De-Anonymizing Live CDs through Physical Memory AnalysisAndrew Case
- The document discusses analyzing physical memory to recover information from live CDs that normally evades digital forensics investigations.
- It presents research on developing algorithms to enumerate the in-memory file system structure of live CDs like TAILS to recover file metadata and contents directly from RAM.
- The goal is to apply traditional investigative techniques like timeline analysis that are usually impossible for live CDs by reconstructing the complete in-memory file system and contents through memory analysis.
This document provides an overview of the Volatility memory forensics framework. It discusses the Volatility Foundation, which supports development of the open-source Volatility tool. It highlights new features in Volatility 2.4, including improved support for Windows, Linux, MacOS, and analyzing application artifacts from programs like Chrome, Firefox, and Notepad. It outlines the Volatility roadmap and concludes by discussing the 2014 Volatility Plugin Contest winners, whose new plugins will enhance Volatility's capabilities.
Workshop - Linux Memory Analysis with VolatilityAndrew Case
Slides from my 3 hour workshop at Blackhat Vegas 2011. Covers using Volatility to perform Linux memory analysis investigations as well Linux kernel internals.
Volatility is an open source memory forensics tool that analyzes RAM dumps to detect malware. It supports Windows, Linux, Mac and Android and uses plugins to parse memory images and extract useful information. Some key things Volatility can do include detecting injected code, unpacked files, hooks, and kernel driver modifications left by malware in memory. It allows analyzing ransomware locked systems, unpacking encrypted files, and dumping executable content of running processes for further reverse engineering.
This document summarizes Linux memory analysis capabilities in the Volatility framework. It discusses general plugins that recover process, network, and system information from Linux memory images. It also describes techniques for detecting rootkits by leveraging kmem_cache structures and recovering hidden processes. Additionally, it covers analyzing live CDs by recovering the in-memory filesystem and analyzing Android memory images at both the kernel and Dalvik virtual machine levels.
The document discusses volatility and memory forensics. It covers topics like how volatility works on different operating systems like Linux and Windows, acquiring memory dumps, analyzing memory structures like page tables and processes, dealing with semantic gaps in raw memory, plugin development, and investigating various artifacts in memory related to authentication, passwords, encryption, and applications. The document provides information on memory forensics techniques and how volatility is used as an open-source memory forensics framework.
De-Anonymizing Live CDs through Physical Memory AnalysisAndrew Case
- The document discusses analyzing physical memory to recover information from live CDs that normally evades digital forensics investigations.
- It presents research on developing algorithms to enumerate the in-memory file system structure of live CDs like TAILS to recover file metadata and contents directly from RAM.
- The goal is to apply traditional investigative techniques like timeline analysis that are usually impossible for live CDs by reconstructing the complete in-memory file system and contents through memory analysis.
This document provides an overview of the Volatility memory forensics framework. It discusses the Volatility Foundation, which supports development of the open-source Volatility tool. It highlights new features in Volatility 2.4, including improved support for Windows, Linux, MacOS, and analyzing application artifacts from programs like Chrome, Firefox, and Notepad. It outlines the Volatility roadmap and concludes by discussing the 2014 Volatility Plugin Contest winners, whose new plugins will enhance Volatility's capabilities.
Workshop - Linux Memory Analysis with VolatilityAndrew Case
Slides from my 3 hour workshop at Blackhat Vegas 2011. Covers using Volatility to perform Linux memory analysis investigations as well Linux kernel internals.
Volatility is an open source memory forensics tool that analyzes RAM dumps to detect malware. It supports Windows, Linux, Mac and Android and uses plugins to parse memory images and extract useful information. Some key things Volatility can do include detecting injected code, unpacked files, hooks, and kernel driver modifications left by malware in memory. It allows analyzing ransomware locked systems, unpacking encrypted files, and dumping executable content of running processes for further reverse engineering.
This document summarizes Linux memory analysis capabilities in the Volatility framework. It discusses general plugins that recover process, network, and system information from Linux memory images. It also describes techniques for detecting rootkits by leveraging kmem_cache structures and recovering hidden processes. Additionally, it covers analyzing live CDs by recovering the in-memory filesystem and analyzing Android memory images at both the kernel and Dalvik virtual machine levels.
The document discusses volatility and memory forensics. It covers topics like how volatility works on different operating systems like Linux and Windows, acquiring memory dumps, analyzing memory structures like page tables and processes, dealing with semantic gaps in raw memory, plugin development, and investigating various artifacts in memory related to authentication, passwords, encryption, and applications. The document provides information on memory forensics techniques and how volatility is used as an open-source memory forensics framework.
The document provides an overview of memory forensics and the Rekall memory analysis tool. It discusses why memory forensics is useful, describes how Rekall supports multiple operating systems through profiles, and covers memory imaging, virtual memory concepts, and analyzing live memory. Rekall's interfaces like the command line, console, notebook, and web console are also introduced.
The document discusses kernel exploitation. It begins with an introduction to basic kernel concepts like virtual memory and mitigations like SMAP, SMEP, and KPTI. It then covers topics like basic kernel exploitation through NULL pointer dereferences, dynamic memory management techniques like kmem caches and allocators, and real world exploitation using use-after-free vulnerabilities and doubly linked lists. The presentation uses examples to illustrate concepts at a high level since each topic could be its own full talk.
