Welcome to the Live Memory Forensics class!
This is an introduction to live memory forensics
It is designed for the investigator who has digital forensic experience, and who has intermediate ability with the Microsoft Windows operating system
4. Module 1 – Live Memory Basics
Module 2 – Windows Memory Model
Module 3 – Live Memory Acquisition
Module 4 – Introduction to FastDump Pro
Lab 1 – Creating a Memory Dump File using FDPro
Module 5 – Webmail Investigation
Lab 2 – Creating a New Physical Memory Snapshot
Project
Lab 3 – Webmail Investigation
5. What is live memory?
How to recognize it?
How does it work?
How is it organized?
6. What is Live Memory?
Live memory is the random access memory
(99.99999% of the time) used by the CPU to store
data and programs that it manipulates.
There are different types of memory…
7. Types of Memory used?
RAM (random-access memory): This is the main
memory. RAM is volatile memory, which means that
it requires power and refresh to maintain its
contents.
ROM (read-only memory): Systems usually contain
some read-only memory that holds instructions for
booting up the computer. ROM memory cannot be
changed, it is non-volatile.
PROM (programmable read-only memory): A
PROM is essentially a ROM memory chip which you
program out of the factory once. Like ROMs, PROMs
are non-volatile.
8. Types of Memory used?
EPROM (erasable programmable read-only
memory): An EPROM is a special type of PROM that
can be erased by exposing it to ultraviolet light.
EEPROM (electrically erasable programmable read-
only memory): An EEPROM is a special type of
PROM that can be erased by a special electrical
charge.
CMOS (Complementary Metal Oxide
Semiconductor): CMOS usually refers to the non-
volatile RAM (NVRAM).
9. Random access memory (RAM) is made of a
transistor and a capacitor.
A good jury description would be a bucket that
holds water (the charge). However, the bucket
has a small hole and constantly loses water. To
keep the bucket full, every so often you have to
pour more water into the bucket; this is
called “Refresh”.
10. How fast the memory loses its charge, and how
fast it can be recharged, determines the
memory speed.
12. Memory is written one byte at a time
Power is applied to the two connections, and
charges the memory cell
[Figure: a row of eight memory cells, each holding 0]
17. The CPU reads and writes to RAM (technically,
the CPU reads and writes to Cache, that then
reads and writes to RAM)
Every memory location has a unique address
This leads us into the murky world of how
Microsoft Windows manages memory (more
on this later…)
19. Physical Memory refers to the hardware view
of memory
Only one view of physical memory
Virtual Memory refers to virtualized OS views
of memory
There can be many different virtual memory spaces
21. Can provide process memory isolation
(security)
Allows more “logical” memory by increasing
the addressable space (each 32-bit process gets
its own 4GB of virtual memory).
When combined with paging, can increase the
total available memory (more on this later).
22. Sum of all virtual memory
[Figure: 2 GB of Physical Memory (RAM), managed by the OS, beneath six Virtual Memory spaces of 4GB each]
6 x 4GB = 24 GB of Logical Memory
23. The upper 2GB* of every Virtual Memory space is reserved for the Windows Kernel to use. It is not accessible to user mode processes.
* Note: except with the rarely used /3GB switch
[Figure: one 4 GB virtual address space; 0 GB to 2 GB labelled User Memory, 2 GB to 4 GB labelled Kernel Memory]
24. The OS utilizes CPU features to create page
directories and page tables which can be used
to divide physical memory among multiple
virtual memory spaces
25. [Figure: Physical Memory is divided, through Page Directories and Page Tables, among separate Virtual Memory spaces for Process A, Process B and Process C; each virtual space runs from 0 GB to 4 GB, with the user portion from 0 GB to 2 GB]
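As an added illustration (not part of the course materials), here is a toy Python model of the two-level page-table walk on 32-bit Windows without PAE: the 10/10/12-bit split of a virtual address, the kernel half shared by every process, two processes mapping the same virtual address to different physical frames, and a page that has been paged out to disk. The class name AddressSpace, the helper build_demo and the frame numbers are constructed for the example; real page-table entries also carry protection and status flags that are omitted here.

```python
# Added teaching model (not course code): a simplified two-level page-table walk
# for 32-bit Windows without PAE. Real tables hold flags and live in physical RAM;
# here each table is a plain dict so isolation and sharing are easy to see.
PAGE_SIZE = 0x1000
KERNEL_BASE = 0x80000000  # default split: user 0-2 GB, kernel 2-4 GB (no /3GB switch)


def split_va(va):
    """Split a 32-bit virtual address into (directory index, table index, page offset):
    10 bits + 10 bits + 12 bits."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF


class AddressSpace:
    """One process's 4 GB virtual space: page directory -> page table -> physical frame.
    A table entry of None means the page exists but is paged out (see pagefile.sys)."""

    def __init__(self, kernel_tables):
        # The kernel's page tables are the same objects in every process, so one
        # kernel mapping is visible everywhere without being copied.
        self.page_dir = dict(kernel_tables)

    def map_page(self, va, pfn):
        pde, pte, _ = split_va(va)
        self.page_dir.setdefault(pde, {})[pte] = pfn

    def page_out(self, va):
        pde, pte, _ = split_va(va)
        self.page_dir[pde][pte] = None  # contents now live only in the pagefile

    def translate(self, va, user_mode=True):
        """Return the physical address for va, or None on a page fault."""
        if user_mode and va >= KERNEL_BASE:
            raise PermissionError("user mode cannot touch kernel address 0x%08x" % va)
        pde, pte, off = split_va(va)
        table = self.page_dir.get(pde)
        if table is None or table.get(pte) is None:
            return None  # unmapped, or paged out: the CPU raises a page fault
        return table[pte] * PAGE_SIZE + off


def user_can_read(space, va):
    """True if a user-mode access to va would reach a resident page."""
    try:
        return space.translate(va) is not None
    except PermissionError:
        return False


def build_demo():
    """Constructed scenario: processes A and B share the kernel tables."""
    kernel_tables = {split_va(KERNEL_BASE)[0]: {0: 0x100}}  # one kernel page at PFN 0x100
    a, b = AddressSpace(kernel_tables), AddressSpace(kernel_tables)
    a.map_page(0x00400000, 0x200)  # same virtual address in A and B ...
    b.map_page(0x00400000, 0x300)  # ... backed by different physical frames
    b.map_page(0x00500000, 0x301)
    b.page_out(0x00500000)         # B's second page was swapped to disk
    return a, b


if __name__ == "__main__":
    a, b = build_demo()
    for name, space in (("A", a), ("B", b)):
        print(name, hex(space.translate(0x00400010)))
```

The point for an examiner: a physical memory image alone cannot tell you which process a frame belongs to; that requires walking each process's page tables, which is exactly what a tool does when it rebuilds a per-process memory map, and a paged-out page is simply absent from RAM until the pagefile is collected as well.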
26. Paging to the hard disk drive (SLOW!)
[Figure: pages moving between RAM and Pagefile.sys on disk]
27. When Physical Memory is getting full, the least
used pages of memory are written to disk
When those pages are needed again, they are
read back into Physical Memory and some
other pages are written to disk. This is called
Swapping.
Swapping reduces system performance.
29. To get a complete collection of memory you
need to collect two pieces:
Physical Memory
The on-disk pagefile
30. Programs can allocate virtual memory
dynamically
The size can range from a single byte to several
GBs (or 8192 GBs in x64 OS versions)
31. The Windows kernel uses a data structure
known as Virtual Address Descriptors (VADs)
to track virtual memory allocations
Responder™ combines this information with
page table data for each process, and displays it
in the Memory Map detail panel
34. Goal – Be minimally invasive to the suspect machine
1. DO NOT acquire RAM to the local system hard drive
Invasive: may destroy important data
2. Use an external thumb drive (USB Mass Storage Device)
3. Image the RAM to sterile media
Freshly wiped drive, preferably with all zeros.
Reformat the drive to NTFS
FAT32 file system has 2GB file size limitation
FDPro cannot split up the file into chunks
Generate MD5 hash at time of collection; save it with the memory
image
Used to verify integrity of the file to that point in time.
35. Software creates a “smear” image
Not a “true” duplicate image
This process is not reproducible
In order to create a “true” image
Hardware is required
Virtualization can “pause” the processor
Crash Dump
Hibernation file (hiberfil.sys)
36. Software used to dump physical RAM
HBGary FastDump™ and FastDump™ Pro
Fastdump (free)
Windows 2000 – 2008 Server, Windows 7
32-bit
6GB maximum file size
FastDump™ Pro
Windows 2000 – 2008 Server, Windows 7
32- and 64-bit
64GB+ tested maximum file size
37. When collecting the tools to image live
memory, you need to anticipate the likely
possibilities of what you will encounter on the
source end.
1. Will your imaging tool run on the source computer
(the computer where you want to image the live
memory)?
2. Will the destination storage device be recognized by
the source computer? Can you save the image on a
storage device?
38. Is there a way to run FastDump Pro?
USB 1.1, 2.0 or 3.0 port
Place FastDump Pro on a USB storage device such as a
thumb drive, or external USB hard drive.
CD/DVD-ROM drive
Place FastDump Pro on a CD/DVD-ROM. It does not
have to be bootable.
40. Does it have a way to attach a storage device for
memory dumping?
The amount of storage should be 10-15% larger than
the biggest amount of memory you expect the
computer to have.
In today’s world (the year 2012) 8GBs is safe.
Keep in mind you should have something that has
more than 8GBs to call on when needed.
Speed can also be an issue
Thumb drives can be slow
41. Windows does not create files larger than 4GBs on
Windows 2000 or Windows XP operating systems
using FAT32.
FAT32 has a limit of 4GBs for a single file
Format your destination drive with NTFS if possible.
Carry a second drive with FAT32 formatting
42. Buy a moderately fast USB 4-8GB thumb drive. It
should conform to the USB Mass Storage
specification.
Format it with NTFS and place FDPro.exe on it.
44. FastDump Pro™ (FDPro™) is a command-line
based memory dumping utility that comes
packaged with both the Responder™
Professional and the Responder™ Field
products. A copy of FDPro.exe is located in the
FastDump folder in the directory where
Responder™ is installed on the local hard
drive.
45. FDPro™ supports:
all versions of the Windows™ operating systems
and service packs (2000, XP, 2003, Vista, 2008 Server,
7) 32- and 64-bit, including systems with more than
4GBs of RAM (up to 64GBs of RAM).
acquisition of the Windows™ pagefile included with
the acquisition of RAM.
a variety of memory probing features that can assist
with malware analysis.
46. To perform a RAM dump:
Command: fdpro.exe c:\memdump.bin
Action: FDPro.exe acquires the local system physical
memory to the file c:\memdump.bin in
literal/standard .bin format using the default 1MB
read/write sizes.
Command: fdpro.exe c:\memdump.bin -strict
Action: FDPro.exe acquires the local system physical
memory to the file c:\memdump.bin in
literal/standard .bin format using the strict 4kb
read/write sizes.
47. To perform a RAM and Pagefile dump:
Command: fdpro.exe c:\memdump.hpak
Action: FDPro.exe acquires the local system memory
into the HPAK archive file c:\memdump.hpak using
the default 1MB read/write sizes
Command: fdpro.exe c:\memdump.hpak -strict
Action: FDPro.exe acquires the local system memory
into the HPAK archive file c:\memdump.hpak using
the strict 4kb read/write sizes
48. The goal of Process Probe is to force all executable code
into RAM for one or all processes on the system.
This includes code that is swapped out to the
Pagefile.sys, and code still contained in the executable
on disk but not in use. This code is called into RAM
prior to the acquisition of physical memory.
49. Process Probe provides the investigator
with a more accurate and complete picture of
the executable code and the data.
The Process Probe feature allows the
investigator to control what memory is “paged-
in” to RAM from SWAP and the file system
before FDPro performs RAM acquisition.
The Probe feature can even force code from the file
system into RAM for a specific process.
50. Use Process Probe during any LIVE network intrusion investigation, malware analysis case, or computer forensic investigation where the running applications on the computer could play a role. Applications include:
Instant messengers
IP telephony
Internet browsers
Malware
Encryption applications
Databases
Media players
Encrypted data
Passwords
Unencrypted chat sessions
Documents
Emails
Internet searches
Internet postings
Password protected websites
51. When using the -probe smart feature,
FDPro.exe walks the entire process list and
makes sure all code is called into RAM,
resulting in the ability to recover almost 100%
of the user-land process memory by causing
these pages to be activated and paged-in on the
fly.
52. Forensic best practices dictate that an
investigator or analyst should always acquire
RAM and Pagefile first without running the -probe
feature.
After freezing the current state of RAM, the
investigator/analyst should run FDPro again
using the -probe feature. Even when
grabbing the pagefile, the -probe feature
forces unused code from the file system into
RAM.
53. Example steps:
1. Arrive at the server or workstation suspected in the
computer incident or forensic investigation
2. Collect RAM to “freeze the runtime state of the
machine”. This is a full RAM image with Pagefile
If you’re doing any sort of malware analysis or
reverse engineering, or know for a fact that you
will never have to use the RAM acquisition in
litigation, then you can go ahead and use -probe
smart on your very first image to save time.
Note: This technique leaves a larger footprint in RAM
than only performing a memory acquisition.
54. To probe processes into memory and RAM:
Command: fdpro.exe c:\memdump.bin -probe all
Action: fdpro.exe probes all processes into memory before
acquiring the local system memory into the file
c:\memdump.bin
Command: fdpro.exe c:\memdump.bin -probe smart
Action: fdpro.exe probes only user processes into memory
before acquiring the local system memory into the file
c:\memdump.bin
Command: fdpro.exe c:\memdump.bin -probe pid 123
Action: fdpro.exe probes the process with PID 123 into memory
before acquiring the local system memory into the file
c:\memdump.bin
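The slides on sterile media (slide 34), storage sizing (slide 40), file-system limits (slide 41) and the FDPro switches (slides 46, 47 and 54) describe one collection procedure. The following Python helper is an added example, not part of FDPro or the course: it builds the FDPro command line from those switches, checks the destination rules, and seals the resulting image with an MD5 sidecar file recorded at collection time. The drive letter E:, the path to FDPro.exe and the sample dump contents are assumptions; only the acquire() function needs Windows and a real FDPro.exe, everything else runs anywhere.

```python
import hashlib
import os
import subprocess
import tempfile

# Assumed locations (example only): FDPro.exe and the output file both live on
# the sterile, NTFS-formatted USB drive so nothing is written to the suspect's disk.
FDPRO_EXE = r"E:\FDPro.exe"
FAT32_MAX_FILE = 4 * 1024**3 - 1  # single-file ceiling on FAT32 (slide 41)


def required_bytes(ram_bytes, headroom_percent=15):
    """Free space to carry: RAM size plus the 10-15% headroom the slides recommend."""
    return ram_bytes + ram_bytes * headroom_percent // 100


def filesystem_can_hold(fs_type, size):
    """FAT32 cannot hold a dump larger than FAT32_MAX_FILE; NTFS can."""
    return not (fs_type.upper() == "FAT32" and size > FAT32_MAX_FILE)


def fdpro_cmdline(out_path, strict=False, probe=None, exe=FDPRO_EXE):
    """Build the FDPro command line from the switches shown on the slides.
    A .bin output is RAM only; a .hpak output adds the pagefile.
    probe is None, "all", "smart", or an int PID."""
    args = [exe, out_path]
    if strict:
        args.append("-strict")  # 4 KB reads/writes instead of the default 1 MB
    if probe is not None:
        if isinstance(probe, int):
            args += ["-probe", "pid", str(probe)]
        elif probe in ("all", "smart"):
            args += ["-probe", probe]
        else:
            raise ValueError("probe must be None, 'all', 'smart' or a PID")
    return args


def md5_file(path, chunk=1024 * 1024):
    """Hash a large image without loading it into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_sidecar(path):
    """Record the hash next to the image at collection time (slide 34)."""
    digest = md5_file(path)
    with open(path + ".md5", "w") as f:
        f.write("%s  %s\n" % (digest, os.path.basename(path)))
    return digest


def verify_sidecar(path):
    """True if the image still hashes to the value recorded at collection."""
    try:
        with open(path + ".md5") as f:
            recorded = f.read().split()[0]
    except FileNotFoundError:
        return False
    return md5_file(path) == recorded


def acquire(out_path, strict=False, probe=None):
    """Run FDPro, then seal the result with its MD5. Needs Windows and FDPro.exe."""
    subprocess.run(fdpro_cmdline(out_path, strict, probe), check=True)
    return write_sidecar(out_path)


def make_sample_dump(payload=None):
    """Constructed stand-in for an image (not real memory) to exercise the hashing path."""
    if payload is None:
        payload = bytes(range(256)) * 8192  # 2 MB repeating pattern
    path = os.path.join(tempfile.mkdtemp(), "memdump.bin")
    with open(path, "wb") as f:
        f.write(payload)
    return path
```

Keeping the hash in a sidecar written at the moment of collection is what lets you later show that the image analysed is the one acquired; the verify step is the one to repeat before every analysis session.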
55. Take a snapshot to the local hard drive
C:\fdpro.exe c:\RAMdump.bin
Copy (using drag-and-drop) from VMware
Field option – take snapshot to USB drive
Add USB controller via Hardware Panel if needed
No perturbation of the local hard drive
58. Goal: Identify artifacts that lead you to other
pieces of information
Finding bread crumbs, then following the bread
crumbs…
59. Try to find objects and artifacts that tell you:
Who, What, Where, When, Why, How
60. Who?
• Names of People
• Email addresses
What?
• Project Names
• Filenames
• File format(s)
• Usernames
• Passwords
When?
• Dates
• Times
Where?
• Domains
• URLs
How?
Carefully create a search term list
Spending time up front can save lots of time on the back end
61. Approach:
Knowledge is helpful…
Google: “skype”
What is it?
How is it used? How does it work?
Why is my suspect using it?
Is there data in memory that might not be available by
performing disk based forensics?
62. • Create a list of things you know
Names involved in the investigation
Domain names
Project names
Filenames
Websites
Applications in question
Office applications
Internet browser
Encryption
Chat
63. Start with the browsers…
Internet Explorer
Firefox
Opera
Google Chrome
64. Then go to browser artifacts
Web sites visited
Files downloaded
Dates and timestamps
65. Things to consider
Web server applications act differently
Gmail stores passwords differently than hushmail.
66. Search terms that can be used
gmail.com
@hotmail.com
@yahoo.com
@hushmail.com
Attachment
&passwd=
&login=
messageID=
67. More…
Mail applications
Chat Applications
Names of Webmail Services
Email addresses
Passwords
Content of emails
Dates & Time Stamps
Web Sites Visited – History
Attachments
68. First Steps - Browse and collect
Browse the list of processes and applications
running…
Do I see internet browsers? Yes.
Do I see any instant messenger applications?
Do I see any other applications that might be useful for
my investigation?
Add artifacts to your report
Export to Excel
Right click, Send to Report
69. Focus: Intellectual Property Investigation
Type: Private data sent via Email
Description: Search for indications of files,
email addresses, and other related info to the
data theft.
70. Beginning a search based on suspicion
Press release from competitor having similar data
Searching for private content
What do we search for?
Understanding search hits
Process name/module/unidentified
Adding webmail data/artifacts to the report
71. Beginning a search based on suspicion
Press release from competitor having similar data
FIRST - Search for content we know
We know we are looking for “Pluripotent”
Searching for email addresses to corroborate
suspicion
Search terms (@gmail.com, gmailchat=)
Understanding search hits
Process name/module/unidentified
SECOND - Search for content we learn
Adding webmail data/artifacts to the report
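Slides 66 and 71 list the search terms (webmail domains, `&login=`, `&passwd=`, `messageID=`, `gmailchat=`, the project word “Pluripotent”) that an examiner runs across the image. The scanner below is an added Python example, not a Responder feature or course code: it searches a memory image for each term in both ASCII and UTF-16LE (Windows and browsers hold many strings in UTF-16LE, so an ASCII-only search misses them), and for each hit returns the offset, the encoding and the surrounding printable string for the report. The sample buffer is constructed here to stand in for a region of a dump; the names, addresses and the password value in it are invented.

```python
import re

# Terms taken from the slides; "Pluripotent" is the project word from the lab scenario.
SEARCH_TERMS = ["@gmail.com", "@hotmail.com", "@yahoo.com", "@hushmail.com",
                "&passwd=", "&login=", "messageID=", "gmailchat=", "Pluripotent"]

# Printable runs in each encoding, used to pull the whole string around a hit.
PRINTABLE_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
PRINTABLE_U16 = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def compile_terms(terms):
    """Each term becomes two case-insensitive byte patterns: ASCII and UTF-16LE."""
    pats = []
    for t in terms:
        pats.append((t, "ascii", re.compile(re.escape(t.encode("ascii")), re.IGNORECASE)))
        pats.append((t, "utf-16le", re.compile(re.escape(t.encode("utf-16-le")), re.IGNORECASE)))
    return pats


def context(buf, start, end, encoding, span=64):
    """Return the printable string that contains the hit at buf[start:end]."""
    lo, hi = max(0, start - span), min(len(buf), end + span)
    window = buf[lo:hi]
    regex = PRINTABLE_ASCII if encoding == "ascii" else PRINTABLE_U16
    for m in regex.finditer(window):
        if m.start() <= start - lo < m.end():
            raw = m.group()
            return raw.decode("ascii") if encoding == "ascii" else raw.decode("utf-16-le")
    return ""


def scan(buf, terms=SEARCH_TERMS):
    """Search the image for every term in both encodings; hits sorted by offset."""
    hits = []
    for term, enc, pat in compile_terms(terms):
        for m in pat.finditer(buf):
            hits.append({"term": term, "encoding": enc, "offset": m.start(),
                         "context": context(buf, m.start(), m.end(), enc)})
    return sorted(hits, key=lambda h: h["offset"])


def sample_dump():
    """Constructed stand-in for a slice of a memory image (not a real dump).
    Mixes ASCII HTTP fragments with UTF-16LE strings, separated by padding."""
    parts = [
        b"\x00" * 32,
        b"GET /mail/?ui=2&messageID=1234abcd HTTP/1.1",
        b"\x00" * 16,
        b"&login=jane.doe@gmail.com&passwd=samplepass",
        b"\x00" * 16,
        "Re: Pluripotent cell line results".encode("utf-16-le"),
        b"\x00" * 16,
        "bob@hotmail.com".encode("utf-16-le"),
        b"\xff" * 32,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for h in scan(sample_dump()):
        print("0x%08x %-8s %-13s %s" % (h["offset"], h["encoding"], h["term"], h["context"]))
```

Running this over a real image means reading it in chunks with overlap rather than into one bytes object, but the matching and context logic stay the same. The UTF-16LE hits on “Pluripotent” and the Hotmail address are the ones an ASCII-only string search would have missed.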
Memory is fast, HD is slow. Volatile location to store and cache data so it doesn’t have to be read from/written to the disk. The running state of the computer. With no RAM, it would run as fast as a computer from 1982…
RAM – main memory – operating state
ROM – BIOS set at factory and can’t be changed. Instructions make the video card run…
PROM – older tech… only write to it once. Very difficult to erase
EPROM most common – very intense ultraviolet light. Long time to erase.
EEPROM – put current through it to erase. BIOS initializes the system. Turn the PC on; the boot window says Dell, Gateway, etc… activating components of the system. Malware can put itself in the BIOS.
CMOS – requires a battery. Needs an electric charge, or it loses its state. Keeps the settings the motherboard uses.
Constantly fill it with a charge. Overclocking site… faster you refresh, the faster it runs the memory
Can get errors in memory if overclocking it
Grid of information that gets electrically set
Cache is even faster, but much more expensive. Small amount of cache close on CPU.
Phys mem – limited amount of memory on chip. System can’t run on low amount of phys mem
Each process has its own VM space. Crashes… 1 program can bring down the whole machine.
Not all 4GB range used. Some
Kernel is global to all processes and doesn’t need to change in virtual memory
Each process is allocated 2GB of vm
This process has all of these pages.
Windows tracks least used pages…
2 operations on hard drive when read from disk
Only tool that allows you to collect pagefile. Memory is highly volatile…
32-bit user-mode apps allocate 2GBs
Unidentified – allocated memory we don’t have a name
1. The USB drive needs to be as large as the memory you are saving. If you are going to save the swap cache or hiberfil file you will need more storage. Figure 4-8 Gigs for live memory and 10-20 for the other files. This may be a little overkill, but better safe than sorry.
2. Use your favorite CD-ROM software to create a CD-ROM (or DVD-ROM). Do not use CD or DVD Read/Write disks (CD-RW or DVD-RW). Also, with DVD use DVD-R and not DVD+R disks. DVD-R are way more compatible and work best for digital data.
3. A 1.44 Megabyte floppy will work in 2.88MByte floppy drives and in 120MByte SuperFloppy drives BUT NOT in older 720 drives, which you should not ever see today.
4. SATA can be used on some systems, but this causes a larger footprint in memory. So if you have to, you can use a SATA drive formatted with FAT32 with FDPro on it. The FAT32 partition will use less memory than an NTFS formatted drive would.
1. Just for the sake of that “rare but can happen” incident, try to use an external USB drive that has both USB2 and FireWire (and throw in SATA if you want) connections
2. There are any number of Cardbus adapters for CompactFlash memory to Cardbus slots available. Then use a CompactFlash card of 2-4 Gigs
Have more free space on the storage drive than the memory size.