SlideShare a Scribd company logo

Pattern-Oriented Memory Forensics

Dmitry Vostokov
Dmitry Vostokov

This lecture introduces a pattern language for memory forensics - investigation of past software behaviour in memory snapshots. It provides a unified language for discussing and communicating detection and analysis results despite the proliferation of operating systems and tools, a base language for checklists, and an aid in accelerated learning. The lecture has a short theoretical part and then illustrates various patterns seen in crash dumps by using WinDbg debugger.

Software
1 of 36
Download to read offline
Memory Forensics Dmitry Vostokov Software Diagnostics InstituteFacebook LinkedIn Twitter Presented at VolgaCTF, Russia Inter-Regional Inter-University Open Computer Security Contest www.volgactf.ru
Forensics A discipline studying past structure and behavior. © 2014 Software Diagnostics Institute
Memory Forensics A discipline studying past structure and behavior in acquired computer memory. © 2014 Software Diagnostics Institute
We Have A Problem  Proliferation of computer architectures, operating systems, and tools  Different memory analysis narratives  Need to measure analysis quality © 2014 Software Diagnostics Institute
Solution  Empirical patterns  A pattern language  Pattern orientation © 2014 Software Diagnostics Institute
Forensic Pattern A common recurrent identifiable set of indicators (signs) together with a set of recommendations to apply in a specific context. © 2014 Software Diagnostics Institute
Memory Forensics revised A discipline studying past structure and behavior of software in acquired memory using pattern- oriented analysis methodology. © 2014 Software Diagnostics Institute
Software Forensics Software execution artefacts Memory forensics © 2014 Software Diagnostics Institute
Software Forensics A discipline studying past structure and behavior of software in execution artifacts using systemic and pattern-oriented analysis methodologies. © 2014 Software Diagnostics Institute
Structure and Behavior  Memory snapshots (dumps)  Traces and logs  Source code  Digital data (media) © 2014 Software Diagnostics Institute
Diagnostics and Forensics Diagnostics (present and past) Forensics (past) Prognostics (future) © 2014 Software Diagnostics Institute
Software Diagnostics A discipline studying signs of software structure and behavior in software execution artifacts (such as memory dumps, software and network traces and logs) using systemic and pattern-oriented analysis methodologies. © 2014 Software Diagnostics Institute
Forensic Analysis Patterns Software Diagnostics Patterns Software Forensic Analysis Patterns © 2014 Software Diagnostics Institute Memory Forensic Analysis Patterns
A Pattern Language  The same detection and analysis language for different computer architectures, operating systems, and tools  The same memory analysis narratives  Measured analysis quality  Predicting unknown © 2014 Software Diagnostics Institute
Pattern Orientation 1. Pattern-driven  Finding patterns in memory  Using checklists and pattern catalogs 2. Pattern-based  Pattern catalogue evolution  Catalog packaging and delivery © 2014 Software Diagnostics Institute
Structural Memory Patterns … Memory Region Region Boundary Anchor Region Linked List Value References Regular Data String Value Small Value Data Structure … Main Pattern Catalogues Memory Analysis Patterns … Wait Chain Execution Residue Spiking Thread Local Buffer Overflow Shared Buffer Overwrite Dynamic Memory Corruption … © 2014 Software Diagnostics Institute Malware Analysis Patterns … Raw Pointer String Hint Out-of-Module Pointer Hooksware Hidden Process Deviant Module Namespace … Disassembly, Deconstruction, Reversing Patterns Memory Acquisition Patterns
Pattern Classification … Dynamic Memory Corruption Patterns Stack Overflow Patterns Stack Trace Patterns Symbol Patterns Exception Patterns Meta-Memory Dump Patterns Module Patterns Optimization Patterns Thread Patterns Process Patterns … © 2014 Software Diagnostics Institute
