2010 2013 sandro suffert memory forensics introdutory work shop - public


Published on

Course Objectives:

• Help the student to achieve a broad understanding of the
main types of memory forensic data gathering and analysis

• Serve as an introduction to low level concepts necessary for
a proper understanding of the task of performing memory
forensics on Windows, MacOSX and Linux (incl. Android).

• Put the student in contact with different memory forensics
tools and provide him information on how to use the
gathered forensic data to perform a wide range of

Published in: Technology
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

2010 2013 sandro suffert memory forensics introdutory work shop - public

  1. 1. Memory Forensics (Windows, Mac and Linux) Sandro Süffert - http://suffert.com CTO, APURA CyberSecurity Intelligence http://apura.com.br | twitter: @suffert 2010->2013
  2. 2. Memory Forensics: Course objectives • Help the student to achieve a broad understanding of the main types of memory forensic data gathering and analysis • Serve as an introduction to low level concepts necessary for a proper understanding of the task of performing memory forensics on Windows, MacOSX and Linux (incl. Android). • Put the student in contact with different memory forensics tools and provide him information on how to use the gathered forensic data to perform a wide range of investigations
  3. 3. Agenda Windows Memory Forensics Theory • • • • • • • • • • • Windows Memory Forensics Demos and Hands-On References Offline Memory Analysis vs Live Response Acquisition / Context / Analysis Order of Volatility Physical Memory, Virtual Memory Paging / Swapping / Hibernation Kernel Modes Memory Mapping Processes / Threads / Services / Jobs Acquisition details Analysis details • • • • • • • • • • • • • Hands-on Bonuses: • • • • • MacOSX memory analysis Linux memory analysis Android memory analysis Stuxnet artifacts analysis More if time permits MoonSols Community Edition FastDump FTKImager Memoryze Volatility Fget Microsoft Windows Debugger LiveKD Pdgmail / pdymail Sysinternals / NirSoft / NTSecurity AccessData FTK 4.x Encase FIM/Enterprise 6.17 HBGary Responder Pro
  4. 4. Supporting Tools for the Practical Labs (Hands-On): • Linux: • • • • Hexadecimal editor (hexedit – CLI / ghex - GUI) Hash calculator (md5sum, sha1sum) Base64 decoder (base64) Win ASCII to Unix ASCII convertor (dos2unix) • Windows Freeware: • Hexadecimal editor: • FRHED - http://frhed.sourceforge.net/ • Time conversions: • TimeLord: http://computerforensics.parsonage.co.uk/timelord/timelord.htm • Dcode: http://www.digital-detective.co.uk/freetools/decode.asp
  5. 5. Memory Forensics - References Books: I - Windows Forensic Analysis v2, Harlan Carvey Chapter 3 – Windows Memory Analysis II - Malware Forensics – Investigating and Analyzing Malicious Code, James Aquilina, - Eoghan Casey, Cameron Malin Chapter 3 – Memory Forensics: Analyzing Physical and Process Memory Dumps and 9 – Analysis of a Suspect Program III – Computer Evidence Collection & Preservation, Christopher L.T. Brown Chapter 6 – Volatile Data and Chapter 11 – Collecting Volatile Data IV - EnCE – The Official Encase Certified Examiner Study Guide, 2nd Edition, Steve Bunting Chapter 3 – First Response and Chapter 9 – Windows Operating System Artifacts V - Undocumented Windows, chapter 4, Sven B. Schreiber VI - Windows Internals (4st editon) chapter 7, Mark Russinovich and David Salomon.
  6. 6. Memory Forensics - References Papers: Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis CERT: http://www.cert.org/archive/pdf/08tn017.pdf (Cal Waits, Joseph Ayo Akinyele, Richard Nolan, Larry Rogers) Collecting Evidence from a Running Computer - SEARCH: http://www.search.org/files/pdf/CollectEvidenceRunComputer.pdf (Todd Shipley and Henry Reeve) "A Methodology for the Law Enforcement Collection of Digital Evidence from a Running Computer” Lest We Remember: Cold Boot Attacks on Encryption Keys: http://citp.princeton.edu/pub/coldboot.pdf Eletronic Crime Investigation - NIJ: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf Electronic Evidence – Guide for First Responders – http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf
