This document discusses memory forensics and the Volatility framework. It begins by distinguishing memory forensics from disk forensics and explaining why memory forensics is needed to analyze skilled attackers and advanced malware that aim to avoid disk artifacts. It then provides an overview of Volatility capabilities for analyzing processes, network connections, code injection techniques, and decrypting software-based encryption keys from memory captures. It emphasizes that memory forensics can recover important evidence that is never written to disk.

1. Session ID:
Session Classification:
Andrew Case
The Volatility Project
HTA-W22
Advanced
Memory Forensics:
Defeating Disk Encryption,
Skilled Attackers, and
Advanced Malware

2. ► Showcase the power of memory forensics
► Distinguish memory forensics from disk forensics
► Show why live forensics is futile and should be replaced
with offline memory forensics
Purpose of This Presentation

3. ► Memory forensics is the analysis of captures (samples)
of physical memory (RAM) for artifacts relevant to an
investigation
► Requires modeling of the operating system’s data
structures and algorithms offline in order to recreate
state at the time of the capture
What is Memory Forensics?

4. ► Traditional forensics only looks at disk images
► This misses information never written to disk
► Network connections, memory allocations, running processes,
open file lists, and much more
► Skilled attackers know to avoid the disk and securely
clean up any on-disk artifacts
Why We *Need* Memory Forensics

5. ► Malware can trivially defeat live analysis
► Live analysis is running tools built into the OS to gather volatile
data (the general sysadmin/IR response)
► Malware can lie to any and all userland and even in-kernel tools
► Advanced malware only operates in memory
► Never touches the disk, all network traffic encrypted
► Good luck without memory forensics!
Why Cont.

6. Volatility

7. ► Most popular memory analysis framework
► Open source, written in Python
► Supports Windows {XP, Vista, 7, 2003, 2008} x86/x64
► Supports Linux on Intel and ARM (Android)
► Supports Mac 10.5.x-10.8.x x86/x64
► Allows for analysis plugins to be easily written
► Used daily in real forensics investigations
Volatility

8. ► A profile is set of vtypes and (optionally) symbol
addresses that are used to model a particular OS
version
► This is what allows Volatility plugins to be generic to all
the different versions of Windows, Linux, Mac, etc
Volatility Terminology - Profiles

9. ► Address spaces are used to translate virtual addresses
into physical offsets
► Intel x86, x86 PAE, x86-64
► ARM
► They also prevent the need to convert all memory
captures to a linear format
► Crash dumps
► Hibernation files
► VMware vmss
► Lime
► Mac Memory Reader
► More…
Volatility Terminology – Address Spaces

10. ► List and recover processes, network connections,
drivers, file systems, and much more
► Detect malware in both userland and the kernel
► We will be using Volatility to recover artifacts throughout
the presentation
Volatility Capabilities

11. Investigating
Advanced
Malware

12. ► Determine system effects
► Uncover processes, network connections, drivers, etc
that are “hidden” by malware
► Acquire the unpacked/unencrypted malware in memory
Malware Analysis Capabilities

13. ► A running system builds a process list by using APIs that
eventually traverse the PsActiveProcessHead list
► This logic is performed by the pslist plugin
► Rootkits break processes from this list to hide themselves
► Pool scanning for EPROCESS structures can find these
hidden processes
► This is performed in the psscan plugin
► POC rootkits exist to defeat this by pool header tampering
Finding (Hidden) Processes

14. ► Volatility’s psxview plugin can detect all known process
hiding techniques by enumerating from many sources
► A number of these sources are not documented except for in
Volatility
Finding (Hidden) Processes Cont.