Memory Acquisition Patterns http://www.dumpanalysis.org/memory-acquisition-patterns Structural space patterns … Process Memory Dump Kernel memory Dump Physical Memory Dump Fiber Bundle Dump … © 2014 Software Diagnostics Institute Acquisition strategy patterns … External Dump Self Dump Conditional Dump Dump Sequence …
ADDR Patterns http://www.dumpanalysis.org/addr-patterns … Potential Functionality Function Skeleton Function Call Call Path Local Variable Static Variable Pointer Dereference Function Prologue Function Epilogue Variable Initialization © 2014 Software Diagnostics Institute Memory Copy Call Prologue Call Parameter Call Epilogue Call Result Control Path Function Parameter Structure Field Last Call …
Pattern Implementation  By OS vendor (Windows, Mac OS X, Linux, …)  By tool (WinDbg, Volatility, IDA, GDB, LLDB, …)  By CPU architecture (x86, x64, ARM, …)  By digital media (memory, volume, file, blob, …) © 2014 Software Diagnostics Institute
Pattern-Driven Analysis Memory Checklists Patterns Action © 2014 Software Diagnostics Institute  Pattern Pattern Pattern  Pattern  Pattern 1. Tool-specific checklist: http://www.dumpanalysis.org/windows- memory-analysis-checklist 2. Pattern catalogue checklists: http://dumpanalysis.org
Pattern-Based Analysis Memory New Pattern Discovery Pattern Catalog + Usage © 2014 Software Diagnostics Institute
Systems Approach Narratology Trace Analysis Patterns Memory Analysis © 2014 Software Diagnostics Institute
Native Memory Forensics Using native OS debuggers such as WinDbg from Debugging Tools for Windows or GDB (Linux) or GDB/LLDB (Mac OS X). © 2014 Software Diagnostics Institute
Practical Examples WinDbg session… © 2014 Software Diagnostics Institute
Patterns for Example A  Tampered Dump  Exception Stack Trace  Stored Exception  Lateral Damage  Execution Residue  Hidden Exception  NULL Data Pointer © 2014 Software Diagnostics Institute
Patterns for Example B  Heap Corruption  Stack Trace Collection  RIP Stack Trace  Hooksware  Patched Code  Hidden Module  Deviant Module  String Hint  Fake Module  No Component Symbols  Namespace © 2014 Software Diagnostics Institute
Example C Pattern correspondence  Process Dump  Physical (Complete) Dump  Kernel Dump © 2014 Software Diagnostics Institute
Further Reading (Patterns)  The Timeless Way of Building (by Christopher Alexander)  A Pattern Language: Towns, Buildings, Construction (by Christopher Alexander, et al.) © 2014 Software Diagnostics Institute
Further Reading (MDA)  Cloud Memory Dump Analysis  Fundamentals of Physical Memory Analysis  Victimware  Pattern-Oriented Software Forensics  Debugging TV © 2014 Software Diagnostics Institute
Further Reading (SD)  Software Diagnostics Institute  Pattern-Driven Software Diagnostics  Systemic Software Diagnostics  Pattern-Based Software Diagnostics  Philosophy of Software Diagnostics © 2014 Software Diagnostics Institute
Current Reference © 2014 Software Diagnostics Institute Memory Dump Analysis Anthology: 7 volumes + 3 colour volumes Volume 8 is planned for 2015/2016
Forthcoming Transcript © 2014 Software Diagnostics Institute Pattern-Oriented Memory Forensics: A Pattern Language Approach (ISBN: 9781908043764)
Forthcoming Reference © 2014 Software Diagnostics Institute A Pattern Language for Software Diagnostics, Forensics, and Prognostics: Memory, Traces, Deconstruction (10 volumes)
Q&A Please send your feedback using the contact form on DumpAnalysis.org © 2014 Software Diagnostics Institute
Thank you for attendance! Facebook LinkedIn Twitter © 2014 Software Diagnostics Institute

Recommended

Pattern-Based Software Diagnostics
Pattern-Based Software DiagnosticsPattern-Based Software Diagnostics
Pattern-Based Software DiagnosticsDmitry Vostokov
 
Towards Reusable Research Software
Towards Reusable Research SoftwareTowards Reusable Research Software
Towards Reusable Research Softwaredgarijo
 