  7. 7. Memory Forensics - References Papers DFRWS - Digital Forensic Research Conference: Windows Operating System Agnostic Memory Analysis. James Okolica and Gilbert Peterson. http://dfrws.org/2010/proceedings/2010-306.pdf Extracting Windows Command Line Details from Physical Memory. Richard Stevens and Eoghan Casey. http://dfrws.org/2010/proceedings/2010-307.pdf A Novel Time-Memory Trade-Off Method for Password Recovery. Vrizlynn L. L. Thing and Hwei-Ming Ying. http://dfrws.org/2009/proceedings/p114-thing.pdf Extraction of Forensically Sensitive Information from Windows Physical Memory. Seyed Mahmood Hejazi, Chamseddine Talhi and Mourad Debbabi. http://dfrws.org/2009/proceedings/p121-hedjazi.pdf The Persistence of Memory: Forensic Identification and Extraction of Cryptographic Keys. Carsten Maartmann-Moe, Andre Arnes and Steffen E. Thorkildsen. http://dfrws.org/2009/proceedings/p132-moe.pdf Forensic Analysis of the Windows Registry in Memory. Brendan Dolan-Gavitt. http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf
  8. 8. Memory Forensics - References Papers DFRWS - Digital Forensic Research Conference: Recovering Deleted Data From the Windows Registry. Timothy Morgan. http://www.dfrws.org/2008/proceedings/p33-morgan.pdf Forensic Memory Analysis: Files mapped in memory. Ruud van Baar. http://www.dfrws.org/2008/proceedings/p52-vanBaar.pdf The impact of Microsoft Windows pool allocation strategies on memory forensics. Andreas Schuster. http://www.dfrws.org/2008/proceedings/p58-schuster_pres.pdf BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software. Bradley Schatz. http://www.dfrws.org/2007/proceedings/p126-schatz.pdf The VAD Tree: A Process-Eye View of Physical Memory. Brendan F Dolan-Gavitt. http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf Searching for processes and threads in Microsoft Windows memory dumps. Andreas Schuster. http://www.dfrws.org/2006/proceedings/2-Schuster.pdf
  9. 9. Memory Forensics - Tools 1) Virtual Machines: a) VMWare Workstation, Server or Player: http://www.vmware.com (or Virtualbox) b) Forensic VM DEFT VM: http://www.deftlinux.net/; or SIFT Workstation 2.1: https://computer-forensics2.sans.org/community/siftkit/ c) Lab VM: “ACMEXP01” 2) Free/GPL Tools: 2.01 - MoonSols Community Edition -http://www.moonsols.com/component/jdownloads/view.download/3/2 2.02 - FastDump - https://www.hbgary.com/community/free-tools/#fastdump 2.03 - FTKImager - http://www.accessdata.com/downloads.html#FTKImager 2.04 - Memoryze - http://www.mandiant.com/products/free_software/memoryze/ 2.05 - Volatility - https://www.volatilesystems.com/default/volatility 2.06 - Fget - https://www.hbgary.com/community/free-tools/#fget 2.07 - Microsoft Windows Debugger - http://www.microsoft.com/whdc/devtools/debugging/default.mspx 2.08 - LiveKD - http://technet.microsoft.com/en-us/sysinternals/bb897415.aspx 2.09 - pdgmail/pdymail - http://jeffbryner.com/code/ 2.10 - PTK - http://ptk.dflabs.com/ 2.10 - Sysinternals - http://technet.microsoft.com/en-us/sysinternals/default.aspx 2.11 - NirSoft - http://www.nirsoft.net/ 2.12 - NTSecurity - http://ntsecurity.nu/toolbox/ 3) Commercial Tools: 3.1 – AccessData FTK 4.x / 5.x 3.2 – Encase FIM/Enterprise 6.17 / Encase 7.x 3.3 – HBGary Responder Pro
  10. 10. Memory Analysis vs Live Response * • Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis - CERT Cal Waits, Joseph Ayo Akinyele, Richard Nolan, Larry Rogers http://www.cert.org/archive/pdf/08tn017.pdf (2008) “Despite the drawbacks associated with volatile memory analysis, it is the authors’ opinion that volatile memory analysis will be integral to the digital investigation process going forward. (…) , the best approach is a hybrid based on situational awareness and a triage mentality. (..) Full memory analysis (and the requisite memory acquisition) should be used to augment and supplement traditional digital forensic examination when greater understanding of the running state of the machine is critical to resolving the case.”
  11. 11. http://www.cert.org/archive/pdf/08tn017.pdf
  12. 12. Memory Analysis vs Live Response http://www.cert.org/archive/pdf/08tn017.pdf
  13. 13. Live Response • Tool execution to get data from the Windows O.S. While it is running: – netstat/tasklist/arp/hostname .. (native tools) – Sysinternals Tools – NirSoft Tools – FoundStone Tools – Microsoft Cofee – Helix – Etc..