15. $ python vol.py -f ds_fuzz_hidden_proc.img psxview
Volatile Systems Volatility Framework 2.3_alpha
Offset(P) Name PID pslist psscan thrdproc pspcdid csrss session deskthrd
---------- ---------------- ------ ------ ------ -------- ------- ----- ------- -------
0x01a2b100 winlogon.exe 620 True True True True True True True
0x01a3d360 svchost.exe 932 True True True True True True True
0x018a13c0 VMwareService.e 1756 True True True True True True True
0x018e75e8 spoolsv.exe 1648 True True True True True True True
0x019dbc30 lsass.exe 684 True True True True True True True
0x0184e3a8 wscntfy.exe 560 True True True True True True True
0x018af860 VMwareTray.exe 1896 True True True True True True True
0x01a4bc20 network_listene 1696 False False True True True True True
0x01843b28 wuauclt.exe 1372 True True True True True True True
0x01a59d70 svchost.exe 844 True True True True True True True
[snip]
psxview Output

16. ► Each process has three lists that track its loaded DLLs
► Process explorer and other live tools focus on one of the
lists (load order)
► Malware commonly breaks this list to avoid detection
► Flame is a popular and high-profile example [2]
► ldrmodules cross references the three lists with VAD
information for mapped files
Hiding Loaded DLLs

17. $ python vol.py -f flame.raw -p 912 ldrmodules
Volatile Systems Volatility Framework 2.1_alpha
Pid Process Base InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
912 services.exe 0x7c900000 True True True WINDOWSsystem32ntdll.dll
912 services.exe 0x7c9c0000 False False False WINDOWSsystem32shell32.dll
[snip]
ldrmodules Detecting Flame

18. ► malfind looks for pages with suspicious protection bits
set (e.g. RWX)
► The following code injection/hiding techniques are all
detected by malfind:
► Remote Library Injection
► Remote Shellcode Injection
► Reflective DLL loading
Detecting Common Code Hiding Techniques

19. $ python vol.py -f stuxnet.vmem malfind
Process: lsass.exe Pid: 868 Address: 0x80000
Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE
Flags: Protection: 6
0x00080000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x00080010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x00080020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00080030 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 ................
Malfind Detecting Stuxnet

20. Metasploit’s Reflective VNC Loader

21. ► Technique:
► Overwrite the beginning of API functions in order to redirect
control flow
► Allows the malware to hide virtually any data from userland tools
and even some in-kernel monitors
► The apihooks plugin detects API hooks
► Performs static analysis on the beginning instructions of
functions
API Hooking

22. Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1176 (lsass.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9af000)
Function: ntdll.dll!ZwQuerySection at 0x7c90d8b0
Hook address: 0x980a02
Hooking module: <unknown>
Disassembly(0):
0x7c90d8b0 b8020a9800 MOV EAX, 0x980a02
0x7c90d8b5 ffe0 JMP EAX
0x7c90d8b7 03fe ADD EDI, ESI
0x7c90d8b9 7fff JG 0x7c90d8ba
0x7c90d8bb 12c2 ADC AL, DL
0x7c90d8bd 1400 ADC AL, 0x0
0x7c90d8bf 90 NOP
0x7c90d8c0 b8a8000000 MOV EAX, 0xa8
0x7c90d8c5 ba DB 0xba
0x7c90d8c6 0003 ADD [EBX], AL
apihooks - Duqu

23. ► The binaries (.exe, .dll, .sys, etc) involved with malicious
processes and drivers can be dumped to disk for
analysis
► Volatility can also be used to acquire the unpacked
version of malware samples from memory
► Run sample, take memory capture, acquire executable
Dumping Processes to Disk

24. ► Instead of actively hooking functions in the kernel to
determine when certain events occur, there is a much
safer, passive option
► You can "register" a function to be called by the system
► Every time the event occurs, your function is called
Kernel Callbacks

25. ► Process related
► Activated on process/thread creation, executable loading, etc
► Used to inject DLL into processes on startup and to stop
processes from starting
► Used by Mebroot, BlackEnergy, Rustock, TDL
► File system
► Activated on new file system registration
► TDL3 infects MBR and uses callback to know when FS is
mounted
► Stuxnet uses to attach to device stack to hide its files
Malware Targeted Callbacks

26. ► Bugcheck
► Activated when machine is crashing (BSOD, crash dumping
being written)
► Rustock.C cleans itself from memory before a crash dump is
written
► Sinowal ensures the MBR is still infected before shutting down
after a BSOD
► Registry
► Activated on modifications to the registry, the callback can
monitor, block, or modify the operation
► Malware uses to prevent persistence methods inside the registry
(run keys, etc) from being modified/deleted
Targeted Callbacks Cont.