Lviv Data Science Club (Sergiy Lunyakin)
Lviv Data Science Club (Sergiy Lunyakin)Lviv Data Science Club (Sergiy Lunyakin)
Lviv Data Science Club (Sergiy Lunyakin)Lviv Startup Club
 
Introduction to Pattern-Driven Software Problem Solving
Introduction to Pattern-Driven Software Problem SolvingIntroduction to Pattern-Driven Software Problem Solving
Introduction to Pattern-Driven Software Problem SolvingDmitry Vostokov
 
Letting the Machine Code Qualitative and Mixed Methods Data in NVivo 10
Letting the Machine Code Qualitative and Mixed Methods Data in NVivo 10Letting the Machine Code Qualitative and Mixed Methods Data in NVivo 10
Letting the Machine Code Qualitative and Mixed Methods Data in NVivo 10Shalin Hai-Jew
 
My life as a cyborg
My life as a cyborg My life as a cyborg
My life as a cyborg Alexander Serebrenik
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecurityTao Xie
 
DeepPavlov 2019
DeepPavlov 2019DeepPavlov 2019
DeepPavlov 2019Mikhail Burtsev
 

Recommended

Pattern-Based Software Diagnostics
Pattern-Based Software DiagnosticsPattern-Based Software Diagnostics
Pattern-Based Software DiagnosticsDmitry Vostokov
 
Towards Reusable Research Software
Towards Reusable Research SoftwareTowards Reusable Research Software
Towards Reusable Research Softwaredgarijo
 
Lviv Data Science Club (Sergiy Lunyakin)
Lviv Data Science Club (Sergiy Lunyakin)Lviv Data Science Club (Sergiy Lunyakin)
Lviv Data Science Club (Sergiy Lunyakin)Lviv Startup Club
 
Introduction to Pattern-Driven Software Problem Solving
Introduction to Pattern-Driven Software Problem SolvingIntroduction to Pattern-Driven Software Problem Solving
Introduction to Pattern-Driven Software Problem SolvingDmitry Vostokov
 
Letting the Machine Code Qualitative and Mixed Methods Data in NVivo 10
Letting the Machine Code Qualitative and Mixed Methods Data in NVivo 10Letting the Machine Code Qualitative and Mixed Methods Data in NVivo 10
Letting the Machine Code Qualitative and Mixed Methods Data in NVivo 10Shalin Hai-Jew
 
My life as a cyborg
My life as a cyborg My life as a cyborg
My life as a cyborg Alexander Serebrenik
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecurityTao Xie
 
DeepPavlov 2019
DeepPavlov 2019DeepPavlov 2019
DeepPavlov 2019Mikhail Burtsev
 
PhD Projects in Pattern Recognition Research Ideas
PhD Projects in Pattern Recognition Research IdeasPhD Projects in Pattern Recognition Research Ideas
PhD Projects in Pattern Recognition Research IdeasPhD Services
 
Encom presentation ( Research Group)
Encom presentation ( Research Group)Encom presentation ( Research Group)
Encom presentation ( Research Group)Dr Adnan M. AlBar, CIO at PME Associate Professor
 
Pattern-Driven Software Diagnostics: An Introduction
Pattern-Driven Software Diagnostics: An IntroductionPattern-Driven Software Diagnostics: An Introduction
Pattern-Driven Software Diagnostics: An IntroductionDmitry Vostokov
 
Mindtrek 2015 - Tampere Finland
Mindtrek 2015 - Tampere Finland Mindtrek 2015 - Tampere Finland
Mindtrek 2015 - Tampere Finland Panos Fitsilis
 
Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Tao Xie
 
Prov4J: A Semantic Web Framework for Generic Provenance Management
Prov4J: A Semantic Web Framework for Generic Provenance Management Prov4J: A Semantic Web Framework for Generic Provenance Management
Prov4J: A Semantic Web Framework for Generic Provenance Management Andre Freitas
 
#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...
#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...
#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...Agile Testing Alliance
 
Intelligent Software Engineering: Synergy between AI and Software Engineering...
Intelligent Software Engineering: Synergy between AI and Software Engineering...Intelligent Software Engineering: Synergy between AI and Software Engineering...
Intelligent Software Engineering: Synergy between AI and Software Engineering...Tao Xie
 
