Edit

How To Capture an Image

  • Article

alt text

Project Freta accepts four types of memory images:

  • Hyper-V Memory Snapshot (.vmrs files)
  • LiME image (.lime files)
  • Elf Core Dump of Physical Memory (.core files)
  • Raw Physical Memory Dump (.raw files)

From a forensics perspective, the less impact made to the running system while snapshotting memory, the better. Best case scenario is to obtain a memory dump from a virtualized machine, in which the host takes a memory dump of a guest without the guest (and any malware running on it) being able to detect it and without any modification to the RAM or file contents. Less ideal are memory dumps of a running system taken from within the system, since this requires code to the run (and potentially the output to be stored) on the machine itself, which modifies the system state and potentially overwrites evidence.

Following are four methods of obtaining memory snapshots from running systems, in rough descending order of preference.


Capture a Hyper-V Linux Guest

Hyper-V memory snapshots are virtual machine runtime state (VMRS) files. To take a snapshot of a virtual machine's memory in Hyper-V, you need to use the Checkpoint functionality, either via the Hyper-V Manager or PowerShell.

Prior to doing so, we recommend that you ensure the VM has checkpoints enabled and that they are configured as Standard checkpoints, rather than Production. As the UI indicates, we want to "capture the current state of applications". Also take note of the Checkpoint File Location path, as that's the location to which the VMRS file will be written.

How To Capture An Image Checkpoint Settings

Via the Hyper-V Manager

To create a checkpoint using the Hyper-V Manager, locate the appropriate Linux VM, right-mouse click, and select Checkpoint.

How To Capture An Image Select Checkpoint

Via PowerShell

To create a checkpoint using PowerShell, use the Checkpoint-VM command and pass in the Linux VM name as an argument:

PS > Checkpoint-VM -Name [VMName]

This will instruct Hyper-V to take the checkpoint:

How To Capture An Image Checkpoint Progress

Upload the Image

Once extraction is complete via either method, browse to the checkpoint directory for the given VM:

Capture An Image Vmrs File

Identify the VMRS file and submit it to Project Freta for analysis.


Capture a Linux Instance using AVML

AVML is an X86_64 usermode volatile memory acquisition tool written in Rust. It can be used to acquire memory without knowing the target OS distribution or kernel, and no on-target compilation or fingerprinting is needed.

AVML leverages the /proc/kcore interface present on several Linux distributions. Unlike other on-instance memory capture methods, this is a lighter touch as no modification to the kernel (e.g., loading of a kernel module) is required. However, /proc/kcore is not universal, so this tool is not always an option.

AVML is open source and available on GitHub. Compiled binaries are located under the releases folder, or you may opt to build it yourself.


Building AVML

  1. Clone the AVML repo and browse to the src folder

    $ git clone https://github.com/microsoft/avml
$ cd avml/src

  2. If needed, install MUSL and Build the source according to the following from the AVML notes:

    # Install MUSL
$ sudo apt-get install musl-dev musl-tools musl

# Install Rust via rustup
$ curl https://sh.rustup.rs -sSf | sh -s -- -y

# Add the MUSL target for Rust
$ rustup target add x86_64-unknown-linux-musl

# Build
$ cargo build --release --target x86_64-unknown-linux-musl

# Build without upload functionality
$ cargo build --release --target x86_64-unknown-linux-musl --no-default-features

    The result should be a new avml file (or similar) in the target/x86_64-unknown-linux-musl/release folder.

Note

You should build AVML on a different machine than the one on which you use it.


Using AVML

To obtain a memory snapshot using AVML, take the following steps.

  1. Copy the avml file to the target Linux machine (via USB or otherwise) and execute the following command, providing the flags, options, and filename as appropriate. Note that this can take a while to run, depending on the hardware characteristics of the target machine.

    $ avml [FLAGS] [OPTIONS] <filename>

FLAGS:
        --compress    compress pages via snappy
        --delete      delete upon successful upload
    -h, --help        Prints help information
    -V, --version     Prints version information

OPTIONS:
        --sas_block_size <sas_block_size>  Specify maximum block size in MiB
        --sas_url <sas_url>                Upload via Azure Blob Store upon acquisition
        --source <source>                  Specify input source [possible values: /proc/kcore, /dev/crash, /dev/mem]
        --url <url>                        Upload via HTTP PUT upon acquisition

ARGS:
    <filename>    name of the file to write to on local system

  2. Retrieve the file and submit it to Project Freta for analysis.


Convert a VMWare Snapshot

Project Freta can ingest VMWare snapshots that have been converted for GDB using the vmss2core tool with the -M flag.

Please take the following steps as detailed in the VMWare docs:

  1. Create a snapshot or suspend the virtual machine
  2. Locate the snapshot (.vmsn) or suspend file (.vmss) in the virtual machine directory; the vmss2core tool also accepts monolithic or non-monolithic memory (.vmem) files
  3. Run the vmss2core tool with the -M flag to create a core file (vmss.core) with a physical memory view suitable for the Gnu debugger gdb
  4. Submit the file to Project Feta

Capture a Linux Instance using LiME

The Linux Memory Extractor (LiME) Loadable Kernel Module (LKM) is designed to acquire a full volatile memory (i.e., RAM) dump of the host system for forensic analysis or security research. It does it all in kernel space and can dump an image either to the local file system or over TCP. It's designed to give you as close of a copy of physical memory as possible while minimizing its interaction with (and therefore impact on) the host system, but it does require kernel modification via loading the kernel module.

The LiME LKM is open source and available on GitHub.


Building LiME

  1. Clone the LiME repo

    $ git clone https://github.com/504ensicsLabs/LiME

  2. If needed, install the GNU build tools to enable the make command

    $ sudo apt install build-essential

  3. Browse to the src folder and run the make command

    $ cd liME/src
$ make

    The result should be a new lime-5.4.0-26-generic.ko file (or similar) in the current directory.

Note

You should build the LiME LKM on a different machine than the one on which you use it.


Using LiME

To obtain a memory snapshot using LiME, take the following steps.

  1. Copy the lime-5.4.0-26-generic.ko file to the target Linux machine (via USB or otherwise) and execute the following command, substituting the path and format values as appropriate. Note that this can take a while to run, depending on the hardware characteristics of the target machine.

    $ sudo insmod lime-5.4.0-26-generic.ko "path=/media/USBDrive/image.lime format=raw"

  2. Retrieve the resulting image.lime file (or whatever you chose to call it) and submit it to Project Freta for analysis.