This document discusses computer memory forensics. It explains that memory forensics involves acquiring volatile memory contents from RAM and preserving them for later forensic analysis. The document outlines the different types of forensic analysis that can be performed on memory contents, including storage, file system, application, and network analysis. It also discusses the challenges of memory forensics, such as anti-forensic techniques used by malware to hide processes, drivers, and other artifacts in memory.
Unmasking Careto through Memory Forensics (video in description)Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
The document discusses performing memory forensic analysis on Windows systems using EnCase, including acquiring memory images using tools like WinEn and MoonSols Windows Memory Toolkit, and analyzing the images using EnScripts to extract information on processes, modules, and open files through techniques like traversing kernel data structures and searching for object fingerprints. Hands-on examples are provided to demonstrate acquiring memory from a system and analyzing it using EnScripts to identify processes and differences before and after terminating a process.
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
This document discusses acquiring and analyzing volatile memory from Android devices. It provides an overview of traditional Linux memory forensics and the challenges with analyzing Android memory. It introduces the tools LiME and Volatility for acquiring memory from a running Android device and then analyzing that memory image. It demonstrates how to use these tools to extract useful forensic artifacts like processes, network connections, and files.
(120513) #fitalk an introduction to linux memory forensicsINSIGHT FORENSIC
This document discusses Linux memory forensics and provides an overview of tools and techniques for acquiring and analyzing memory. It begins by covering live forensics commands and then discusses memory forensics in more depth. Several open source tools for dumping physical memory are described, including fmem and LiME, as well as tools for analyzing memory images like Foriana and Volatilitux. Commercial memory analysis solutions are also briefly mentioned.
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
The document summarizes the analysis of several Linux rootkits using the Volatility memory forensics framework. It describes how the Average Coder rootkit hides processes, modules and users by hooking various file operations. It also details how the KBeast rootkit hides its module, hooks system calls and network connections. Finally, it discusses how the Jynx rootkit operates by preloading a shared library to hook filesystem and network functions and implement a backdoor. The document demonstrates how Volatility plugins can detect these rootkits and recover hidden data.
Course Objectives:
• Help the student to achieve a broad understanding of the
main types of memory forensic data gathering and analysis
• Serve as an introduction to low level concepts necessary for
a proper understanding of the task of performing memory
forensics on Windows, MacOSX and Linux (incl. Android).
• Put the student in contact with different memory forensics
tools and provide him information on how to use the
gathered forensic data to perform a wide range of
investigations
The document provides an introduction to Linux and device drivers. It discusses Linux directory structure, kernel components, kernel modules, character drivers, and registering drivers. Key topics include dynamically loading modules, major and minor numbers, private data, and communicating with hardware via I/O ports and memory mapping.
The document provides information on analyzing Macintosh computers for digital forensics purposes. It discusses the file systems, operating systems, and applications used by Macs and how to acquire disk images and examine key artifacts. Specific topics covered include acquiring memory using Target Disk Mode, disabling disk arbitration, analyzing browser data from Safari, Firefox, Internet Explorer, and AOL, and examining email from applications like Mail, Entourage and AOL. Forensic tools mentioned include dd, dcfldd, Emailchemy, and the Safari Tools browser analyzer.
This document outlines the key components of a Linux character device driver, including modules, major and minor numbers, data structures like struct file and struct file_operations, driver registration, and core functions like open, release, read and write. It provides an introduction to character device drivers in Linux and their basic architecture.
This presentation gives an overview of Linux kernel block I/O susbsystem functionality, importance of I/O schedulers in Block layer. It also describes the different types of I/O Schedulers including the Deadline I/O scheduler, Anticipatory I/O Scheduler, Complete Fair queuing I/O scheduler and Noop I/O scheduler.
The document provides an overview of Unix basics and scripting. It defines what an operating system and Unix are, describes the Unix philosophy and directory structure, and covers shells, commands, writing and executing scripts, variables, loops, and file permissions. The key topics covered include the Unix philosophy of small, modular programs; the hierarchical directory structure with / as the root; common shells like bash and commands like ls, grep, sort; and how to write simple shell scripts using variables, conditionals, and loops.
SANS Forensics 2009 - Memory Forensics and Registry Analysismooyix
This document summarizes Brendan Dolan-Gavitt's presentation on combining registry analysis and memory forensics. It discusses how the Windows registry contains both stable and volatile data, and how analyzing registry hives extracted from memory images allows accessing both types of data. The document outlines tools like VolReg and VolRip that were created to perform registry analysis on memory, enabling capabilities like extracting password hashes and tracking USB devices. Combining these forensic domains can provide new insights but some challenges remain regarding completeness of data in memory images.
This document provides an overview of different Linux I/O models including blocking I/O, non-blocking I/O, I/O multiplexing using select, poll, epoll, signal-driven I/O and asynchronous I/O. It describes key functions and system calls used for each model and provides examples of how they can be used in drivers and applications.
This document provides an introduction to Python programming for computational genomics and bioinformatics. It discusses the Python environment, integrated development environments (IDEs) like IPython Notebook and PyCharm, and various Python programming concepts including printing and manipulating text, reading and writing files, lists and loops, and writing your own functions. The document is presented as a tutorial with examples and exercises provided to help attendees learn the basics of Python programming.
This document provides an overview of the Linux kernel, including its history, structure, build process, installation, updating, and customization. It discusses getting the kernel source code, configuring and building the kernel, installing modules and the kernel, applying updates via patches, and determining the correct driver for PCI devices by matching the vendor and device IDs. The key steps are to find the PCI IDs, search for the IDs in kernel headers to identify the driver, search the kernel makefiles and configuration to enable that driver for compilation.
