Velocidex / WinPmem

The multi-platform memory acquisition tool.
Apache License 2.0
695 stars 102 forks source link

Current binaries with logical file options? #31

Open Jon-Rowe opened 3 years ago

Jon-Rowe commented 3 years ago

We're interested in running a standalone aff4imager with logical file copy options to test it out. Is there a current .exe build we can download? I noticed the latest WinPmem doesn't include the feature.

Thanks!

scudette commented 3 years ago

We currently do all logical images using velociraptor in offline collector mode. This can also collect memory and it's far better than the old aff4imager.

Here is a video that explains how that works https://youtu.be/DX1CcoNl_q8

Jon-Rowe commented 3 years ago

Hi Mike, Thank you for your quick response and assistance. I’m watching the video now, and I’m sure we’ll have questions for you.

Thanks! Jon

Jonathan P. Rowe President|CEO www.pinpointlabs.comhttp://www.pinpointlabs.com/ @.**@.> 402.235.2381 (Direct) Preserve. Collect. Discover.

From: Mike Cohen @.> Sent: Tuesday, June 8, 2021 5:20 PM To: Velocidex/WinPmem @.> Cc: Jon Rowe @.>; Author @.> Subject: Re: [Velocidex/WinPmem] Current binaries with logical file options? (#31)

We currently do all logical images using velociraptor in offline collector mode. This can also collect memory and it's far better than the old aff4imager.

Here is a video that explains how that works https://youtu.be/DX1CcoNl_q8

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/Velocidex/WinPmem/issues/31#issuecomment-857216806, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGYUOY5ZKGB2FYJCA4K425TTR2JSXANCNFSM46KQUEFA.

Jon-Rowe commented 3 years ago

Mike, I’ve watched a couple videos; very impressive work! I was especially looking at the collection target options and I see zip and AWS, Google etc but I don’t see aff4 containers in the options list. Is there another setting we would need to use for logical containers?

Thanks, Jon

Jonathan P. Rowe President|CEO www.pinpointlabs.comhttp://www.pinpointlabs.com/ @.**@.> 402.235.2381 (Direct) Preserve. Collect. Discover.

From: Mike Cohen @.> Sent: Tuesday, June 8, 2021 5:20 PM To: Velocidex/WinPmem @.> Cc: Jon Rowe @.>; Author @.> Subject: Re: [Velocidex/WinPmem] Current binaries with logical file options? (#31)

We currently do all logical images using velociraptor in offline collector mode. This can also collect memory and it's far better than the old aff4imager.

Here is a video that explains how that works https://youtu.be/DX1CcoNl_q8

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/Velocidex/WinPmem/issues/31#issuecomment-857216806, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGYUOY5ZKGB2FYJCA4K425TTR2JSXANCNFSM46KQUEFA.

scudette commented 3 years ago

Aff4 is not currently supported by velociraptor. We support writing to a regular zip container instead and the metadata is written as Json files.

I did consider previously adding aff4 support but it's not clear that aff4 will provide a large advantage for this use case. It's potentially better for large single images because it allows them to be spilt into chucks that can be compressed in parallel, but for a large number of smaller files that advantage disappears and compatibility with regular zip files is more important.

The metadata scheme in aff4 is not that useful for the general case of collecting arbitrary artifacts, so we will always write Json files anyway, and converting back and forth from rdf just burns CPU cycles and memory, so even if we did write aff4 probably we will skip a lot of the rdf stuff.

Interested to hear your view on this though?

Jon-Rowe commented 3 years ago

Mike, You point out all the great reasons zip files work well. What we've encountered are larger corporations and government agencies that prefer forensic containers and believe in some government agencies that have mentioned FIPS encrypted data. The typical reasoning behind forensic containers is the data is read-only, and they don't worry someone is going to alter file metadata or container contents and better encryption.

I continue to look for libraries that will create a logical forensic file container and keep coming short. AFF looked promising but I don't see any active binaries and looking for assistance compiling if it is going to continue being supported. Any advice you can give when it comes to building an AFF4 logical imaging tool? If you don't mind sending me an email address, that would be great. I send you a message on LinkedIn.

Thanks! Jon

Jonathan P. Rowe

President|CEO

www.pinpointlabs.comhttp://www.pinpointlabs.com/

@.**@.>

402.235.2381 (Direct)

Preserve. Collect. Discover.


From: Mike Cohen @.> Sent: Tuesday, June 8, 2021 8:36 PM To: Velocidex/WinPmem @.> Cc: Jon Rowe @.>; Author @.> Subject: Re: [Velocidex/WinPmem] Current binaries with logical file options? (#31)

Aff4 is not currently supported by velociraptor. We support writing to a regular zip container instead and the metadata is written as Json files.

I did consider previously adding aff4 support but it's not clear that aff4 will provide a large advantage for this use case. It's potentially better for large single images because it allows them to be spilt into chucks that can be compressed in parallel, but for a large number of smaller files that advantage disappears and compatibility with regular zip files is more important.

