
Chapter 2

Windows

Acquire a Windows machine's full memory image or metadata snapshot and send it to Comae Stardust.

Installation

Once the registered email is successfully confirmed, use it to log into Stardust and display the Stardust Dashboard, as depicted in the screenshot below.

Dashboard

Each user must download and install the Comae-Toolkit.

  • Click on Download Comae Toolkit to navigate to the Utilities screen.
  • From the Utilities page, click on Download Comae-Toolkit-.zip as depicted in the screenshot below.

Comae-Toolkit

Once clicked, a compressed (zip) file downloads to your machine.

  • After the download is complete, navigate to the folder where it resides (typically the Downloads folder) and extract the contents of the compressed file to the default location or one of your choosing.

A folder named Comae-Toolkit- is created with a license file, readme file and two folders containing executables for both x86- and x64-based operating systems.

The System Type (32-bit or 64-bit) of a Windows machine is shown in Control Panel > System. Use the folder that matches the operating system architecture: memory acquisition relies on a kernel driver, and a driver must match the bitness of the running kernel, so the x86 build is intended for 32-bit Windows and the x64 build for 64-bit Windows.

If Windows flags the downloaded Comae.ps1 file as blocked (files downloaded from the Internet carry a Mark of the Web), unblock it by right-clicking the file, selecting Properties, and clicking the Unblock button. The script must also be permitted by the session's execution policy, otherwise the import below fails.

The following instructions require a basic understanding of the PowerShell utility in order to use the Comae Stardust tool and related commands.

Open a Windows PowerShell session as an administrator to begin the process.

  • Type PowerShell in the Start | Search Programs and Files command box and, from the programs list, right-click PowerShell and select Run as Administrator.
  • From the PowerShell session, navigate to the folder that contains the Comae.ps1 file.
  • To access different Stardust commands from within the PowerShell, run the Import-Module cmdlet to import the Comae module:
    Import-Module .\Comae.ps1
    

If successful, no errors are displayed and the prompt returns, ready to accept further commands. Success can also be verified by running the following command to display the signature of the New-ComaeDumpFile cmdlet:

New-ComaeDumpFile -?

The following displays if Comae.ps1 imported successfully:

New-ComaeDumpFile [-Directory] <string> [-IsCompress]

Comae.ps1 must be imported in each new PowerShell session: the import does not persist once the PowerShell console is closed.

Create and Upload Dump Files

Dump files are created from the user's system and sent to Stardust for analysis, for example to look for signs of unauthorized or malicious activity. There are several different methods to create these files:

  1. Running the Comae DumpIt engine through the New-ComaeDumpFile cmdlet.
  2. Taking a snapshot of memory metadata with the New-ComaeSnapshot cmdlet.
  3. Scheduling DumpIt as a time-based Windows Scheduled Task (see Machine Acquisition below).
  • If not already open, open a Windows PowerShell session as an administrator to begin the process for creating a dump.
    • Type PowerShell in the Start | Search Programs and Files command box and, from the programs list, right-click PowerShell and select Run as Administrator.

Create Dump Files using DumpIt

Dump files are an exact copy of the entire memory state of a machine, stored as a Microsoft crash dump. They are generated on the fly by the Comae DumpIt utility, which the New-ComaeDumpFile cmdlet drives. The full signature of the New-ComaeDumpFile cmdlet was shown above; this section focuses on the Directory parameter and its value, and on the IsCompress switch.

The Directory parameter tells the cmdlet where to write the two files it produces (the crash dump and its JSON metadata). The directory is created by the cmdlet if it doesn't already exist.

IsCompress compresses the output crash dump in an internal format created by Comae specifically to support very large images, e.g. 100 GB. The file extension is then .zdmp instead of .dmp. Execute the New-ComaeDumpFile cmdlet from the PowerShell session:

New-ComaeDumpFile -Directory "C:\Comae-CrashDumps" -IsCompress

The cmdlet takes a few minutes to complete (longer on machines with a lot of RAM) and produces a .dmp file (.zdmp when IsCompress is used) together with a .json metadata file.

New-ComaeDumpFile

Upload the Dump Files to Stardust

Once the dump files are created, they need to be uploaded to the remote Stardust system for analysis. The dump file can be large; if it was not already compressed at creation time, it can be compressed as part of the Send command. The full signature of the Send-ComaeDumpFile cmdlet is as follows:

Send-ComaeDumpFile [-Key] <string> [-Path] <string> [-ItemType] <string> [-IsCompress]

The following cmdlet parameters are in scope to send one or both files to Stardust:

  • Key parameter is the user access token generated through the platform to enable the use of the API.
  • Path parameter is the input file or directory as indicated by the ItemType parameter.
  • ItemType parameter can be either File or Directory.

To retrieve the Key value, run the Get-ComaeAPIKey cmdlet with the -ClientId and -ClientSecret parameters, using the values found in your Stardust account under Settings > Integrations. Its signature is:

Get-ComaeAPIKey [-ClientId] <string> [-ClientSecret] <string>

Store the result in a variable for use with the Send cmdlets (placeholders shown; avoid hard-coding the secret in scripts you keep):

$APIKey = Get-ComaeAPIKey -ClientId "<client-id>" -ClientSecret "<client-secret>"

The IsCompress parameter is also available for use in the Send-ComaeDumpFile if not previously used when executing the New-ComaeDumpFile command.

From the PowerShell session, execute the Send-ComaeDumpFile cmdlet with the following parameters, based on preference.

Send only the compressed dump file:

Send-ComaeDumpFile -Key $APIKey -Path "C:\Comae-CrashDumps\FileName.zdmp" -ItemType "File"

Create the crash dump into the provided directory before sending it to the server:

Send-ComaeDumpFile -Key $APIKey -Path "C:\Comae-CrashDumps" -ItemType "Directory"

The below screenshot shows the output from running the Send-ComaeDumpFile command.

Send-ComaeDumpFile

For added privacy, instead of sending full memory dumps to Stardust, the metadata archive (compressed .json files) can be sent. This is typically used in hybrid-cloud models: the memory dump is pre-processed locally instead of relying completely on the Stardust platform for analysis.

Create and upload Snapshot Files

Snapshots are the extracted metadata from dump files. They are referred to as Comae snapshot archives.

Create a snapshot from a running machine using the live parameter of the Dmp2Json program and the /L option of Comae DumpIt.

  • If not already open, open a Windows PowerShell session to begin the process for creating a dump.
    • Type PowerShell in the Start | Search Programs and Files command box and, from the programs list, right-click PowerShell and select Run as Administrator.

The New-ComaeSnapshot cmdlet generates an archive containing the Stardust metadata extracted directly from the running machine's memory.

Upload Snapshots

Once the snapshot completes, the output needs to be uploaded to the remote Stardust system for analysis. The snapshot archive is already compressed (.json.zip), so no compression switch is needed here. The full signature of the Send-ComaeSnapshot cmdlet is as follows:

Send-ComaeSnapshot [-Key] <string> [-Path] <string> [-ItemType] <string>

Parameters:

  • Key parameter is the user access token generated through the platform to enable the use of the API.
  • Path is the input file or directory, as indicated by the ItemType value.
  • ItemType can be either File or Directory.

From the PowerShell session, execute the Send-ComaeSnapshot cmdlet with the following parameters, based on preference.

Send only the json file:

Send-ComaeSnapshot -Key $APIKey -Path "C:\Comae-Snapshots\FileName.json.zip" -ItemType "File"

Create the snapshot in the provided directory before sending it to the server.

Send-ComaeSnapshot -Key $APIKey -Path "C:\Comae-Snapshots" -ItemType "Directory"

Sending snapshot archives instead of full memory dumps to Stardust offers added privacy: only the metadata archive (compressed .json files) leaves the machine. This is typically used in hybrid-cloud models, where memory is pre-processed locally instead of relying completely on the Stardust platform for analysis.

Create Snapshots

New-ComaeSnapshot simulates a live mode and generates the metadata directly. Because it does not archive a copy of the physical memory, the analysis cannot be re-run later against the original memory image; if that ability matters (for example, to apply new detection logic to an old acquisition), take a full dump with New-ComaeDumpFile instead. The full signature of the New-ComaeSnapshot cmdlet is as follows:

New-ComaeSnapshot [-Directory] <string>

The following cmdlet parameters are in scope to create the Snapshot:

  • Directory parameter is the output directory.

From the PowerShell session execute the New-ComaeSnapshot cmdlet with the Directory parameter:

New-ComaeSnapshot -Directory C:\Comae-Snapshots

The screenshots below show the output from the New-ComaeSnapshot cmdlet. The command may take a few minutes to complete.
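The dump procedure (New-ComaeDumpFile, Get-ComaeAPIKey, Send-ComaeDumpFile) and the snapshot procedure (New-ComaeSnapshot, Send-ComaeSnapshot) described above fit into one script. The following is an added example, not code from the Comae documentation or toolkit. It assumes the toolkit was extracted to C:\Comae-Toolkit\x64, that the client id and secret are supplied through the environment variables COMAE_CLIENT_ID and COMAE_CLIENT_SECRET, and that output goes under C:\Comae-Output; all three are the example's own choices, as is the parameter name -Mode. The elevation check, the Unblock-File call, the timestamped run directory and the SHA-256 log line are additions a responder would want and are not part of the Comae cmdlets.

```powershell
# Added example (not part of the Comae documentation or toolkit): end-to-end
# acquisition and upload using the cmdlets documented on this page.
# Assumptions (the example's own, not from the page):
#   - the extracted toolkit lives in C:\Comae-Toolkit\x64
#   - the Stardust client id/secret come from COMAE_CLIENT_ID / COMAE_CLIENT_SECRET
#     (never hard-code them in a script that is kept or shared)
#   - -Mode selects a full dump (.zdmp + .json) or a metadata-only snapshot (.json.zip)
param(
    [ValidateSet('Dump', 'Snapshot')]
    [string]$Mode = 'Snapshot',
    [string]$ToolkitDir = 'C:\Comae-Toolkit\x64',
    [string]$OutputRoot = 'C:\Comae-Output'
)

$ErrorActionPreference = 'Stop'

# DumpIt loads a kernel driver, so the session must be elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as Administrator) PowerShell session.'
}

# Clear the Mark of the Web that blocks downloaded scripts, then import the module.
$modulePath = Join-Path $ToolkitDir 'Comae.ps1'
Unblock-File -Path $modulePath
Import-Module $modulePath
if (-not (Get-Command New-ComaeDumpFile -ErrorAction SilentlyContinue)) {
    throw "The Comae module did not import from $modulePath"
}

# Credentials come from the environment, not from the script body.
$clientId     = $env:COMAE_CLIENT_ID
$clientSecret = $env:COMAE_CLIENT_SECRET
if (-not $clientId -or -not $clientSecret) {
    throw 'Set COMAE_CLIENT_ID and COMAE_CLIENT_SECRET before running.'
}
$apiKey = Get-ComaeAPIKey -ClientId $clientId -ClientSecret $clientSecret

# One timestamped directory per run keeps a history of acquisitions per host.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $OutputRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

switch ($Mode) {
    'Dump' {
        # Full physical memory image, compressed (.zdmp), plus .json metadata.
        New-ComaeDumpFile -Directory $outDir -IsCompress
        $artifact = Get-ChildItem -Path $outDir -Filter '*.zdmp' -File | Select-Object -First 1
        if (-not $artifact -or $artifact.Length -eq 0) { throw "No usable .zdmp produced in $outDir" }
        Send-ComaeDumpFile -Key $apiKey -Path $artifact.FullName -ItemType 'File'
    }
    'Snapshot' {
        # Metadata only: no copy of physical memory leaves the machine (or is kept).
        New-ComaeSnapshot -Directory $outDir
        $artifact = Get-ChildItem -Path $outDir -Filter '*.json.zip' -File | Select-Object -First 1
        if (-not $artifact -or $artifact.Length -eq 0) { throw "No usable snapshot archive produced in $outDir" }
        Send-ComaeSnapshot -Key $apiKey -Path $artifact.FullName -ItemType 'File'
    }
}

# Record what was uploaded, with its hash, so the upload can be tied back to the
# artifact (and to the investigation) later.
$hash = (Get-FileHash -Algorithm SHA256 -Path $artifact.FullName).Hash
"$(Get-Date -Format o) $Mode $($artifact.FullName) SHA256=$hash" |
    Add-Content -Path (Join-Path $OutputRoot 'acquisitions.log')
```

Run it as .\Invoke-ComaeAcquisition.ps1 -Mode Dump for a full image, or with the default -Mode Snapshot for metadata only. The script creates the artifact first and then uses the -ItemType File form rather than the -ItemType Directory form, so that a missing or zero-size artifact fails loudly before anything is uploaded. Full memory images contain credentials and key material; restrict the ACL on the output root to the responders who need it.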

Convert Dump Files to Snapshots

The Convert-DumpFileToSnapshot cmdlet converts a Microsoft crash dump file into a Comae Snapshot using the Dmp2Json program. The full signature of the Convert-DumpFileToSnapshot command is as follows:

Convert-DumpFileToSnapshot [-FilePath] <string> [-Directory] <string> [[-SymbolPath] <string>] [[-SymbolServer] <string>]

In scope parameters:

  • FilePath parameter is the input Microsoft crash dump file.
  • Directory is the output directory where the Comae snapshot archive will be located.
  • SymbolPath (optional) is the input directory for pre-downloaded Microsoft PDB symbols.
  • SymbolServer (optional) is the input server address for scenarios with custom symbol servers.

Convert-DumpFileToSnapshot -FilePath "TEST-MEMORY.dmp" -Directory "C:\Comae-Snapshots"

In certain cases, a user may want to provide a custom symbol directory path or a custom symbol server address.

Convert-DumpFileToSnapshot -FilePath "TEST-MEMORY.dmp" -Directory "C:\Comae-Snapshots" -SymbolPath "C:\Symbols" -SymbolServer https://msdl.microsoft.com/download/symbols

Conversion and Upload

Using the above cmdlets, a user can combine the conversion and upload procedures for multiple files within a given folder. The first loop converts every crash dump in the acquisition directory used in the New-ComaeDumpFile example above into a Comae snapshot archive; the second uploads each resulting archive:

# Convert each .dmp in the acquisition directory into a Comae snapshot archive.
Get-ChildItem -Path "C:\Comae-CrashDumps" -Filter "*.dmp" -File | ForEach-Object { Convert-DumpFileToSnapshot -FilePath $_.FullName -Directory "C:\Snapshots" }

# Upload every snapshot archive found in the output directory.
Get-ChildItem -Path "C:\Snapshots" -File | ForEach-Object { Send-ComaeSnapshot -Key $APIKey -Path $_.FullName -ItemType "File" }

Managing Machine Snapshots

The Stardust platform manages the uploaded snapshots and the information contained within the files generated by the PowerShell cmdlets. Users can upload the following to the Stardust platform:

  • Microsoft crash dump files, uncompressed or compressed (only Zip archives are supported)
  • Comae snapshot archives (smaller, pre-processed by Mem2Json)
    • This is often used in hybrid cloud scenarios where the user prefers to keep a copy of the crash dump files in local storage rather than in the cloud.

Machine Acquisition

Running the Comae DumpIt utility with the /Q (for quiet) option is used to automatically answer confirmation prompts, such as Proceed with the acquisition? [y/n], when running memory acquisition in a script.

New-ComaeDumpFile

Windows Scheduled Tasks can be set up to run DumpIt as a time-based utility and generate a historical record of machine memory. Doing so enables retro-hunting investigations, in which an indicator that only became known later is searched for across past acquisitions.
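As an added example (not Comae's own code), the following registers such a task with the ScheduledTasks cmdlets that ship with Windows 8 / Server 2012 and later. It assumes the toolkit at C:\Comae-Toolkit\x64, an output root of D:\MemoryHistory, a 03:00 daily trigger and the task name Comae-DailyMemoryImage; all of these are the example's own choices. It drives acquisition through the New-ComaeDumpFile cmdlet documented above rather than by calling DumpIt.exe directly, so no DumpIt switches beyond those already on this page are needed.

```powershell
# Added example (not Comae's own code): register a daily Scheduled Task that runs
# New-ComaeDumpFile as SYSTEM so that each day's memory image is kept for retro-hunting.
# Assumptions (the example's own, not from the page): toolkit at C:\Comae-Toolkit\x64,
# output under D:\MemoryHistory, 03:00 daily trigger, task name Comae-DailyMemoryImage.
# Registering the task itself requires an elevated session.
$toolkitModule = 'C:\Comae-Toolkit\x64\Comae.ps1'
$outputRoot    = 'D:\MemoryHistory'
$taskName      = 'Comae-DailyMemoryImage'

# Each run writes into its own dated folder (New-ComaeDumpFile creates it);
# -IsCompress keeps the per-day footprint down.
$inner = "Import-Module '$toolkitModule'; " +
         "New-ComaeDumpFile -Directory (Join-Path '$outputRoot' (Get-Date -Format 'yyyyMMdd-HHmm')) -IsCompress"

# -NonInteractive guarantees the run fails rather than hangs if anything prompts.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$inner`""

$trigger = New-ScheduledTaskTrigger -Daily -At 3am

# Memory acquisition loads the DumpIt kernel driver, so the task runs elevated as LocalSystem.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Bound the run time, catch up if the machine was asleep at 03:00, never overlap two acquisitions.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) `
    -StartWhenAvailable -DontStopOnIdleEnd -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'Daily full memory image for retro-hunting' -Force | Out-Null

# Sanity check: the task exists and is ready to run.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
```

Each run produces an image roughly the size of the machine's RAM, so size the volume accordingly and prune by date. Because full memory images contain credentials and key material, restrict the ACL on the output root to the responders who need it. If your build of the cmdlet prompts for confirmation under the scheduler, invoke DumpIt with the /Q option described above instead.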

Preprocessing

The output directory can be specified manually as either a local folder or a remote file share if the user prefers to manage their own local memory copy. If pre-processing crash dump files locally to generate a Comae snapshot archive, instead of sending an entire memory copy to the Stardust platform, is preferred, the Dmp2Json program performs the pre-processing. The command is run from a Command Prompt (cmd.exe) session rather than from PowerShell. The symbol path uses the standard srv*<local cache>*<server> syntax with the public Microsoft symbol server; the /Y switch that introduces it is assumed here, so check the usage text printed by Dmp2Json if your build differs:

Dmp2Json.exe /Y srv*C:\Symbols*https://msdl.microsoft.com/download/symbols /Z C:\FileName.dmp /c "/all /datetime /archive /snapshot C:\Snapshots\Snapshot"

A faster pre-processing tool is currently available on request.