Windows Memory  Forensic Analysis  --  Aashish Kunte Club Hack 2010
Security Incident <ul><li>A secured company’s network gets a port 5548 traffic on the  Null (SinkHole) Router  !  </li></u...
Security Incident Response  <ul><li>Set of procedures to examine a computer  security incident .  </li></ul><ul><li>The pr...
Digital Forensics <ul><li>In depth Analysis  & Complex Techniques  </li></ul><ul><li>The goal of computer forensics is to ...
Technique <ul><li>Preparation </li></ul><ul><li>Acquisition </li></ul><ul><li>Enumeration </li></ul><ul><li>Analysis  </li...
Windows Memory <ul><li>live activities from the contents of RAM on a Windows Machine.  </li></ul><ul><li>During a post-mor...
What Information ??? <ul><li>Processes  </li></ul>Open   Files & Registry Handles Network Information Passwords & Cryptogr...
Analysis Sit Back … …  Relax !!
<ul><li>How Volatile Memory Works  ?  </li></ul>
<ul><li>Acquisition of Windows Memory  </li></ul><ul><li>Volatile Memory Organized  ?  </li></ul>
<ul><li>Processes  </li></ul><ul><li>What is Process Memory  ?  </li></ul><ul><li>Process Enumeration  </li></ul>
<ul><li>How to find Suspicious Files  </li></ul><ul><li>and Suspicious Keys  ?  </li></ul><ul><li>Open Files </li></ul><ul...
<ul><li>Network Information  </li></ul><ul><li>Why from Volatile Memory  ?  </li></ul><ul><li>Open Sockets  </li></ul><ul>...
<ul><li>What the heck is VAD Tree ?  </li></ul>
<ul><li>Passwords and Encryption Keys  </li></ul><ul><li>SSDT  </li></ul>Video : To find out Passwords and Encryption Keys...
<ul><li>Anti-Forensic Attack (DKOM)  </li></ul>
<ul><li>Static & Dynamic Analysis </li></ul><ul><li>Reverse Engineering  </li></ul><ul><li>Files of Unknown Origin </li></ul>
Quick Bites <ul><li>Suspicious  Log  Entries </li></ul><ul><li>Suspicious  Processes  and  Services </li></ul><ul><li>Susp...
Tools <ul><li>Basic Tools  </li></ul><ul><li>Memdump, KnTTools </li></ul><ul><li>FATKit </li></ul><ul><li>WMFT </li></ul><...
Questions ??? Club Hack 2010
Upcoming SlideShare
Loading in...5

Memory forensic analysis (aashish)


Published on

Published in: Technology
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Introduction :
  • Here is a story of an incident handled in an Ideal scenario. A Global company has a controlled and secured computing environment. They have adopted many security best practices into their operations. This company has a Null (Sinkhole) Router, which means all the non-routable IP traffic will end up @ this router. After a detailed analysis of the sinkhole router it is observed that there is some suspicious activity going on… the behavioral pattern shows activity from a particular geographical location… several PC’s were trying to access sequentially numbered unused IP addresses…. Traffic looks like source port 0 and destination port 5548. Digging deep and deeper into the logs there was a windows web server who was also generating similar type of traffic. When we went to the SOC team we found that the server running with latest Patches / Antivirus / End Point Protection / HIPS Server logs monitored / reviewed regularly. Server is not showing any of misbehavior or Performance Issues. Server Contains PII’s and SPII’s with Confidential Information stored. (Slide Time Duration 3 Mins)
  • Now this particular situation is an unusual behavior or suspicious event. Any un-usual event within an organization can be serious Incident. As an essential and critical control, Ideal Company will have an Incident Response Plan where the Incident Handling guidelines will be in place with a proper IR Methodology. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker’s presence, and recover in a secure fashion. NIST has a detailed guideline for creating and running an incident response team. Business Benefits : Provides on demand security expertise on preparing for and responding to incidents Provides comprehensive risk mitigation support Stops attacks in progress to mini-mize their impact Improves incident response preparedness Performs forensics to find and prose-cute perpetrators Provides access to early-warning security intelligence (Slide Time Duration 2 Mins)
  • We need to apply an in depth analysis using complex techniques. Forensics is the application of a particular science to the law. Digital Forensics is a branch of forensic science on all sides of the recovery and investigation of material found in digital devices, often in relation to computer crime. Investigations often take one of three forms; forensic analysis (where evidence is recovered to support or oppose a hypothesis before a criminal court), eDiscovery (a form of discovery related to civil litigation) or intrusion investigation (which is a specialist investigation into the nature and extent of an unauthorized network intrusion). Investigations are much broader in scope than other areas of forensic analysis (where the usual aim is to provide answers to a series of simpler questions) often relating to complex time-lines or hypothesis. Computer forensics is an expansive and fast-moving field. New and evolving technologies such as cellular phones, personal digital assistants (PDAs), as well as new and ever-changing operating systems and file systems all require in-depth analysis to determine how best to extract information pertinent to an investigation. In addition, techniques for performing forensics on both new and existing technologies are constantly in development. Many techniques are complex and time-consuming, requiring training and specialized tools. Distinct areas of research and development have emerged within the overarching theme of forensics. (Slide Time Duration 2/3 Mins)