The document provides an overview of device driver development in Linux, including character device drivers. It discusses topics such as device driver types, kernel subsystems, compiling and loading kernel modules, the __init and __exit macros, character device registration, and issues around reference counting when removing modules. It also provides sample code for a basic character device driver that prints information to the kernel log.
This document discusses memory forensics and the Volatility framework. It begins by distinguishing memory forensics from disk forensics and explaining why memory forensics is needed to analyze skilled attackers and advanced malware that aim to avoid disk artifacts. It then provides an overview of Volatility capabilities for analyzing processes, network connections, code injection techniques, and decrypting software-based encryption keys from memory captures. It emphasizes that memory forensics can recover important evidence that is never written to disk.
Windows Registry Forensics with Volatility FrameworkKapil Soni
Windows Registry Forensics is the most important part of Memory Forensics Investigations. With the help of Windows Registry Forensics we can reconstruct user activity as well find the evidence easily.
Windows Registry Forensics (WRF) is a one of most important part on malware analysis. The changes made due to malware on Windows that reflect on Registry.
If attacker tried to make changes on Windows OS so all the logs like opening, deleting, modifying folder or file as well if attacker executed a file like .exe , everything is stores in Windows Registry that helps investigator to catch cyber criminal.
Memory Forensics Presentation from one of my lectures. I have tried to explain the functioning of memory in 32 bit architecture, how paging works, how windows manage its memory pages and how memory forensics job is done. The forensics part focuses on collecting data and analyzing the same
The document provides an overview of memory forensics and the Rekall memory analysis tool. It discusses why memory forensics is useful, describes how Rekall supports multiple operating systems through profiles, and covers memory imaging, virtual memory concepts, and analyzing live memory. Rekall's interfaces like the command line, console, notebook, and web console are also introduced.
The document discusses kernel exploitation. It begins with an introduction to basic kernel concepts like virtual memory and mitigations like SMAP, SMEP, and KPTI. It then covers topics like basic kernel exploitation through NULL pointer dereferences, dynamic memory management techniques like kmem caches and allocators, and real world exploitation using use-after-free vulnerabilities and doubly linked lists. The presentation uses examples to illustrate concepts at a high level since each topic could be its own full talk.
This document discusses computer memory forensics. It explains that memory forensics involves acquiring volatile memory contents from RAM and preserving them for later forensic analysis. The document outlines the different types of forensic analysis that can be performed on memory contents, including storage, file system, application, and network analysis. It also discusses the challenges of memory forensics, such as anti-forensic techniques used by malware to hide processes, drivers, and other artifacts in memory.
Unmasking Careto through Memory Forensics (video in description)Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
The document discusses performing memory forensic analysis on Windows systems using EnCase, including acquiring memory images using tools like WinEn and MoonSols Windows Memory Toolkit, and analyzing the images using EnScripts to extract information on processes, modules, and open files through techniques like traversing kernel data structures and searching for object fingerprints. Hands-on examples are provided to demonstrate acquiring memory from a system and analyzing it using EnScripts to identify processes and differences before and after terminating a process.
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
This document discusses acquiring and analyzing volatile memory from Android devices. It provides an overview of traditional Linux memory forensics and the challenges with analyzing Android memory. It introduces the tools LiME and Volatility for acquiring memory from a running Android device and then analyzing that memory image. It demonstrates how to use these tools to extract useful forensic artifacts like processes, network connections, and files.
(120513) #fitalk an introduction to linux memory forensicsINSIGHT FORENSIC
This document discusses Linux memory forensics and provides an overview of tools and techniques for acquiring and analyzing memory. It begins by covering live forensics commands and then discusses memory forensics in more depth. Several open source tools for dumping physical memory are described, including fmem and LiME, as well as tools for analyzing memory images like Foriana and Volatilitux. Commercial memory analysis solutions are also briefly mentioned.
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
The document summarizes the analysis of several Linux rootkits using the Volatility memory forensics framework. It describes how the Average Coder rootkit hides processes, modules and users by hooking various file operations. It also details how the KBeast rootkit hides its module, hooks system calls and network connections. Finally, it discusses how the Jynx rootkit operates by preloading a shared library to hook filesystem and network functions and implement a backdoor. The document demonstrates how Volatility plugins can detect these rootkits and recover hidden data.
Course Objectives:
• Help the student to achieve a broad understanding of the
main types of memory forensic data gathering and analysis
• Serve as an introduction to low level concepts necessary for
a proper understanding of the task of performing memory
forensics on Windows, MacOSX and Linux (incl. Android).
• Put the student in contact with different memory forensics
tools and provide him information on how to use the
gathered forensic data to perform a wide range of
investigations
The document provides an introduction to Linux and device drivers. It discusses Linux directory structure, kernel components, kernel modules, character drivers, and registering drivers. Key topics include dynamically loading modules, major and minor numbers, private data, and communicating with hardware via I/O ports and memory mapping.
The document provides information on analyzing Macintosh computers for digital forensics purposes. It discusses the file systems, operating systems, and applications used by Macs and how to acquire disk images and examine key artifacts. Specific topics covered include acquiring memory using Target Disk Mode, disabling disk arbitration, analyzing browser data from Safari, Firefox, Internet Explorer, and AOL, and examining email from applications like Mail, Entourage and AOL. Forensic tools mentioned include dd, dcfldd, Emailchemy, and the Safari Tools browser analyzer.
This document outlines the key components of a Linux character device driver, including modules, major and minor numbers, data structures like struct file and struct file_operations, driver registration, and core functions like open, release, read and write. It provides an introduction to character device drivers in Linux and their basic architecture.
