Wednesday, February 16, 2011

Extracting memory mapped files from memory dumps

computer-forensics.sans.org explains how to extract memory-mapped files from memory dumps. This technique is useful when the files we want to investigate (like log files) are not available on the hard disk, perhaps because they were deleted.

They use Volatility to extract from the dump all the files opened by the Event Log service.

A memory-mapped file is:
a segment of virtual memory which has been assigned a direct byte-for-byte correlation with some portion of a file or file-like resource. This resource is typically a file that is physically present on disk, but can also be a device, shared memory object, or other resource that the operating system can reference through a file descriptor. Once present, this correlation between the file and the memory space permits applications to treat the mapped portion as if it were primary memory.
The primary benefit of memory mapping a file is increased I/O performance, especially when used on small files. Accessing memory-mapped files is faster than using direct read and write operations for two reasons. Firstly, a system call is orders of magnitude slower than a simple change to a program's local memory. Secondly, in most operating systems the memory region mapped actually is the kernel's page cache (file cache), meaning that no copies need to be created in user space.
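The two properties above are exactly what make the recovery technique work: a write through the mapping is a write to the file, and the mapped pages stay resident after the file is deleted. The script below is an added illustration (not from the SANS post or from Volatility): it maps a constructed log file, writes through the mapping, unlinks the file, and shows that the content is still readable from memory. It assumes POSIX semantics, where unlinking an open file succeeds.

```python
import mmap
import os
import tempfile

# Constructed sample log content; stands in for the deleted log file on the page.
SAMPLE_LOG = (b"2011-02-16 10:00:01 EventLog service started\n"
              b"2011-02-16 10:00:05 user login failed\n")


def map_then_delete():
    """Map a log file into memory, delete it from disk, and report what survives.

    Returns (first_line_read_from_disk, file_still_exists, bytes_still_in_memory).
    """
    directory = tempfile.mkdtemp()          # scratch dir, removed at the end
    path = os.path.join(directory, "app.log")
    with open(path, "wb") as f:
        f.write(SAMPLE_LOG)

    with open(path, "r+b") as f:
        mapping = mmap.mmap(f.fileno(), 0)   # byte-for-byte view of the whole file
        # Byte-for-byte correlation: patching the mapping patches the file itself.
        mapping[0:4] = b"2012"
        mapping.flush()
        f.seek(0)
        first_line_on_disk = f.readline()    # read back through the file, not the map

    os.unlink(path)                          # directory entry gone, as with a deleted log
    file_still_exists = os.path.exists(path)
    in_memory = bytes(mapping[:])            # mapped pages are still resident and readable
    mapping.close()
    os.rmdir(directory)
    return first_line_on_disk, file_still_exists, in_memory
```

This is the same situation a memory image captures: the on-disk file is gone, but the pages backing the mapping are still in memory, which is what Volatility walks to extract them.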
