Anyone here work live forensics with FireEye, not GCFE stuff

(@tateconcepts)
Posts: 9
Active Member
Topic starter
 

For all those GCFA holders or whatnot out there, has anyone here ever worked with FireEye (Mandiant) MIR or HX and performed a full memory capture?

I received this huge 97GB memory capture from a DB server. The file produced by HX Full Memory Capture basically puts everything in one big zip file. Inside the zip file is nothing but the manifest JSON file and a raw image (it's not raw dd either, because it will not mount). The target OS is Windows Server 2012 R2, but the same is true for Windows 7. See the example files below from the zip file collected with FE:

Mode    LastWriteTime          Length      Name
----    -------------          ------      ----
------  6/27/2018   5:31 PM    1504        manifest.json
------  6/27/2018   6:28 PM    5470        vNjQ2ssl7wf9e7SAtnLUa6
------  6/27/2018   6:28 PM    1902        DsDzAjqdaM7gmVs2Ln76Na
------  6/27/2018   6:28 PM    7449083904  CG66UNtP6K066e2jKvosCG
------  6/27/2018   5:31 PM    8081        metadata.json
------  6/27/2018   5:31 PM    617         script.xml

This is the view from Windows with PowerShell. If I use the file command in Linux I just get "filename: data"; if I use fdisk -l there are details but no file system. I cannot use Redline for this because (psst) it doesn't support Windows 10/Server 2016, so I need to test the KDEDEBUGGER profile for each and see what is supported with volatility or rekall.

Does anyone have any idea what format they use for their memory captures (I say memory again folks, not disk)?

 
Posted: 18/07/2018 11:33 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

If you are talking about a RAM dump, then it probably is dd, but you can't 'mount' a RAM dump as it won't have a recognisable filesystem.

Have you tried using volatility?

 
Posted: 19/07/2018 7:56 am
(@tateconcepts)
Posts: 9
Active Member
Topic starter
 

Thanks for asking; you can close this thread. I apologize for the late reply, however I didn't realize that it was raw memory and not put into an image. In this case, I ran vol.py imageinfo against it and voilà!

As far as FE taking raw captures, they have no filename extensions but can be mounted either with an offset or by using imagemounter.py directly. Thank you for the replies, everyone!

 
Posted: 26/09/2018 8:51 pm