Successfully reported this slideshow.
Your SlideShare is downloading. ×

Memory forensic analysis (aashish)

Dec. 08, 2010
3 likes 1,796 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Malware's Most Wanted (MMW): Backoff POS Malware
Malware's Most Wanted (MMW): Backoff POS Malware
Loading in …3
×

Check these out next

PPT FOR IDBSDDS SCHEMES
Sahithi Naraparaju
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
PROIDEA
Cyber Security
Gururaj H L
Identity based proxy-oriented data uploading and remote data integrity checki...
Shakas Technologies
Cryptography summary
Ni
Identity based proxy-oriented data uploading and
Kamal Spring
CNIT 121: 11 Analysis Methodology
Sam Bowne
Identity based proxy-oriented data uploading and remote data integrity checki...
Finalyearprojects Toall
1 of 21 Ad

Memory forensic analysis (aashish)

Dec. 08, 2010
3 likes 1,796 views

Download to read offline

Technology
Technology
Advertisement

Recommended

Malware's Most Wanted (MMW): Backoff POS Malware
Cyphort
1.5k views
29 slides
BO2K Byline
Condition Zebra (CONZebra)
188 views
3 slides
Key Management
Gururaj H L
45 views
49 slides
Enterprise Documents Secure and On the Go
Rob Bogue
90 views
41 slides
CNIT 121: 2 IR Management Handbook
Sam Bowne
1.8k views
43 slides
How to secure electronic passports
Riscure
678 views
31 slides
Ppt
Nidhi Bansal
62 views
25 slides
Defcon 18 "Hacking Electronic Door Access Controllers"
shawn_merdinger
924 views
35 slides
Advertisement

More Related Content

Slideshows for you (9)

PPT FOR IDBSDDS SCHEMES
Sahithi Naraparaju
852 views
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
PROIDEA
116 views
Cyber Security
Gururaj H L
165 views
Identity based proxy-oriented data uploading and remote data integrity checki...
Shakas Technologies
383 views
Cryptography summary
Ni
150 views
Identity based proxy-oriented data uploading and
Kamal Spring
38 views
CNIT 121: 11 Analysis Methodology
Sam Bowne
964 views
Identity based proxy-oriented data uploading and remote data integrity checki...
Finalyearprojects Toall
929 views
Tokenization on the Node - Data Protection for Security and Compliance
Ulf Mattsson
2k views
PPT FOR IDBSDDS SCHEMES
Sahithi Naraparaju
852 views
42 slides
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
PROIDEA
116 views
40 slides
Cyber Security
Gururaj H L
165 views
62 slides
Identity based proxy-oriented data uploading and remote data integrity checki...
Shakas Technologies
383 views
5 slides
Cryptography summary
Ni
150 views
2 slides
Identity based proxy-oriented data uploading and
Kamal Spring
38 views
7 slides

Similar to Memory forensic analysis (aashish) (20)

Introduction to Memory Analysis
Emil Tan
776 views
Basic malware analysis
Cysinfo Cyber Security Community
490 views
Power of logs: practices for network security
Information Technology Society Nepal
390 views
Intro2 malwareanalysisshort
Vincent Ohprecio
633 views
Log Mining: Beyond Log Analysis
Anton Chuvakin
20.6k views
Analysis of digital evidence
rakesh mishra
5.1k views
Open Source Forensics
CTIN
4.3k views
Hunting malware via memory forensics
Sriram Krishnan
82 views
Novetta Cyber Analytics
Novetta
1k views
Finding attacks with these 6 events
Michael Gough
8.8k views
Automated production of predetermined digital evidence
Animesh Lochan
374 views
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
drewz lin
2k views
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
guestc0c304
268 views
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
Anton Chuvakin
2.9k views
Key logger,Why? and How to prevent Them?
Bibek Sharma
1.4k views
Latest presentation
Adetunji Adeoje
2.1k views
Bsides Tampa Blue Team’s tool dump.
Alexander Kot
140 views
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
securityxploded
9.5k views
Digital Forensics
Vikas Jain
3.6k views
Anti-Forensic Rootkits
amiable_indian
3.1k views
Introduction to Memory Analysis
Emil Tan
776 views
20 slides
Basic malware analysis
Cysinfo Cyber Security Community
490 views
33 slides
Power of logs: practices for network security
Information Technology Society Nepal
390 views
37 slides
Intro2 malwareanalysisshort
Vincent Ohprecio
633 views
172 slides
Log Mining: Beyond Log Analysis
Anton Chuvakin
20.6k views
41 slides
Analysis of digital evidence
rakesh mishra
5.1k views
30 slides
Advertisement

