Velocidex / WinPmem

The multi-platform memory acquisition tool.
Apache License 2.0

Current binaries with logical file options? #31

Open Jon-Rowe opened 3 years ago

Jon-Rowe commented 3 years ago

We're interested in running a standalone aff4imager with logical file copy options to test it out. Is there a current .exe build we can download? I noticed the latest WinPmem doesn't include the feature.

Thanks!

scudette commented 3 years ago

We currently do all logical images using velociraptor in offline collector mode. This can also collect memory and it's far better than the old aff4imager.

Here is a video that explains how that works https://youtu.be/DX1CcoNl_q8

Jon-Rowe commented 3 years ago

Hi Mike, Thank you for your quick response and assistance. I’m watching the video now, and I’m sure we’ll have questions for you.

Thanks! Jon


Jon-Rowe commented 3 years ago

Mike, I’ve watched a couple videos; very impressive work! I was especially looking at the collection target options and I see zip and AWS, Google etc but I don’t see aff4 containers in the options list. Is there another setting we would need to use for logical containers?

Thanks, Jon


scudette commented 3 years ago

Aff4 is not currently supported by velociraptor. We support writing to a regular zip container instead and the metadata is written as Json files.

I did consider previously adding aff4 support but it's not clear that aff4 will provide a large advantage for this use case. It's potentially better for large single images because it allows them to be split into chunks that can be compressed in parallel, but for a large number of smaller files that advantage disappears and compatibility with regular zip files is more important.

The metadata scheme in aff4 is not that useful for the general case of collecting arbitrary artifacts, so we will always write Json files anyway, and converting back and forth from rdf just burns CPU cycles and memory, so even if we did write aff4 probably we will skip a lot of the rdf stuff.

Interested to hear your view on this though?

Jon-Rowe commented 3 years ago

Mike, You point out all the great reasons zip files work well. What we've encountered are larger corporations and government agencies that prefer forensic containers and believe in some government agencies that have mentioned FIPS encrypted data. The typical reasoning behind forensic containers is the data is read-only, and they don't worry someone is going to alter file metadata or container contents and better encryption.

I continue to look for libraries that will create a logical forensic file container and keep coming up short. AFF looked promising but I don't see any active binaries, and I'm looking for assistance compiling if it is going to continue being supported. Any advice you can give when it comes to building an AFF4 logical imaging tool? If you don't mind sending me an email address, that would be great. I sent you a message on LinkedIn.

Thanks! Jon


scudette commented 3 years ago

Just to clarify, aff4 is just a zip file with some metadata.

I believe there are some libraries that support it in the aff4 GitHub org https://github.com/aff4 and there are some commercial tools that image to aff4.

Jon-Rowe commented 3 years ago

Mike, That's good to know, thanks! A couple questions:

  1. Can contents be altered as easily as a zip?
  2. Does AFF4 use the same zip encryption method?

Jon


scudette commented 3 years ago

AFF4 standard is here https://github.com/aff4/Standard it does not define any encryption or signing. The standard does define hashing and also a block based hashing scheme which can be parallelized for speed. The underlying storage format is a zip file therefore standard zip tools can read/write it.

Therefore it is fairly easy to alter the file directly - which is why users need to record hashes as part of the chain of custody as is always the case.

This, BTW, is no different from many of the other formats (EWF, dd, etc.). AFF4 is just a way to store multiple streams in the same zip file with metadata geared towards the forensic imaging use case.
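The point above (a container that is an ordinary zip, hashes recorded in metadata, and the resulting need to verify those hashes as part of chain of custody) can be shown end to end. The example below is added here and is not Velociraptor, WinPmem or AFF4 code: it writes constructed sample streams into a zip with a JSON manifest of whole-file and per-block SHA-256 hashes (a hypothetical 4096-byte block size, not the AFF4 scheme), then alters one member with standard zip tooling and shows the verifier pinpointing the changed block.

```python
import hashlib
import io
import json
import zipfile

BLOCK_SIZE = 4096  # hypothetical block size for this demo; AFF4 defines its own scheme

# Constructed sample streams standing in for collected files.
SAMPLE = {"evidence/hosts.txt": b"127.0.0.1 localhost\n" * 300,
          "evidence/notes.txt": b"collected 2021-06-09 by analyst\n"}

def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list[str]:
    """SHA-256 per fixed-size block; blocks are independent, so hashing parallelises."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]

def write_container(streams: dict[str, bytes]) -> bytes:
    """Store each stream as a zip member and record its hashes in a JSON manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        manifest = {}
        for name, data in streams.items():
            zf.writestr(name, data)
            manifest[name] = {"size": len(data),
                              "sha256": hashlib.sha256(data).hexdigest(),
                              "block_sha256": block_hashes(data)}
        zf.writestr("manifest.json", json.dumps(manifest, indent=1))
    return buf.getvalue()

def verify_container(container: bytes) -> dict[str, list[int]]:
    """Per stream, indices of blocks whose hash no longer matches; -1 marks a size change."""
    bad = {}
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        for name, meta in manifest.items():
            got = block_hashes(zf.read(name))
            bad[name] = [i for i, (a, b) in enumerate(zip(meta["block_sha256"], got)) if a != b]
            if len(got) != len(meta["block_sha256"]):
                bad[name].append(-1)
    return bad

def tamper(container: bytes, name: str, offset: int, patch: bytes) -> bytes:
    """Overwrite bytes of one member with plain zip tooling, leaving the manifest as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(container)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == name:
                data = data[:offset] + patch + data[offset + len(patch):]
            dst.writestr(item, data)
    return out.getvalue()
```

Because the manifest lives inside the same zip, anyone who can rewrite a member can rewrite the manifest too; the hashes only prove anything when they are also recorded outside the container at acquisition time.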

Jon-Rowe commented 3 years ago

Great points about altering existing forensic containers. I downloaded a zip for the repo link you sent and see the standard spec PDF, Readme and a project file with a few lines in it. Are there supposed to be any code files or binaries in this repo?

Thanks,


scudette commented 3 years ago

The code is kept in different projects in the aff4 GitHub org.

Jon-Rowe commented 3 years ago

I thought so; we’ve pulled from the aff4 repo. Just need to find a dev to help us with the build (think we’ll try the Docker implementation next) and possible customizations. Let me know if you have any referrals! Can’t thank you enough for all the assistance and speedy responses.

Jon
