Stop pulling the plug

Understand how essential it is to do memory analysis in order to find evidence that is rarely found anywhere else. This is not copyrighted material; the information included is collected from various sources for educational purposes.

Published in: Technology
  1. Stop Pulling The Plug

  2. Incident Response
     - Preparation
     - Identification and Analysis
     - Containment
     - Eradication
     - Recovery
     - Lessons learnt

  3. Why Memory Forensics
     - Everything in the OS traverses RAM
     - Best place to identify malicious software activity
     - Analyze and track recent activity on the system
     - Collect evidence that cannot be found anywhere else

  4. Artifacts that can be found in Memory
     - Processes
     - Logged Users
     - Drivers
     - Open files
     - Kernel Modules
     - Unsaved documents
     - Socket Information
     - Live registries
     - Passwords
     - Video Buffers (Screenshots)
     - Crypto Passphrases
     - BIOS Memory
     - Decrypted Files
     - VOIP Calls
     - Execution State
     - Malicious Code
     - Clipboard Material
     - IM chats
     - Network Drive buffers
     - Rootkit Footprints

  5. Advantages of Memory Forensics
     - Passwords in clear text in memory
     - Programs running
     - Open Documents / Files
     - Open content of compressed programs (packers)
     - Network Connections, current and recent
     - Crypto Keys (BitLocker, PGP Whole Disk Encryption, TrueCrypt etc.)
     - Command Line parameters (DOSKEY/cmd.exe)

  6. The Malware Paradox
     - Malware may be successful at either hiding or executing, but it is nearly impossible to do both!
     - Malware can hide, but it has to execute to be effective.

  7. Memory Forensics
     - Acquisition
       • Executing Memory
       • Pagefile
       • Hibernation file
     - Context
       • Find the offset of the needed structures
       • Extract structures from memory
       • Isolate Processes

  8. Memory Analysis Process
     1. Identify rogue processes
     2. Analyze process DLLs and handles
     3. Review network artifacts
     4. Look for evidence of code injection
     5. Check for signs of a rootkit
     6. Dump suspicious processes and drivers

  9. Finding the First Hit
     Analyzing Processes:
     - Image Name
     - Full Path
     - Parent Process
     - Command Line
     - Start Time
     - SIDs

  10. Redline
     - Free but not open source
     - Identify rogue processes
     - Was the process started at boot?
     - What user was logged on?
     - Any other suspicious processes?
     - Any further clues / string searches?
     - Explore more
     - What did you collect so far? Binaries, network connections, compromised user accounts. Compare with a live audit on the system.

  11. SIFT Forensic Workstation
     Download the SANS SIFT Workstation from http://computer-forensics.sans.org/community/downloads

  12. Let's start
     - Login "sansforensics"
     - Password "forensics"
     - $ sudo su
       Elevate privileges to root while mounting disk images.

  13. Volatility
     - Free and open source
     - vol.py -f <image> <plugin> --profile=<profile>
     - export VOLATILITY_LOCATION=file://<filepath>
     - export VOLATILITY_PROFILE=<profile>
     - vol.py -f <image format 1> imagecopy -O <imageformat1.img>
       (imagecopy's output option is -O / --output-image; converts a hibernation file, crash dump or VM memory file to a raw image)

  14. It's Show Time
     - Memory Analysis using Redline
     - Memory Analysis using Volatility

  15. What Next...
     - Volatility Registry Analysis
     - Memory Timelining

  16. References
     - Windows Forensic Analysis Toolkit, Harlan Carvey
     - https://www.mandiant.com/resources/download/redline
     - https://code.google.com/p/volatility/
     - https://code.google.com/p/volatility/wiki/SampleMemoryImages
     - http://computer-forensics.sans.org/community

  17. THANK YOU
     Kamal Ranjan
     Incident Response/Forensic Analyst @ FIS
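The "rogue process" questions from slides 8 to 10 (image name, full path, parent, command line, start time, SIDs, and "was it started at boot?") can be turned into mechanical checks. The script below is an added example, not code from the deck, from Redline or from Volatility: it compares each process against a simplified baseline of how core Windows processes look on a Vista/7-era system (the generation of tooling the deck uses) and flags look-alike names, wrong parents, wrong paths, images in user-writable directories and late starts. All process records, PIDs, paths, SIDs and times are constructed for the example; in practice they would be filled from Volatility pslist/pstree, cmdline and getsids output or a Redline collection.

```python
"""Rogue-process triage over a process listing (added example, constructed data)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SYSTEM_SID = "S-1-5-18"  # NT AUTHORITY\SYSTEM, well-known SID


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: Optional[str]          # None for the kernel "System" process
    cmdline: str
    start: datetime
    sids: List[str] = field(default_factory=list)


# Simplified baseline for core Windows processes (Vista/7 layout): expected parent
# image, on-disk path, whether it must run as SYSTEM, max instances (None = any).
BASELINE: Dict[str, Tuple[str, str, bool, Optional[int]]] = {
    "smss.exe":     ("system",       r"\systemroot\system32\smss.exe",    True,  1),
    "wininit.exe":  ("smss.exe",     r"c:\windows\system32\wininit.exe",  True,  1),
    "services.exe": ("wininit.exe",  r"c:\windows\system32\services.exe", True,  1),
    "lsass.exe":    ("wininit.exe",  r"c:\windows\system32\lsass.exe",    True,  1),
    "svchost.exe":  ("services.exe", r"c:\windows\system32\svchost.exe",  False, None),
}
# Directories an ordinary user can write to; any process image living there gets a look.
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|programdata)\\", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches look-alike names such as lsasss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(procs: List[Proc], boot_window: timedelta = timedelta(minutes=2)) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings; an empty list means nothing stood out."""
    by_pid = {p.pid: p for p in procs}
    system = next((p for p in procs if p.name.lower() == "system"), None)
    boot = system.start if system else min(p.start for p in procs)   # "System" start ~ boot time
    counts: Dict[str, int] = {}
    for p in procs:
        counts[p.name.lower()] = counts.get(p.name.lower(), 0) + 1

    findings: List[Tuple[int, str]] = []
    for p in procs:
        name, path = p.name.lower(), (p.path or "").lower()
        parent = by_pid.get(p.ppid)
        at_boot = p.start - boot <= boot_window
        when = "at boot" if at_boot else f"{p.start - boot} after boot"
        if name in BASELINE:
            exp_parent, exp_path, needs_system, max_inst = BASELINE[name]
            if parent is not None and parent.name.lower() != exp_parent:
                findings.append((p.pid, f"{p.name}: parent is {parent.name} (pid {p.ppid}), expected {exp_parent}"))
            elif parent is None and exp_parent != "smss.exe":   # smss.exe normally exits after spawning
                findings.append((p.pid, f"{p.name}: parent pid {p.ppid} missing, expected {exp_parent}"))
            if path and path != exp_path:
                findings.append((p.pid, f"{p.name}: path {p.path!r}, expected {exp_path!r}"))
            if needs_system and SYSTEM_SID not in p.sids:
                findings.append((p.pid, f"{p.name}: not running as SYSTEM, sids={p.sids}"))
            if max_inst is not None and counts[name] > max_inst:
                findings.append((p.pid, f"{p.name}: {counts[name]} instances, expected at most {max_inst}"))
            if not at_boot:   # core processes start with the OS; a late start is worth a look
                findings.append((p.pid, f"{p.name}: core process started {when}"))
        else:
            for core in BASELINE:
                if edit_distance(name, core) == 1:
                    findings.append((p.pid, f"{p.name}: one edit away from {core} (masquerading?), started {when}"))
        if path and USER_WRITABLE.search(path):
            findings.append((p.pid, f"{p.name}: image in user-writable location {p.path!r}, started {when}"))
    return findings


# Constructed listing: seven normal processes followed by two planted ones.
T0 = datetime(2024, 5, 1, 8, 0, 0)                          # constructed boot time
USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"     # constructed user SID
SAMPLE = [
    Proc(4, 0, "System", None, "", T0, [SYSTEM_SID]),
    Proc(260, 4, "smss.exe", r"\SystemRoot\System32\smss.exe", r"\SystemRoot\System32\smss.exe", T0 + timedelta(seconds=1), [SYSTEM_SID]),
    Proc(380, 340, "wininit.exe", r"C:\Windows\System32\wininit.exe", "wininit.exe", T0 + timedelta(seconds=3), [SYSTEM_SID]),
    Proc(476, 380, "services.exe", r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe", T0 + timedelta(seconds=4), [SYSTEM_SID]),
    Proc(484, 380, "lsass.exe", r"C:\Windows\System32\lsass.exe", r"C:\Windows\system32\lsass.exe", T0 + timedelta(seconds=4), [SYSTEM_SID]),
    Proc(640, 476, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs", T0 + timedelta(seconds=6), [SYSTEM_SID]),
    Proc(1500, 1480, "explorer.exe", r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE", T0 + timedelta(seconds=70), [USER]),
    Proc(2312, 1500, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "svchost.exe", T0 + timedelta(hours=3, minutes=42), [USER]),
    Proc(2400, 2312, "lsasss.exe", r"C:\Users\bob\AppData\Local\Temp\lsasss.exe", "lsasss.exe -s", T0 + timedelta(hours=3, minutes=42, seconds=5), [USER]),
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE):
        print(f"[pid {pid}] {reason}")
```

On the constructed listing the seven normal processes produce no findings, the planted svchost.exe (pid 2312) is flagged four times (parent, path, user-writable location, started hours after boot) and lsasss.exe once for the look-alike name and once for its location. The baseline is deliberately small; a real one is version-specific (csrss.exe, winlogon.exe and the svchost.exe "-k" groups would be added from a known-good image of the same build), and every finding is a lead to confirm against the DLL, handle and network steps, not a verdict.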
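Slide 13 shows the two ways of telling Volatility 2 which image and profile to use (the -f/--profile options or the VOLATILITY_LOCATION and VOLATILITY_PROFILE environment variables). The runner below is an added example, not part of the deck or of the Volatility project: it maps the six steps of slide 8 to Volatility 2.x plugins, exports the environment variables the slide describes, and writes one output file per plugin so the analyst works from saved text rather than re-running plugins. It assumes vol.py is on PATH, as on the SIFT workstation; the image path, profile and PID used in the usage line are constructed placeholders, and dry_run=True only lists the commands without executing anything.

```python
"""Batch runner for the six-step memory analysis process (added example)."""
import os
import subprocess
from typing import Dict, Iterable, List, Tuple

# Step numbers follow slide 8; names are Volatility 2.x plugins.
STEPS: Dict[str, List[str]] = {
    "1-rogue-processes": ["pslist", "psscan", "pstree", "psxview"],
    "2-dlls-handles":    ["dlllist", "handles"],
    "3-network":         ["netscan"],              # use connections/sockets on XP/2003 profiles
    "4-code-injection":  ["malfind", "ldrmodules"],
    "5-rootkit":         ["ssdt", "modscan", "driverirp"],
}


def build_commands(outdir: str, suspicious_pids: Iterable[int] = ()) -> List[Tuple[List[str], str]]:
    """Return (argv, output_path) pairs in step order; image/profile come from the environment."""
    runs: List[Tuple[List[str], str]] = []
    for step, plugins in STEPS.items():
        for plugin in plugins:
            runs.append((["vol.py", plugin], os.path.join(outdir, f"{step}-{plugin}.txt")))
    dumps = os.path.join(outdir, "6-dumps")
    for pid in suspicious_pids:   # step 6: dump only what step 1 flagged
        runs.append((["vol.py", "procdump", "-p", str(pid), "-D", dumps],
                     os.path.join(outdir, f"6-dumps-procdump-{pid}.txt")))
    runs.append((["vol.py", "moddump", "-D", dumps], os.path.join(outdir, "6-dumps-moddump.txt")))
    return runs


def run_triage(image: str, profile: str, outdir: str,
               suspicious_pids: Iterable[int] = (), dry_run: bool = False) -> List[str]:
    """Run every plugin with the slide's environment variables set; returns the command lines used."""
    env = dict(os.environ, VOLATILITY_LOCATION=f"file://{image}", VOLATILITY_PROFILE=profile)
    done: List[str] = []
    for argv, outpath in build_commands(outdir, suspicious_pids):
        line = f"VOLATILITY_PROFILE={profile} {' '.join(argv)} > {outpath}"
        if not dry_run:
            os.makedirs(os.path.join(outdir, "6-dumps"), exist_ok=True)
            with open(outpath, "w") as out, open(os.path.join(outdir, "errors.log"), "a") as err:
                # check=False: one failing plugin (e.g. netscan on an XP profile) must not stop the batch
                subprocess.run(argv, env=env, stdout=out, stderr=err, check=False)
        done.append(line)
    return done


if __name__ == "__main__":
    # Constructed placeholders: replace with the acquired image and its profile.
    for cmd in run_triage("/cases/constructed.raw", "Win7SP1x86", "triage-out", (2312,), dry_run=True):
        print(cmd)
```

The plugin set is a starting point: on XP/2003 profiles netscan is replaced by connections, connscan and sockets, and the step-5 checks are usually extended with apihooks and callbacks. Because both image and profile travel in the environment, the per-plugin argv stays short and the same runner can be pointed at an imagecopy-converted raw image without changes.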