AzureML TechTalk
AzureML TechTalkAzureML TechTalk
AzureML TechTalkUdaya Kumar
 
Co-evolving changes in a data-intensive software system
Co-evolving changes in a data-intensive software systemCo-evolving changes in a data-intensive software system
Co-evolving changes in a data-intensive software systemTom Mens
 
Model-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software RepositoriesModel-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software RepositoriesMarkus Scheidgen
 
20180126 microsoft ai on healthcare
20180126 microsoft ai on healthcare20180126 microsoft ai on healthcare
20180126 microsoft ai on healthcareMeng-Ru (Raymond) Tsai
 
"Hands Off! Best Practices for Code Hand Offs"
"Hands Off! Best Practices for Code Hand Offs""Hands Off! Best Practices for Code Hand Offs"
"Hands Off! Best Practices for Code Hand Offs"Naomi Dushay
 
Linux Driver and Embedded Developer with Android Course Content & Highlights
Linux Driver and Embedded Developer with Android Course Content & HighlightsLinux Driver and Embedded Developer with Android Course Content & Highlights
Linux Driver and Embedded Developer with Android Course Content & HighlightsVeda Solutions - Embedded Systems & Linux Device Drivers Training
 
Proof of Concept for Learning Analytics Interoperability
Proof of Concept for Learning Analytics InteroperabilityProof of Concept for Learning Analytics Interoperability
Proof of Concept for Learning Analytics InteroperabilityOpen Cyber University of Korea
 
Software Requirement Patterns (SRP)
Software Requirement Patterns (SRP)Software Requirement Patterns (SRP)
Software Requirement Patterns (SRP)GESSI UPC
 
Guru_poster
Guru_posterGuru_poster
Guru_posterChristopher Clarke
 
Phd
PhdPhd
PhdJean-Paul Calbimonte
 
Cost Effective Web Application Testing
Cost Effective Web Application TestingCost Effective Web Application Testing
Cost Effective Web Application TestingHari Pudipeddi
 
Cost effective web application testing
Cost effective web application testingCost effective web application testing
Cost effective web application testingHarinath Pudipeddi
 
Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesDmitry Vostokov
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesDmitry Vostokov
 

More Related Content

Similar to Pattern-Oriented Memory Forensics

PhD Projects in Pattern Recognition Research Ideas
PhD Projects in Pattern Recognition Research IdeasPhD Projects in Pattern Recognition Research Ideas
PhD Projects in Pattern Recognition Research IdeasPhD Services
 
Pattern-Driven Software Diagnostics: An Introduction
Pattern-Driven Software Diagnostics: An IntroductionPattern-Driven Software Diagnostics: An Introduction
Pattern-Driven Software Diagnostics: An IntroductionDmitry Vostokov
 
Mindtrek 2015 - Tampere Finland
Mindtrek 2015 - Tampere Finland Mindtrek 2015 - Tampere Finland
Mindtrek 2015 - Tampere Finland Panos Fitsilis
 
Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Tao Xie
 
Prov4J: A Semantic Web Framework for Generic Provenance Management
Prov4J: A Semantic Web Framework for Generic Provenance Management Prov4J: A Semantic Web Framework for Generic Provenance Management
Prov4J: A Semantic Web Framework for Generic Provenance Management Andre Freitas
 
#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...
#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...
#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...Agile Testing Alliance
 
Intelligent Software Engineering: Synergy between AI and Software Engineering...
Intelligent Software Engineering: Synergy between AI and Software Engineering...Intelligent Software Engineering: Synergy between AI and Software Engineering...
Intelligent Software Engineering: Synergy between AI and Software Engineering...Tao Xie
 
AzureML TechTalk
AzureML TechTalkAzureML TechTalk
AzureML TechTalkUdaya Kumar
 
Co-evolving changes in a data-intensive software system
Co-evolving changes in a data-intensive software systemCo-evolving changes in a data-intensive software system
Co-evolving changes in a data-intensive software systemTom Mens
 
