Many cases there are solutions for that purpose with forensics or endpoint security tools that have agents installed that allow for this.
However, came across an excellent Incident Response tricks and tools cheatsheet resource from:
"JPMinty" @ https://jpminty.github.io
Specifically at "https://jpminty.github.io/cheatsheet/DFIR/#belkasoft-live-ram-capturer"
JPMinty mentions using psexec for a live ram capture on a remote windows pc.
The command is as follows:
psexec \\remotepcname -c RamCapture64.exe "output.mem"So I set up two Windows 10 VMs with VMWare Workstation. And wanted to simulate a remote memory capture.
* Note this is not necessarily a forensically sound method for imaging. Because changes will be written to the remote machine. However if a forensic/endpoint tool fail this may be a potential backup method.
 |
| The machine on the left is the remote PC. And the right is the forensics host to launch psexec from.
TEST 1
Launching a cmd prompt with admin privileges.
And run the following command :
* PsExec64.exe <RemotePC> -u for username and -p for password -c <The Memory Capture tool> <output memory dump file>
Download of psexec can be found at:
 |
 |
| Running the PsExec with the RamCapture64.exe directly, returned an ERROR |
GOT an ERROR
TEST 2
The RamCapture64.exe download unzips with some dlls and a sys file in a folder called x64.
Will use the xcopy command.
To copy the x64 folder with the RamCapture64.exe in it to the target.
But FIRST...
With the following command had to mount a share to the target drive with the following command:
 |
| The net use command with mount a share and authenticating |
SECOND is using the XCOPY command to copy the memory dump tool to the target's C$ drive.
 |
| The RamCapture tool has been copied to the target. |
NEXT to initiate a remote cmd session with PsExec on the target and run the tool
 |
| Now in a remote cmd prompt
*NOTE, can skip the remote command prompt method and use psexec to just run the ".\RamCapture64.exe"
|
READY to run RamCapture64.exe
 |
| Memory dump completed and is located on the C:\ root of the target |
While we are here let's hash the memdump.mem file. We can use the certutil command
MD5 for memory file = b8eafad7bf112f2d565093b611a8b52b
Can exit the remote cmd session
LASTLY we can use xcopy again to bring the memdump.mem back to the Forensic host
 |
| xcopy <DESTINATION\memdump.mem> <FORENSIC HOST> |
 |
| The memdump.mem file copied |
 |
| The Memory Capture "memdump.mem" is now on the Forensics Host with the same MD5 hash. |
This method of using xcopy and psexec is kind of the long way around. But is not too many steps to run.
----NEXT POST----
I will be attempting to extract a pcap from the same memory dump using the bulk extractor tool.
Happy forensicating
--Bryan
No comments:
Post a Comment