This document discusses memory forensics and the Volatility framework. It begins by distinguishing memory forensics from disk forensics and explaining why memory forensics is needed to analyze skilled attackers and advanced malware that aim to avoid disk artifacts. It then provides an overview of Volatility capabilities for analyzing processes, network connections, code injection techniques, and recovering software-based encryption keys from memory captures. It emphasizes that memory forensics can recover important evidence that is never written to disk.
1. Session ID: HTA-W22
Session Classification: Advanced
Andrew Case
The Volatility Project
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced Malware
2. Purpose of This Presentation
► Showcase the power of memory forensics
► Distinguish memory forensics from disk forensics
► Show why live forensics is futile and should be replaced with offline memory forensics
3. What is Memory Forensics?
► Memory forensics is the analysis of captures (samples) of physical memory (RAM) for artifacts relevant to an investigation
► Requires modeling of the operating system’s data structures and algorithms offline in order to recreate state at the time of the capture
4. Why We *Need* Memory Forensics
► Traditional forensics only looks at disk images
► This misses information never written to disk
  ► Network connections, memory allocations, running processes, open file lists, and much more
► Skilled attackers know to avoid the disk and securely clean up any on-disk artifacts
5. Why Cont.
► Malware can trivially defeat live analysis
  ► Live analysis is running tools built into the OS to gather volatile data (the general sysadmin/IR response)
  ► Malware can lie to any and all userland and even in-kernel tools
► Advanced malware only operates in memory
  ► Never touches the disk, all network traffic encrypted
  ► Good luck without memory forensics!
7. Volatility
► Most popular memory analysis framework
► Open source, written in Python
► Supports Windows {XP, Vista, 7, 2003, 2008} x86/x64
► Supports Linux on Intel and ARM (Android)
► Supports Mac 10.5.x-10.8.x x86/x64
► Allows for analysis plugins to be easily written
► Used daily in real forensics investigations
8. Volatility Terminology - Profiles
► A profile is a set of vtypes and (optionally) symbol addresses that are used to model a particular OS version
► This is what allows Volatility plugins to be generic to all the different versions of Windows, Linux, Mac, etc
9. Volatility Terminology – Address Spaces
► Address spaces are used to translate virtual addresses into physical offsets
  ► Intel x86, x86 PAE, x86-64
  ► ARM
► They also prevent the need to convert all memory captures to a linear format
  ► Crash dumps
  ► Hibernation files
  ► VMware vmss
  ► Lime
  ► Mac Memory Reader
  ► More…
10. Volatility Capabilities
► List and recover processes, network connections, drivers, file systems, and much more
► Detect malware in both userland and the kernel
► We will be using Volatility to recover artifacts throughout the presentation
12. Malware Analysis Capabilities
► Determine system effects
► Uncover processes, network connections, drivers, etc that are “hidden” by malware
► Acquire the unpacked/unencrypted malware in memory
13. Finding (Hidden) Processes
► A running system builds a process list by using APIs that eventually traverse the PsActiveProcessHead list
  ► This logic is performed by the pslist plugin
► Rootkits break processes from this list to hide themselves
► Pool scanning for EPROCESS structures can find these hidden processes
  ► This is performed in the psscan plugin
  ► POC rootkits exist to defeat this by pool header tampering
14. Finding (Hidden) Processes Cont.
► Volatility’s psxview plugin can detect all known process hiding techniques by enumerating from many sources
  ► A number of these sources are not documented except for in Volatility
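The cross-referencing idea behind slides 13 and 14, as an added example that is not Volatility's own code: each source (the linked-list walk, the pool scan, the thread scan, the PID table) reports what it sees, and a process missing from some sources but present in others is the signature worth chasing. The source names follow psxview's columns; the sightings themselves are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    pid: int
    name: str
    offset: int  # physical offset of the EPROCESS; the stable identity of a process


# Constructed sample data (not from a real capture): what four independent
# sources might each report for one memory image. pslist walks the
# PsActiveProcessHead linked list, psscan pool-scans for EPROCESS blocks,
# thrdproc collects the owning process of every thread found by scanning,
# and pspcid walks the PspCidTable handle table. PID 1337 is present in
# every source except the linked list, the signature of DKOM unlinking.
# PID 2088 is seen only by the pool scan: typical of a terminated process
# whose pool block has not yet been reused.
_LIVE = [
    Sighting(4, "System", 0x01A2B000),
    Sighting(624, "svchost.exe", 0x01B00000),
    Sighting(1520, "explorer.exe", 0x01C40000),
]
_UNLINKED = Sighting(1337, "rtkt.exe", 0x01D10000)
_DEAD = Sighting(2088, "notepad.exe", 0x01E00000)

SOURCES = {
    "pslist": _LIVE,
    "psscan": _LIVE + [_UNLINKED, _DEAD],
    "thrdproc": _LIVE + [_UNLINKED],
    "pspcid": _LIVE + [_UNLINKED],
}


def cross_reference(sources):
    """Build {offset: {"pid", "name", "seen": {source: bool}}} covering every
    process any source reports. Keying on the EPROCESS offset rather than
    the PID means a reused PID cannot merge two different processes."""
    table = {}
    for src, sightings in sources.items():
        for s in sightings:
            row = table.setdefault(
                s.offset,
                {"pid": s.pid, "name": s.name, "seen": {k: False for k in sources}},
            )
            row["seen"][src] = True
    return table


def classify(table):
    """Map PID -> verdict. A process every source agrees on is fine; one that
    only the pool scan found is most likely terminated; anything else that
    is missing from some source, above all from pslist, deserves a look.
    Pool-header tampering (the POC rootkits on slide 13) would blind the
    pool scan too, which is why more than two sources are consulted."""
    verdicts = {}
    for row in table.values():
        seen = row["seen"]
        others = [v for k, v in seen.items() if k != "psscan"]
        if all(seen.values()):
            verdicts[row["pid"]] = "ok"
        elif seen["psscan"] and not any(others):
            verdicts[row["pid"]] = "likely terminated"
        else:
            verdicts[row["pid"]] = "possibly hidden"
    return verdicts


def report(sources):
    """Return (pid, name, missing_sources) for every process with a gap."""
    out = []
    for row in cross_reference(sources).values():
        missing = sorted(k for k, v in row["seen"].items() if not v)
        if missing:
            out.append((row["pid"], row["name"], missing))
    return sorted(out)
```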
16. Hiding Loaded DLLs
► Each process has three lists that track its loaded DLLs
► Process Explorer and other live tools focus on one of the lists (load order)
► Malware commonly breaks this list to avoid detection
  ► Flame is a popular and high-profile example [2]
► ldrmodules cross references the three lists with VAD information for mapped files
18. Detecting Common Code Hiding Techniques
► malfind looks for pages with suspicious protection bits set (e.g. RWX)
► The following code injection/hiding techniques are all detected by malfind:
  ► Remote Library Injection
  ► Remote Shellcode Injection
  ► Reflective DLL loading
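The heuristic behind slide 18, as an added example that is not malfind's own code: walk a process's VAD entries, keep only private memory with execute-and-write protection, and separate regions that carry a PE header from regions that carry other code. The `Vad` record and the sample regions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vad:
    start: int
    end: int
    protection: str             # protection recorded in the VAD, e.g. "PAGE_EXECUTE_READWRITE"
    private: bool               # private (anonymous) memory rather than a mapped file/section
    mapped_file: Optional[str]  # backing file for mapped sections, None for private memory
    first_bytes: bytes          # first bytes of the region as read from the capture


EXEC_WRITE = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


def flag_region(vad):
    """Return a short reason if the region matches the heuristics, else None."""
    if vad.protection not in EXEC_WRITE:
        return None
    if not vad.private or vad.mapped_file is not None:
        # Image sections are EXECUTE_WRITECOPY by design; a DLL mapped
        # through the loader is ldrmodules' business, not this scan's.
        return None
    if vad.first_bytes[:2] == b"MZ":
        return "private RWX region starting with a PE header (DLL loaded without the loader)"
    if not vad.first_bytes.strip(b"\x00"):
        # Committed but never written: a JIT or heap region that happens
        # to be RWX. Noise rather than evidence, so it is dropped.
        return None
    return "private RWX region with code-like content (possible shellcode)"


def malfind(vads):
    """(start, reason) for every region the heuristics flag."""
    hits = []
    for v in vads:
        reason = flag_region(v)
        if reason:
            hits.append((v.start, reason))
    return hits


# Constructed sample VADs for one process (not taken from a real image).
SAMPLE = [
    Vad(0x00400000, 0x0045FFFF, "PAGE_EXECUTE_WRITECOPY", False, "\\Windows\\explorer.exe", b"MZ\x90\x00"),
    Vad(0x001E0000, 0x001FFFFF, "PAGE_READWRITE", True, None, b"\x00" * 16),
    Vad(0x002A0000, 0x002AFFFF, "PAGE_EXECUTE_READWRITE", True, None, b"MZ\x90\x00\x03\x00"),
    Vad(0x003C0000, 0x003C0FFF, "PAGE_EXECUTE_READWRITE", True, None, b"\x55\x8b\xec\x83\xec\x10"),
    Vad(0x004D0000, 0x004DFFFF, "PAGE_EXECUTE_READWRITE", True, None, b"\x00" * 16),
]
```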
21. API Hooking
► Technique:
  ► Overwrite the beginning of API functions in order to redirect control flow
  ► Allows the malware to hide virtually any data from userland tools and even some in-kernel monitors
► The apihooks plugin detects API hooks
  ► Performs static analysis on the beginning instructions of functions
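The static check slide 21 describes, as an added example that is not the apihooks plugin itself: decode the first instruction of each exported function and report it when that instruction transfers control outside the module that owns the function. Only inline hooks on x86 are covered (jmp rel32, push/ret, short jmp); the module ranges, export addresses and prologue bytes are constructed.

```python
import struct
from dataclasses import dataclass


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


def decode_transfer(code, addr):
    """Destination of an unconditional transfer at the start of `code`
    (which is loaded at `addr`), or None if the first instruction is not
    one. Covers the three patterns inline hooks most often use on x86:
    E9 rel32 (jmp), 68 imm32 / C3 (push; ret) and EB rel8 (short jmp)."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 2 and code[0] == 0xEB:
        rel = struct.unpack_from("<b", code, 1)[0]
        return (addr + 2 + rel) & 0xFFFFFFFF
    return None


def owner(modules, addr):
    for m in modules:
        if m.contains(addr):
            return m
    return None


def check_hooks(modules, exports):
    """exports: (module_name, func_name, address, first_bytes) per function.
    Returns (module, func, target, owner_of_target_or_None) for each function
    whose first instruction leaves its own module. A target backed by no
    module at all is the strongest signal: unbacked executable memory."""
    by_name = {m.name: m for m in modules}
    hits = []
    for mod_name, func, addr, code in exports:
        target = decode_transfer(code, addr)
        if target is None or by_name[mod_name].contains(target):
            continue  # no transfer, or an ordinary intra-module thunk
        dest = owner(modules, target)
        hits.append((mod_name, func, target, dest.name if dest else None))
    return hits


# Constructed sample: two modules and three exports. The last export's first
# instruction now lands at an address backed by no module.
MODULES = [
    Module("ntdll.dll", 0x77D00000, 0x180000),
    Module("kernel32.dll", 0x75A00000, 0x100000),
]
EXPORTS = [
    # mov edi, edi ; push ebp ; mov ebp, esp  (ordinary hot-patchable prologue)
    ("kernel32.dll", "CreateFileW", 0x75A4C000, bytes.fromhex("8bff558bec")),
    # jmp rel32 that stays inside ntdll: a forwarding thunk, not a hook
    ("ntdll.dll", "NtClose", 0x77D2A000, b"\xE9" + struct.pack("<i", 0x1000)),
    # push 0x00210000 ; ret  -> outside every known module
    ("ntdll.dll", "NtQuerySystemInformation", 0x77D2B000,
     b"\x68" + struct.pack("<I", 0x00210000) + b"\xC3"),
]
```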
23. Dumping Processes to Disk
► The binaries (.exe, .dll, .sys, etc) involved with malicious processes and drivers can be dumped to disk for analysis
► Volatility can also be used to acquire the unpacked version of malware samples from memory
  ► Run sample, take memory capture, acquire executable
24. Kernel Callbacks
► Instead of actively hooking functions in the kernel to determine when certain events occur, there is a much safer, passive option
► You can "register" a function to be called by the system
► Every time the event occurs, your function is called
25. Malware Targeted Callbacks
► Process related
  ► Activated on process/thread creation, executable loading, etc
  ► Used to inject DLL into processes on startup and to stop processes from starting
  ► Used by Mebroot, BlackEnergy, Rustock, TDL
► File system
  ► Activated on new file system registration
  ► TDL3 infects MBR and uses callback to know when FS is mounted
  ► Stuxnet uses it to attach to device stack to hide its files
26. Targeted Callbacks Cont.
► Bugcheck
  ► Activated when machine is crashing (BSOD, crash dump being written)
  ► Rustock.C cleans itself from memory before a crash dump is written
  ► Sinowal ensures the MBR is still infected before shutting down after a BSOD
► Registry
  ► Activated on modifications to the registry; the callback can monitor, block, or modify the operation
  ► Malware uses it to prevent persistence methods inside the registry (run keys, etc) from being modified/deleted
28. Skilled Attackers
► Besides malware, we also want to recover actions performed directly by attackers
  ► Most of the artifacts used to recover this data are not written to disk
► Volatility has many capabilities for this purpose that span across its supported operating systems
  ► We will discuss capabilities not covered in the malware section
29. Attacker Keyboard Input/Interaction
► cmdscan/consoles
  ► Plugins that can recover both the input and output of cmd.exe sessions
► bash_history/bash_hash
  ► Plugins that can recover commands entered on a system and when they were entered, as well as the number of times each binary was executed
30. Opened Handles/Files
► List files/handles opened by each process on a system
► Determine which files, processes, registry keys, IPC data, etc were being interacted with by a process
► On Linux socket handles are just file descriptors
31. Kernel Drivers/Modules
► Can recover loaded kernel drivers
► Can uncover “hidden” drivers through a combination of memory scanning and cross-referencing
► Windows
  ► modules & modscan
► Linux
  ► linux_lsmod & linux_check_modules
32. Network Connections
► Can list both active connections (e.g. recreate netstat output) as well as locate previously terminated network connection structures
► On Linux we can also recover previously sent and received packets and trace them to their owning process
33. File systems in Memory
► Volatility can recover filesystem information from memory including both metadata and file contents
► Windows - mftparser
  ► Recovers and parses the MFT for every active NTFS file system
  ► Output includes metadata for all files and contents for resident files
► Linux – linux_find_file
  ► Parses any standard (non-stacked) file system from memory and dumps the file system to disk
  ► tmpfs (/dev/shm) lives only in memory!
34. Process Privileges
► Volatility can recover privileges assigned to a process
► Helps determine what level of access the attacker and/or malware gained on your system
37. Android Malware in Memory
► Nearly all Android malware involves userland Android applications
► These are powered by Dalvik, the Android application virtual machine
► Memory analysis of Dalvik leads to recovery of deep application state information
38. Dalvik Memory Analysis
► Volatility has the ability to locate, parse, and report all information from Dalvik instances:
  ► Native types
  ► Collections
  ► Classes
  ► Static and instance members (types and values)
  ► Methods
39. Dalvik vs Native Analysis
► Dalvik analysis is much simpler…
  ► All variables and methods must be tracked by Dalvik
► Direct analysis of Dalvik bypasses malware’s obfuscation attempts
► No malware has been found that modifies Dalvik internals
  ► Technically possible from native code, but extremely difficult to do anything complex
41. Software-Based Encryption
► All major software encryption systems store encryption keys in memory
  ► The key is used to decrypt file data being read and encrypt file data being written
► Memory forensics can recover these keys
42. Volume Encryption
► The following have tools and techniques published to recover keys from memory:
  ► TrueCrypt
  ► BitLocker
  ► FileVault2 (Mac)
  ► LUKS & dm-crypt (Linux, Android)
43. File-Based Encryption
► The following have tools and techniques published to recover keys from memory:
  ► PGP
  ► TrueCrypt Containers
  ► <<A number of enterprise/commercial tools>>
44. Limitations of Key Recovery
► The protected media must be currently or very recently accessed/mounted for the key to be in memory
► Closed-source projects require reversing both the in-memory key storage and the on-disk format
  ► Already done for BitLocker and FileVault2
45. Conclusion
► Memory forensics recovers a wealth of evidence that is never stored to disk and is essential to many investigations
► Live forensics processes are outdated and trivially defeated/lied to by malware
► Modern malware avoids disk completely
  ► Will never find it if you pull the plug!
► The pain of encryption can be eased with memory forensics