  14. 14. MS Cofee Decaf Computer Online Forensic Evidence Extractor arp.exe ‐a at.exe autorunsc.exe getmac.exe handle.exe ‐a hostname.exe ipconfig.exe /all msinfo32.exe /report nbtstat.exe ‐n nbtstat.exe ‐A nbtstat.exe ‐S nbtstat.exe ‐c net.exe share net.exe use net.exe file net.exe user net.exe accounts net.exe view net.exe start net.exe Session net.exe localgroup administrators /domain net.exe localgroup net.exe localgroup administrators net.exe group netdom.exe query DC netstat.exe ‐ao netstat.exe ‐no openfiles.exe /query/v psfile.exe pslist.exe pslist.exe ‐t psloggedon.exe psservice.exe pstat.exe psuptime.exe quser.exe route.exe print sc.exe query sc.exe queryex sclist.exe showgrps.exe srvcheck tasklist.exe /svc whoami.exe Contaminate MAC Addresses: Spoof MAC addresses of network adapters Kill Processes: Quick shutdown of running processes Shutdown Computer: On the fly machine power down Disable network adapters Disable USB ports Disable Floppy drive Disable CD-ROM Disable Serial/Printer Ports Erase Data: Quick file/folder removal (Basic Windows delete) Clear Event Viewer: Remove logs from the Event Viewer Remove Torrent Clients: Removes Azureus and BitTorrent clients Clear Cache: Remove cookies, cache, and history
  15. 15. Live Response - Limitations http://decafme.org/decaf-software.html
  16. 16. Other Live Response Limitations (when dealing with a technicaly savvy adversary) • These tools can be easily defeated: • Microsoft sigverif.exe. This is a GUI File Signature Verification included with all Windows installations. It will freeze after enumerating files (but before checking their signatures). • • • • signtool.exe. This is a command-line tool included with Visual Studio. signdrv.dll. The WMI provider for Signed Drivers. sigcheck.exe. The popular tool from SysInternals will freeze after printing the version banner, regardless of what options you choose. Mandiant Redline. A tool for streamlining forensic data acquisition and analysis. On live systems, it will attempt to verify driver signatures before capturing memory. Unfortunately it will freeze on step 1 and never actually get to the memory step. • Any other forensic tools or digital signature verification utilities that use the specific APIs in wintrust.dll. “To trigger the bug, all you have to do is create a file. It can be done from an administrator shell as shown below, or you can do it from shell code after an exploit” C:> echo "" > C:WINDOWSsystem32catroot2{111111111111111111111111111111111111} Source: http://mnin.blogspot.com.br/2013/06/how-to-dos-authenticodesignature.html (Michael Ligh)
  17. 17. Lab – Please log into the “ACMEXP1” VM Machine: • user: “Administrator” / password: “password” – Configure your VMWare or Virtualbox to use the “host-only / private network” network configuration – Use built in Windows commands and Freeware tools to get volatile information from the system (from the command prompt – cmd.exe – c:usb) • fport/netstat -ano • Pslist/tasklist
  18. 18. Lab – Please log into the Forensic VM (“SIFT 2.1” / “DEFT”) • user: “sansforensics” • password: “forensics” – Configure your VMWare or Virtualbox to use the “host-only / private network” network configuration – Use a terminal from your Forensic VM: • connect to the 666 port (using nc or telnet) to the “ACMEXP1” machine (keep the connection open) • ie: $ telnet 666
  19. 19. Lab – From the ACMEXP1 machine, probe again for information about the proccesses executing and the sockets that are open with “live response” tools: • fport/netstat –ano • Pslist/tasklist – Comments ?
  20. 20. Memory Forensics – A lot of data, some structure – A lot of internal memory structure is not documented – The first objective is to obtain context from artifacts and evidence found in memory dumps
  21. 21. Memory Forensics – Acquisition * • executing memory • Pagefile • Hibernation file – Context • FInd offsets from the needed structures • extract structures from memory • Isolate processes – Analysis • Interation between different structures • Recovering evidence of activity
  22. 22. “Memory” • • • • • • • • • • • RAM ROM Flash memory (EPROM) Cache (L1, L2) Dynamic RAM (DRAM) Static RAM (SRAM) ThumbDrives Virtual Memory Video Memory BIOS Hard Disk – Permanent Memory
  23. 23. Memory • RAM: a read happens in 0.00000001 seconds (electronic) • HD: a read happens in 0.01 sec (for mecanic disks) diagram: wikipedia.org
  24. 24. CPU registers, cache (10-9 seconds) 2. Kernel Memory e Physical Memory (10-8 seconds) 3. Network Connections (10-3 seconds) 4. Processes (1 second) 5. Discos Rígidos (years) 6. Floppy, Backup Tapes, CD-ROM (years) 7. Printed material (decades) order of volatility 1. http://www.ietf.org/rfc/rfc3227.txt - Guidelines for Evidence Collection and Archiving
  25. 25. Informations that can be found in Memory * • • • • • • • • • • • Processes Drivers Kernel Modules Socket Information Passwords Crypto Passphrases Decrypted files Execution order Execution state Configuration Information Clipboard material • • • • • • • • • • • Logged Users Network Driver Buffers Open Files Unsaved documents Live Registry Vídeo Buffers (screen shots) BIOS Memory VOIP Calls Malicious Code IM Chats Rootkits footprint
  26. 26. Physical Memory – Electronic circuits / RAM chips (random memory access), used to temporarily keep the information on execution time – Contains the current state of the computer – Hardware Perspective
  27. 27. Virtual Memory – Operational System perspective – Maximum space that an process can occupy – Virtual Addresses are mapped into physical addresses
  28. 28. Memory Paging • Page = fixed size block from the memory that is contiguous from the physical and virtual addresses perspectives • Its the Menor quantidade de dados para: – Memory allocation – Transfer between physical memory and swap (pagefile) • Memory Page Sizes varies depending on the architecture of the processor: – x86: 4Kb (2Mb if PAE is used) – IA64: from 4kb up to 256Mb
