How can I clone a system without leaving any footprint? I want to acquire RAM and the physical hard drives so that, after cloning, all the work can be done in a VM without disturbing the target machine. If I install any software for cloning on the target machine, I will leave a footprint. If I do something over the network, such as netcat, it will also leave the connection in RAM. Also, I don't want to remove the hard drive from the system and use a write blocker, as it is assumed that once the drive is unplugged and plugged in again, the data will be wiped out.

I basically want to take a machine and get all its data so that I have something to run in a VM which is exactly the same as the original machine.

I am doing a project on Windows forensics and, as far as I have progressed, I am unable to capture RAM so that it can be run on a virtual machine.

I have seen some tools with which I can clone the hard disk to make a disk for a virtual machine, but for that I need to install that software on the target machine, and that would leave footprints.

  • @Jheelrathod they do look like very similar questions. Can you explain how they are different? Also, there are tons of tools that do this. I'm finding lots by Googling "cloning system RAM for forensic analysis" – schroeder Jun 04 '18 at 19:14
  • 1
    Why is not leaving footprints important? Anything you run has to use RAM, so there will be a footprint. If you are doing this for forensic analysis, then you simply record the tool you used and when, and you can rule it out of your analysis. – schroeder Jun 04 '18 at 19:15
  • At least tell me how to do that for hard disks. If I take out the disk and then use a write blocker, it won't leave a footprint, but unfortunately it can't be done here. – Jheel rathod Jun 04 '18 at 19:28
  • 1
    They are different since in one question, there is emphasis on acquiring RAM without footprints and in other i want to make a clone of target system which can be used in virtual machine and i can continue my investigation on that virtual machine – Jheel rathod Jun 04 '18 at 19:31
  • Well first off, it's hard to get something from hardware to run on a virtual machine, since it will likely be using drivers that your VM does not support. If you want to take the memory and resume it in a VM, you are out of luck. Second, is the goal to have a _legally_-viable snapshot? – forest Jun 05 '18 at 03:03
  • The professor under whom I am doing the project asked me to have no footprints – Jheel rathod Jun 05 '18 at 20:13
  • 1
    @Jheelrathod Ask him to elaborate on what he means by that. – forest Jun 10 '18 at 04:19

1 Answer

You would need to use JTAG, a debugging protocol (specifically IEEE 1149.1, see https://www.xjtag.com/about-jtag/what-is-jtag/) and its interface on most modern devices. When a JTAG probe is attached, you can halt the machine state and read all the memory and registers. JTAG puts the system into a low-level debug state called probe mode, which the operating system has no control over. JTAG probes, prior to DCI, can be fairly expensive. The only trace left over by JTAG is the fact that the system's RTC will seem to jump forward. After all, the system will be in a stasis which it is unaware of for some time, while the RTC keeps ticking.

It is also possible to use a DMA attack, which will typically have very little effect on the target system. However, a DMA attack on a running system is subject to memory smear, which may complicate analysis and corrupts the memory temporally rather than spatially (i.e. address x and address y may have been captured at different times, leading to inconsistencies). Additionally, DMA attacks require that the target system not support DMAR, which filters DMA using its IOMMU.

If you actually want to take the memory and drop it directly into a VM so it runs where it left off, you are out of luck, sorry. There is plenty of state which is not captured in memory (registers, PCI device configuration space / MMIO, etc). It would be an incredible undertaking to take the memory of running hardware and put it into a virtual machine, especially because you would need to write device emulators for all the proprietary devices on the target system. You should be able to comprehensively analyze a memory dump without it needing to be dropped into a virtual machine.

See some other answers I've written on this subject:

  • Okay, I get that I can't get the RAM. Can I get the physical drives without leaving a footprint? – Jheel rathod Jun 05 '18 at 20:18
  • Depends on what you mean by "footprint". Do you _need_ the computer to stay online the whole time? It's easy to use a hardware write blocker to get a forensically-valid image of the drive without modifying any of its contents. – forest Jun 06 '18 at 01:22
  • Can I take the image without unplugging the hard drive and convert it to a format (VDI or VHD) so that it can be put in a virtual machine? – Jheel rathod Jun 06 '18 at 10:47
  • @Jheelrathod That depends. You can do this while keeping the drive powered on by unplugging only the SATA cable and not the power cable. If you don't want to unplug _anything_ then it'll require some rather advanced engineering feats in order to splice probes into the SATA interface. – forest Jun 07 '18 at 02:45
  • @forest, JTAG is one way to do it ... however, after talking with a M$ engineer I was directed to a Sysinternals tool that allowed me to remotely crash the Windows computer, which in turn leaves a full core dump of the RAM. I guess it largely depends on what OP classifies as a 'footprint' – CaffeineAddiction Jun 10 '18 at 05:06
  • @CaffeineAddiction True, but OP seems to want a (likely impossible) solution that doesn't modify the running state of the system at all. – forest Jun 10 '18 at 05:08
  • @forest yeah, I get the impression that OP may not own the box he is attempting to hack, and `asking us to break the security of a specific system for (them)` – CaffeineAddiction Jun 10 '18 at 05:12
  • @CaffeineAddiction I don't think it's a good idea to make assumptions like that. He says he is doing a project on forensics, so let's give him the benefit of the doubt. I imagine he is just misunderstanding what his professor is asking (or miscommunicating it to us). Not leaving footprints is a very common requirement in forensic analysis, especially when done for legal reasons (even a single changed file timestamp can get a case thrown out of court, in the case of criminal digital forensics). – forest Jun 10 '18 at 05:17
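
The answer's distinction between a halted (JTAG-style) acquisition and a page-by-page live (DMA-style) acquisition subject to memory smear can be made concrete. The following is an added toy model, not code from the question, the answer or any real acquisition tool: a four-page "physical memory" holding a circular doubly linked list in the layout of a Windows `_LIST_ENTRY` (8-byte Flink followed by 8-byte Blink; the page size, node addresses and the single unlink that happens mid-acquisition are all constructed for the example). The walker applies the sanity check memory-forensics tools use on kernel lists, `node.Flink.Blink == node`, and flags the temporal inconsistency that the live capture introduces while the halted capture passes clean.

```python
"""Toy model of memory smear: a page-by-page live (DMA-style) acquisition of a
running target versus a halted (JTAG-style) one. Constructed example; the
layout and the mutation are invented for illustration."""
import struct

PAGE = 64        # toy page size (real systems: 4096)
NODE = 16        # Flink + Blink, 8 bytes each, like a Windows _LIST_ENTRY
HEAD = 0x00      # list head lives on page 0
NODES = [0x10, 0x50, 0x90, 0xD0]   # one list node per page 0..3 (constructed layout)


def build_memory():
    """Return a 4-page 'physical memory' holding a circular doubly linked list
    head -> 0x10 -> 0x50 -> 0x90 -> 0xD0 -> head."""
    mem = bytearray(len(NODES) * PAGE)
    ring = [HEAD] + NODES
    for i, addr in enumerate(ring):
        flink = ring[(i + 1) % len(ring)]
        blink = ring[(i - 1) % len(ring)]
        struct.pack_into("<QQ", mem, addr, flink, blink)
    return mem


def remove_entry(mem, addr):
    """Unlink a node in live memory (RemoveEntryList semantics: only the two
    neighbours are rewritten; the removed node keeps its stale pointers)."""
    flink, blink = struct.unpack_from("<QQ", mem, addr)
    struct.pack_into("<Q", mem, blink, flink)        # prev.Flink = next
    struct.pack_into("<Q", mem, flink + 8, blink)    # next.Blink = prev


def acquire(mem, between_pages=None):
    """Copy memory one page at a time. `between_pages(page_no)` models the
    target continuing to execute while the acquisition is still in progress."""
    dump = bytearray(len(mem))
    for page_no, off in enumerate(range(0, len(mem), PAGE)):
        dump[off:off + PAGE] = mem[off:off + PAGE]
        if between_pages:
            between_pages(page_no)
    return bytes(dump)


def walk_list(dump, head=HEAD, limit=64):
    """Walk Flink from head and apply the standard list sanity check:
    for every node, node.Flink.Blink must point back at node.
    Returns (visited_node_addrs, problems)."""
    visited, problems, addr = [], [], head
    for _ in range(limit):
        flink, _blink = struct.unpack_from("<QQ", dump, addr)
        if flink + NODE > len(dump):
            problems.append(f"0x{addr:x}: Flink 0x{flink:x} points outside the dump")
            break
        _, next_blink = struct.unpack_from("<QQ", dump, flink)
        if next_blink != addr:
            problems.append(
                f"0x{addr:x}: Flink->Blink is 0x{next_blink:x}, expected 0x{addr:x}")
        if flink == head:
            break
        if flink in visited:
            problems.append(f"0x{addr:x}: cycle back to 0x{flink:x}, which is not the head")
            break
        visited.append(flink)
        addr = flink
    return visited, problems


def halted_acquisition():
    """JTAG-style: the target is halted, so nothing changes during the copy."""
    return acquire(build_memory())


def smeared_acquisition():
    """DMA-style: the target keeps running. Here the node at 0x50 is unlinked
    right after page 0 (holding its predecessor 0x10) has already been copied,
    so the dump records 0x10.Flink = 0x50 but 0x90.Blink = 0x10."""
    mem = build_memory()

    def running_target(page_no):
        if page_no == 0:
            remove_entry(mem, NODES[1])
    return acquire(mem, running_target)


if __name__ == "__main__":
    for label, dump in (("halted", halted_acquisition()), ("smeared", smeared_acquisition())):
        nodes, problems = walk_list(dump)
        print(f"{label}: {len(nodes)} nodes, problems: {problems or 'none'}")
```

Note that the stale node at 0x50 is still reachable in the smeared dump and looks internally valid; only the cross-check against its successor's Blink exposes that the two pages were captured at different moments. Real analysis tools apply the same reasoning, which is why a dump taken from a halted system is easier to trust than one taken while the kernel keeps rewriting its lists.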