Model-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software RepositoriesModel-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software RepositoriesMarkus Scheidgen
 
"Hands Off! Best Practices for Code Hand Offs"
"Hands Off! Best Practices for Code Hand Offs""Hands Off! Best Practices for Code Hand Offs"
"Hands Off! Best Practices for Code Hand Offs"Naomi Dushay
 
Proof of Concept for Learning Analytics Interoperability
Proof of Concept for Learning Analytics InteroperabilityProof of Concept for Learning Analytics Interoperability
Proof of Concept for Learning Analytics InteroperabilityOpen Cyber University of Korea
 
Software Requirement Patterns (SRP)
Software Requirement Patterns (SRP)Software Requirement Patterns (SRP)
Software Requirement Patterns (SRP)GESSI UPC
 
Cost Effective Web Application Testing
Cost Effective Web Application TestingCost Effective Web Application Testing
Cost Effective Web Application TestingHari Pudipeddi
 
Cost effective web application testing
Cost effective web application testingCost effective web application testing
Cost effective web application testingHarinath Pudipeddi
 

Similar to Pattern-Oriented Memory Forensics (20)

PhD Projects in Pattern Recognition Research Ideas
PhD Projects in Pattern Recognition Research IdeasPhD Projects in Pattern Recognition Research Ideas
PhD Projects in Pattern Recognition Research Ideas
 
Encom presentation ( Research Group)
Encom presentation ( Research Group)Encom presentation ( Research Group)
Encom presentation ( Research Group)
 
Pattern-Driven Software Diagnostics: An Introduction
Pattern-Driven Software Diagnostics: An IntroductionPattern-Driven Software Diagnostics: An Introduction
Pattern-Driven Software Diagnostics: An Introduction
 
Mindtrek 2015 - Tampere Finland
Mindtrek 2015 - Tampere Finland Mindtrek 2015 - Tampere Finland
Mindtrek 2015 - Tampere Finland
 
Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)
 
Prov4J: A Semantic Web Framework for Generic Provenance Management
Prov4J: A Semantic Web Framework for Generic Provenance Management Prov4J: A Semantic Web Framework for Generic Provenance Management
Prov4J: A Semantic Web Framework for Generic Provenance Management
 
#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...
#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...
#Interactive Session by Vivek Patle and Jahnavi Umarji, "Empowering Functiona...
 
Intelligent Software Engineering: Synergy between AI and Software Engineering...
Intelligent Software Engineering: Synergy between AI and Software Engineering...Intelligent Software Engineering: Synergy between AI and Software Engineering...
Intelligent Software Engineering: Synergy between AI and Software Engineering...
 
AzureML TechTalk
AzureML TechTalkAzureML TechTalk
AzureML TechTalk
 
Co-evolving changes in a data-intensive software system
Co-evolving changes in a data-intensive software systemCo-evolving changes in a data-intensive software system
Co-evolving changes in a data-intensive software system
 
Model-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software RepositoriesModel-based Analysis of Large Scale Software Repositories
Model-based Analysis of Large Scale Software Repositories
 
20180126 microsoft ai on healthcare
20180126 microsoft ai on healthcare20180126 microsoft ai on healthcare
20180126 microsoft ai on healthcare
 
"Hands Off! Best Practices for Code Hand Offs"
"Hands Off! Best Practices for Code Hand Offs""Hands Off! Best Practices for Code Hand Offs"
"Hands Off! Best Practices for Code Hand Offs"
 
Linux Driver and Embedded Developer with Android Course Content & Highlights
Linux Driver and Embedded Developer with Android Course Content & HighlightsLinux Driver and Embedded Developer with Android Course Content & Highlights
Linux Driver and Embedded Developer with Android Course Content & Highlights
 
Proof of Concept for Learning Analytics Interoperability
Proof of Concept for Learning Analytics InteroperabilityProof of Concept for Learning Analytics Interoperability
Proof of Concept for Learning Analytics Interoperability
 
Software Requirement Patterns (SRP)
Software Requirement Patterns (SRP)Software Requirement Patterns (SRP)
Software Requirement Patterns (SRP)
 
