EmilTan
Team Lead, Co-Founder
http://edgis-security.org
@EdgisSecurity
Introduction to Memory Analysis

Agenda
- What can you find in the memory?
- Why perform memory analysis?
- Tools to perform memory acquisition
- Tools to perform memory analysis
- Memory analysis demonstration using Mandiant Redline™
- Memory analysis for forensics investigation
What can you find in the memory?
- The state of the machine
- Processes and threads (including hidden processes)
- Network connections (sockets, IP addresses, domain names, ports)
- Hardware and software configuration
- Event logs
- Windows registry keys
- And many more
  - Encryption keys, passwords, caches, clipboards, etc.
- It’s a rich data source!
Referenced:
SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response
Content FOR 508.2: Incident Response & Memory Analysis – Slide 6
Why perform memory analysis?
- It’s a rich data source
- Understand the state of the machine
- Behavioural analysis of users, attackers, processes
- Best place to look for traces of malicious activity
  - Find malware (including rootkits!)
  - Difficult for an attacker to clean traces from memory
  - Malware needs to be unpacked to be executed
  - Data not found on the hard disk (e.g. memory-only malware, network activity)
Referenced:
SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response
Content FOR 508.2: Incident Response & Memory Analysis – Slide 7
Tools to perform memory acquisition
- MoonSols DumpIt (Windows x86 and x64)
- MoonSols Windows Memory Toolkit
- Mandiant Redline™
- Virtual machines (snapshots / save states)
  - VMware (.vmem)
  - Microsoft Hyper-V (.bin)
  - Parallels (.mem)
  - VirtualBox (.sav)... Not quite.
Referenced:
SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response
Content FOR 508.2: Incident Response & Memory Analysis – Slide 14, 17
Tools to perform memory analysis
- String searching (e.g. grep)
  - But you can’t inspect memory based on its structure that way
- Mandiant Redline™
- Mandiant Memoryze™
- Volatility
- Internet Evidence Finder (IEF)
- F-Response
- HBGary Responder
- Volafox
- Second Look®
Referenced:
SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response
Content FOR 508.2: Incident Response & Memory Analysis – Slide 22 – 25
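The slide's point about grep is that a byte pattern can match anywhere, inside a log string as easily as inside a kernel structure, whereas structure-aware tools locate a record by its tag or pool header, unpack the fields around it and discard hits that make no sense. The following Python is an added illustration (not code from the slides, SANS or any of the tools listed): it builds a constructed "memory image" with a toy record layout (`PROC` tag, pid, ppid, name, create time; invented for this example, nothing like a real `_EPROCESS`) and contrasts a grep-style search with a tag scan that validates what it unpacks.

```python
import re
import struct
from dataclasses import dataclass

# Constructed toy record layout used only for this illustration. Real Windows
# _EPROCESS layouts are version specific and come from debug symbols; the
# scanning idea (find a tag, unpack what follows, sanity-check it) is the same.
PROC_TAG = b"PROC"
PROC_FMT = "<4sII16sQ"                  # tag, pid, ppid, name, create_time
PROC_SIZE = struct.calcsize(PROC_FMT)   # 36 bytes


@dataclass
class ProcRecord:
    offset: int
    pid: int
    ppid: int
    name: str
    create_time: int


def build_sample_image() -> bytes:
    """Constructed 'memory image': two process records surrounded by junk, a log
    string that merely mentions svchost.exe, and a stray tag with nothing valid
    behind it."""
    def rec(pid: int, ppid: int, name: str, ts: int) -> bytes:
        return struct.pack(PROC_FMT, PROC_TAG, pid, ppid,
                           name.encode().ljust(16, b"\0"), ts)

    return (
        b"\x00" * 64
        + rec(604, 512, "services.exe", 1700000000)
        + b"junk " * 8
        + b"[log] started svchost.exe -k netsvcs\x00"   # text, not a structure
        + rec(812, 604, "svchost.exe", 1700000010)
        + b"\xff" * 32
        + PROC_TAG + b"\0" * (PROC_SIZE - 4)             # tag followed by zeros
    )


def grep_hits(image: bytes, needle: bytes) -> list:
    """What a grep-style search gives you: byte offsets of a pattern, with no
    idea whether the hit sits inside a kernel structure or in free text."""
    return [m.start() for m in re.finditer(re.escape(needle), image)]


def scan_records(image: bytes) -> list:
    """Structure-aware scan: find every tag, unpack the fields that follow it and
    keep only records that pass sanity checks (the approach pool-tag scanners
    such as Volatility's psscan take against real kernel structures)."""
    found = []
    for off in grep_hits(image, PROC_TAG):
        if off + PROC_SIZE > len(image):
            continue
        _, pid, ppid, raw_name, ts = struct.unpack_from(PROC_FMT, image, off)
        name = raw_name.rstrip(b"\0").decode("ascii", errors="replace")
        if pid == 0 or not name or not name.isprintable():
            continue                      # a tag with no plausible record behind it
        found.append(ProcRecord(off, pid, ppid, name, ts))
    return found


if __name__ == "__main__":
    img = build_sample_image()
    print("grep hits for svchost.exe:", grep_hits(img, b"svchost.exe"))
    for r in scan_records(img):
        print(f"0x{r.offset:06x} pid={r.pid} ppid={r.ppid} {r.name}")
```

Run stand-alone, the grep search reports two offsets for `svchost.exe` (one of them inside the log string), while the tag scan returns exactly the two process records with their parent relationship and drops the dangling tag whose pid field is zero.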
Processes
- Unidentifiable processes and threads
  - File path
  - Parent process
  - Parameters / arguments
  - SID
  - Start time
  - Malware Rating Index
- Looking into: process objects
  - DLLs
  - Handles
  - Threads
  - Memory sections
  - Sockets
Referenced:
SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response
Content FOR 508.2: Incident Response & Memory Analysis – Slide 49, 51
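The attributes the slide lists (file path, parent process, arguments, start time) are what an analyst compares against a "know normal" baseline to spot a process that should not exist. As an added example, not from the slides or any tool named on them, the Python below runs those checks over a constructed process listing in the shape a pslist-style output takes. The baseline dictionary is a deliberately short, hypothetical subset (expected parent, expected folder, single-instance flag) for three core Windows processes; a real one would be built from a known-good host of the same build.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str       # image path as the listing tool reports it
    cmdline: str
    start: str      # ISO-8601 UTC timestamp; sorts correctly as a string


# Hypothetical, deliberately short baseline of what "normal" looks like for a few
# core Windows processes: (expected parent, expected folder, single instance?).
BASELINE = {
    "services.exe": ("wininit.exe", r"c:\windows\system32", True),
    "lsass.exe":    ("wininit.exe", r"c:\windows\system32", True),
    "svchost.exe":  ("services.exe", r"c:\windows\system32", False),
}


def triage(procs):
    """Return (pid, reason) findings for processes that deviate from BASELINE."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        rule = BASELINE.get(p.name.lower())
        if rule is None:
            continue
        want_parent, want_folder, _ = rule
        parent = by_pid.get(p.ppid)
        got_parent = parent.name.lower() if parent else "<not running>"
        if got_parent != want_parent:
            findings.append((p.pid, f"parent is {got_parent}, expected {want_parent}"))
        if not p.path.lower().startswith(want_folder):
            findings.append((p.pid, f"image path {p.path} is outside {want_folder}"))
        if parent and p.start < parent.start:
            findings.append((p.pid, "start time precedes its parent's (PID reuse or spoofed parent)"))
        if p.name.lower() == "svchost.exe" and "-k " not in p.cmdline.lower():
            findings.append((p.pid, "svchost.exe started without a -k service group"))
    counts = Counter(p.name.lower() for p in procs)
    for name, (_, _, single) in BASELINE.items():
        if single and counts[name] > 1:
            findings.append((None, f"{counts[name]} instances of {name}, expected 1"))
    return findings


# Constructed listing; pids 2244 and 2300 are planted anomalies.
SAMPLE = [
    Proc(4,    0,    "System",       "",                                  "",                       "2024-05-01T09:00:00"),
    Proc(368,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe",     "smss.exe",               "2024-05-01T09:00:03"),
    Proc(500,  368,  "wininit.exe",  r"C:\Windows\System32\wininit.exe",  "wininit.exe",            "2024-05-01T09:00:05"),
    Proc(604,  500,  "services.exe", r"C:\Windows\System32\services.exe", "services.exe",           "2024-05-01T09:00:06"),
    Proc(620,  500,  "lsass.exe",    r"C:\Windows\System32\lsass.exe",    "lsass.exe",              "2024-05-01T09:00:06"),
    Proc(812,  604,  "svchost.exe",  r"C:\Windows\System32\svchost.exe",  "svchost.exe -k netsvcs", "2024-05-01T09:00:07"),
    Proc(1800, 1700, "explorer.exe", r"C:\Windows\explorer.exe",          "explorer.exe",           "2024-05-01T09:05:00"),
    Proc(2244, 1800, "svchost.exe",  r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "svchost.exe", "2024-05-01T10:15:00"),
    Proc(2300, 500,  "lsass.exe",    r"C:\Windows\System32\lsass.exe",    "lsass.exe",              "2024-05-01T08:59:00"),
]


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE):
        print(pid, reason)
```

The svchost.exe at pid 2244 trips three rules at once (wrong parent, wrong folder, no `-k` group), the second lsass.exe is caught both by its start time preceding its parent's and by the single-instance rule, and every genuine system process passes. Processes with no baseline entry (System, explorer.exe) are simply skipped, which is the correct behaviour for a rule set this small.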
Network Connections
- Sockets
- IP addresses
- Ports
- Processes
Referenced:
SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response
Content FOR 508.2: Incident Response & Memory Analysis – Slide 72
Code injection
- Code injection is evil!
- DLL injection
- Process hollowing
Referenced:
SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response
Content FOR 508.2: Incident Response & Memory Analysis – Slide 74
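Both techniques on this slide leave marks in a process's memory map that a memory image preserves: injected code typically lives in private memory that is both writable and executable, and a hollowed process no longer has its image base backed by the executable its process object names. The Python below is an added example (not from the slides, SANS, Redline or Volatility) of those two checks over constructed memory maps; the `Region` and `ProcMem` records are hypothetical stand-ins for what a VAD or memory-section listing reports, and the protection strings follow Volatility's naming.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Region:
    start: int
    size: int
    protect: str                  # as Volatility prints it, e.g. PAGE_EXECUTE_READWRITE
    mapped_file: Optional[str]    # backing file for image/section mappings, None for private memory
    first_bytes: bytes = b""      # first bytes of the region, if readable


@dataclass
class ProcMem:
    pid: int
    name: str
    image_path: str               # executable the process object claims to run
    image_base: int
    regions: List[Region] = field(default_factory=list)


def injection_indicators(p: ProcMem):
    """Return (pid, address, reason) findings for one process's memory map."""
    findings = []
    # Indicator 1 (malfind-style): private memory that is both writable and
    # executable. Code loaded normally from disk lives in image mappings, so an
    # RWX private region, especially one starting with an MZ header, is where
    # injected code or a manually mapped DLL tends to sit.
    for r in p.regions:
        if r.mapped_file is None and r.protect == "PAGE_EXECUTE_READWRITE":
            reason = "private RWX region"
            if r.first_bytes.startswith(b"MZ"):
                reason += " starting with an MZ header (unmapped PE image)"
            findings.append((p.pid, hex(r.start), reason))
    # Indicator 2 (process hollowing): the region at the image base should be an
    # image mapping backed by the same executable the process object names. A
    # hollowed process has had that mapping replaced with private memory, or
    # with a mapping of a different file.
    base = next((r for r in p.regions if r.start == p.image_base), None)
    if base is None or base.mapped_file is None:
        findings.append((p.pid, hex(p.image_base), "image base is not backed by a file mapping"))
    elif base.mapped_file.lower() != p.image_path.lower():
        findings.append((p.pid, hex(p.image_base),
                         f"image base backed by {base.mapped_file}, process claims {p.image_path}"))
    return findings


# Constructed memory maps: a clean notepad.exe and a hollowed-looking svchost.exe.
CLEAN = ProcMem(3104, "notepad.exe", r"C:\Windows\System32\notepad.exe", 0x7ff600000000, [
    Region(0x7ff600000000, 0x40000, "PAGE_EXECUTE_WRITECOPY", r"C:\Windows\System32\notepad.exe", b"MZ"),
    Region(0x7ffa00000000, 0x1f0000, "PAGE_EXECUTE_WRITECOPY", r"C:\Windows\System32\ntdll.dll", b"MZ"),
    Region(0x1a2b0000, 0x100000, "PAGE_READWRITE", None),            # ordinary heap
])
SUSPECT = ProcMem(2244, "svchost.exe", r"C:\Windows\System32\svchost.exe", 0x7ff700000000, [
    Region(0x7ff700000000, 0x20000, "PAGE_EXECUTE_READWRITE", None, b"MZ"),   # hollowed image base
    Region(0x7ffa00000000, 0x1f0000, "PAGE_EXECUTE_WRITECOPY", r"C:\Windows\System32\ntdll.dll", b"MZ"),
    Region(0x02c40000, 0x3000, "PAGE_EXECUTE_READWRITE", None, b"\x55\x48\x89\xe5"),  # private RWX with code-like bytes
])


if __name__ == "__main__":
    for proc in (CLEAN, SUSPECT):
        for finding in injection_indicators(proc):
            print(proc.name, *finding)
```

The clean process produces no findings because its only private region is a non-executable heap, while the suspect one yields three: the hollowed image base is reported both as a private RWX region holding a PE header and as an image base with no file mapping, and the small RWX region is flagged on its own. Such regions are what the "Process and drivers acquisition" step on a later slide would dump for closer inspection.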
Further analysis
- Process and driver acquisition
- Scanning engines
- Analysis sandboxes
- Static and dynamic malware analysis
Referenced:
SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response
Content FOR 508.2: Incident Response & Memory Analysis – Slide 102
Indicators of Compromise
- Experience
- OpenIOC
- Create signatures
Memory analysis for forensics investigation
- Memory acquisition may change the state of evidence, but...
- Memory is a rich data source!
- Hash the acquired memory file during initial acquisition
Acquire all kinds of evidence even if you do not have the capabilities to analyse them now.
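Hashing the dump as soon as it is written is what lets every later copy be tied back to what was actually collected, which matters precisely because the act of acquiring memory already disturbs the live system. As an added example (not from the slides or any acquisition tool), the Python below hashes an image in chunks, writes a sidecar record, and verifies a copy against it; the `<image>.sha256.json` sidecar convention and the record fields are this example's own choices, and the image contents are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024   # memory images run to gigabytes; never read them in one go


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path: str, examiner: str, tool: str) -> dict:
    """Hash the image right after acquisition and write a sidecar JSON record
    (the hypothetical <image>.sha256.json convention used in this example)."""
    record = {
        "file": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "tool": tool,
    }
    with open(image_path + ".sha256.json", "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_acquisition(image_path: str) -> bool:
    """True when the image still matches the size and digest recorded at acquisition."""
    with open(image_path + ".sha256.json") as f:
        record = json.load(f)
    return (os.path.getsize(image_path) == record["size"]
            and sha256_file(image_path) == record["sha256"])


def demo() -> tuple:
    """Constructed run: a small stand-in for a memory image is recorded, verified,
    then altered by two bytes and verified again. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "host01.raw")
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"MZ" + b"\x90" * 2048)   # constructed contents
        record_acquisition(img, "examiner-placeholder", "acquisition-tool-placeholder")
        before = verify_acquisition(img)
        with open(img, "r+b") as f:          # simulate a copy that was modified
            f.seek(4096)
            f.write(b"XX")
        after = verify_acquisition(img)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The size check is deliberately separate from the digest: a truncated copy fails fast without a full re-hash, and the record carries who acquired the image and with what, so the sidecar doubles as the first entry in the chain of custody.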
References
- Don’t Pull the Plug: Windows Memory Analysis & Forensics by Rob Lee
- FOR 508 – Advanced Computer Forensics Analysis & Incident Response
  - 508.2 Memory Analysis for Incident Response by Rob Lee & Chad Tilbury
- 3 Phases of Malware Analysis by Lenny Zeltser
SANS Digital Forensics & Incident Response Curriculum
More Resources
- SANS Computer Forensics: http://computer-forensics.sans.org/
- SANS Memory Forensics Cheat Sheet v1.0 (Pocket Reference Guide)