Memory DD
ManTech Memory DD is open source software that captures a record of physical (random access) memory, whose contents are lost when the computer is shut down. Released at no charge under the GPL license for government and private use, ManTech's Memory DD (MDD) can acquire memory images from the following Microsoft® products: Windows® 2000, Windows Server 2003, Windows XP®, Windows Vista®, and Windows Server 2008.
ManTech's Memory DD 1.0 acquires a forensic image of physical memory and stores it as a raw binary file. To help verify data integrity and preserve the evidence, the data captured by ManTech Memory DD is hashed with the Message-Digest algorithm 5 (MD5), a common Internet standard used in security applications. The binary file can then be analyzed with external tools to identify items of interest to the examiner.
There have been numerous, well-documented computer exploits that never leave evidence on the computer's persistent storage devices, such as hard drives. These exploits reside solely in the physical memory of the machine. When the machine is powered off, the evidence of the exploit quickly vanishes. In some cases, evidence of online communication (such as chat sessions) resides in memory even after the communication has terminated. Encryption keys for disk encryption utilities can often be recovered from physical memory as well. The ability to image physical memory allows the forensic examiner to recover valuable information that would otherwise be lost forever. With ManTech Memory DD, it is now easy for Department of Defense, Intelligence Community, law enforcement, and commercial organizations to acquire and preserve physical memory images.
MDD was designed specifically to harvest a physical memory image from a running system. The software can copy up to 4 GB of memory to a file for later analysis. In this regard, MDD was built to harvest data that can be analyzed by another tool or software program to identify rootkits and other malicious code residing undetected on a system.
A rootkit is a set of tools that work through subversion or evasion of typical operating system security controls to allow a non-administrator to gain administrator privileges over the system. As such, all data stored on or accessible from the compromised system is available to the rootkit. However, a rootkit must load itself into memory to run. That is why MDD is so powerful: MDD can capture the rootkit's in-memory executable code, which can then be analyzed by other tools to determine that the system is compromised.
MDD is useful because it provides a binary file that can be coupled with other tools from ManTech International Corporation or other industry leaders to provide a comprehensive snapshot of physical memory.
As a free and open tool, MDD is managed via sourceforge.net.
MD5Deep
MD5Deep is open source software: a cross-platform set of programs used to compute MD5, SHA-1, SHA-256, Tiger, or Whirlpool message digests on an arbitrary number of files. The programs run on Windows, Linux, Cygwin, *BSD, OS X, Solaris, and most other platforms.
MD5Deep is similar to the md5sum program found in the GNU Coreutils package, but offers several additional features. MD5Deep was developed by Jesse Kornblum, a current ManTech CSI employee.
To read more about the tools developed by Jesse, please visit his website at http://jessekornblum.com.
Recursive operation - md5deep is able to recursively examine an entire directory tree. That is, it can compute the MD5 for every file in a directory and for every file in every subdirectory.
Time estimation - md5deep can produce a time estimate when it's processing very large files.
Comparison mode - md5deep can accept a list of known hashes and compare them to a set of input files. The program can display either those input files that match the list of known hashes or those that do not match. Hash sets can be drawn from the National Software Reference Library, iLook Investigator, Hashkeeper, md5sum, and other generic hash-generating programs. Users are welcome to add functionality to read other formats too!
Piecewise hashing - md5deep can hash input files in fixed-size blocks of arbitrary length, producing one digest per block.
File type mode - md5deep can process only files of a certain type, such as regular files, block devices, etc.
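The following is an added example, not code from ManTech or from md5deep itself, that reimplements in Python the three md5deep behaviours described above (recursive hashing of a directory tree, comparison against a known-hash list in md5sum format, and piecewise hashing) and the chunked MD5 computation that an examiner would run over a raw memory image like the one MDD produces. The directory tree, file contents and known-hash list are all constructed inside the example; the function names are this example's own, not md5deep's command-line options.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algorithm="md5", chunk_size=1 << 20):
    """Digest a file in 1 MiB reads, so a multi-gigabyte raw image never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root, algorithm="md5"):
    """Recursive operation: hash every regular file under root (symlinks and devices are skipped)."""
    hashes = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                hashes[os.path.relpath(full, root)] = hash_file(full, algorithm)
    return hashes


def parse_known_hashes(text):
    """Parse md5sum-style lines ('<hex digest>  <name>') into a set of lowercase digests."""
    known = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            known.add(line.split()[0].lower())
    return known


def compare_mode(tree_hashes, known, negative=False):
    """Comparison mode: paths whose digest is in the known set, or (negative=True) those that are not."""
    return sorted(path for path, digest in tree_hashes.items() if (digest in known) != negative)


def piecewise_hash(path, block_size, algorithm="md5"):
    """Piecewise hashing: one digest per fixed-size slice, tagged with the byte range it covers."""
    pieces = []
    offset = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            pieces.append((offset, offset + len(block) - 1, hashlib.new(algorithm, block).hexdigest()))
            offset += len(block)
    return pieces


def demo():
    """Build a constructed directory tree and run all three modes over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "image.raw").write_bytes(bytes(range(256)) * 16)  # constructed 4 KiB stand-in for a memory image
        (root / "empty.dat").write_bytes(b"")
        (root / "sub" / "notes.txt").write_bytes(b"known good file\n")
        (root / "sub" / "unknown.bin").write_bytes(b"\x90" * 100)
        # constructed known-hash list in md5sum format: only notes.txt is "known"
        known_list = hashlib.md5(b"known good file\n").hexdigest() + "  notes.txt\n"
        tree = hash_tree(root)
        known = parse_known_hashes(known_list)
        matched = compare_mode(tree, known)
        unmatched = compare_mode(tree, known, negative=True)
        pieces = piecewise_hash(root / "image.raw", 1024)
    return tree, matched, unmatched, pieces


if __name__ == "__main__":
    tree, matched, unmatched, pieces = demo()
    for path, digest in tree.items():
        print(digest, path)
    print("matching known set:", matched)
    print("not in known set:", unmatched)
    for start, end, digest in pieces:
        print(f"bytes {start}-{end}: {digest}")
```

Reading in fixed-size chunks is the detail that matters for memory images: a 4 GB dump hashed with a single `read()` would need 4 GB of RAM, while the chunked loop produces the same MD5 with a constant footprint. Piecewise digests additionally let an examiner localise which region of a large image later disagrees with the acquisition-time hashes, rather than only learning that the whole file differs.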
SSDeep
SSDeep open source software computes a checksum based on context triggered piecewise hashes for each input file. If requested, the program matches those checksums against a file of known checksums and reports any possible matches.
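To show what "context triggered piecewise hashes" means in practice, here is an added, deliberately simplified implementation in Python; it is not ssdeep's code or its exact algorithm (ssdeep uses its own rolling hash, a different chunk hash, two block sizes chosen from the file length and a different scoring function). The rolling-hash base, the 7-byte window, the fixed block size of 32 and the pseudo-random test data are all constructed for this example. Unlike a fixed-block scheme, the chunk boundaries here are decided by the content itself, so inserting bytes in the middle of a file only disturbs the chunks around the insertion and the two signatures stay mostly identical, while their MD5 digests differ completely.

```python
import hashlib

ROLL_WINDOW = 7    # bytes of context that feed the rolling hash (constructed choice for this example)
BLOCK_SIZE = 32    # trigger modulus; roughly one chunk boundary every 32 bytes on random data
BASE = 16777619    # polynomial rolling-hash base (constructed choice)
MOD = 1 << 32
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def rolling_hashes(data, window=ROLL_WINDOW):
    """Yield (offset, h) where h depends only on the last `window` bytes ending at offset.

    Because the hash forgets everything older than the window, it re-synchronises a few
    bytes after any insertion or deletion, which is what makes the chunking "context triggered".
    """
    h = 0
    top = pow(BASE, window, MOD)  # weight of the byte that drops out of the window
    for i, b in enumerate(data):
        h = (h * BASE + b) % MOD
        if i >= window:
            h = (h - data[i - window] * top) % MOD
        yield i, h


def chunk_boundaries(data, block_size=BLOCK_SIZE):
    """Cut after every byte whose rolling hash hits the trigger value block_size - 1."""
    return [i + 1 for i, h in rolling_hashes(data) if h % block_size == block_size - 1]


def ctph(data, block_size=BLOCK_SIZE):
    """Return a simplified fuzzy hash 'block_size:signature', one base64 character per chunk."""
    signature = []
    start = 0
    for cut in chunk_boundaries(data, block_size) + [len(data)]:
        if cut > start:  # skip empty chunks (e.g. a trigger on the very last byte)
            digest = hashlib.sha1(data[start:cut]).digest()
            signature.append(ALPHABET[digest[0] & 0x3F])  # keep 6 bits of the chunk hash
            start = cut
    return f"{block_size}:{''.join(signature)}"


def levenshtein(a, b):
    """Classic edit distance between two signature strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(h1, h2):
    """Score 0..100; 100 means identical signatures. Signatures with different block sizes do not compare."""
    bs1, s1 = h1.split(":", 1)
    bs2, s2 = h2.split(":", 1)
    if bs1 != bs2:
        return 0
    longest = max(len(s1), len(s2))
    if longest == 0:
        return 100
    return round(100 * (1 - levenshtein(s1, s2) / longest))


def lcg_bytes(n, seed):
    """Deterministic pseudo-random bytes (constructed test data, not a secure generator)."""
    out = bytearray()
    x = seed
    for _ in range(n):
        x = (1103515245 * x + 12345) % (1 << 31)
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def demo():
    """Compare an original, a copy with bytes inserted in the middle, and an unrelated file."""
    original = lcg_bytes(4000, seed=1)
    modified = original[:2000] + b"--inserted text--" + original[2000:]
    unrelated = lcg_bytes(4000, seed=99)
    h_orig, h_mod, h_unrel = ctph(original), ctph(modified), ctph(unrelated)
    return {
        "md5_differs": hashlib.md5(original).hexdigest() != hashlib.md5(modified).hexdigest(),
        "modified_score": similarity(h_orig, h_mod),
        "unrelated_score": similarity(h_orig, h_unrel),
        "chunks": len(h_orig.split(":", 1)[1]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the scores is the failure mode of ordinary checksums that fuzzy hashing addresses: a single inserted byte changes an MD5 entirely and shifts every fixed-size block after it, whereas content-defined boundaries realign within one window length, so the modified file scores close to 100 against the original and the unrelated file scores low.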
Teel Technologies provides advanced analysis and solutions to federal, state and local law enforcement, digital investigators, network operators and security professionals.
Mach 1 Development (M1D), LLC is a leading technology consulting and development firm offering a unique set of products and services. Our service offerings include Identity Management Systems expertise, smartcard design, encrypted communications, e-ID implementation, RFID design, logistics integrity and border control systems expertise.