More from ClubHack (20)

India legal 31 october 2014
ClubHack
2.9k views
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
ClubHack
1.8k views
Cyber Insurance
ClubHack
1.5k views
Summarising Snowden and Snowden as internal threat
ClubHack
1.4k views
Fatcat Automatic Web SQL Injector by Sandeep Kamble
ClubHack
2.5k views
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
1.6k views
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
ClubHack
3.4k views
Smart Grid Security by Falgun Rathod
ClubHack
3k views
Legal Nuances to the Cloud by Ritambhara Agrawal
ClubHack
2.3k views
Infrastructure Security by Sivamurthy Hiremath
ClubHack
3.6k views
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
ClubHack
1.3k views
Hacking and Securing iOS Applications by Satish Bomisstty
ClubHack
3.6k views
Critical Infrastructure Security by Subodh Belgi
ClubHack
1.7k views
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
ClubHack
1.6k views
XSS Shell by Vandan Joshi
ClubHack
3.8k views
Clubhack Magazine Issue February 2012
ClubHack
769 views
ClubHack Magazine issue 26 March 2012
ClubHack
731 views
ClubHack Magazine issue April 2012
ClubHack
9.8k views
ClubHack Magazine Issue May 2012
ClubHack
1.3k views
ClubHack Magazine – December 2011
ClubHack
1.7k views
India legal 31 october 2014
ClubHack
2.9k views
84 slides
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
ClubHack
1.8k views
63 slides
Cyber Insurance
ClubHack
1.5k views
12 slides
Summarising Snowden and Snowden as internal threat
ClubHack
1.4k views
24 slides
Fatcat Automatic Web SQL Injector by Sandeep Kamble
ClubHack
2.5k views
22 slides
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
1.6k views
42 slides

Recently uploaded (20)

Virtual Azure Community Day - Workloads de búsqueda full-text Azure Search.pptx
Luis775803
0 views
suma de pseint
maxifranco1
0 views
Towards Responsible AI - KC.pptx
Luis775803
0 views
Gaseous Control Techniques , Lecture 10, Fuel Technology2, (Week 14).pptx
ShakeelAhmad816993
0 views
GAIB Philippines - Tailoring OpenAI’s GPT-3 to suit your specific needs.pptx
Luis775803
0 views
Inductance Calculation by Rohit Damodaran
Anto Sujesh
0 views
Power BI Summit 2023 - Embedding PowerBI reports in .NET MAUI mobile apps.pptx
Luis775803
0 views
ALTERNATIVE FUELS.pdf
ShakeelAhmad816993
0 views
Fuel Energizer, Lecture 04, Fuel Technology, (Week 08).pptx
ShakeelAhmad816993
0 views
Towards Responsible AI - Global AI Student Conference 2022.pptx
Luis775803
0 views
Fuel Additives, Lecture 02, Fuel Tech-ll.pdf
ShakeelAhmad816993
0 views
Azure Synapse LInk
nnakasone
0 views
CSC437-Fall2013-Module-7-Firewalls-IDS.pdf
ssuser1f1964
0 views
Applied Thermo, Lecture-01.pptx
ShakeelAhmad816993
0 views
Untangling the Grid: 201
Kerim Baran
0 views
AI for Accessibility.pptx
Luis775803
0 views
TVL - BPP11 - Q2 - M7.pdf
ArviSuan2
0 views
Fuel Additives, Lecture 02, Fuel Tech-ll.pptx
ShakeelAhmad816993
0 views
Energy from Waste, Lecture 09, Fuel Technology2, (Week 11).pptx
ShakeelAhmad816993
0 views
GAIB Germany - Tailoring OpenAI’s GPT-3 to suit your specific needs.pptx
Luis775803
0 views
Virtual Azure Community Day - Workloads de búsqueda full-text Azure Search.pptx
Luis775803
0 views
34 slides
suma de pseint
maxifranco1
0 views
1 slide
Towards Responsible AI - KC.pptx
Luis775803
0 views
45 slides
Gaseous Control Techniques , Lecture 10, Fuel Technology2, (Week 14).pptx
ShakeelAhmad816993
0 views
17 slides
GAIB Philippines - Tailoring OpenAI’s GPT-3 to suit your specific needs.pptx
Luis775803
0 views
44 slides
Inductance Calculation by Rohit Damodaran
Anto Sujesh
0 views
1 slide
Advertisement