This presentation gives an overview of Linux kernel block I/O susbsystem functionality, importance of I/O schedulers in Block layer. It also describes the different types of I/O Schedulers including the Deadline I/O scheduler, Anticipatory I/O Scheduler, Complete Fair queuing I/O scheduler and Noop I/O scheduler.
The document provides an overview of Unix basics and scripting. It defines what an operating system and Unix are, describes the Unix philosophy and directory structure, and covers shells, commands, writing and executing scripts, variables, loops, and file permissions. The key topics covered include the Unix philosophy of small, modular programs; the hierarchical directory structure with / as the root; common shells like bash and commands like ls, grep, sort; and how to write simple shell scripts using variables, conditionals, and loops.
SANS Forensics 2009 - Memory Forensics and Registry Analysismooyix
This document summarizes Brendan Dolan-Gavitt's presentation on combining registry analysis and memory forensics. It discusses how the Windows registry contains both stable and volatile data, and how analyzing registry hives extracted from memory images allows accessing both types of data. The document outlines tools like VolReg and VolRip that were created to perform registry analysis on memory, enabling capabilities like extracting password hashes and tracking USB devices. Combining these forensic domains can provide new insights but some challenges remain regarding completeness of data in memory images.
This document provides an overview of different Linux I/O models including blocking I/O, non-blocking I/O, I/O multiplexing using select, poll, epoll, signal-driven I/O and asynchronous I/O. It describes key functions and system calls used for each model and provides examples of how they can be used in drivers and applications.
This document provides an introduction to Python programming for computational genomics and bioinformatics. It discusses the Python environment, integrated development environments (IDEs) like IPython Notebook and PyCharm, and various Python programming concepts including printing and manipulating text, reading and writing files, lists and loops, and writing your own functions. The document is presented as a tutorial with examples and exercises provided to help attendees learn the basics of Python programming.
This document provides an overview of the Linux kernel, including its history, structure, build process, installation, updating, and customization. It discusses getting the kernel source code, configuring and building the kernel, installing modules and the kernel, applying updates via patches, and determining the correct driver for PCI devices by matching the vendor and device IDs. The key steps are to find the PCI IDs, search for the IDs in kernel headers to identify the driver, search the kernel makefiles and configuration to enable that driver for compilation.
The document provides an overview of device driver development in Linux, including character device drivers. It discusses topics such as device driver types, kernel subsystems, compiling and loading kernel modules, the __init and __exit macros, character device registration, and issues around reference counting when removing modules. It also provides sample code for a basic character device driver that prints information to the kernel log.
This document discusses memory forensics and the Volatility framework. It begins by distinguishing memory forensics from disk forensics and explaining why memory forensics is needed to analyze skilled attackers and advanced malware that aim to avoid disk artifacts. It then provides an overview of Volatility capabilities for analyzing processes, network connections, code injection techniques, and decrypting software-based encryption keys from memory captures. It emphasizes that memory forensics can recover important evidence that is never written to disk.
Windows Registry Forensics with Volatility FrameworkKapil Soni
Windows Registry Forensics is the most important part of Memory Forensics Investigations. With the help of Windows Registry Forensics we can reconstruct user activity as well find the evidence easily.
Windows Registry Forensics (WRF) is a one of most important part on malware analysis. The changes made due to malware on Windows that reflect on Registry.
If attacker tried to make changes on Windows OS so all the logs like opening, deleting, modifying folder or file as well if attacker executed a file like .exe , everything is stores in Windows Registry that helps investigator to catch cyber criminal.
Memory Forensics Presentation from one of my lectures. I have tried to explain the functioning of memory in 32 bit architecture, how paging works, how windows manage its memory pages and how memory forensics job is done. The forensics part focuses on collecting data and analyzing the same
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014Amazon Web Services
This document discusses Amazon Web Services (AWS) security configuration and tools. It provides AWS configuration options like Amazon S3, EC2, VPC, IAM, RDS and Elastic Beanstalk. It also discusses security groups, users, credentials and accessing AWS resources. The document shares links to AWS security documentation and best practices. It includes a demonstration of using forensic tools like Volatility on a Linux EC2 instance memory capture to analyze processes, network configuration and loaded kernel modules.
The document provides a timeline and overview of the major versions of the Mac OS operating system from 1984 to 2016. It began as System 1, the first GUI-based OS, and progressed through various System and Mac OS versions that introduced features like multitasking, networking, and the modern OS X platform based on Unix. Key versions included OS X in 2001, which was the first Unix-based release, as well as subsequent versions that focused on performance, integration with iOS, and security updates.
Operating Systems and Memory Managementguest1415ae65
The document discusses operating systems and how they manage hardware, software, memory and processes. It defines key concepts like physical memory, virtual memory, paging, swapping and buffers. It also categorizes different types of operating systems like real-time OS, single-user OS, multi-user OS and discusses how they schedule processes and allocate system resources.
Mac OS X Mavericks is the latest version of the Mac operating system. It provides many new features and improvements such as iCloud integration across devices, enhanced notifications, Finder tabs, and better power management. Mavericks is a free download from the Mac App Store and works on Macs from 2007 onward with 2GB of RAM and 8GB of storage. It continues Apple's goal of providing an intuitive and powerful desktop operating system.
