prompt method and use PsExec to run ".\RamCapture64.exe" directly.
[screenshot: remote cmd session]
READY to run RamCapture64.exe
While we are here, let's hash the memdump.mem file. We can use the certutil command.
MD5 for memory file = b8eafad7bf112f2d565093b611a8b52b
Exit the remote cmd session.
LASTLY, we can use xcopy again to bring memdump.mem back to the forensic host:
xcopy <DESTINATION\memdump.mem> <FORENSIC HOST>
[screenshot: the memdump.mem file copied]
The memory capture "memdump.mem" is now on the forensic host with the same MD5 hash.
This method of using xcopy and PsExec is kind of the long way around, but it is not too many steps to run.
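As an added example (not code from the original post or from JPMinty's cheatsheet), the whole net use / xcopy / PsExec / certutil / xcopy-back sequence above can be scripted so the hash comparison at the end is done by the script rather than by eye. The target host name, tool and evidence folders are hypothetical placeholders, and the script assumes, as in the cheatsheet command the post quotes, that RamCapture64.exe takes the output file name as its first argument. Only documented PsExec switches (-accepteula, -u, -p, -w) and built-in certutil / Get-FileHash are used.

```powershell
# Added example: scripted version of the remote RAM capture workflow in this post.
# Placeholders (not values from the post): $Target, $ToolDir, $EvidenceDir.
param(
    [Parameter(Mandatory)][string]$Target,        # hypothetical remote Windows 10 VM name
    [string]$ToolDir     = 'C:\Tools\x64',         # unzipped x64 folder: exe + dlls + .sys
    [string]$EvidenceDir = 'C:\Evidence',          # folder on the forensic host
    [string]$DumpName    = 'memdump.mem'
)

$ErrorActionPreference = 'Stop'
$cred       = Get-Credential -Message "Admin account on $Target"
$user       = $cred.UserName
$pass       = $cred.GetNetworkCredential().Password
$adminShare = "\\$Target\C$"
$remoteDir  = 'C:\x64'          # where the tool folder lands on the target

# Pull the 32-hex-character digest out of certutil's output. Older certutil
# builds print the bytes space-separated, newer ones do not, so strip whitespace.
function Get-CertutilMd5 {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $compact = $line -replace '\s', ''
        if ($compact -match '^[0-9A-Fa-f]{32}$') { return $compact.ToUpper() }
    }
    throw 'No MD5 found in certutil output'
}

# 1. Authenticate to the admin share (the post's "net use" step).
net use $adminShare $pass /user:$user | Out-Null

# 2. Copy the whole x64 folder, not just the exe: "psexec -c" copies the exe
#    alone and leaves the dlls/.sys behind, which is the error seen in the first test.
xcopy $ToolDir "$adminShare\x64\" /E /I /Y | Out-Null

# 3. Run the capture with the tool folder as the working directory (-w), so the
#    driver and dlls are found next to the exe and the dump lands in C:\x64.
psexec "\\$Target" -accepteula -u $user -p $pass -w $remoteDir `
    "$remoteDir\RamCapture64.exe" $DumpName

# 4. Hash the dump on the target before it moves (certutil is built in).
$remoteOut = psexec "\\$Target" -accepteula -u $user -p $pass `
    certutil -hashfile "$remoteDir\$DumpName" MD5
$remoteMd5 = Get-CertutilMd5 -Lines $remoteOut

# 5. Bring the dump back with xcopy and hash it on the forensic host.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
xcopy "$adminShare\x64\$DumpName" "$EvidenceDir\" /Y | Out-Null
$localMd5 = (Get-FileHash -Path "$EvidenceDir\$DumpName" -Algorithm MD5).Hash

# 6. Compare: a mismatch points at the copy, not the capture.
if ($localMd5 -ne $remoteMd5) {
    throw "MD5 mismatch: target=$remoteMd5 host=$localMd5"
}
"$DumpName verified on forensic host: MD5 $localMd5"

# 7. Tear down the share mapping.
net use $adminShare /delete | Out-Null
```

Run it from an elevated PowerShell prompt on the forensic host, e.g. `.\Capture-RemoteRam.ps1 -Target WIN10-VM2`. The target-side hash is taken before the dump crosses the network so that the final comparison actually tells you whether xcopy changed anything; keep the printed hash with your notes, since the capture itself still writes to the remote disk as the post's note warns.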
----NEXT POST----
I will be attempting to extract a pcap from the same memory dump using the bulk_extractor tool.
Happy forensicating
--Bryan