Memory forensic analysis (aashish)

  1. 1. Windows Memory Forensic Analysis -- Aashish Kunte Club Hack 2010
  2. 2. Security Incident <ul><li>A secured company’s network gets a port 5548 traffic on the Null (SinkHole) Router ! </li></ul><ul><li>The activity seems to be a suspicious Service Scan ! </li></ul><ul><li>Source Computer is a Windows Web Server …. </li></ul>
  3. 3. Security Incident Response <ul><li>Set of procedures to examine a computer security incident . </li></ul><ul><li>The process involves figuring out what was happened </li></ul><ul><li>Helps mitigate security risk through proactive measures and world-class defensive tactics </li></ul>
  4. 4. Digital Forensics <ul><li>In depth Analysis & Complex Techniques </li></ul><ul><li>The goal of computer forensics is to explain the current state of a digital artifact </li></ul><ul><li>The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events. </li></ul>
  5. 5. Technique <ul><li>Preparation </li></ul><ul><li>Acquisition </li></ul><ul><li>Enumeration </li></ul><ul><li>Analysis </li></ul><ul><li>Recovery </li></ul><ul><li>Presentation </li></ul>
  6. 6. Windows Memory <ul><li>live activities from the contents of RAM on a Windows Machine. </li></ul><ul><li>During a post-mortem analysis: specifically encrypted, compressed or hidden processes. </li></ul><ul><li>RAM constituted &quot;electronically stored information&quot; under rule 34(a) of the Federal Rules of Civil Procedure. </li></ul>
  7. 7. What Information ??? <ul><li>Processes </li></ul>Open Files & Registry Handles Network Information Passwords & Cryptographic Keys Unencrypted Content Hidden Data Malicious Code DLL’s
  8. 8. Analysis Sit Back … … Relax !!
  9. 9. <ul><li>How Volatile Memory Works ? </li></ul>
  10. 10. <ul><li>Acquisition of Windows Memory </li></ul><ul><li>Volatile Memory Organized ? </li></ul>
  11. 11. <ul><li>Processes </li></ul><ul><li>What is Process Memory ? </li></ul><ul><li>Process Enumeration </li></ul>
  12. 12. <ul><li>How to find Suspicious Files </li></ul><ul><li>and Suspicious Keys ? </li></ul><ul><li>Open Files </li></ul><ul><li>Windows Registry </li></ul><ul><li>Loaded DLL’s </li></ul>Video : HBGary Responder Pro & Digital DNA -identifying malware
  13. 13. <ul><li>Network Information </li></ul><ul><li>Why from Volatile Memory ? </li></ul><ul><li>Open Sockets </li></ul><ul><li>Open Ports </li></ul><ul><li>Open TCP Connections </li></ul>
  14. 14. <ul><li>What the heck is VAD Tree ? </li></ul>
  15. 15. <ul><li>Passwords and Encryption Keys </li></ul><ul><li>SSDT </li></ul>Video : To find out Passwords and Encryption Keys from Windows Memory Video : To Analyze SSDT using : Python and Volatility Framework
  16. 16. <ul><li>Anti-Forensic Attack (DKOM) </li></ul>
  17. 17. <ul><li>Static & Dynamic Analysis </li></ul><ul><li>Reverse Engineering </li></ul><ul><li>Files of Unknown Origin </li></ul>
  18. 18. Quick Bites <ul><li>Suspicious Log Entries </li></ul><ul><li>Suspicious Processes and Services </li></ul><ul><li>Suspicious Files and Registry Keys </li></ul><ul><li>Suspicious Network Usage </li></ul><ul><li>Suspicious Scheduled Tasks </li></ul><ul><li>Suspicious Accounts </li></ul>
  19. 19. Tools <ul><li>Basic Tools </li></ul><ul><li>Memdump, KnTTools </li></ul><ul><li>FATKit </li></ul><ul><li>WMFT </li></ul><ul><li>Procenum </li></ul><ul><li>Idetect </li></ul><ul><li>The Volatility Framework </li></ul><ul><li>VAD Tools </li></ul><ul><li>Commercial Tools </li></ul><ul><li>Memoryze </li></ul>
  20. 20. Future
  21. 21. Questions ??? Club Hack 2010