A ppt on Mac Operating System by Apple. I've made this presentation simpler by changing the words in it to a simpler English which everyone can understand and explain it easily. For getting customized projects on Information Technology, contact at https://quvor.com
The document discusses Mac OS, including its history, versions, memory management, process management, and pros and cons. It provides an overview of Mac OS from its introduction in 1984 through various versions such as Mac OS X, OS Cheetah, Puma, Jaguar, Panther, Tiger, Leopard, Snow Leopard, Lion, Mountain Lion, and Ventura. It describes the kernel, multitasking, hierarchical file system, memory management using pages and page lists, and process scheduling. The document also outlines the different layers of Mac OS including the core services layer.
The document provides an overview of computer system organization based on the Von Neumann architecture. It describes the key components of a computer system, including memory, I/O, the ALU, and control unit. It explains how these components work together in the fetch-decode-execute cycle. The document also discusses limitations of the Von Neumann model and introduces parallel processing as an alternative architectural approach.
The document provides an overview of operating systems, including processes, threads, interprocess communication, deadlocks, and scheduling. It discusses the evolution of operating systems from first to fourth generation. Key concepts covered include processes, files, system calls, command interpreters, and signals. Operating system structures like monolithic, layered, and client-server models are summarized. Common interprocess communication problems like the bounded buffer, readers-writers, and dining philosophers problems are also briefly outlined. Finally, it discusses process scheduling algorithms, deadlock conditions and strategies to handle deadlocks.
Windows XP is a 32-bit, preemptive multitasking operating system that was the most widely used OS at the time. It has a layered architecture with a microkernel at its core providing basic services, and various user-mode subsystems that emulate other operating systems. Its design focuses on extensibility, portability, reliability, compatibility, and performance. It uses a file system called NTFS that supports advanced features like security and recovery through transaction logging.
The document provides an overview of operating systems, including:
1. An operating system acts as a virtual machine that hides complex hardware details and provides services through system calls. It manages resources like time and memory allocation.
2. Core OS functions include process management, I/O device control, resource access control, error handling, and accounting. The kernel contains frequently used functions and privileges.
3. Early systems used serial processing but evolved to batch processing, multiprocessing, time-sharing, and today's graphical user interfaces across networks.
This document provides an overview of the Linux kernel internals and device drivers. It discusses topics like memory management, process creation, inter-process communication using shared memory, and device drivers. The key aspects covered are virtual memory mapping, demand paging, steps in program execution, different types of device drivers, and how the kernel interacts with hardware through device drivers in the userspace.
The document discusses Linux kernel internals and provides an overview of key concepts such as memory management, process creation, device drivers, and file systems. It describes how the kernel handles tasks like compiling programs, managing memory and processes, and facilitating communication between software and hardware. The document also outlines common Linux system calls and functions related to program execution.
This document provides an overview of embedded Linux for an embedded systems design course. It discusses various commercial and open source embedded Linux distributions and their characteristics. It also covers important topics for embedded Linux including tool chains, the Linux kernel, debugging, driver development, memory management, and synchronization techniques. Example code snippets are provided for common Linux system programming tasks like file I/O, processes, threads, IPC, signals, and sockets. Cross-compiling for embedded targets is also briefly explained.
The document provides an overview of the Linux kernel internals including:
1) The Linux kernel architecture adopts a monolithic design that provides stability, safety, and high performance while maintaining advantages of both monolithic and microkernel approaches.
2) Key kernel components include processes and threads management, memory management using paging and segmentation, file systems, networking, and device drivers.
3) The kernel uses inodes and blocks to organize file system data on disk and supports various file systems like Ext2 through a virtual file system interface.
This document contains teaching material on distributed systems operating systems from the book "Distributed Systems: Concepts and Design". It discusses key concepts around processes, threads, communication, and operating system architecture to support distributed applications and middleware. The material is made available for teaching purposes and cannot be used without permission.
The document discusses operating system concepts including:
1. The operating system controls computer resources and provides an interface between applications and hardware.
2. It hides hardware complexity and manages resources like processors, memory, and devices.
3. Key OS components include processes, files, pipes, and system calls that allow programs to request services from the OS kernel.
The document provides an overview of operating systems and UNIX/Linux specifically. It discusses how operating systems manage resources and tasks. It then covers the history and development of UNIX, its multi-user and multi-tasking capabilities, and common flavors including Linux. The rest of the document details key aspects of UNIX including processes and process management, memory management, file management, and starting processes.
Mca i-fundamental of computer-u-3-functions operating systemsRai University
The document discusses operating systems and their functions. It describes how operating systems manage hardware resources like the CPU, RAM, and storage devices. It also explains how operating systems provide security, a system interface, and an interface for application software. Common operating system types include batch processing, real-time processing, and time-sharing systems. Key operating system functions are also summarized like multi-tasking, multi-programming, buffering, and spooling.
Bca i-fundamental of computer-u-3-functions operating systemsRai University
The document discusses operating systems and their functions. It defines an operating system as software that manages computer hardware resources and provides interfaces. The key functions of an operating system include managing the CPU, RAM and hardware; providing security; and providing interfaces for users and application software. Common operating system types include batch processing, real-time processing, time-sharing, and examples of Windows, Linux/Unix, and mobile operating systems.
The document provides an outline on operating systems memory storage and management. It discusses how the OS must manage memory to ensure each process has enough space to execute without interfering with other processes. It describes different types of memory like cache, RAM, and disk and how the OS uses these properly. Specific topics covered include cache memory, RAM, virtual memory using swap files, the kernel, kernel types, shells, types of shells, shell scripting, and the four freedoms of open source software.