The metadata scheme in aff4 is not that useful for the general case of collecting arbitrary artifacts, so we will always write Json files anyway, and converting back and forth from rdf just burns CPU cycles and memory, so even if we did write aff4 probably we will skip a lot of the rdf stuff.

Interested to hear your view on this though?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/Velocidex/WinPmem/issues/31#issuecomment-857304080, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGYUOY5GIFNREEGVUXIX6RTTR3ARRANCNFSM46KQUEFA.

scudette commented 3 years ago

Just to clarify, aff4 is just a zip file with some metadata.

I believe there are some libraries that support it in the aff4 GitHub org https://github.com/aff4 and there are some commercial tools that image to aff4.

Jon-Rowe commented 3 years ago

Mike, That's good to know, thanks! A couple questions:

  1. Can contents be altered as easily as a zip?
  2. Does AFF4 use same zip encryption method?

Jon

Jonathan P. Rowe

President | CEO

www.pinpointlabs.comhttp://www.pinpointlabs.com/

@.**@.>

402.235.2381 (<tel:+14022352381>Direct)

Preserve. Collect. Discover.

Sent from my Verizon, Samsung Galaxy smartphone


From: Mike Cohen @.> Sent: Tuesday, June 8, 2021 9:59:28 PM To: Velocidex/WinPmem @.> Cc: Jon Rowe @.>; Author @.> Subject: Re: [Velocidex/WinPmem] Current binaries with logical file options? (#31)

Just to clarify, aff4 is just a zip file with some metadata.

I believe there are some libraries that support it in the aff4 GitHub org https://github.com/aff4 and there are some commercial tools that image to aff4.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/Velocidex/WinPmem/issues/31#issuecomment-857333446, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGYUOYZ5UGY77P5STHKZQPTTR3KJBANCNFSM46KQUEFA.

scudette commented 3 years ago

AFF4 standard is here https://github.com/aff4/Standard it does not define any encryption or signing. The standard does define hashing and also a block based hashing scheme which can be parallelized for speed. The underlying storage format is a zip file therefore standard zip tools can read/write it.

Therefore it is fairly easy to alter the file directly - which is why users need to record hashes as part of the chain of custody as is always the case.

This BTW this is not different from many of the other formats (EWF, dd) etc. AFF4 is just a way to store multiple streams in the same zip file with metadata geared towards forensic imaging use case.

Jon-Rowe commented 3 years ago

Great points about altering existing forensic containers. I downloaded a zip for the repo link you sent and see the stand spec PDF, Readme and a project file with a few lines in it. Is there suppose to be any code files, or binaries in this repo?

Thanks,

Jonathan P. Rowe President|CEO www.pinpointlabs.comhttp://www.pinpointlabs.com/ @.**@.> 402.235.2381 (Direct) Preserve. Collect. Discover.

From: Mike Cohen @.> Sent: Wednesday, June 9, 2021 8:58 AM To: Velocidex/WinPmem @.> Cc: Jon Rowe @.>; Author @.> Subject: Re: [Velocidex/WinPmem] Current binaries with logical file options? (#31)

AFF4 standard is here https://github.com/aff4/Standard it does not define any encryption or signing. The standard does define hashing and also a block based hashing scheme which can be parallelized for speed. The underlying storage format is a zip file therefore standard zip tools can read/write it.

Therefore it is fairly easy to alter the file directly - which is why users need to record hashes as part of the chain of custody as is always the case.

This BTW this is not different from many of the other formats (EWF, dd) etc. AFF4 is just a way to store multiple streams in the same zip file with metadata geared towards forensic imaging use case.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/Velocidex/WinPmem/issues/31#issuecomment-857717097, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGYUOY4ZIXDPUUWLUIK2C2DTR5XNHANCNFSM46KQUEFA.

scudette commented 3 years ago

The code is kept in different projects in the aff4 github org

Jon-Rowe commented 3 years ago

I thought so; we’ve pulled from the aff4 repo. Just need to find a dev to help us with the build (think we’ll try the Docker implementation next) and possible customizations. Let me know if you have any referrals! Can’t thank you enough for all the assistance and speedy responses.

Jon

Jonathan P. Rowe President|CEO www.pinpointlabs.comhttp://www.pinpointlabs.com/ @.**@.> 402.235.2381 (Direct) Preserve. Collect. Discover.

From: Mike Cohen @.> Sent: Wednesday, June 9, 2021 9:28 AM To: Velocidex/WinPmem @.> Cc: Jon Rowe @.>; Author @.> Subject: Re: [Velocidex/WinPmem] Current binaries with logical file options? (#31)

The code is kept in different projects in the aff4 github org

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHubhttps://github.com/Velocidex/WinPmem/issues/31#issuecomment-857743368, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AGYUOY3R4JAX4E3HNNE6ES3TR525XANCNFSM46KQUEFA.