  • The Forensic Incident Response Methodology… (Slide Time Duration 2 Mins)
  • Value of Windows Memory Forensic Analysis : Applying a straightforward analysis, she noted the advisory committee comment that the rule applies to information &amp;quot;that is fixed in a tangible form and to information that is stored in a medium from which it can be retrieved and examined,&amp;quot; and that the rule &amp;quot;is expansive and includes any type of information that is stored electronically,&amp;quot; and &amp;quot;is intended to be broad enough to cover all current types of computer-based information.&amp;quot; RAM and FRCP 34 Lock Horns (Slide Time Duration 3 Mins)
  • Information Treasure available In Memory. (Slide Time Duration 4 Mins)
  • (Slide Time Duration 1 Mins)
  • Memory Basics. Ok. Let me add a small diagram here … and let me grow a little bit here … so that its visible to everyone … I picked up some of these pictures from one of the very interesting and presentation on windows memory forensics with volatility framework, written by a German computer forensic geek Mr. Andreas Schuster. Physical memory is divided into so called “pages”. Allocated virtual memory is mapped onto physical memory page by page. The same page of physical memory can appear at different locations within the same address space or in different address spaces. Data can be moved from physical memory into a page file to clear some space. Alright, now moving on to the important kernel structures, Mr. Mariusz Burdach who owns the has explained this portion in detail, I have picked up only few here however I suggest you go thru his papers and Black Hat Presentations to understand the concepts better. Here the EPROCESS BLOCK that is the executive process block is very interesting and important kernel structure that contains mainly the KPROCESS BLOCK or kernel process block, ETHREAD or executive thread block, ACCESS_TOKEN &amp; SIDs the Process Environment Block, The VAD or Virtual Address descriptor… One interesting thing about VAD Walking is… it can reveal a wealth of information! We are going to discuss this VAD tree in detail. Handle Table, Creation Time … This is another important kernel structure. Then there is Data Section Control Area that includes Page Frames. And Finally the PFN Database this has the page frame numbers stored. Now lets look @ the relations between structures… this picture explains EPROCESS Block and the relations between other kernel objects. We can clearly derive a one way connection between EPROCESS / ETHREAD and SSDT. Bi-Directional connection between Page Frame Numbers and Page Tables … We are going to discuss in detail the importance of this PFN and the Page Tables towards end of Analysis Phase. Let me allow you to have a closer look @ the diagram.
  • Acquisition in detail
  • Process Enumeration and Analysis in detail.
  • Detailed Analysis for Open Files and Windows Registry. Video : HBGary Responder Pro &amp; Digital DNA -identifying malware Duration : 4 Mins
  • Detailed Description on Network Information from Memory This information is similar to NETSTAT output … but that can be trojanized to give false or modified output … however pulling the Network Information directly from Live Memory dump using the data structures themselves, it becomes much harder for an attacker to hide their listening backdoor or connection to their home server from which they have a control …
  • VAD is nothing but a Virtual Address Descriptor... Processes are stored in Windows in a VAD Tree. This tree describes memory ranges used by currently-running processes, and allows a process’s virtual address space to be reconstructed. Let me try and grow this Image a bit… you will observe the starting point as VAD ROOT That connects VAD Node / Control Area and the Object table that contains File Object. One of the structures in the VAD tree is called an object table, which lists the private objects that are in use by a process – these can be files, registry keys, and events. The memory-mapped files associated with each process can be recovered by walking the VAD tree and pulling out the objects of interest – in this case files, but potentially other objects as well. There is also an area of memory called the “Control Area” that maintains links between file names and the file data stored in the pages; if this area is still present the file name can often be recovered as well. In-depth coverage of this topic you can start with the very interesting paper named Forensic Memory Analysis : Files mapped in memory by Van Baar and a book named Windows Internals. VAD Tree becomes useful for many reasons – most information associated with a process can be found by walking the VAD Tree. In particular, it is possible to recover all the memory-mapped files associated with specific processes using VAD Tree.
