DCFLDD, hence, is a modified version of DD that also calculates the hash value of the created image. Example:
# dcfldd hashwindow=BYTES hashlog=FILE if=DEVICE of=IMAGE
hashwindow indicates the number of bytes for which a hash should be created, and hashlog names the text file into which the calculated values are written.
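As an added illustration, not taken from the book or from dcfldd itself, the following Python mirrors the hashwindow idea on a constructed 2048-byte image: it hashes the data in fixed windows, writes the digests to a hashlog (in a layout assumed here, not dcfldd's own), and then uses that log to pinpoint which window of a later copy no longer matches. The 512-byte window and the single altered byte are constructed for the demonstration.

```python
import hashlib

# Constructed sample "image": 2048 bytes (not real evidence).
IMAGE = bytes(range(256)) * 8
WINDOW = 512  # assumed hash-window size in bytes


def windowed_hashes(data, window, algo="md5"):
    """Hash every `window`-byte slice of `data` plus the whole stream.
    Same idea as dcfldd's hashwindow: per-window digests and a total.
    Returns ([(start, end, hexdigest), ...], total_hexdigest)."""
    total = hashlib.new(algo)
    windows = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]      # last window may be short
        total.update(chunk)
        windows.append((start, start + len(chunk),
                        hashlib.new(algo, chunk).hexdigest()))
    return windows, total.hexdigest()


def write_hashlog(windows, total, algo="md5"):
    """Render the digests as a text log. The layout is assumed here;
    it is not dcfldd's own hashlog format."""
    lines = [f"{s} - {e}: {d}" for s, e, d in windows]
    lines.append(f"Total ({algo}): {total}")
    return "\n".join(lines) + "\n"


def verify_against_hashlog(data, window, hashlog, algo="md5"):
    """Re-hash `data` and return the start offsets of windows whose
    digest differs from the log, so a mismatch can be localised
    instead of only learning that the total hash failed."""
    expected = {}
    for line in hashlog.splitlines():
        if not line or line.startswith("Total"):
            continue
        byte_range, digest = line.split(": ")
        expected[int(byte_range.split(" - ")[0])] = digest
    windows, _ = windowed_hashes(data, window, algo)
    return [s for s, _, d in windows if expected.get(s) != d]


if __name__ == "__main__":
    wins, tot = windowed_hashes(IMAGE, WINDOW)
    log = write_hashlog(wins, tot)
    copy = bytearray(IMAGE)
    copy[1000] ^= 0xFF                      # simulate one altered byte
    print("bad windows:", verify_against_hashlog(bytes(copy), WINDOW, log))
```

With a per-window log, a failed total hash can be narrowed to the affected byte range instead of discarding the whole image.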
Another handy freeware tool for generating hashes is Hashish. This tool has the sole objective of generating a hash from an input file or a simple data string. The strength of this tool lies in the number of algorithms it supports. It is a complete and easy-to-use tool with a GUI. And the fact that it can run both under Windows and LINUX/UNIX is nothing to turn your nose up at.
DD, furthermore, may also be used for memory dumping. This occurs when the machine is still on when delivered to the forensic examiner. In this case the procedure is as follows:
dd if=/dev/kmem of=output
dd if=/dev/mem of=output
Regarding how to handle memory images, it should be mentioned that a number of examiners have provided feedback speaking of systems freezing up following the above-described procedure. As an alternative, Memdump, written by Wietse Venema, can be used. The MemDump utility is designed to dump any part of the 4GB linear memory address space under MS-DOS and Windows 9x DOS to a console or a text file. This utility provides transparent access to memory with or without installed memory managers. The software can be downloaded from
http://www.porcupine.org/forensics/memdump-1.0.README
To dump physical memory:
memdump | nc host port
or
memdump | openssl s_client -connect host:port
In the meantime, research is looking into alternative methods for acquiring the
memory contents based on hardware cards [Carrier02]. These cards would dump
the memory without performing any operations on it and without interacting with
the operating system kernel of the compromised machine, and might solve a lot of
problems. However, from the practical point of view there are a lot of limitations,
mainly in the deployment phase.
At any rate, the memory dump is generally more useful in the “pure” investigation
phases, rather than for subsequent appearances in court. Whatever the case, do not
forget that all imaging operations, including the description and specifications of the
tools used, must be documented in the report.