Stop pulling the plug

Understand how essential it is to do memory analysis in order to find evidence that is rarely found anywhere else. This is not copyrighted material; the information included was collected from various sources for educational purposes.

Published in: Technology

  1. Stop Pulling The Plug
  2. Incident Response
     • Preparation
     • Identification and analysis
     • Containment
     • Eradication
     • Recovery
     • Lessons learnt
  3. Why Memory Forensics
     • Everything in the OS traverses RAM
     • Best place to identify malicious software activity
     • Analyze and track recent activity on the system
     • Collect evidence that cannot be found anywhere else
  4. Artifacts that can be found in Memory
     • Processes
     • Logged-in users
     • Drivers
     • Open files
     • Kernel modules
     • Unsaved documents
     • Socket information
     • Live registry hives
     • Passwords
     • Video buffers (screenshots)
     • Crypto passphrases
     • BIOS memory
     • Decrypted files
     • VoIP calls
     • Execution state
     • Malicious code
     • Clipboard material
     • IM chats
     • Network drive buffers
     • Rootkit footprints
  5. Advantages of Memory Forensics
     • Passwords in clear text in memory
     • Programs running
     • Open documents / files
     • Unpacked content of packed programs (packers)
     • Network connections – current and recent
     • Crypto keys (BitLocker, PGP Whole Disk Encryption, TrueCrypt etc.)
     • Command line parameters (DOSKEY/cmd.exe)
  6. The Malware Paradox
     • Malware may be successful at either hiding or executing, but it is nearly impossible to do both!
     • Malware can hide, but it has to execute to be effective.
  7. Memory Forensics
     • Acquisition: executing memory, pagefile, hibernation file
     • Context: find the offset of the needed structures, extract the structures from memory, isolate processes
  8. Memory Analysis Process
     1. Identify rogue processes
     2. Analyze process DLLs and handles
     3. Review network artifacts
     4. Look for evidence of code injection
     5. Check for signs of a rootkit
     6. Dump suspicious processes and drivers
  9. Finding the First Hit: Analyzing Processes
     • Image name
     • Full path
     • Parent process
     • Command line
     • Start time
     • SIDs
  10. Redline
     • Free but not open source
     • Identify rogue processes
       – Was the process started at boot?
       – What user was logged on?
       – Any other suspicious processes?
       – Any further clues / string searches?
     • Explore more
     • What have you collected so far? Binaries / network connections / compromised user accounts... Compare with a live audit on the system
  11. SIFT Forensic Workstation
     Download the SANS SIFT Workstation from http://computer-
  12. Let's start
     • Login "sansforensics"
     • Password "forensics"
     • $ sudo su (elevate privileges to root while mounting disk images)
  13. Volatility
     • Free and open source
     • vol.py -f <image> --profile=<profile> <plugin>
     • export VOLATILITY_LOCATION=file://<filepath>
     • export VOLATILITY_PROFILE=<profile>
     • vol.py -f <image> --profile=<profile> imagecopy -O <image>.img (copy the physical address space out as a raw image, e.g. to convert a hibernation file or crash dump)
  14. It's Show Time
     • Memory analysis using Redline
     • Memory analysis using Volatility
  15. What Next...
     • Volatility registry analysis
     • Memory timelining
  16. References
     • Windows Forensic Analysis Toolkit – Harlan Carvey
     • oad/redline
     • mpleMemoryImages
     • https://http://computer-
  17. THANK YOU
     Kamal Ranjan, Incident Response/Forensic Analyst @ FIS
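Slides 8 to 10 describe the first step of the analysis process, identifying rogue processes by checking image name, full path, parent process, owner SID, start time and instance count against "known normal". The script below is an added example of that triage, not code from the presentation, from Redline or from Volatility. It assumes the process records have already been built from tool output (for example vol.py pslist, cmdline and getsids, or a Redline audit); the sample listing is constructed by hand, and the KNOWN baseline is an illustrative subset of Windows 7+ process genealogy, not an exhaustive one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str    # full image path as reported (empty for the System process)
    user: str    # owner SID resolved to an account name
    start: str   # "YYYY-MM-DD HH:MM:SS" as the tool printed it


# Illustrative subset of Windows 7+ "known normal" (an assumption for this example,
# not an exhaustive baseline): expected parent image, directory the image must live
# in, allowed owners (None = any), single instance?, started at boot?
KNOWN = {
    "smss.exe":     ("system",       "\\system32", {"SYSTEM"}, False, True),
    "csrss.exe":    ("smss.exe",     "\\system32", {"SYSTEM"}, False, True),
    "wininit.exe":  ("smss.exe",     "\\system32", {"SYSTEM"}, True,  True),
    "winlogon.exe": ("smss.exe",     "\\system32", {"SYSTEM"}, False, True),
    "services.exe": ("wininit.exe",  "\\system32", {"SYSTEM"}, True,  True),
    "lsass.exe":    ("wininit.exe",  "\\system32", {"SYSTEM"}, True,  True),
    "svchost.exe":  ("services.exe", "\\system32",
                     {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}, False, False),
    "explorer.exe": ("userinit.exe", "\\windows",  None, False, False),
}
# Parents that normally exit after spawning their children, so their absence
# from a listing of live processes proves nothing.
PARENT_MAY_EXIT = {"smss.exe", "userinit.exe"}
BOOT_GRACE = timedelta(minutes=10)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(procs):
    """Return (pid, name, reason) findings for processes that break 'known normal'."""
    by_pid = {p.pid: p for p in procs}
    counts = {}
    for p in procs:
        counts[p.name.lower()] = counts.get(p.name.lower(), 0) + 1
    system = next((p for p in procs if p.name.lower() == "system"), None)
    boot = parse_time(system.start) if system else None
    findings = []
    for p in procs:
        name = p.name.lower()
        if name not in KNOWN:
            # Unknown image: is it one typo away from a core OS process name?
            for known in KNOWN:
                if name != "system" and edit_distance(name, known) == 1:
                    findings.append((p.pid, p.name, f"name is a look-alike of {known}"))
                    break
            continue
        parent, directory, users, single, at_boot = KNOWN[name]
        actual = by_pid.get(p.ppid)
        if actual is None:
            if parent not in PARENT_MAY_EXIT:
                findings.append((p.pid, p.name, f"parent pid {p.ppid} not in listing, expected {parent}"))
        elif actual.name.lower() != parent:
            findings.append((p.pid, p.name, f"parent is {actual.name} (pid {actual.pid}), expected {parent}"))
        if not p.path.lower().rsplit("\\", 1)[0].endswith(directory):
            findings.append((p.pid, p.name, f"unexpected path {p.path}"))
        if users is not None and p.user not in users:
            findings.append((p.pid, p.name, f"unexpected owner {p.user}"))
        if single and counts[name] > 1:
            findings.append((p.pid, p.name, f"{counts[name]} instances of a single-instance process"))
        if at_boot and boot and parse_time(p.start) - boot > BOOT_GRACE:
            findings.append((p.pid, p.name, f"boot-time process started at {p.start}, long after boot"))
    return findings


# Constructed sample listing (not real tool output): a clean Windows 7 boot plus a
# second lsass.exe dropped in %TEMP% and a look-alike svch0st.exe, both run from explorer.
SAMPLE = [
    Proc(4,    0,    "System",       "",                                           "SYSTEM", "2014-05-10 08:00:00"),
    Proc(272,  4,    "smss.exe",     r"\SystemRoot\System32\smss.exe",             "SYSTEM", "2014-05-10 08:00:01"),
    Proc(360,  352,  "csrss.exe",    r"C:\Windows\System32\csrss.exe",             "SYSTEM", "2014-05-10 08:00:03"),
    Proc(404,  352,  "wininit.exe",  r"C:\Windows\System32\wininit.exe",           "SYSTEM", "2014-05-10 08:00:04"),
    Proc(440,  396,  "winlogon.exe", r"C:\Windows\System32\winlogon.exe",          "SYSTEM", "2014-05-10 08:00:04"),
    Proc(496,  404,  "services.exe", r"C:\Windows\System32\services.exe",          "SYSTEM", "2014-05-10 08:00:05"),
    Proc(504,  404,  "lsass.exe",    r"C:\Windows\System32\lsass.exe",             "SYSTEM", "2014-05-10 08:00:05"),
    Proc(612,  496,  "svchost.exe",  r"C:\Windows\System32\svchost.exe",           "SYSTEM", "2014-05-10 08:00:06"),
    Proc(700,  496,  "svchost.exe",  r"C:\Windows\System32\svchost.exe",           "NETWORK SERVICE", "2014-05-10 08:00:07"),
    Proc(1480, 1456, "explorer.exe", r"C:\Windows\explorer.exe",                   "bob",    "2014-05-10 08:01:00"),
    Proc(2216, 1480, "lsass.exe",    r"C:\Users\bob\AppData\Local\Temp\lsass.exe", "bob",    "2014-05-10 11:42:17"),
    Proc(2300, 1480, "svch0st.exe",  r"C:\Users\bob\AppData\Roaming\svch0st.exe",  "bob",    "2014-05-10 11:43:02"),
]

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE):
        print(f"{pid:>5} {name:<14} {reason}")
```

The legitimate lsass.exe (pid 504) is also reported, because "two instances of a single-instance process" is a property of the listing rather than of one process; the analyst then decides which copy is the impostor from the path, parent and owner findings that attach only to pid 2216. Processes whose parent has legitimately exited (csrss.exe, wininit.exe, explorer.exe) are not flagged, which is why the baseline records which parents normally exit; without that, every Windows listing would be full of noise.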