  29. 29. Paging/Swapping – When a process will be loaded into memory, the pager manager decides which pages will be used and take only the necessary pages into memory, reducing the time and the amount of physical memory required per process. – When there is little RAM, virtual memory moves data from the physical memory space (HD) called a paging file (slows your computer). – In the Windows nomenclature, "Virtual Memory" is the space available for the paging file: – Paging file naming: » Windows 3.x: 386SPART.PAR » Windows 9x: WIN386.SWP » Windows NT: PAGEFILE.SYS
  30. 30. 32/64 bit architectures limitations – Maximum virtual memory – available per process*) • 32 bit *: 4 GB = 2^32 = 4.294.967.296 bits • 64 bit: 16 TB = 2^64 = 18.446.744.073.709.551.616 bits * Since “Pentium Pro”, 32bit CPUs are capable of addressing 36 bits of RAM. But they are still limited to a virtual memory addressing of 32 bit (4GB) per proccess. http://www.microsoft.com/whdc/system/platform/server/pae/pae_os.mspx – Size limit of the page file: • 32 bit: 16 TB • 64 bit: 256 TB
  31. 31. Hibernation * – The hibernation file (%SYSTEMDRIVE%hiberfil.sys) is the sum of the physical memory and the swap (pagination) memory – and is compressed. – It contains data that was present at memory from the last time that the system was “hibernated” – The hiberfil.sys file contains a header, free pages, page tables and compressed data – The system can be forced to hibernate
  32. 32. maioria dos endereços de memória são virtuais todos os endereços são virtuais Windows Kernel Mode/User Mode (Virtual) Memory Manager Manages the Virtual Memory, controlling the protection and memory paging between the physical memory and the Hard Disk. Implements generic allocation of physical memory. Implements a PE analyzer (portable executables) that allows an executable file to be mapped or removed from memory in one step Process Manager Responsible for creating processes and threads
  33. 33. Windows Kernel – From the Hierarchical Domain Protection standpoint, the Windows Kernel is in Ring 0 – Important: Kernel components have unrestricted access to all system
  34. 34. Windows Kernel – Windows Executive manages memory, processes, threads, security, objects, I/O, network – Hardware Abstract Layer (HAL) – USER and GUI functionality – drivers provide support to (I/O) from hardware
  35. 35. User mode * • Restrict access to the system (Ring 3) – Can access resources from the system via Windows APIs (kernel32.dll, ntdll.dll) • Contains: – User applications – Support processes (logon) – Service processes – Environment subsystems
  36. 36. Memory Memoria (RAM) Physical Memory Windows P1 P2 P3 P4 P5 Proccess Virtual Memory Each Proccess has a Page Directory (PDE), mapping virtual address to physical address or swap addresses
  37. 37. Total Logical Memory • Sum of all Virtual Memory Physical Memory 2 GB Memory (RAM) OS 4GB 4GB 4GB 4GB 4GB 4GB Virtual Memory 6 x 4GB = 24 GB <= Logical Memory
  38. 38. 2 GB 0 GB Page Directory and Page Tables Physical Memory Process Virtual Memory 0 GB 4 GB 0x00C00000 – 0x00E00000 0x00CE0000 – 0x00E00000 0x00CD0000 – 0x00CDF000 PTE 0010 - 0015 0x00CE0000 – 0x00CF0000 0x00D10000 – 0x00D20000 VAD Tree The reconstruction of theVAD Tree (Virtual Adress Descriptors) allows the reconstruction of t memory space of a process togheter with all files mapped by this processele Disco Rígido HbGary
  39. 39. Virtual Address Descriptors Volatility Modules: vaddump vadinfo vadwalk Dump the Vad sections to files Dump the VAD info Walk the vad tree The reconstruction of the VAD Tree (Virtual Adress Descriptors) allows the reconstruction of the memory space of a process togheter with all files mapped by this process $ python volatility vadwalk -f <path-to-image-dump> ************************************************************************ Pid: 4 Address Parent Left Right Start End Tag Flags 819c1300 00000000 00000000 81948bc0 00010000 00033fff Vad 0x00C00000 – 0x00E00000 81948bc0 819c1300 8185b008 00000000 7c900000 7c9b1fff Vad 8185b008 81948bc0 00000000 817dd0b0 00060000 00060fff Vad 817dd0b0 8185b008 00000000 00000000 00070000 0016ffff Vad ************************************************************************ Pid: 440 0x00CE0000 – 0x00E00000 0x00CD0000 – 0x00CDF000 Address 0010 - 0015 Parent Left Right Start End Tag Flags PTE 8183a210 00000000 8186b670 819806e0 48580000 4858efff Vad 8186b670 8183a210 00000000 81856080 00000000 000fffff VadS 81856080 8186b670 00000000 8184a050 00100000 00100fff VadS 8184a050 81856080 00000000 81849790 00110000 00110fff VadS 0x00CE0000 – 0x00CF0000 0x00D10000 – 0x00D20000 81849790 8184a050 00000000 81845050 00120000 0015ffff VadS 81845050 81849790 00000000 816d3030 00160000 0025ffff VadS 816d3030 81845050 00000000 816d30c0 00260000 0026ffff VadS VAD Tree
  40. 40. Memory Mapping Virtual Addresses Memory Pages Unique pages for this memory block Block sizes Unreferenced Pages
  41. 41. Virtual Memory Layout 4 GB Kernel Memory 2 GB • The first 2GB* of virtual memory are reserved for the Windows Kernel. They are not accessible from the userland processes. * User Memory 0 GB Except when the /3GB option is used on boot.ini [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(2)WINNT [operating systems] multi(0)disk(0)rdisk(0)partition(2)WINNT="????" /3GB
  42. 42. Virtual Memory - userland 2 GB Windows system specific structures Windows System Libraries (DLLs) Windows DLLs, Application DLLs or Allocated memory DLLs or Allocated Memory Application Binary Stack Heap or allocated memory 0 GB
  43. 43. Processes – Processes are containers for memory address space and threads – Own virtual memory space • Unique ID: Process ID (PID) – At least one execution thread – Security Context
  44. 44. Processes • Processes are units of allocation of resources such as files, I/O, memory, privileges and run in separate address spaces • Processes are also units for scheduling threads they might be ready, waiting or running