Guru_poster
Guru_posterGuru_poster
Guru_poster
 
Phd
PhdPhd
Phd
 
Cost Effective Web Application Testing
Cost Effective Web Application TestingCost Effective Web Application Testing
Cost Effective Web Application Testing
 
Cost effective web application testing
Cost effective web application testingCost effective web application testing
Cost effective web application testing
 

More from Dmitry Vostokov

Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesDmitry Vostokov
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesDmitry Vostokov
 

More from Dmitry Vostokov (20)

Accelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slidesAccelerated Windows Debugging 3 training public slides
Accelerated Windows Debugging 3 training public slides
 
Accelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slidesAccelerated .NET Memory Dump Analysis training public slides
Accelerated .NET Memory Dump Analysis training public slides
 
Debugging TV Frame 0x1C
Debugging TV Frame 0x1CDebugging TV Frame 0x1C
Debugging TV Frame 0x1C
 
Debugging TV Frame 0x1A
Debugging TV Frame 0x1ADebugging TV Frame 0x1A
Debugging TV Frame 0x1A
 
Debugging TV Frame 0x34
Debugging TV Frame 0x34Debugging TV Frame 0x34
Debugging TV Frame 0x34
 
Debugging TV Frame 0x33
Debugging TV Frame 0x33Debugging TV Frame 0x33
Debugging TV Frame 0x33
 
Debugging TV Frame 0x31
Debugging TV Frame 0x31Debugging TV Frame 0x31
Debugging TV Frame 0x31
 
Debugging TV Frame 0x25
Debugging TV Frame 0x25Debugging TV Frame 0x25
Debugging TV Frame 0x25
 
Debugging TV Frame 0x24
Debugging TV Frame 0x24Debugging TV Frame 0x24
Debugging TV Frame 0x24
 
Debugging TV Frame 0x21
Debugging TV Frame 0x21Debugging TV Frame 0x21
Debugging TV Frame 0x21
 
Debugging TV Frame 0x20
Debugging TV Frame 0x20Debugging TV Frame 0x20
Debugging TV Frame 0x20
 
Debugging TV Frame 0x19
Debugging TV Frame 0x19Debugging TV Frame 0x19
Debugging TV Frame 0x19
 
Debugging TV Frame 0x18
Debugging TV Frame 0x18Debugging TV Frame 0x18
Debugging TV Frame 0x18
 
Debugging TV Frame 0x17
Debugging TV Frame 0x17Debugging TV Frame 0x17
Debugging TV Frame 0x17
 
Debugging TV Frame 0x16
Debugging TV Frame 0x16Debugging TV Frame 0x16
Debugging TV Frame 0x16
 
Debugging TV Frame 0x15
Debugging TV Frame 0x15Debugging TV Frame 0x15
Debugging TV Frame 0x15
 
Debugging TV Frame 0x14
Debugging TV Frame 0x14Debugging TV Frame 0x14
Debugging TV Frame 0x14
 
Debugging TV Frame 0x13
Debugging TV Frame 0x13Debugging TV Frame 0x13
Debugging TV Frame 0x13
 
Debugging TV Frame 0x12
Debugging TV Frame 0x12Debugging TV Frame 0x12
Debugging TV Frame 0x12
 
Debugging TV Frame 0x11
Debugging TV Frame 0x11Debugging TV Frame 0x11
Debugging TV Frame 0x11
 

Recently uploaded

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2WSO2
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024VictoriaMetrics
 
WSO2CON 2024 - Building a Digital Government in Uganda
WSO2CON 2024 - Building a Digital Government in UgandaWSO2CON 2024 - Building a Digital Government in Uganda
WSO2CON 2024 - Building a Digital Government in UgandaWSO2
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2
 
WSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2
 
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!WSO2
 
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next IntegrationWSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next IntegrationWSO2
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNeo4j
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2
 
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdfAzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdfryanfarris8
 
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...WSO2
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2
 

Recently uploaded (20)

