The LeechCore Physical Memory Acquisition Library:

The LeechCore Memory Acquisition Library focuses on physical memory acquisition using various hardware and software based methods. LeechCore provides API-based access to these hardware and software based memory sources via its C/C++, Python and C# APIs. Download the latest release of the library here on Github. If using Python it's recommended to install the leechcorepyc pip package, which is available for 64-bit Linux and Windows.

Use the LeechCore library locally, or connect over the network to a LeechAgent to acquire physical memory or run commands remotely. The connection is by default compressed and secured with mutually authenticated Kerberos, making it ideal in incident response when combined with analysis and live memory capture using Comae DumpIt or WinPMEM, even over high-latency, low-bandwidth connections.

The LeechCore library is used by PCILeech and The Memory Process File System (MemProcFS). The LeechCore library is supported on 32/64-bit Windows (. No executable exists for LeechCore: the library is always loaded by the applications using it, such as PCILeech and The Memory Process File System (MemProcFS.exe).

For detailed information about individual memory acquisition methods, the API and related examples, please check out the LeechCore wiki.

Memory Acquisition Methods:

Software based memory acquisition methods:

Please find a summary of the supported software based memory acquisition methods listed below. Please note that the LeechAgent only provides a network connection to a remote LeechCore library; it's possible to use both hardware and software based memory acquisition once connected.

Please find a summary of the supported hardware based memory acquisition methods listed below. All hardware based memory acquisition methods are supported on both Windows and Linux. The FPGA based methods however have a performance penalty on Linux and will max out at approx. 90 MB/s, compared to 150 MB/s on Windows, due to less optimized drivers.

The LeechAgent Memory Acquisition and Analysis Agent:

The LeechAgent Memory Acquisition and Analysis Agent exists for Windows only. It allows users of the LeechCore library (PCILeech and MemProcFS) to connect to remotely installed LeechAgents over the network. The connection is secured, by default, with mutually authenticated, encrypted Kerberos. Once connected, physical memory may be acquired over the secure compressed connection. Memory analysis scripts, written in Python, may also be submitted for remote processing by the LeechAgent.

The LeechAgent authenticates all incoming connections against membership in the Local Administrators group. The clients must also authenticate the agent itself against the SPN used by the agent; please check the Application Event Log for information about the SPN and also for successful authentication events against the agent.

There is also a possibility to run the LeechAgent in interactive mode (as a normal program). If run in interactive mode, a user may also start the LeechAgent in "insecure" mode, which means no authentication or logging at all. In that mode anyone who can reach the listener can read the host's physical memory and submit scripts for execution without leaving an audit trail, so insecure mode belongs only on isolated lab networks, never on a production host.

The LeechAgent listens on port tcp/28473; please ensure network connectivity for this port in the firewall.
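The agent-side checks described above (the tcp/28473 firewall rule, Local Administrators membership, and the SPN and authentication events in the Application Event Log), as an added PowerShell example for the Windows host running the agent. This is not LeechCore or LeechAgent project code; the analyst subnet 10.10.20.0/24, the account CORP\ir-analyst, the host name agent-host.corp.example and the assumption that the agent's events carry a provider name containing "LeechAgent" are all placeholders, not facts from the page.

```powershell
# Added example, not LeechAgent project code. Run in an elevated PowerShell on
# the Windows host where the LeechAgent is installed.
# Assumptions (not from the page): analyst workstations are in 10.10.20.0/24,
# the connecting account is CORP\ir-analyst, and the agent writes to the
# Application log under a provider whose name contains "LeechAgent".

$Port          = 28473                 # tcp/28473, the port the LeechAgent listens on
$AnalystSubnet = '10.10.20.0/24'       # assumption: where acquisitions are run from
$Analyst       = 'CORP\ir-analyst'     # assumption: account that will connect

# 1. Open tcp/28473 inbound, but only from the analyst subnet. The page only
#    asks for connectivity on the port; scoping -RemoteAddress keeps a
#    physical-memory listener unreachable from the rest of the network.
$rule = Get-NetFirewallRule -DisplayName 'LeechAgent tcp/28473' -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName 'LeechAgent tcp/28473' `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $AnalystSubnet -Action Allow | Out-Null
}

# 2. The agent authorizes callers by Local Administrators membership. Confirm
#    the analyst is a member before troubleshooting Kerberos, and review who
#    else is a member, since every one of them may acquire memory remotely.
$admins = Get-LocalGroupMember -Group 'Administrators'
if (-not ($admins.Name -contains $Analyst)) {
    Write-Warning "$Analyst is not a local Administrator and will be refused by the agent."
}
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. The agent's SPN and successful client authentications are written to the
#    Application Event Log. Pull the recent agent events to read the SPN the
#    clients must authenticate the agent against and to audit who connected.
Get-WinEvent -LogName Application -MaxEvents 2000 |
    Where-Object { $_.ProviderName -like '*LeechAgent*' } |   # assumption: provider name
    Select-Object TimeCreated, Id, Message |
    Format-List

# 4. From the analyst workstation (not on the agent host), confirm the
#    listener is reachable before starting PCILeech or MemProcFS:
#    Test-NetConnection -ComputerName agent-host.corp.example -Port 28473
```

The firewall rule is the one place the example goes further than the page: the text asks only that the port be reachable, while the rule above restricts inbound tcp/28473 to the analyst subnet, so that the Kerberos authentication and Local Administrators check are the second and third barrier rather than the first.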