  45. 45. Memory Allocation • When the program is running, each process has its own memory address space and operating system controls this use of memory pages in physical memory (RAM) or in "virtual memory" – paging file: (%SYSTEMDRIVE%pagefile.sys) • Problem for Forensics: The mapping is not consistent (*) between versions of Windows (XP, 2000, 2003, Vista, 7) and even windows editions (Home, Pro, Enterprise) and Service Packs (0, 1, 2, 3, …) (*) Windows Operating System Agnostic Memory Analysis. James Okolica and Gilbert Peterson. http://dfrws.org/2010/proceedings/2010-306.pdf
  46. 46. Virtual Memory Allocation – Programs can allocate virtual memory dynamically – The Windows Kernel use the Virtual Address Descriptors data structure (VAD Trees) to control virtual memory allocations – Memory analysis tools combine the information contained in VAD Trees with the page tables for each process
  47. 47. Windows Kernel: Memory – Analysis for identification of addresses and memory pages used by processes: • EPROCESS/KPROCESS/ETHREAD – structures accessed only via kernel mode • PEB – Process Environment Block – fixed virtual address for 32bit: 0x7FFDF000 – can be accessed from user mode – Ways to verify it: • Livekd + Microsoft Windows Debugger (online) • volatiliy volshell (offline) <= SIFT 2.0+
  48. 48. Windows Kernel: Memory • EPROCESS – DirectoryTableBase (DTB) – also known as PageDirectoryBase (PDB) – CreateTime – UniqueProcessId – ImageFileName – executable name – InheritedFromUniqueProcessID – Parent Process ID – PEB – Process Environment Block
  49. 49. Windows Kernel: Memory Links allow the separation between processes. ie: when a proccess runs in memory it has aforward link (FLINK) and a backward link (BLINK) for processes that are located on close addresses on the memory.
  50. 50. Creation and Ending of Processes * • Process Creation Triggers: • • • • • system startup actions of other processes; user actions manager actions batch jobs • Process Ending Triggers: – – – – – Normal exit Forced error Unforced error Killed by an user Killed by an process
  51. 51. Creation of Processes common internal structures and commands • • • • • CreateProcess Rundll32.exe cmd.exe cmd /c command.com /c • • • • • • • • ShellExec ShellExecute ShellExecuteA WinExec Shell32.DLL exec execve system
  52. 52. Threads – A Thread is a container for execution • • • • • Private storage Thread Local Storage / TLS Unique ID: Thread ID (TID) CPU states (register counters) Execution stack (stack / LIFO) Security Context
  53. 53. Threads States KeInitThread Transition k stack swapped Initialized PspCreateThread KiReadyThread KiInsertDeferredReadyList KiInsertDeferredReadyList KiReadyThread Deferred Ready Ready process swapped KiRetireDpcList/KiSwapThread/ KiExitDispatcher KiProcessDeferredReadyList KiDeferredReadyThread no avail. processor KiSetAffinityThread KiSetpriorityThread Ready KiSelectNextThread KiUnwaitThread KiReadyThread Waiting Idle processor or preemption Standby preemption Affinity ok KiQuantumEnd KiIdleSchedule KiSwapThread KiExitDispatcher NtYieldExecution Affinity not ok Terminated KeTerminateThread Running Kernel Thread Transition Diagram DavePr@Microsoft.com 2003/04/06 v0.4b preemption
  54. 54. Process, Thread, Job * • Process – at least one thread, can be more (multi-threaded applications) – used space in memory and resources controlled by the process • Thread – basic unit of execution – The O.S. Schedules threads for execution • Job – when the execution is controled by programs (userland) – exists on Windows since the 2000 version
  55. 55. Device Drivers – Dynamic modules that are loaded into the Kernel to provide support for I/O or I/O interface with the user – Like all kernel components, drivers have unrestricted access to the system (Ring 0)
  56. 56. Services – Programs (user mode) that provide functions independent of the logged user – Examples: • Task Manager • Print Spooler • Windows Update
  57. 57. Windows Registry – A hierarchical database that contains configuration information • Registry on disk (windowssystem32config) • LIVE Registry (Memory) – Examples: • • • • • • Startup Settings Driver Settings Hardware Configuration Users settings Application settings Current User Settings
  58. 58. Memory Forensics – Collection/Acquisition • Running memory • Page file (pagefile.sys) • Hibernation File (hiberfil.sys) – Contextualization • Isolate processes • Find necessary offsets • Extract memory structures – Analysis • interaction between structures • recovery of evidences
  59. 59. Memory Forensics – Is independent of the operating system (that may be deceived) – Anti-Forensics Tools/Malware/Rootkits – Can detect malicious code that bypass other security tools such as antivirus and HIPS – The goal is to reconstruct the information from the physical layer, checking the system runtime state
  60. 60. Memory Forensics – advantages – Rootkits bypass the usermode and act in kernel mode, tricking the O.S. and applications used in "Live Response" – Password in clear text in memória (ie: mimikatz) – Programs running – Open Documents / Files – Open content of compressed programs (packers) – Network Connections – current and recent – Crypto Keys (BitLocker, PGP Whole Disk Encryption, TrueCrypt, etc...) – Command Line parameters (DOSKEY/cmd.exe)
  61. 61. Memory Forensics: Hacking – Always remember: do not trust on the O.S. – Memory injection attacks do not touch the disk. Hacker tools use these techniques for years: • Metasploit Framework/Meterpreter (www.metasploit.com) • Canvas (www.immunitysec.com) • Core Impact (www.coresecurity.com) – For certain attacks, there is no detection mechanism via software and the acquisition and preservation of physical memory and later offline analysis is the best approach
  62. 62. “Trojan Defense” * – “I did nothing, it was the Trojan horse/backdoor” • “There was a hacker controlling my PC” – Defense used for the first time in the United Kingdom, in 2003 • Plausible deniability because LEO did not generate a physical memory image – “Law Enforcement destroyed 4GB of evidence” • 4GB = more than a million pages of paper • Objective: Analysis to prove that there was no trojan or other malicious software running on the machine to contradict this possible defense claim.