The document provides an overview of the Linux operating system, including:
- An introduction to Linux and its history as an open-source clone of UNIX.
- Descriptions of Linux's core functionality like multi-user support and virtual memory.
- Discussions of key Linux components like kernels, distributions, packages, and updates.
- Explanations of enterprise-level Linux features around performance, scalability, and reliability.
The document discusses operating systems and their functions. It defines an operating system as software that manages computer hardware resources and provides interfaces. The key functions of an operating system include managing the CPU, RAM and hardware; providing security; and providing interfaces for users and application software. Common operating systems are described as well as different types like batch processing, real-time processing and time-sharing systems.
The document discusses operating systems and their functions. It defines an operating system as software that manages computer hardware resources and provides interfaces. The key functions of an operating system include managing the CPU, RAM and hardware; providing security; and providing interfaces for users and application software. Common operating systems are described as well as different types like batch processing, real-time processing and time-sharing systems.
Similar to Mac Memory Analysis with Volatility (20)
Proactive Measures to Defeat Insider ThreatAndrew Case
This presentation was delivered at RSA 2016 and discussed measures to defeat insider threat. It focused on real investigations that I have performed and how the victim companies could have prevented the associated harm.
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
This document discusses analyzing Linux rootkits using Volatility, an open source memory forensics framework. It analyzes several Linux rootkits including Average Coder, KBeast, and Jynx/Jynx 2. For each rootkit, it describes the rootkit's techniques for hiding processes, files, network connections and how Volatility plugins like linux_check_fop, linux_check_modules, linux_check_syscall, and linux_check_afinfo can detect the rootkit by validating file operations structures, the kernel module list, system call tables, and network operations structures. It also shows how Volatility can recover hidden files, processes, network connections, and shared libraries loaded by the root
My Keynote from BSidesTampa 2015 (video in description)Andrew Case
This is the slides from keynote presentation at BSidesTampa 2015. A recording of the talk can be found at: https://www.youtube.com/watch?v=751bkSD2Nn8&t=1m35s
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
The document summarizes research on analyzing the memory of the Dalvik virtual machine used in Android. It describes acquiring memory from Android devices, locating key data structures in memory like loaded classes and their fields, and analyzing specific Android applications to recover data like call histories, text messages, and location information. The goal is to develop forensics capabilities for investigating Android devices through memory analysis.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Infrastructure Challenges in Scaling RAG with Custom AI modelsZilliz
Building Retrieval-Augmented Generation (RAG) systems with open-source and custom AI models is a complex task. This talk explores the challenges in productionizing RAG systems, including retrieval performance, response synthesis, and evaluation. We’ll discuss how to leverage open-source models like text embeddings, language models, and custom fine-tuned models to enhance RAG performance. Additionally, we’ll cover how BentoML can help orchestrate and scale these AI components efficiently, ensuring seamless deployment and management of RAG systems in the cloud.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Mac Memory Analysis with Volatility
1. Mac Memory Analysis with Volatility
Andrew Case / @attrc
Digital Forensics Researcher
Terremark
2. Who Am I?
• Digital Forensics Researcher @ Terremark
• Volatility Developer & Registry Decoder Co-
Developer
• Former Blackhat, SOURCE, DFRWS, BSides,
and SANS @Night speaker
• GIAC Certified Forensics Analyst (GCFA)
3. Motivation for this Research
• There is a good tool for acquisition of memory
from Mac machines [1], but no tools for deep
analysis of the captured memory
• Matthieu Suiche did initial research but no tool
[16]
• Only one public tool, Volafox [7], supports Mac
analysis, but not as robustly or as thoroughly as
we would like
• To fix this, we added full Mac support to Volatility
4. Agenda
• Introduction to Memory Analysis
• Overview of the Volatility architecture
• Mac Memory Acquisition
• Analysis with Volatility
• Conclusions/Q&A
6. Introduction
• Memory analysis is the process of taking a
memory capture (a sample of RAM) and
producing higher-level objects that are useful
for an investigation
• A memory capture has the entire state of the
operating system as well as running
applications
– Including all the related data structures, variables,
etc
6
7. The Goal of Memory Analysis
• The higher level objects we are interested in
are in-memory representations of C
structures, custom data structures, and other
variables used by the operating system
• With these we can recover processes listings,
filesystem information, networking data, etc
• This is what we will be talking about
throughout this presentation
7
8. Volatility
• Most popular memory analysis framework
– Written in Python
– Open Source
– Supports Windows {XP, Vista, 7, 2003, 2008}
– Supports Linux on Intel and ARM
– And now supports Mac!
• Allows for analysis plugins to be easily written
• Used daily in real forensics investigations
8
9. Volatility Terminology - Vtypes
• A representation of structures used in the OS, such
as size, names, members, types, and offsets
• Example:
'_IMAGE_EXPORT_DIRECTORY': [ 0x28, {
'Base': [ 0x10, ['unsigned int']],
'NumberOfFunctions': [ 0x14, ['unsigned int']],
'NumberOfNames': [ 0x18, ['unsigned int']],
'AddressOfFunctions': [ 0x1C, ['unsigned int']],
10. Volatility Terminology - Profiles
• A profile is set of vtypes and (optionally)
symbol addresses that are used to model a
particular OS version
• This is what allows Volatility plugins to be
generic to all the different versions of
Windows, Linux, Mac, etc
11. Volatility Terminology – Address Spaces
• Address spaces are used to translate virtual
addresses into physical offsets
• They also prevent the need to convert all
memory captures to a linear format
12. Current Address Spaces
• Memory Management Address Spaces
– x86 / x64
– Arm (Android)
• Interface (File) Address Spaces
– Firewire
– Windows Hibernation Files
– Crash Dumps
– EWF Files
– Lime
– And a new one for this talk!