Editor's Notes

  • Introduction :
  • Here is a story of an incident handled in an Ideal scenario. A Global company has a controlled and secured computing environment. They have adopted many security best practices into their operations. This company has a Null (Sinkhole) Router, which means all the non-routable IP traffic will end up @ this router. After a detailed analysis of the sinkhole router it is observed that there is some suspicious activity going on… the behavioral pattern shows activity from a particular geographical location… several PC’s were trying to access sequentially numbered unused IP addresses…. Traffic looks like source port 0 and destination port 5548. Digging deep and deeper into the logs there was a windows web server who was also generating similar type of traffic. When we went to the SOC team we found that the server running with latest Patches / Antivirus / End Point Protection / HIPS Server logs monitored / reviewed regularly. Server is not showing any of misbehavior or Performance Issues. Server Contains PII’s and SPII’s with Confidential Information stored. (Slide Time Duration 3 Mins)
  • Now this particular situation is an unusual behavior or suspicious event. Any un-usual event within an organization can be serious Incident. As an essential and critical control, Ideal Company will have an Incident Response Plan where the Incident Handling guidelines will be in place with a proper IR Methodology. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker’s presence, and recover in a secure fashion. NIST has a detailed guideline for creating and running an incident response team. Business Benefits : Provides on demand security expertise on preparing for and responding to incidents Provides comprehensive risk mitigation support Stops attacks in progress to mini-mize their impact Improves incident response preparedness Performs forensics to find and prose-cute perpetrators Provides access to early-warning security intelligence (Slide Time Duration 2 Mins)
  • We need to apply an in depth analysis using complex techniques. Forensics is the application of a particular science to the law. Digital Forensics is a branch of forensic science on all sides of the recovery and investigation of material found in digital devices, often in relation to computer crime. Investigations often take one of three forms; forensic analysis (where evidence is recovered to support or oppose a hypothesis before a criminal court), eDiscovery (a form of discovery related to civil litigation) or intrusion investigation (which is a specialist investigation into the nature and extent of an unauthorized network intrusion). Investigations are much broader in scope than other areas of forensic analysis (where the usual aim is to provide answers to a series of simpler questions) often relating to complex time-lines or hypothesis. Computer forensics is an expansive and fast-moving field. New and evolving technologies such as cellular phones, personal digital assistants (PDAs), as well as new and ever-changing operating systems and file systems all require in-depth analysis to determine how best to extract information pertinent to an investigation. In addition, techniques for performing forensics on both new and existing technologies are constantly in development. Many techniques are complex and time-consuming, requiring training and specialized tools. Distinct areas of research and development have emerged within the overarching theme of forensics. (Slide Time Duration 2/3 Mins)
  • The Forensic Incident Response Methodology… (Slide Time Duration 2 Mins)
  • Value of Windows Memory Forensic Analysis : Applying a straightforward analysis, she noted the advisory committee comment that the rule applies to information &amp;quot;that is fixed in a tangible form and to information that is stored in a medium from which it can be retrieved and examined,&amp;quot; and that the rule &amp;quot;is expansive and includes any type of information that is stored electronically,&amp;quot; and &amp;quot;is intended to be broad enough to cover all current types of computer-based information.&amp;quot; RAM and FRCP 34 Lock Horns http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1182848788454 (Slide Time Duration 3 Mins)
  • Information Treasure available In Memory. (Slide Time Duration 4 Mins)
  • (Slide Time Duration 1 Mins)
