
Chapter 2

Windows

Acquire and send Windows Machine’s full memory image or snapshot to Comae Stardust.

Installation

Once the registered email is successfully confirmed, use it to log into Stardust and display the Stardust Dashboard, as depicted in the screenshot below.

Dashboard

Each user must download and install the Comae-Toolkit.

  • Click on Download Comae Toolkit to navigate to Utilities screen.
  • From the Utilities page, click on Download Comae-Toolkit-.zip as depicted in the screenshot below.

Comae-Toolkit

Once clicked, a compressed (zip) file downloads to your machine.

  • After the download is complete, navigate to the folder where it resides (typically the Downloads folder) and extract the contents of the compressed file to the default location or one of your choosing.

A folder named Comae-Toolkit- is created with a license file, readme file and two folders containing executables for both x86- and x64-based operating systems.

System Type information is located on Windows machines in Control Panel/System. Most modern Windows machines can run either type, however.

If Windows requires the Comae.ps1 file to be unblocked, do so by right-clicking the file, selecting Properties, and clicking the Unblock button.

The following instructions require a basic understanding of the PowerShell utility in order to use the Comae Stardust tool and related commands.

Open a Windows PowerShell session as an administrator to begin the process.

  • Type PowerShell in the Start | Search Programs and Files command box and, from the programs list, right-click PowerShell and select Run as Administrator.
  • From the PowerShell session, navigate to the folder that contains the Comae.ps1 file.
  • To access the different Stardust commands from within PowerShell, run the Import-Module cmdlet to import the Comae module:
    Import-Module .\Comae.ps1

If successful, no errors are displayed and an empty command prompt is shown, ready to accept more commands. Success can also be verified by running the following command to see the signature of the New-ComaeDumpFile cmdlet:

New-ComaeDumpFile -?

The following displays if the Comae.ps1 installed successfully:

New-ComaeDumpFile [-Directory] <string> [-IsCompress]

The Comae.ps1 module must be imported each time a new PowerShell session is started: it does not remain loaded once the PowerShell console is closed.

Create and Upload Dump Files

Dump files are created from the user’s system and sent to Stardust for examination for unauthorized use and/or illegal activity. There are several different methods to create these files:

  1. Executing the DumpIt command created by Comae Stardust.
  2. Taking a snapshot of memory metadata.
  3. Scheduling a Windows task to run the acquisition at a designated date/time.
  • If not already open, open a Windows PowerShell session to begin the process for creating a dump.
    • Type PowerShell in the Start | Search Programs and Files command box and, from the programs list, right-click PowerShell and select Run as Administrator.

Create Dump Files using DumpIt

Dump files are an exact copy of the entire memory state of a machine, stored as a Microsoft Crash Dump. They are generated on the fly by the Comae DumpIt utility. The full signature of the New-ComaeDumpFile cmdlet, which wraps DumpIt, was shown above. This section focuses on the Directory parameter and its value, and on the IsCompress parameter.

The Directory parameter tells the cmdlet in which directory to place the two files generated as its output. The directory is created by the command if it doesn't already exist.

IsCompress compresses the output crash dump in an internal format created specifically by Comae Stardust to support large files, e.g. 100Gb. The file extension is then zdmp instead of dmp. Execute the New-ComaeDumpFile command from the PowerShell session:

New-ComaeDumpFile -Directory "C:\Comae-CrashDumps" -IsCompress

The cmdlet takes a few minutes to complete its acquisition and create the .dmp (or .zdmp) and .json files.

New-ComaeDumpFile

Upload the Dump Files to Stardust

Once the dump files are created, they need to be uploaded to the remote Stardust system for pattern analysis. The dump file can be somewhat large and is compressed as a part of the Send command. The full signature of the Send-ComaeDumpFile command is as follows:

Send-ComaeDumpFile [-Key] <string> [-Path] <string> [-ItemType] <string> [-IsCompress]

The following cmdlet parameters are in scope to send one or both files to Stardust:

  • Key parameter is the user access token generated through the platform to enable the use of the API.
  • Path parameter is the input file or directory as indicated by the ItemType parameter.
  • ItemType parameter can be either File or Directory.

To retrieve the Key value, run the Get-ComaeAPIKey command with the -ClientId and -ClientSecret params with the respective values that can be found in your Stardust account in Settings > Integrations menu.

$APIKey = Get-ComaeAPIKey [-ClientId] <string> [-ClientSecret] <string>

From the PowerShell session, execute the Send-ComaeDumpFile cmdlet with the following parameters, based on preference.

Send a previously generated dump file:

Send-ComaeDumpFile -Key $APIKey -Path "C:\Comae-CrashDumps\FileName.zdmp" -ItemType "File"

For added privacy, instead of sending full memory dumps to Stardust, the metadata archive (compressed .json files) can be sent. Typically used for hybrid-cloud models, the memory dump is pre-processed locally instead of relying completely on the Stardust platform for analysis.

Create and upload Snapshot Files

Snapshots are the extracted metadata from dump files. They are referred to as Comae snapshot archives.

Create a snapshot from a running machine using the live parameter of the Dmp2Json program and the /L option of Comae DumpIt.

  • If not already open, open a Windows PowerShell session to begin the process for creating a snapshot.
    • Type PowerShell in the Start | Search Programs and Files command box and, from the programs list, right-click PowerShell and select Run as Administrator.


The New-ComaeSnapshot cmdlet generates an archive containing the Stardust metadata extracted from the dump files.

Upload Snapshots

Once the snapshot completes, the output needs to be uploaded to the remote Stardust system for analysis. The files can be somewhat large and are compressed as part of the Send command. The full signature of the Send-ComaeSnapshot command is as follows:

Send-ComaeSnapshot [-Key] <string> [-Path] <string> [-ItemType] <string>

Parameters:

  • Key parameter is the user access token generated through the platform to enable the use of the API.
  • Path is the input file or directory, as indicated by the ItemType value.
  • ItemType can be either File or Directory.

From the PowerShell session, execute the Send-ComaeSnapshot cmdlet with the following parameters, based on preference.

Send only the json file:

Send-ComaeSnapshot -Key $APIKey -Path "C:\Comae-Snapshots\FileName.json.zip" -ItemType "File"

Create the snapshot in the provided directory before sending it to the server.

Send-ComaeSnapshot -Key $APIKey -Path "C:\Comae-Snapshots" -ItemType "Directory"

For added privacy, instead of sending a full memory snapshot to Stardust, the metadata archive (compressed .json files) can be sent. Typically used for hybrid-cloud models, the snapshot is pre-processed locally instead of relying completely on the Stardust platform for analysis.

Create Snapshots

New-ComaeSnapshot simulates a live mode and generates the metadata directly. Using this command prevents the need to re-run analysis in the future as it doesn’t archive a copy of the physical memory. The full signature of the New-ComaeSnapshot command is as follows:

New-ComaeSnapshot [-Directory] <string>

The following cmdlet parameters are in scope to create the Snapshot:

  • Directory parameter is the output directory.

From the PowerShell session execute the New-ComaeSnapshot cmdlet with the Directory parameter:

New-ComaeSnapshot -Directory C:\Comae-Snapshots

The screenshots below show the output from the New-ComaeSnapshot command. The command may take a few minutes to complete.

Convert Dump Files to Snapshot

The Convert-DumpFileToSnapshot cmdlet converts a Microsoft crash dump file into a Comae Snapshot using the Dmp2Json program. The full signature of the Convert-DumpFileToSnapshot command is as follows:

Convert-DumpFileToSnapshot [-FilePath] <string> [-Directory] <string> [[-SymbolPath] <string>] [[-SymbolServer] <string>]

In scope parameters:

  • FilePath parameter is the input Microsoft crash dump file.
  • Directory is the output directory where the Comae snapshot archive will be located.
  • SymbolPath (optional) is the input directory for pre-downloaded Microsoft PDB symbols.
  • SymbolServer (optional) is the input server address for scenarios with custom symbol servers.

Convert-DumpFileToSnapshot -FilePath "TEST-MEMORY.dmp" -Directory "C:\Comae-Snapshots"

In certain cases, the user may want to provide a custom symbol directory path or a custom symbol server address.

Convert-DumpFileToSnapshot -FilePath "TEST-MEMORY.dmp" -Directory "C:\Comae-Snapshots" -SymbolPath "C:\Symbols" -SymbolServer https://msdl.microsoft.com/download/symbols

Conversion and Upload

Using the above commands, the user can combine the conversion and upload procedures for multiple files within a given folder.

# Convert every crash dump in the input folder (assumed here to be C:\Comae-CrashDumps) into a snapshot archive under C:\Snapshots
Get-ChildItem -Path "C:\Comae-CrashDumps" -Filter *.dmp -File | ForEach-Object { Convert-DumpFileToSnapshot -FilePath $_.FullName -Directory "C:\Snapshots" }

# Upload each resulting snapshot archive to Stardust
Get-ChildItem -Path "C:\Snapshots" -File | ForEach-Object { Send-ComaeSnapshot -Key $APIKey -Path $_.FullName -ItemType "File" }

Managing Machines Snapshots

The Stardust platform manages the uploaded snapshots and the information contained within the files generated by the PowerShell commands. The user can upload the following to the Stardust platform:

  • Microsoft crash dump files uncompressed or compressed (Only Zip archives are supported)
  • Comae snapshot archives (smaller, pre-processed by Mem2Json)
    • This is often used in hybrid-cloud scenarios where the user prefers to keep a copy of crash dump files in local storage rather than in the cloud.

Machine Acquisition

Running the Comae DumpIt utility with the /Q (for quiet) option is used to automatically answer confirmation prompts, such as Proceed with the acquisition? [y/n], when running memory acquisition in a script.

New-ComaeDumpFile

Windows Scheduled Tasks can be set up to run the DumpIt program as a time-based utility and generate a historical record of machine activity. Doing so enables retro-hunting investigations.
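As an added example (not part of the Comae documentation), the following registers such a daily task with PowerShell's built-in ScheduledTasks cmdlets. It assumes Comae.ps1 lives at C:\Comae-Toolkit\x64\Comae.ps1 and that dumps go under C:\Comae-CrashDumps; each run writes into its own timestamped folder and records SHA-256 hashes of the output so the historical record can be verified later.

```powershell
# Added example (not from the Comae documentation). Run from an elevated PowerShell session.
$ToolkitScript = 'C:\Comae-Toolkit\x64\Comae.ps1'                  # assumed location of Comae.ps1
$DumpRoot      = 'C:\Comae-CrashDumps'                              # assumed output root
$WrapperPath   = 'C:\Comae-Toolkit\Invoke-ScheduledAcquisition.ps1' # assumed wrapper path

# Wrapper executed by the task. The module has to be imported in every new session
# (it does not persist), so the wrapper imports it, acquires into a per-run folder,
# then hashes every produced file for chain of custody.
$Wrapper = @"
Import-Module '$ToolkitScript'
`$OutDir = Join-Path '$DumpRoot' (Get-Date -Format 'yyyyMMdd-HHmmss')
New-ComaeDumpFile -Directory `$OutDir -IsCompress
Get-ChildItem -Path `$OutDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path `$OutDir 'hashes.csv') -NoTypeInformation
"@
Set-Content -Path $WrapperPath -Value $Wrapper -Encoding UTF8

# DumpIt reads physical memory, so the task runs as SYSTEM with the highest run level.
$Action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$WrapperPath`""
$Trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# Cap the run so a hung acquisition cannot hold the machine indefinitely.
$Settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2)

Register-ScheduledTask -TaskName 'Comae-DailyMemoryAcquisition' -Action $Action `
    -Trigger $Trigger -Principal $Principal -Settings $Settings `
    -Description 'Daily full memory acquisition with Comae DumpIt for retro-hunting' -Force
```

If each run should also be uploaded, add a Send-ComaeDumpFile call with -ItemType "Directory" on $OutDir at the end of the wrapper, retrieving the key with Get-ComaeAPIKey as described above.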

Preprocessing

The output directory can be manually set to either a local folder or a remote file share if the user prefers to manage their own local memory copy. If pre-processing crash dump files locally to generate a Comae snapshot archive, instead of sending an entire memory copy to the Stardust platform, is preferred, the Dmp2Json program is used to perform the pre-processing. The command is run outside PowerShell, from a command prompt (cmd.exe) session:

Dmp2Json.exe srv*C:\Symbols*https://msdl.microsoft.com/download/symbols /Z C:\FileName.dmp /c "/all /datetime /archive /snapshot C:\Snapshots\Snapshot"

A faster pre-processing tool is currently available on request.

Remote Acquisition of Azure VM

The Invoke-ComaeAzVMWinAnalyze cmdlet remotely acquires the memory of an Azure Virtual Machine and sends it to Stardust.

Invoke-ComaeAzVMWinAnalyze [-ClientId] <string> [-ClientSecret] <string> [-ResourceGroupName] <string> [-VMName] <string>

In scope parameters:

  • ClientId
  • ClientSecret
  • ResourceGroupName is the name of the Azure resource group.
  • VMName is the name of the target VM.
  • Hostname (optional) is a parameter for Enterprise customers.

To retrieve the Key value, run the Get-ComaeAPIKey command with the -ClientId and -ClientSecret params with the respective values that can be found in your Stardust account in Settings > Integrations menu.

Getting Started

Commands

Note that the -Hostname parameter is only mandatory for hosted clusters; the default API endpoint is api.comae.com.

PS \comae-cli\powershell> $Key = Get-ComaeAPIKey -ClientId "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -ClientSecret "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

Retrieve information

Get the list of organizations

PS \comae-cli\powershell> Get-ComaeOrganizations -Key $Key

_id                      name
---                      ----
fff72a9e9fcc6f0011b631bb msuiche@comae.io
fffa58af916ac0001d4027d9 Comae Response

Get the list of cases

PS \comae-cli\powershell> $Key = Get-ComaeAPIKey -ClientId "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" -ClientSecret "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"

PS \comae-cli\powershell> Get-ComaeCases -Key $Key -Hostname api.hosted.comae.com

organizationId           _id                      name          description              creationDate             lastModificationDate     labels
--------------           ---                      ----          -----------              ------------             --------------------     ------
fff813b77fbb0a0011667632 fffbf605bb9bf2001ddd418f symphony      Case without description 2020-11-23T17:48:53.868Z 2020-11-23T17:48:53.868Z {}
fff2e8e0bd5666001174ac17 fffb712dbab310001ce952b5 Untitled Case Untitled Case            2020-11-23T08:22:05.253Z 2020-11-23T08:22:05.253Z {}

PS \comae-cli\powershell> $Key = Get-ComaeAPIKey -ClientId "XXXXXXXXXXXXXXXXXXXXXX" -ClientSecret "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"

PS \comae-cli\powershell> Get-ComaeCases -Key $Key

organizationId           _id                      name          description             creationDate             lastModificationDate     labels
--------------           ---                      ----          -----------             ------------             --------------------     ------
fff72a9e9fcc6f0011b631bb fff769e61eac0f001d4fcd27 TestCase      Hello                   2020-11-20T07:01:58.543Z 2020-11-20T07:01:58.543Z {demo}
fff72a9e9fcc6f0011b631bb fff76ad0b1f656001ef0e2e6 TestCase2     Description2            2020-11-20T07:05:52.495Z 2020-11-20T07:05:52.495Z {workflow:state="complete"}
fff72a9e9fcc6f0011b631bb fff77091ac3d30001d11f19a Demomaker     A bunch of random dumps 2020-11-20T07:30:25.246Z 2020-11-20T07:30:25.246Z {iep2-policy:tlp="amber", i...
fff72a9e9fcc6f0011b631bb fff787a057ec85001ed7a7bf Test3         Untitled                2020-11-20T09:08:48.546Z 2020-11-20T09:08:48.546Z {workflow:state="incomplete"}
fff72a9e9fcc6f0011b631bb fff79a08ac3d30001d11f1a2 NewOmega1     Untitled                2020-11-20T10:27:20.991Z 2020-11-20T10:27:20.991Z {workflow:todo="add-tagging"}
fff72a9e9fcc6f0011b631bb fff79cb0ac3d30001d11f1a4 Case123       Untitled                2020-11-20T10:38:40.916Z 2020-11-20T10:38:40.916Z {}
fff72a9e9fcc6f0011b631bb fff7c24b1306f8001c2ab845 Untitled Case Untitled Case           2020-11-20T13:19:07.312Z 2020-11-20T13:19:07.312Z {}

Send a local file

PS \comae-cli\powershell> Send-ComaeDumpFile -Key $Key -Path 'D:\Dumps\NVIDIA RTX Voice Process.dmp.zip' -ItemType File -CaseId fff77091ac3d30001d11f19a
D:\Dumps\NVIDIA RTX Voice Process.dmp.zip