12
13. Mac Profiles
• Mac profiles are built in two steps:
• The addresses of symbols are gathered from
the system’s mach_kernel
• The types are gathered by running dwarfdump
on the debug mach_kernel
― This is contained in the KernelDebugKit
― This output is then converted into a proper vtype
15. No Native Software Support
• Modern versions of Mac do not support /dev/
mem or /dev/kmem
• This means that 3rd party software must be
used to access physical memory
16. Mac Memory Reader [1]
• Main memory acquistion tool
– Free, but not open source
• Supports capture from 32 and 64 bit systems
running on native hardware as well as from
Parallels and VirtualBox guests
– Does not work with VMware Fusion guests
• Loads a driver to recreate /dev/mem and
captures from it
17. The Capture File
• Mac Memory Reader creates a mach-o file of
captured memory
– Mach-o is the standard Mac exe format
• RAM is not contiguous in physical memory so
a linear capture would be much bigger than
actual RAM size
– Too big to deal with on 64 bit
18. Mach-O Address Space
• To handle Mac Memory Reader captures, a
mach-o address space was developed
• Supports 32 and 64 bit captures
• It parses mach-o files and for each segment
gathers:
– The offset into the file
– The size of the segment
– Its mapped address, which is its physical address
20. Runtime Information
• This rest of this session is focused on orderly
recovery of data that was active at the time of
the memory capture
• We will be discussing how to find key pieces
of information and then use Volatility to
recover them
20
21. Information to be Recovered
• Processes
• Memory Maps
• Open Files
• Network Connections
• Network Data
• Loaded Kernel Modules
• Rootkit Detection
21
22. Mach Overview
• No split address space
• (Almost?) Micro-kernel
– Only the components that need hardware access
run in ring 0
– Everything else runs as a userland process
– Mach is the only mainstream kernel like this
– The mechanisms needed to make this work tend
to be annoying as a memory analysis researcher
23. Mach Processes & Tasks
• A process (proc) represents a BSD process
– Its threads are called uthreads
• A task (task) represents a Mach task
– Its threads are called “Mach Threads” and
represented by the thread structure
24. Recovering Processes
• The list of processes is stored in the allproc list
• Each element of the list is of type struct proc
– The p_comm member stores the ASCII name of
the binary that was executed
– The p_pid member stores the process ID
– Other members you would expect:
• p_uid, p_gid, p_ppid
• The mac_pslist plugin enumerates this list and
prints out the per-process information
25. Recovering Command Line Arguments
• mac_pslist only recovers the name of the
binary that was executed
• mac_psaux recovers the command line args
(**argv) and optionally the env variables
• The CR3 value for each process is stored in:
– <proc_structure>.task.map.pmap.pm_cr3
• user_stack and p_argslen are used to recover
where the args and environment arrays are
26. Recovering Memory Maps
• The mac_proc_maps plugin recovers per-task
memory maps
– Mimics vmmap or Linux’s /proc/<pid>/map
• For each mapping, it lists:
– Starting and ending address
– The mapped file (if any)
• Makes spotting shared library injection easy
• A starting point to malware/unknown binary
analysis
28. Dumping Memory Maps
• The mac_dump_map plugin is able to dump
the contents of memory mappings inside of
particular processes
• Common usages:
– Check against virus DBs
– Binary Analysis
– Further forensics analysis (strings, file carving, etc)
29. Open Files
• The mac_lsof plugin lists the files that are
opened for each process
– Similar to /proc/<pid>/fd on Linux
• Walks the proc.p_fd.fd_ofiles array
• Checks the vnode type, if DTYPE_VNODE, then
it’s a regular file and reported
• Useful to determine file system activity, log
files, etc
30. Mount Points
• The mac_mount plugin recovers all mounted
devices and their mount points
• Mimics the mount command
• Very useful when integrating disk and memory
analysis during an investigation
• The mount flags can are also good artifacts
(read only, no exec, no atime, etc)
31. Dmesg
• mac_dmesg recovers the kernel’s debug
buffer
• Contains a wide range of useful information
• Viewed on the live machine with the dmesg
binary that reads /var/log/kernel.log
• The contents are very easy to manipulate on
disk – not so in memory
32. Network Connections
• mac_netstat emulates the netstat command
• Lists each connection along with relevant
information (src/dst IP address & port, state,
etc)
• Also walks the list of open files and acts on
DTYPE_SOCKET entries
• Obviously useful when investigating network
traffic and connections
33. Ifconfig
• mac_ifconfig emulates the ifconfig command
• Walks the dlil_ifnet_head list in memory to
get each interface, which are represented by
ifnet structures
• For each interface it recovers:
– The interface name (en0, en1, etc)
– Any IP addresses
– MAC Address
34. ARP Table
• Found in the llinfo_arp list
• Recovers the ARP table out of memory
• Useful in IR scenarios to determine which
networked devices the investigated machine
recently contacted
35. Routing Cache
• When researching the routing table, I noticed
that Mac has a very interesting routing cache
• Keeps track of connections made to remote IP
addresses
• Statistics about these connections are kept as
well including the start time and total packets &
bytes
36. Entry Expiry
• Entries in the cache expire based on the value
in net.inet.ip.rtexpire for IPv4 and
net.inet6.ip6.rtexpire for IPv6
• This time is in seconds
• The countdown timer starts when there is no
more references to the connection
– So if the memory capture fits in this window, we
can recover it
37. What are the expiry times?
• I asked Mac users for their sysctl value & OS
version on twitter and G+
• Got about 20 responses, but wasn’t conclusive
• For IPv4:
– People with the same exact OS version had widely
different values
– Range was from 10 seconds (bad!) up to an hour
• IPv6 was always 3600 (one hour)
38. Uses of the Routing Cache
• Malware Analysis & Data Exfil Investgations
– You know when the current session started
– You know how much data was sent
• Beating Rootkits
– How many rootkits hide from netstat/lsof and
other tools using easily detectable techniques?