  • Memory Basics. Ok. Let me add a small diagram here … and let me grow a little bit here … so that its visible to everyone … I picked up some of these pictures from one of the very interesting and presentation on windows memory forensics with volatility framework, written by a German computer forensic geek Mr. Andreas Schuster. Physical memory is divided into so called “pages”. Allocated virtual memory is mapped onto physical memory page by page. The same page of physical memory can appear at different locations within the same address space or in different address spaces. Data can be moved from physical memory into a page file to clear some space. Alright, now moving on to the important kernel structures, Mr. Mariusz Burdach who owns the secure.net has explained this portion in detail, I have picked up only few here however I suggest you go thru his papers and Black Hat Presentations to understand the concepts better. Here the EPROCESS BLOCK that is the executive process block is very interesting and important kernel structure that contains mainly the KPROCESS BLOCK or kernel process block, ETHREAD or executive thread block, ACCESS_TOKEN &amp; SIDs the Process Environment Block, The VAD or Virtual Address descriptor… One interesting thing about VAD Walking is… it can reveal a wealth of information! We are going to discuss this VAD tree in detail. Handle Table, Creation Time … This is another important kernel structure. Then there is Data Section Control Area that includes Page Frames. And Finally the PFN Database this has the page frame numbers stored. Now lets look @ the relations between structures… this picture explains EPROCESS Block and the relations between other kernel objects. We can clearly derive a one way connection between EPROCESS / ETHREAD and SSDT. Bi-Directional connection between Page Frame Numbers and Page Tables … We are going to discuss in detail the importance of this PFN and the Page Tables towards end of Analysis Phase. Let me allow you to have a closer look @ the diagram.
  • Acquisition in detail
  • Process Enumeration and Analysis in detail.
  • Detailed Analysis for Open Files and Windows Registry. Video : HBGary Responder Pro &amp; Digital DNA -identifying malware http://www.youtube.com/watch?v=zKX8HUkLDtM Duration : 4 Mins
  • Detailed Description on Network Information from Memory This information is similar to NETSTAT output … but that can be trojanized to give false or modified output … however pulling the Network Information directly from Live Memory dump using the data structures themselves, it becomes much harder for an attacker to hide their listening backdoor or connection to their home server from which they have a control …
  • VAD is nothing but a Virtual Address Descriptor... Processes are stored in Windows in a VAD Tree. This tree describes memory ranges used by currently-running processes, and allows a process’s virtual address space to be reconstructed. Let me try and grow this Image a bit… you will observe the starting point as VAD ROOT That connects VAD Node / Control Area and the Object table that contains File Object. One of the structures in the VAD tree is called an object table, which lists the private objects that are in use by a process – these can be files, registry keys, and events. The memory-mapped files associated with each process can be recovered by walking the VAD tree and pulling out the objects of interest – in this case files, but potentially other objects as well. There is also an area of memory called the “Control Area” that maintains links between file names and the file data stored in the pages; if this area is still present the file name can often be recovered as well. In-depth coverage of this topic you can start with the very interesting paper named Forensic Memory Analysis : Files mapped in memory by Van Baar et.al. and a book named Windows Internals. VAD Tree becomes useful for many reasons – most information associated with a process can be found by walking the VAD Tree. In particular, it is possible to recover all the memory-mapped files associated with specific processes using VAD Tree.
  • Video : To find out Passwords and Encryption Keys from Windows Memory Duration: 2 Mins Video : To understand SSDT and Analyse SSDT using Python and Volatility Framework Duration : 2 Mins
  • Detailed Description
  • Advanced Forensic Techniques
  • Quick information on Incident Detection / Verification (Slide Time Duration 3 Mins)
  • Elaborated Discussion on Each Tool and Specialty of the tool as appropriate results. (Slide Time Duration 3 Mins)
  • Digital Forensics / Security Incident Response is going to play a significant role in India with more maturity and advanced techniques such as Cloud Forensics/Mobile Device Forensics and to cope up with Anti-Forensic attack by adopting innovative techniques with latest technology updates &amp;quot; The Future can be Clouds... but we need to keep our feet on ground with Facts and some common sense&amp;quot; (Slide Time Duration 1 Mins)
  • (Slide Time Duration 10 Mins)

×