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2Driving Innovation: Scania's API Revolution with WSO2
Driving Innovation: Scania's API Revolution with WSO2
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
WSO2CON 2024 - Building a Digital Government in Uganda
WSO2CON 2024 - Building a Digital Government in UgandaWSO2CON 2024 - Building a Digital Government in Uganda
WSO2CON 2024 - Building a Digital Government in Uganda
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
WSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration Tooling
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
 
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
 
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next IntegrationWSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
 
Novo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMsNovo Nordisk: When Knowledge Graphs meet LLMs
Novo Nordisk: When Knowledge Graphs meet LLMs
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdfAzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
 
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
 

Pattern-Oriented Memory Forensics

  • 1. Memory Forensics Dmitry Vostokov Software Diagnostics InstituteFacebook LinkedIn Twitter Presented at VolgaCTF, Russia Inter-Regional Inter-University Open Computer Security Contest www.volgactf.ru
  • 2. Forensics A discipline studying past structure and behavior. © 2014 Software Diagnostics Institute
  • 3. Memory Forensics A discipline studying past structure and behavior in acquired computer memory. © 2014 Software Diagnostics Institute
  • 4. We Have A Problem  Proliferation of computer architectures, operating systems, and tools  Different memory analysis narratives  Need to measure analysis quality © 2014 Software Diagnostics Institute
  • 5. Solution  Empirical patterns  A pattern language  Pattern orientation © 2014 Software Diagnostics Institute
  • 6. Forensic Pattern A common recurrent identifiable set of indicators (signs) together with a set of recommendations to apply in a specific context. © 2014 Software Diagnostics Institute
  • 7. Memory Forensics revised A discipline studying past structure and behavior of software in acquired memory using pattern- oriented analysis methodology. © 2014 Software Diagnostics Institute
  • 8. Software Forensics Software execution artefacts Memory forensics © 2014 Software Diagnostics Institute
  • 9. Software Forensics A discipline studying past structure and behavior of software in execution artifacts using systemic and pattern-oriented analysis methodologies. © 2014 Software Diagnostics Institute
  • 10. Structure and Behavior  Memory snapshots (dumps)  Traces and logs  Source code  Digital data (media) © 2014 Software Diagnostics Institute
  • 11. Diagnostics and Forensics Diagnostics (present and past) Forensics (past) Prognostics (future) © 2014 Software Diagnostics Institute
  • 12. Software Diagnostics A discipline studying signs of software structure and behavior in software execution artifacts (such as memory dumps, software and network traces and logs) using systemic and pattern-oriented analysis methodologies. © 2014 Software Diagnostics Institute
  • 13. Forensic Analysis Patterns Software Diagnostics Patterns Software Forensic Analysis Patterns © 2014 Software Diagnostics Institute Memory Forensic Analysis Patterns
  • 14. A Pattern Language  The same detection and analysis language for different computer architectures, operating systems, and tools  The same memory analysis narratives  Measured analysis quality  Predicting unknown © 2014 Software Diagnostics Institute
  • 15. Pattern Orientation 1. Pattern-driven  Finding patterns in memory  Using checklists and pattern catalogs 2. Pattern-based  Pattern catalogue evolution  Catalog packaging and delivery © 2014 Software Diagnostics Institute
  • 16. Structural Memory Patterns … Memory Region Region Boundary Anchor Region Linked List Value References Regular Data String Value Small Value Data Structure … Main Pattern Catalogues Memory Analysis Patterns … Wait Chain Execution Residue Spiking Thread Local Buffer Overflow Shared Buffer Overwrite Dynamic Memory Corruption … © 2014 Software Diagnostics Institute Malware Analysis Patterns … Raw Pointer String Hint Out-of-Module Pointer Hooksware Hidden Process Deviant Module Namespace … Disassembly, Deconstruction, Reversing Patterns Memory Acquisition Patterns
