Perform mem forensics remotely over the network.


shinde.a...@gmail.com

Nov 18, 2016, 2:19:22 AM11/18/16
to rekall-discuss
Hey everyone,

I was trying a small project. I am building something similar to GRR but agentless. I don't want an agent running on the target machine.
I want to deploy a standalone rekall.exe on the target, run plugins remotely, get back the output files, and clean up after. I am using impacket's wmiexec to transfer the exe and run commands remotely, since my targets are primarily going to be Windows machines.

This is how I am doing it:
1. Connect to the remote machine over WMI.
2. Transfer the standalone version of Rekall.
3. Take a memory dump on the remote computer.
4. Run a few plugins on the image.
5. Zip and download the output files.
6. Delete everything on the target.

It does take a long time to complete: around 15 minutes if the target is Windows 8.1 with around 4 GB of RAM.

What would be a more efficient way to achieve this? How do I improve the performance? Any suggestions would be really helpful.

Michael Cohen

Nov 18, 2016, 3:00:25 AM11/18/16
to shinde.a...@gmail.com, rekall-discuss
Hi,
This sounds exactly like what the artifact collector is designed for. The
idea is that you write a bunch of artifacts in a yaml file and then
run Rekall's artifact collector telling it to collect the artifacts.
The result will be just a zip file with all the output of the plugins
you want in it. It will also copy any files off the system that match
the artifacts into the zip file and optionally make a timeline in that
zip file.

Besides this capability have you heard about the rekall agent which
was released in OSDFC? The agent is basically similar in functionality
to GRR except that everything is treated as a file. So the agent
consumes a job file with instructions of what flows to run and then
generates output in other files.

Currently the rekall agent is similar to GRR in deployment
functionality (i.e. it polls the server and uploads results to the
server) but in future we are planning to make it more flexible in the
way it accepts commands and where it should put the results. The use
case of preparing a single job file for a one shot execution and
collection is certainly a good use case. This is especially useful for
integrators of Rekall inside other agents which would rather just
shell out to Rekall with a jobs file and collect the results
themselves without necessarily running Rekall agent per se.

IMHO you should aim to avoid taking a memory image if at all possible
- it takes a lot longer and disturbs the system (causing caches to
flush etc). It is better to perform analysis live and just extract
what you want from the system.

Thanks
Michael.
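Both the original poster's step 5 (zip the plugin output and pull it back) and Michael's description of the artifact collector (a single zip with all plugin output) end with an archive crossing the network. The following is an added example, not code from either poster or from Rekall itself: it packages plugin output into a zip together with a SHA-256 manifest, and then re-verifies every member after transfer so that a truncated download or a modified member is caught before the output is treated as evidence. The manifest name, its JSON layout and the sample plugin output are constructed for this example and are not Rekall's own format.

```python
"""Package forensic plugin output into a zip with a hash manifest, then
verify the archive after transfer.

Constructed example. MANIFEST_NAME and the manifest layout are assumptions
for this demonstration, not the Rekall artifact collector's own format.
"""
import hashlib
import io
import json
import zipfile

MANIFEST_NAME = "MANIFEST.json"  # assumed name, not part of Rekall


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_collection_zip(outputs: dict, host: str) -> bytes:
    """Write each plugin output into the archive and record its SHA-256
    and size in a manifest. `outputs` maps an archive path such as
    'pslist.txt' to the raw bytes produced on the target."""
    manifest = {"host": host, "files": {}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(outputs.items()):
            zf.writestr(name, data)
            manifest["files"][name] = {"sha256": sha256_hex(data), "size": len(data)}
        zf.writestr(MANIFEST_NAME, json.dumps(manifest, indent=2, sort_keys=True))
    return buf.getvalue()


def verify_collection_zip(blob: bytes):
    """Re-hash every member and compare against the manifest.
    Returns (ok, problems); `problems` lists members that are missing,
    altered, or present but not listed in the manifest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        if MANIFEST_NAME not in names:
            return False, ["manifest missing"]
        listed = json.loads(zf.read(MANIFEST_NAME)).get("files", {})
        for name, meta in listed.items():
            if name not in names:
                problems.append(f"missing: {name}")
                continue
            data = zf.read(name)
            if sha256_hex(data) != meta["sha256"] or len(data) != meta["size"]:
                problems.append(f"altered: {name}")
        for name in sorted(names - set(listed) - {MANIFEST_NAME}):
            problems.append(f"unlisted: {name}")
    return not problems, problems


def tamper(blob: bytes, name: str, new_data: bytes) -> bytes:
    """Constructed helper: rewrite one member to simulate an archive that
    was modified or truncated in transit."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.namelist():
            dst.writestr(item, new_data if item == name else src.read(item))
    return out.getvalue()


# Constructed sample plugin output; these are not real Rekall results.
SAMPLE_OUTPUTS = {
    "pslist.txt": b"pid ppid name\n4 0 System\n516 4 smss.exe\n",
    "netscan.txt": b"proto local remote state\nTCP 10.0.0.5:445 10.0.0.9:50110 ESTABLISHED\n",
}

if __name__ == "__main__":
    blob = build_collection_zip(SAMPLE_OUTPUTS, host="WKS-01")
    print(verify_collection_zip(blob))
    print(verify_collection_zip(tamper(blob, "pslist.txt", b"pid ppid name\n")))
```

The manifest is written last and carries both hash and size, so a member that arrives truncated fails the size check even when the hash comparison would already catch it; members that appear in the archive without a manifest entry are reported too, since unexpected extra files are as much a sign of interference as altered ones.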

shinde.a...@gmail.com

Nov 18, 2016, 3:49:12 AM11/18/16
to rekall-discuss, shinde.a...@gmail.com

Hi Michael,

Thanks for your reply.

As you suggested, I'll run the plugins on the live memory; that's a very good idea. Thanks.

Also, I have heard of the Rekall agent, but the whole purpose of what I am doing here is to avoid polling on the target. So I still prefer not using the agent.

The artifact collector sounds interesting, but I couldn't find much about it. It would be great if you could point me towards some documentation.

Thanks,
Aditya Shinde