– vs how many manipulate the kernel’s routing
cache?
• Hint: 0
39. Loaded Kernel Modules
• The mac_lsmod plugin lists all of the loaded
kernel modules (extensions) active on the
system
• This replicates the output of the kextstat
command
• This can lead to further investigation by
dumping the executable in memory [14]
40.
41. I/O Kit [3]
• I/O Kit is the framework that allows for
development of device drivers as well as the
OS’es tracking and handling of hardware
devices
• Provides the ability for programmers to hook
into a wide range of hardware events and
actions
42. The I/O Registry [2]
• The I/O registry tracks devices that are
attached to the computer as well as the
classes that represent them
• The ioreg binary can list all of the registry
contents
• The mac_ioreg plugin provides similar
functionality to ioreg
43. Rootkit Detection
• Most rootkit discussions, whether offensive
or defensive, make a distinction between
userland (unprivileged) and kernel (fully
privileged) rootkits
• Mac blurs this line with its micro-kernel design
• When referring to “kernel” rootkit detection, I
mean core parts of the OS and not individual
userland applications or services
44. Types of Rootkits
• Static
– Alters data that is set at compile-time and never
changes
– Examples: modifying system call table entries,
code (.text) instructions, global data structure
function pointers
– These are generally boring from a research
perspective and already covered by other projects
(Volafox [7], Phrack article [8], etc)
45. Types of Rootkits Cont.
• Dynamic
– Alters data that is only created and referenced at
runtime
– Generally includes manipulating live data
structures (lists, hash tables, trees) used by the
operating system for accounting or for core
operations
– Much more interesting from a research
perspective
46. Logkext [4]
• Logkext is a rootkit that uses the I/O Kit
framework to log keystrokes
• It accomplishes this by adding a
'gIOPublishNotification' callback that filters on
the 'IOHIKeyboard' service.
• This effectively gives the rootkit control
everytime a key is pressed.
47. Detecting logkext
• Enumerate the gNotifications hash table
– Keyed by the type of notification: (gIOPublishNotification,
gIOFirstPublishNotification, gIOMatchedNotification,
gIOFirstMatchNotification, gIOTerminatedNotification)
– Each element is a IOServiceNotifier
• The handler member of IOServiceNotifier points to the
callback function
• We verify that each callback is either:
1. In the kernel
2. In a known kernel module
48. IP Filters [8]
• Part of the Network Kernel Extension
framework
• Allows for kernel extension programmers to
easily hook incoming and/or outgoing
network packets
• These hooks have built-in support for
modifying packets in-place!
– Done with ipf_inject_input and ipf_inject_output
49. IP Filter Rootkits [9]
• The potential for abuse of these filters is
pretty obvious and existing rootkits take
advantage of it in different ways
• We can detect these rootkits by verifying that
every IP hook is in a known location
– Implemented in mac_ip_filter
50. Detecting IP Filter Rootkits
• We walk the ipv4_filters & ipv6_filters lists
• These lists are of type ipfilter_list whose
elements are ipfilter structures
• ipfilter structures hold the name of the filter
(might be empty) as well as pointers to the
input, output, and detach functions
• All three of these functions need to be in the
kernel or in a known module if set
51. TrustedBSD [17, 18]
• The TrustedBSD framework provides hooks
into a large number of functions in the kernel
related to processes, memory, networking,
and much more
• These hooks are meant to be used to enforce
security polices & access control
• From my testing, it seems all Macs have
“SandBox”, “Quarantine”, and “TMSafetyNet”
loaded by default
52. Abusing TrustedBSD
• As you can imagine, having an “official” way to
hook the kernel is an attractive feature for
rootkits
• The author of the http://reverse.put.as blog was
the first to think of this method and implemented
a POC rootkit named rex that does it [10, 11]
• Works by adding malicious “trusted” policies that
allow userland processes to call into the policies
in order to gain root privileges
53. Detecting Rex
• All policies are stored in the global
mac_policy_list
• Each element is of type mac_policy_list_element
• Name of the policy - <element>.mpc.mpc_name
• Function pointers - <element>.mpc.mpc_ops
• We verify that every function pointer is either in
the kernel, a known kernel module, or NULL
– This finds Rex as well as any other malicious policies
54.
55. Volafox Comparison
• Based on Volatility, but does not use the
profile/object system
– So it only supports a small number of OS versions
and adding support for a new version is difficult
• Only a few plugins:
– Process list, netstat, lsof, mount
– Only rootkit detection is syscall hooking (static)
• SVN version supports 32 bit Mac Memory
Reader but no 64 bit support
56. Conclusion
• Volatility now has proper Mac support
• Everything talked about today exists in the
open source repository
– Instructions on how to access can be found at [15]
• Much more new functionality will be added
over the next couple months
– Check [12 & 13] for updates