Articles in this section

See more

How to use Passware Bootable Memory Imager

Avatar
Yana Gourenko
  • Updated
Follow

Memory analysis is an essential method of electronic evidence discovery. It allows computer forensics to decrypt hard disks and files and extract encryption keys and passwords.

Passware Bootable Memory Imager is a UEFI compatible tool that runs from a bootable USB drive and acquires memory images of Windows, Linux, and Mac computers.

The tool allows users to acquire a memory image after a warm boot or cold boot of the target machine. Warm boot memory acquisition may contain passwords and encryption keys for hard drives protected with Bitlocker or other full disk encryption. For example, the tool can be used against hard drives encrypted with Bitlocker TPM protector or APFS/FileVault without T2 chip inside (does not support Macs with T2 or M1).

The overall steps are as follows:

  1. Create a bootable USB with Passware Bootable Memory Imager
  2. Perform warm-boot and acquire a memory image
  3. Analyze the acquired memory image for encryption keys and other artifacts

Passware memory imager leaves a small memory footprint so it can be run while minimizing the volatile data that is overwritten in memory. The memory is acquired before the boot of the operating system, allowing it to be used on 64-bit Windows, Linux, and Mac computers.

 

Create a bootable USB

Launch Passware Kit Forensic as Administrator. On the Start Page, click Memory Analysis and follow the on-screen instructions to create a Memory Imager USB.

NOTE: USB should be formatted with MBR partition table.

PBMI-UI.gif

Perform warm-boot and acquire a memory image

Now a warm-boot of the target machine is required for Passware Memory Imager to start from the USB drive. Warm-boot procedure differs from system to system:

  • Personal Computer (PC)
  • Macintosh (MAC)

_____________________________________

Personal Computer

1. Connect the Passware Memory Imager USB to the target machine.

2. Perform warm-boot using the hardware Reboot/Reset button. 

NOTE: Soft boot like Ctrl+Alt+Del or Shutdown might erase all encryption keys from the memory. Moreover, BIOS passwords and other built-in security pre-boot options might be insoluble obstacles for acquiring live memory images.

3. Set BIOS to boot from a bootable USB drive. 

NOTE: Google the target system for exact instructions on setting it up to boot from the USB drive. 

   3.1. If Secure Boot is enabled, check out the following instructions. Alternatively, disable the Secure Boot option in BIOS before booting from the created bootable USB drive.

 

PCs with Secure Boot enabled

If Secure Boot is enabled, the warm-boot steps should be as follows:

  1. After the boot from a bootable USB a blue screen with the message ERROR – Verification failed: (15) Access Denied appears.ERROR-Verification-failed-15-Access-Denied.jpg
  2. Press Enter to continue.
  3. In the Shim UEFI key management screen, press any key to perform MOK management.
  4. On the Perform MOK management screen, choose Enroll hash from disk and press Enter to continue.
  5. The next Select Binary screen lists the partitions. Select the Passware MI partition of the AIO Boot, which contains the file /EFI/BOOT/grubx64.efi.
  6. Press Enter and browse for the file grubx64.efi. Select grubx64.efi from the list and press Enter to continue.
  7. On the next screen [Enroll MOK] choose Continue.
  8. On the screen [Enroll the key(s)] choose Yes.
  9. Perform MOK management screen from step #3 appears. 
  10. Perform the warm-boot using the hardware Reboot/Reset button. 

 

Macintosh

  1. Connect the Passware Memory Imager USB to the target machine
  2. Press Command + Control + Power
  3. Hold the Option key during startup. It allows booting from a USB drive.

_____________________________________

If all steps are performed correctly, the memory image and log file of the acquisition process will be saved on the Passware Memory Image USB. Use the “Reboot” or “Shut down” action as needed.

IMPORTANT NOTE: In most cases, there is only one attempt to try warm-boot memory acquisition while the keys reside in memory.

PBMI.JPG

 

Memory Analysis

To extract passwords from the acquired memory image, click Memory Analysis on the Start Page. Browse for any of the 2GB memory image parts from the Passware Memory Imager USB and select the options to try. Click Next to start the analysis.Snag_532d7bd.png

To analyze the acquired image for the FDE encryption keys, click Full Disk Encryption on the Start Page. Choose the encryption type and click the "I have a memory image" tab. In the Physical memory image file field, click Browse... and locate any one of the 2GB memory image parts from the Passware Memory Imager USB (other parts will be parsed automatically). Browse for the encrypted volume image and specify the destination file. Click Decrypt

Example:BitLocker_Memory_Dialog.jpg

 

If you need to use it with other memory analyzing software, you will have to cut the first 64 bytes from each of the memory 2GB segments and then merge them into one file in the order they are numbered.

For more information on FDE decryption, refer to the following articles:

Tips for Efficient TrueCrypt/VeraCrypt Decryption

How to decrypt BitLocker using Passware Kit

How to decrypt Full Disk Encryption

 

Related articles

Comments

0 comments

Article is closed for comments.