  63. 63. History of process acquisition • • • • Pmdump – Arne Vidstrom Process Dumper – Tobias Klein Userdump – Microsoft Adplus.vbs – Microsoft Debugging Tools – It may be useful to generate a memory dump of a specific process of interest (MSN, GTALK, IE, FF, ...)
  64. 64. Memory Acquisition via Hardware – CPU Suspension and and use of Direct Memory Access (DMA) to copy the physical memory • Tribble (2004). By Brian Carrier e Joe Grand • needs to be installed prior to data acquisition • Similar devices are useful for hardware debugging – Firewire / Thunderbolt • IEEE 1394 - Specification allows direct memory access (DMA) • Memory mapping is done by hardware • References: – Firewire: http://blogs.gnome.org/muelli/2010/04/04/reading-ram-using-firewire/ – Thunderbolt: http://www.breaknenter.org/projects/inception/ » Demo: http://www.youtube.com/watch?v=V1MBrwkB
  65. 65. Memory Acquisition • Crash Dumps • Advantages: – System state is frozen – ensures that no changes are made – Microsoft provides “Microsoft Debugging Tools” and “Kernel Memory Space Analyzer” • Limitations: – Systems with more than 2GB of memory do not generate complete dumps – By default, Windows do not generate crash dumps via commands – Some windows versions do not generate complete dumps Tool: NotmyFault - Sysinternals (Mark Russinovich)
  66. 66. Memory Acquisition • Memparser – Chris Betz – DFRWS 2005 • Just for Windows 2000 • http://sourceforge.net/projects/memparser/ • dd for windows – dd.exe • dd.exe if=.PhysicalMemory of=<…>memorydump.img • http://gmgsystemsinc.com/fau/
  67. 67. Memory Acquisition – Nigilant32 – Agile Risk Management (GUI) – ProDiscover IR (GUI) – Problems/Limitations: (dd.exe/Nigilant32/Prodiscover IR) • Userland access to physical memory (=.PhysicalMemory) was blocked since Windows 2003 SP 1 / Windows XP SP2
  68. 68. Memory Acquisition – KnTDD (George Garner) – free for LE • • • • Runs on 32 & 64 bit machines Capable of generating Microsoft Crash Dumps Local dump (usb/firewire) or remote dump (tcp/ip) Audit registry and integrity checking – MDD (Mantech) • Newer Systems (up to Vista) • Cannot acquire more than 4Gb of memory
  69. 69. Memory Acquisition * • Virtualization Technologies – VMWare • VM Suspension creates .vmem file (similar to raw dump) • SnapShots – VirtualPC – Xen – Qemu
  70. 70. Memory Acquisition: Hibernation * • The hibernation file (%SYSTEMDRIVE%hiberfil.sys) is the sum of the physical memory and the swap memory (or paging) - compressed. • Matthieu Suiche decoded the Windows hibernation file format (BH 2008 – “SandMan project”) – Moonsols Community Edition – hibr2bin.exe for XP, 2003, 2008 and Vista 32bits (comercial version: for 32 e 64 bit up to Windows 7)
  71. 71. Forcing the Hibernation • 1) configuration Windows XP,2000,2003 » powercfg.exe /HIBERNATE on Windows Vista, 7, 2008 » powercfg.exe –h on • 2) rundll32.exe powrprof.dll,SetSuspendState Hibernate » Or you can use the GUI » or c:> psshutdown.exe –h (sysinternals binary) • <%SYSTEMDRIVE%>/hiberfil.sys is generated (overwrites previous hiberfil.sys)
  72. 72. Memory Acquisition • Princeton – Cold Boot (True hibernation) – Lest We Remember: Cold Boot Attacks on Encryption Keys (2006) – http://citp.princeton.edu/pub/coldboot.pdf • DRAM submerged in liquid nitrogen ( -196 degrees Celsius) - loss of only 0.17% of the data after 60 min off the computer
  73. 73. Memory Acquisition • Memoryze (Jamie Butler e Peter Silberman) – The Memoryze tool provides a batch script for the acquisition of physical memory. – cd %SystemVolume%%ProgramFiles%MandiantMemoryze” • Execute “MemoryDD.bat –output <directory_name>” – Advantage: colects at the same time the pagefile and the physical memory – To install it on a pendrive: • msiexec /a MemoryzeSetup.msi /qb TARGETDIR=<pendrive>:Memoryze
  74. 74. Memory Acquisition – winen / winen64 – Guidance Software (http://www.guidancesoftware.com) – Expert Witness Format (EWF/E01)
  75. 75. FTK Imager • AccessData – http://www.accessdata.com – GUI or CLI – raw format / converts from E01 to raw
  76. 76. Memory Acquisition • FastDump / FastDump Pro (Greg Hoghlund) – HBGary (http://www.hbgary.com) • Includes the page file on the dump (pagefile.sys)
  77. 77. Memory Acquisition • MoonSols / win32dd, win64dd, Dumpit (Matthieu Suiche) – Free (community edition) – All windows 32-64bit – Open Source – Can create windbg crash dumps – Remote acquisition using tcp sockets – Generates cryptographic Hashes (MD5/SHA1/SHA-256)
  78. 78. Moonsools community edition: http://moonsols.com | http://msuiche.net README: - win32dd works for Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 32-bits Edition. - win64dd works for Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 64-bits (x64) hibr2dmp and hibr2bin only works with Microsoft Windows XP, 2003, 2008, Vista 32-bits Edition Microsoft Windows hibernation files, including corrupted hibernation files. - dmp2bin only works with Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 32-bits Edition of Microsoft full memory crash dump files. - bin2dmp works with Microsoft Windows XP, 2003, 2008, Vista 32-bits Edition raw memory snapshots (windd, VMWare -- Can also work with Live VMWare Virtual Machine but only in the Professional Edition).).
