Sunday, January 27, 2008

XPSP3 - How this is going to affect RAM Analysis?

Well to sum up XPSP3 (for RAM Analysis) I’d say the prognosis is great.

The key offsets that I look for in the EPROCESS (Page Directory Base, Create Time Low, Create Time High, Exit Time Low, Exit Time High, PID, Image File Name) appear to be the same as XPSP2. The Kernel Program (NTOSKRNL.exe) I use to gauge the OS Version of the RAM is also similar to previous versions.

I tried to use Windbg (v6.8.0004.0) to confirm the EPROCESS Structure but I was unable to find the new Symbols at Microsoft.

The following is my Grep Search for determining the OS Version in a RAM Analysis:

The above GREP was run against a VMEM file running XPSP3 and returned the following:

N•T• •K•e•r•n•e•l• •&• •S•y•s•t•e•m•••••b•!•••
F•i•l•e•V•e•r•s•i•o•n•••••5•.•1•.•2•6•0•0•.•3•2•6•4• •(•x•p•s•p•.•0•7•1•1•3•0•-•1•4•2•7•)

The numeration is added below:
*** Fixed Thanks to Andreas Schuster****•

Windows 2000 = 5.0.2195.x
Windows XP 32bit = 5.1.2600.x
Windows XP 64bit and Server 2003 = 5.2.3790.x
Windows Vista = 6.0.6000.x

The following is a list of the EPROCESS Information for all current versions of Windows. The XPSP3 entries are tentative and identified from hex analysis of a RAM Acquisition and should be confirmed using WinDbg as soon as possible. PTFinder and PTfinderFE work on XPSP3 just use the XPSP2 option.


Keydet89 said...

You could use from the Windows Forensic Analysis DVD (or from Sourceforge) to get the OS of the RAM dump.

ForensicZone said...

Keydet is a great tool for determining the OS of a RAM Capture and is also used in PTFinderFE. I do need to update PTFinderFE which is built on Andres Schuster’s PTFinder. Is there any similar tools to this in you new Perl Script book?” Perl Scripting for IT Security