  • Video : To find out Passwords and Encryption Keys from Windows Memory Duration: 2 Mins Video : To understand SSDT and Analyse SSDT using Python and Volatility Framework Duration : 2 Mins
  • Detailed Description
  • Advanced Forensic Techniques
  • Quick information on Incident Detection / Verification (Slide Time Duration 3 Mins)
  • Elaborated Discussion on Each Tool and Specialty of the tool as appropriate results. (Slide Time Duration 3 Mins)
  • Digital Forensics / Security Incident Response is going to play a significant role in India with more maturity and advanced techniques such as Cloud Forensics/Mobile Device Forensics and to cope up with Anti-Forensic attack by adopting innovative techniques with latest technology updates &amp;quot; The Future can be Clouds... but we need to keep our feet on ground with Facts and some common sense&amp;quot; (Slide Time Duration 1 Mins)
  • (Slide Time Duration 10 Mins)
  • Memory forensic analysis (aashish)

    1. 1. Windows Memory Forensic Analysis -- Aashish Kunte Club Hack 2010
    2. 2. Security Incident <ul><li>A secured company’s network gets a port 5548 traffic on the Null (SinkHole) Router ! </li></ul><ul><li>The activity seems to be a suspicious Service Scan ! </li></ul><ul><li>Source Computer is a Windows Web Server …. </li></ul>
    3. 3. Security Incident Response <ul><li>Set of procedures to examine a computer security incident . </li></ul><ul><li>The process involves figuring out what was happened </li></ul><ul><li>Helps mitigate security risk through proactive measures and world-class defensive tactics </li></ul>
    4. 4. Digital Forensics <ul><li>In depth Analysis & Complex Techniques </li></ul><ul><li>The goal of computer forensics is to explain the current state of a digital artifact </li></ul><ul><li>The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events. </li></ul>
    5. 5. Technique <ul><li>Preparation </li></ul><ul><li>Acquisition </li></ul><ul><li>Enumeration </li></ul><ul><li>Analysis </li></ul><ul><li>Recovery </li></ul><ul><li>Presentation </li></ul>
    6. 6. Windows Memory <ul><li>live activities from the contents of RAM on a Windows Machine. </li></ul><ul><li>During a post-mortem analysis: specifically encrypted, compressed or hidden processes. </li></ul><ul><li>RAM constituted &quot;electronically stored information&quot; under rule 34(a) of the Federal Rules of Civil Procedure. </li></ul>
    7. 7. What Information ??? <ul><li>Processes </li></ul>Open Files & Registry Handles Network Information Passwords & Cryptographic Keys Unencrypted Content Hidden Data Malicious Code DLL’s
    8. 8. Analysis Sit Back … … Relax !!
    9. 9. <ul><li>How Volatile Memory Works ? </li></ul>
    10. 10. <ul><li>Acquisition of Windows Memory </li></ul><ul><li>Volatile Memory Organized ? </li></ul>
    11. 11. <ul><li>Processes </li></ul><ul><li>What is Process Memory ? </li></ul><ul><li>Process Enumeration </li></ul>
    12. 12. <ul><li>How to find Suspicious Files </li></ul><ul><li>and Suspicious Keys ? </li></ul><ul><li>Open Files </li></ul><ul><li>Windows Registry </li></ul><ul><li>Loaded DLL’s </li></ul>Video : HBGary Responder Pro & Digital DNA -identifying malware
    13. 13. <ul><li>Network Information </li></ul><ul><li>Why from Volatile Memory ? </li></ul><ul><li>Open Sockets </li></ul><ul><li>Open Ports </li></ul><ul><li>Open TCP Connections </li></ul>
    14. 14. <ul><li>What the heck is VAD Tree ? </li></ul>
    15. 15. <ul><li>Passwords and Encryption Keys </li></ul><ul><li>SSDT </li></ul>Video : To find out Passwords and Encryption Keys from Windows Memory Video : To Analyze SSDT using : Python and Volatility Framework
    16. 16. <ul><li>Anti-Forensic Attack (DKOM) </li></ul>
    17. 17. <ul><li>Static & Dynamic Analysis </li></ul><ul><li>Reverse Engineering </li></ul><ul><li>Files of Unknown Origin </li></ul>
    18. 18. Quick Bites <ul><li>Suspicious Log Entries </li></ul><ul><li>Suspicious Processes and Services </li></ul><ul><li>Suspicious Files and Registry Keys </li></ul><ul><li>Suspicious Network Usage </li></ul><ul><li>Suspicious Scheduled Tasks </li></ul><ul><li>Suspicious Accounts </li></ul>
    19. 19. Tools <ul><li>Basic Tools </li></ul><ul><li>Memdump, KnTTools </li></ul><ul><li>FATKit </li></ul><ul><li>WMFT </li></ul><ul><li>Procenum </li></ul><ul><li>Idetect </li></ul><ul><li>The Volatility Framework </li></ul><ul><li>VAD Tools </li></ul><ul><li>Commercial Tools </li></ul><ul><li>Memoryze </li></ul>
    20. 20. Future
    21. 21. Questions ??? Club Hack 2010
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.