Monday, July 16, 2012

Performing forensics on RAMDisk based operating system via QEMU

I came across a problem requiring me to get to a filesystem resident in RAM via a RAMDisk. I used QEMU to dump this to a file for further analysis.

The system at hand was disk encryption software that performs some disk trickery in order to unlock the drive after supplying credentials to the disk encryption software. The disk encryption software was Linux based. However, the RAMDisk was being initiated by MSDOS startup files. It was a very weird setup.

I was able to use QEMU and an Ubuntu Live USB disk to dump what I needed. Because the disk encryption was resident on the HDD instead of the BIOS, I was able to boot to my Live USB and circumvent the HDD entirely. Once in the Live System, I installed qemu and ghex.

qemu-system-i386 -hda /dev/sda -monitor stdio
I was able to boot the hard disk into a virtualised environment. -monitor stdio gives me a qemu shell prompt in the bash shell that I started the QEMU instance in. This is how we will be saving the full state of the VM. Once booted into the disk encryption software, I ran the following to see what devices I had at my disposal

(qemu) info block
ide0-hd0: removable=0 io-status=ok file=/dev/sda ro=0 drv=raw encrypted=0
ide1-cd0: removable=1 locked=0 tray-open=0 io-status=ok [not inserted]
floppy0: removable=1 locked=0 tray-open=0 [not inserted]
sd0: removable=1 locked=0 tray-open=0 [not inserted]

Now that I have the disks, the hd0 block is what I want. We want to create a new file to save our vm into.

snapshot_blkdev ide0-hd0 dump

Now save the vm's state into the dump file


You may now use further, more advanced techniques to analyse the contents of the RAM disk by using a hex editor or various other tools to extract the wanted data from the saved state of the vm.