  79. 79. DUMPIT.EXE
  80. 80. Local Imaging Software Company/Dev eloper FastDump Community FastDump Pro WinEn MDD Memoryze Win32DD/Dumpit HBGary HBGary Guidance Software Mantech Mandiant Matthieu Suiche www.encase. com www. www.mandiant.co www.win32dd.msu Mantech.com m iche.net Web Site www.hbgary.com Licence Type Free Commercial Commercial Free Free Free 64 BIT No Yes Yes Yes Not tested Yes 4GB Limit No Yes Yes Not tested Not tested Yes  Windows 7 No Yes Yes Yes Not tested Yes Windows Server 2008 No Not tested Not tested Yes Yes Yes Windows Vista No Yes Yes Yes Yes Yes Windows XP Yes Yes Yess Yes Yes Yes source: Jon Evans
  81. 81. Remote Imaging EnCase Enterprise EnCase FIM Edition Edition Web Site www.encase.com Pro-Disccover Agile Risk Management Software Company/Developer Guidance Software F-Response Tech Pathways www.fresponse.com www.techpathways.com Connectivity One to many connections One to one One to one or one One to one or one to to many many Imaging Option Yes Yes No Yes 64 BIT Yes Yes Yes No  Yes Yes Yes No Windows 7 Yes Yes Yes Yes Windows Server 2008 Yes Yes Yes Yes Windows Vista Yes Yes Yes Yes Windows XP Yes Yes Yes Yes 4GB Limit
  82. 82. Memory Analysis – “old-school” – strings & grep/findstr on a memory dump to lookup for ASCII and UNICODE strings (manual carving) • Can be useful to include as a target for search indexing and/or names (documents, programs, passwords ...) • Restricted functionality by inability to differentiate the mailings and memory pages used by each process • Produces large amounts of data without contextualization
  83. 83. Analysis of Physical Memory • Some artifacts that might exist in memory – Running processes – Open files – Network connections and listening ports – Open registry keys – Application information – Passwords in clear text 5-
  84. 84. Analysis of Physical Memory – – – – – – – – – – – Unencrypted data Instant messenger chat sessions Document data Web based email Malware Rootkits & Trojans Internet History MFT Records Pictures Image data and time BIOS details 5-
  85. 85. Linking Memory Image to Computer • Forensically speaking it is important to be able to produce repeatable processes • Therefore linking a particular memory image to a computer could be an important aspect of any analysis • This can be achieved by using a GREP expression to extract the BIOS information of the host computer from the memory dump • EnCase, SMART, FTK can all be used to carryout the search 5-
  86. 86. Locating BIOS Information • The BIOS information may include; – Make – Model – Serial number • Richard McQuown (http://forensiczone.blogspot.com/search?q=bio s) posted the GREP expression on his blog to locate the BIOS details; x00x14x00x00x01x02..x03 5-
  87. 87. Using GREP to locate BIOS Information • Use GREP tool GUI or Command line capable of searching binary files • Use term; x00x14x00x00x01x02..x03
  88. 88. FTK Imager Searching for BIOS Information
  89. 89. FTK Imager Searching for BIOS Information Results
  90. 90. Memory Analysis • Pattern Matching based on regular expressions (regex) searches on process or physical memory dumps: root@SIFT-Workstation:/usr/local/src/ram-analysis# find . -iname '*.py' -ls 1728861 12 -rwxr-xr-x 1 root root 8497 Mar 16 00:05 ./pdgmail.py 1728862 16 -rwxr-xr-x 1 root root 12645 Mar 16 00:05 ./pdymail.py 82129 16 -rwxr-xr-x 1 root root 16288 Mar 16 00:14 ./pdfbook.py 82133 4 -rwxr-xr-x 1 root root 3014 Mar 8 11:38 ./skypeex/skypeex26.py
  91. 91. Memory Analysis – pdgmail.py
  92. 92. Analysis of memory structures • Recent (since 2003) – First Tools: DFRWS 2005, Kornblum, Carvey, .. (page 95 WFA2) – Open source and academic projects • • • • Perl scripts Hex editors macros Volatility framework – http://www.volatilesystems.com Memoryze – http://www.mandiant.com
  93. 93. Volatility The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