  • 17. Pattern Classification … Dynamic Memory Corruption Patterns Stack Overflow Patterns Stack Trace Patterns Symbol Patterns Exception Patterns Meta-Memory Dump Patterns Module Patterns Optimization Patterns Thread Patterns Process Patterns … © 2014 Software Diagnostics Institute
  • 18. Memory Acquisition Patterns http://www.dumpanalysis.org/memory-acquisition-patterns Structural space patterns … Process Memory Dump Kernel memory Dump Physical Memory Dump Fiber Bundle Dump … © 2014 Software Diagnostics Institute Acquisition strategy patterns … External Dump Self Dump Conditional Dump Dump Sequence …
  • 19. ADDR Patterns http://www.dumpanalysis.org/addr-patterns … Potential Functionality Function Skeleton Function Call Call Path Local Variable Static Variable Pointer Dereference Function Prologue Function Epilogue Variable Initialization © 2014 Software Diagnostics Institute Memory Copy Call Prologue Call Parameter Call Epilogue Call Result Control Path Function Parameter Structure Field Last Call …
  • 20. Pattern Implementation  By OS vendor (Windows, Mac OS X, Linux, …)  By tool (WinDbg, Volatility, IDA, GDB, LLDB, …)  By CPU architecture (x86, x64, ARM, …)  By digital media (memory, volume, file, blob, …) © 2014 Software Diagnostics Institute
  • 21. Pattern-Driven Analysis Memory Checklists Patterns Action © 2014 Software Diagnostics Institute  Pattern Pattern Pattern  Pattern  Pattern 1. Tool-specific checklist: http://www.dumpanalysis.org/windows- memory-analysis-checklist 2. Pattern catalogue checklists: http://dumpanalysis.org
  • 22. Pattern-Based Analysis Memory New Pattern Discovery Pattern Catalog + Usage © 2014 Software Diagnostics Institute
  • 24. Native Memory Forensics Using native OS debuggers such as WinDbg from Debugging Tools for Windows or GDB (Linux) or GDB/LLDB (Mac OS X). © 2014 Software Diagnostics Institute
  • 25. Practical Examples WinDbg session… © 2014 Software Diagnostics Institute
  • 26. Patterns for Example A  Tampered Dump  Exception Stack Trace  Stored Exception  Lateral Damage  Execution Residue  Hidden Exception  NULL Data Pointer © 2014 Software Diagnostics Institute
  • 27. Patterns for Example B  Heap Corruption  Stack Trace Collection  RIP Stack Trace  Hooksware  Patched Code  Hidden Module  Deviant Module  String Hint  Fake Module  No Component Symbols  Namespace © 2014 Software Diagnostics Institute
  • 28. Example C Pattern correspondence  Process Dump  Physical (Complete) Dump  Kernel Dump © 2014 Software Diagnostics Institute
  • 29. Further Reading (Patterns)  The Timeless Way of Building (by Christopher Alexander)  A Pattern Language: Towns, Buildings, Construction (by Christopher Alexander, et al.) © 2014 Software Diagnostics Institute
  • 30. Further Reading (MDA)  Cloud Memory Dump Analysis  Fundamentals of Physical Memory Analysis  Victimware  Pattern-Oriented Software Forensics  Debugging TV © 2014 Software Diagnostics Institute
  • 31. Further Reading (SD)  Software Diagnostics Institute  Pattern-Driven Software Diagnostics  Systemic Software Diagnostics  Pattern-Based Software Diagnostics  Philosophy of Software Diagnostics © 2014 Software Diagnostics Institute
  • 32. Current Reference © 2014 Software Diagnostics Institute Memory Dump Analysis Anthology: 7 volumes + 3 colour volumes Volume 8 is planned for 2015/2016
  • 33. Forthcoming Transcript © 2014 Software Diagnostics Institute Pattern-Oriented Memory Forensics: A Pattern Language Approach (ISBN: 9781908043764)
  • 34. Forthcoming Reference © 2014 Software Diagnostics Institute A Pattern Language for Software Diagnostics, Forensics, and Prognostics: Memory, Traces, Deconstruction (10 volumes)
  • 35. Q&A Please send your feedback using the contact form on DumpAnalysis.org © 2014 Software Diagnostics Institute
  • 36. Thank you for attendance! Facebook LinkedIn Twitter © 2014 Software Diagnostics Institute