27. Skilled Attackers

28. ► Besides malware, we also want to recover actions
performed directly by attackers
► Most of the artifacts used to recover this data are not written to
disk
► Volatility has many capabilities for this purpose that span
across its supported operating systems
► We will discuss capabilities not covered in the malware
section
Skilled Attackers

29. ► cmdscan/consoles
► Plugins that can recover both the input and output of cmd.exe
sessions
► bash_history/bash_hash
► Plugins that can recover commands entered on a system and
when they were entered as well as the number of times each
binary was executed
Attacker Keyboard Input/Interaction

30. ► List files/handles opened by each process on a system
► Determine which files, processes, registry keys, IPC
data, etc were being interacted with by a process
► On Linux socket handles are just file descriptors
Opened Handles/Files

31. ► Can recover loaded kernel drivers
► Can uncover “hidden” drivers through a combination of
memory scanning and cross-referencing
► Windows
► modules & modscan
► Linux
► linux_lsmod & linux_check_modules
Kernel Drivers/Modules

32. ► Can list both active connections (e.g. recreate netstat
output) as well locate previously terminated network
connection structures
► On Linux we can also recover previously sent and
received packets and trace them to their owning process
Network Connections

33. ► Volatility can recover filesystem information from
memory including both metadata and file contents
► Windows - mftparser
► Recovers and parses the MFT for every active NTFS file system
► Output includes metadata for all files and contents for resident
files
► Linux – linux_find_file
► Parses any standard (non-stacked) file system from memory and
dumps the file system to disk
► tmpfs (/dev/shm) lives only in memory!
File systems in Memory

34. ► Volatility can recover privileges assigned to a process
► Help determine what level of access the attacker and/or
malware gained on your system
Process Privileges

35. Grrcon: What type of
access did the attacker
gain?

36. Android Malware
in Memory

37. ► Nearly all Android malware involves userland Android
applications
► These are powered by Dalvik, the Android application
virtual machine
► Memory analysis of Dalvik leads to recovery of deep
application state information
Android Malware in Memory

38. ► Volatility has the ability to locate, parse, and report all
information from Dalvik instances:
► Native types
► Collections
► Classes
► Static and instance members (types and values)
► Methods
Dalvik Memory Analysis

39. ► Dalvik analysis is much simpler…
► All variables and methods must be tracked by Dalvik
► Direct analysis of Dalvik bypasses malware’s
obfuscation attempts
► No malware has been found that modifies Dalvik internals
► Technically possibly from native code, but extremely difficult to
do anything complex
Dalvik vs Native Analysis

40. Software-Based
Encryption

41. ► All major software encryption systems store encryption
keys in memory
► The key is used to decrypt file data being read and
encrypt file data being written
► Memory forensics can recover these keys
Software-Based Encryption

42. ► The following have tools and techniques published to
recover keys from memory:
► Truecrypt
► BitLocker
► FileVault2 (Mac)
► Luks & dm-crypt (Linux, Android)
Volume Encryption

43. ► The following have tools and techniques published to
recover keys from memory:
► PGP
► Truecrypt Containers
► <<A number of enterprise/commercial tools>>
File-Based Encryption

44. ► The protected media must be currently or very recently
accessed/mounted for the key to be in memory
► Closed-source projects require reversing both of the in-
memory key-storage and on-disk format
► Already done for Bitlocker and FileVault2
Limitations of Key Recovery

45. ► Memory forensics recovers a wealth of evidence that is
never stored to disk and is essential to many
investigations
► Live forensics processes are outdated and trivially
defeated/lied to by malware
► Modern malware avoids disk completely
► Will never find it if you pull the plug!
► The pain of encryption can be eased with memory
forensics
Conclusion

46. ► Contact:
► andrew@memoryanalysis.net
► @attrc
► Volatility:
► http://volatility-labs.blogspot.com/
► @volatility
Questions/Comments?

47. [1] http://code.google.com/p/volatility/
[2] http://mnin.blogspot.com/2012/06/quickpost-flame-volatility.html
References