Memory analysis is an essential method of electronic evidence discovery. It allows computer forensic examiners to decrypt hard disks and files and to extract encryption keys and passwords.
Passware Bootable Memory Imager is a UEFI-compatible tool that runs from a bootable USB drive and acquires memory images of Windows, Linux, and Mac computers.
The tool allows users to acquire a memory image after a warm boot or cold boot of the target machine. A warm-boot memory image may contain passwords and encryption keys for hard drives protected with BitLocker or other full disk encryption. For example, the tool can be used against hard drives encrypted with the BitLocker TPM protector or with APFS/FileVault on Macs that have no T2 chip (Macs with a T2 or M-series chip are not supported).
NOTE: The presence of encryption keys in the acquired memory image depends on the computer having a hardware reboot/reset button and on the absence of security measures implemented by the computer manufacturer; it is not guaranteed. We strongly recommend trying the Demo version first. A physical image of the encrypted drive is required for full-disk decryption.
Passware Tip: Use the KeyTool certificate management utility to remove traces of using Passware Bootable Memory Imager to acquire a memory image.
The overall steps are as follows:
1. Create a bootable USB with Passware Bootable Memory Imager
2. Perform a warm-boot and acquire a memory image
   ● Personal Computer (PC)
   ● PCs with Secure Boot enabled
   ● Macintosh (MAC)
3. Analyze the acquired memory image for encryption keys and other artifacts
Passware Memory Imager leaves a small memory footprint, so it overwrites as little volatile data as possible while it runs. The memory is acquired before the operating system boots, which allows the tool to be used on 64-bit Windows, Linux, and Mac computers.
Create a bootable USB
Launch Passware Kit Forensic as Administrator. On the Start Page, click Memory Analysis and follow the on-screen instructions to create a Memory Imager USB.
NOTE: The USB drive should be formatted with an MBR partition table.
Perform warm-boot and acquire a memory image
Now a warm-boot of the target machine is required so that Passware Memory Imager starts from the USB drive. The warm-boot procedure differs from system to system:
● Personal Computer (PC)
● PCs with Secure Boot enabled
● Macintosh (MAC)
_____________________________________
Personal Computer
1. Connect the Passware Memory Imager USB to the target machine.
2. Perform warm-boot using the hardware Reboot/Reset button.
NOTE: A soft reboot, such as Ctrl+Alt+Del or Shutdown, might erase all encryption keys from memory. Moreover, BIOS passwords and other built-in pre-boot security options might be insurmountable obstacles to acquiring a live memory image.
3. Set BIOS to boot from a bootable USB drive.
NOTE: Google the target system model for exact instructions on setting it up to boot from a USB drive.
3.1. If Secure Boot is enabled, follow the instructions in the PCs with Secure Boot enabled section below. Alternatively, disable the Secure Boot option in BIOS before booting from the created bootable USB drive.
PCs with Secure Boot enabled
If Secure Boot is enabled, the warm-boot steps should be as follows:
1. After booting from the bootable USB, a blue screen with the message ERROR – Verification Failed: (0X1A) Security Violation (or (15) Access Denied) appears. Press OK or Enter to continue.
2. When the [Shim UEFI key management] screen appears, press any key to perform MOK management.
3. On the [Perform MOK management] screen, select Enroll hash from disk and press Enter to continue.
4. The next [Select Binary] screen lists the partitions. Select PASSWARE MI and press Enter.
5. Select EFI/ and press Enter. Then select BOOT/ and press Enter. Finally, select the grubx64.efi file from the list and press Enter to continue.
6. On the next [Enroll MOK] screen, select Continue and press Enter.
7. On the [Enroll the key(s)] screen, select Yes and press Enter.
8. The [Perform MOK management] screen from step 3 appears. Select Reboot and press Enter to continue.
9. Perform the warm-boot using the hardware Reboot/Reset button.
Macintosh
- Connect the Passware Memory Imager USB to the target machine.
- Press Command + Control + Power.
- Hold the Option key during startup (the other keys can be released). This allows booting from the USB drive.
_____________________________________
If all steps are performed correctly, the memory image and the log file of the acquisition process are saved on the Passware Memory Imager USB. Use the “Reboot” or “Shut down” action as needed.
IMPORTANT NOTE: In most cases, there is only one attempt to try warm-boot memory acquisition while the keys reside in memory.
Memory Analysis
To extract passwords from the acquired memory image, click Memory Analysis on the Start Page. Browse for any of the 2 GB memory image parts on the Passware Memory Imager USB and select the options to try. Click Next to start the analysis.
To analyze the acquired image for FDE encryption keys, click Full Disk Encryption on the Start Page. Choose the encryption type and click the "I have a memory image" tab. In the Physical memory image file field, click Browse... and locate any one of the 2 GB memory image parts on the Passware Memory Imager USB (the other parts are parsed automatically). Browse for the encrypted volume image and specify the destination file. Click Decrypt.
Example:
To use the image with other memory analysis software, cut the first 64 bytes from each 2 GB memory segment and then merge the segments into one file in the order they are numbered.
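The following script, added here as an illustration and not part of the article or of Passware's own software, performs that merge: it orders the segment files by the number in their names (so part 10 follows part 9 rather than part 1), skips the 64-byte header of each one, streams the remainder into a single raw file, and refuses a part that is shorter than its header, which would indicate a truncated copy. The segment file names, the glob pattern and the header bytes are constructed for the demo; the article does not state Passware's naming scheme, so those are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Length of the per-segment header that the article says each 2 GB part
# carries; only the byte count comes from the article, not its contents.
HEADER_LEN = 64


def numeric_key(path: Path):
    """Sort key ordering segments by the last number in the file name
    (natural order: part 2 before part 10); unnumbered names sort first."""
    match = re.search(r"(\d+)(?!.*\d)", path.name)
    return (int(match.group(1)) if match else -1, path.name)


def find_segments(directory, pattern="*"):
    """Return the segment files in directory matching the glob pattern,
    ordered by the number embedded in each name.  The real naming scheme
    is not given in the article (assumption), so the caller supplies
    whatever pattern matches the parts on the USB drive."""
    paths = [p for p in Path(directory).glob(pattern) if p.is_file()]
    return sorted(paths, key=numeric_key)


def merge_segments(segments, output, header_len=HEADER_LEN, chunk_size=1 << 20):
    """Skip header_len bytes at the start of each segment and append the
    rest to output, in the given order.  Data is streamed in chunks so a
    multi-gigabyte image is never held in memory at once.  Returns the
    number of payload bytes written.  Raises ValueError for a segment
    shorter than its header (a sign of a truncated part)."""
    written = 0
    with open(output, "wb") as out:
        for seg in segments:
            seg = Path(seg)
            if seg.stat().st_size < header_len:
                raise ValueError(f"{seg} is shorter than the {header_len}-byte header")
            with open(seg, "rb") as src:
                src.seek(header_len)  # drop the segment header
                while True:
                    chunk = src.read(chunk_size)
                    if not chunk:
                        break
                    out.write(chunk)
                    written += len(chunk)
    return written


def demo():
    """Build three constructed mini-segments (64-byte dummy header plus a
    short payload each), named without zero padding so that plain lexical
    ordering would put part 10 before part 2, then merge them.
    Returns (bytes_written, merged_payload, segment_order)."""
    with tempfile.TemporaryDirectory() as tmp:
        payloads = {1: b"AAAA", 2: b"BBBBBB", 10: b"CC"}
        for n, payload in payloads.items():
            header = f"CONSTRUCTED-HEADER-{n:02d}".encode().ljust(HEADER_LEN, b"\x00")
            (Path(tmp) / f"memimg.{n}").write_bytes(header + payload)
        segments = find_segments(tmp, "memimg.*")
        out = Path(tmp) / "merged.raw"
        written = merge_segments(segments, out)
        return written, out.read_bytes(), [s.name for s in segments]


if __name__ == "__main__":
    written, data, order = demo()
    print(order, written, data)
```

For real parts, call `find_segments` on the USB drive's directory with a pattern matching the actual part names and pass the result to `merge_segments` together with an output path on a drive with enough free space for the whole image; keep the original parts untouched and hash both input and output so the merge itself is documented in the examination log.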
For more information on FDE decryption, refer to the following articles:
- Tips for Efficient TrueCrypt/VeraCrypt Decryption
- From FileVault to T2: How to Deal with Native Apple Encryption
- How to decrypt BitLocker using Passware Kit
- How to decrypt Full Disk Encryption