  94. 94. Volatility Capabilities The Volatility Framework currently provides the following extraction capabilities for memory samples • • • • • • • • • • • • • • Image information (date, time, CPU count) Running processes Process SIDs and environment variables Open network sockets Open network connections DLLs loaded for each process Open handles to all kernel/executive objects (files, keys, mutexes) OS kernel modules Dump any process, DLL, or module to disk Mapping physical offsets to virtual addresses Virtual Address Descriptor information Addressable memory for each process Memory maps for each process Extract executable samples • • • • • • • • • • • • Scanning examples: processes, threads, sockets, connectio modules Command histories (cmd.exe) and console input/output b Imported and exported API functions PE version information System call tables (IDT, GDT, SSDT) API hooks in user- and kernel-mode (inline, IAT, EAT, NT sys winsock) Explore cached registry hives Dump LM/NTLM hashes and LSA secrets User assist and shimcache exploration Scan for byte patterns, regular expressions, or strings in m Analyze kernel timers and callback functions Report on windows services
  95. 95. Volatility Usually you run “vol.py” to execute volatility, but on the Linux VM we have 3 versions of volatility installed (* 1.3, 2.2 and 2.3) For this reason, to execute each version please type: $ “volatility” for 1.3 $ volatility-2.2 for 2.2 $ volatility-2.3 for 2.3
  96. 96. Volatility Commands $ volatility-2.3 --info Volatile Systems Volatility Framework 2.3_beta Profiles -------LinuxEvo4GARM - A Profile for Linux Evo4G ARM MacLion_10_7_5_AMDx64 - A Profile for Mac Lion_10.7.5_AMD x64 VistaSP0x64 - A Profile for Windows Vista SP0 x64 VistaSP0x86 - A Profile for Windows Vista SP0 x86 VistaSP1x64 - A Profile for Windows Vista SP1 x64 VistaSP1x86 - A Profile for Windows Vista SP1 x86 VistaSP2x64 - A Profile for Windows Vista SP2 x64 VistaSP2x86 - A Profile for Windows Vista SP2 x86 Win2003SP0x86 - A Profile for Windows 2003 SP0 x86 Win2003SP1x64 - A Profile for Windows 2003 SP1 x64 Win2003SP1x86 - A Profile for Windows 2003 SP1 x86 Win2003SP2x64 - A Profile for Windows 2003 SP2 x64 Win2003SP2x86 - A Profile for Windows 2003 SP2 x86 Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64 Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64 Win2008SP1x64 - A Profile for Windows 2008 SP1 x64 Win2008SP1x86 - A Profile for Windows 2008 SP1 x86 Win2008SP2x64 - A Profile for Windows 2008 SP2 x64 Win2008SP2x86 - A Profile for Windows 2008 SP2 x86 Win7SP0x64 - A Profile for Windows 7 SP0 x64 Win7SP0x86 - A Profile for Windows 7 SP0 x86 Win7SP1x64 - A Profile for Windows 7 SP1 x64 Win7SP1x86 - A Profile for Windows 7 SP1 x86 WinXPSP1x64 - A Profile for Windows XP SP1 x64 WinXPSP2x64 - A Profile for Windows XP SP2 x64 WinXPSP2x86 - A Profile for Windows XP SP2 x86 WinXPSP3x86 - A Profile for Windows XP SP3 x86
  97. 97. Volatility Roadmap • Volatility 2.1 (Official x64 Support) • RC1: July 8, 2012 Release: August 3, 2012 • • • • • • • • • • • • • • • • * New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64) * Majority of Existing Plugins Updated with x64 Support * Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21) * WindowsHiberFileSpace32 Overhaul (also includes x64 Support) * Now supports the following profiles: o Windows XP SP1, SP2 and SP3 x86 o Windows XP SP1 and SP2 x64 (there is no SP3 x64) o Windows Server 2003 SP0, SP1, and SP2 x86 o Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64) o Windows Vista SP0, SP1, and SP2 x86 o Windows Vista SP0, SP1, and SP2 x64 o Windows Server 2008 SP1 and SP2 x86 (there is no SP0) o Windows Server 2008 SP1 and SP2 x64 (there is no SP0) o Windows Server 2008 R2 SP0 and SP1 x64 o Windows 7 SP0 and SP1 x86 o Windows 7 SP0 and SP1 x64 • • • • • * Plugin Additions o Printing Process Environment Variables (envvars) o Inspecting the Shim Cache (shimcache) o Profiling Command History and Console Usage (cmdscan, consoles) o Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp)
  98. 98. Volatility Roadmap • Volatility 2.2 (Official Linux Support) • RC1: Sept 10, 2012 Release: Oct 2, 2012 • • • • • • * Linux Support (Intel x86, x64) kernels 2.6.11 - 3.x * Over 25+ Linux plugins * Windows win32k suite (14+ plugins, classes, algorithms and APIs for analyzing GUI memory) * New or Updated Plugins o eventlogs o getservicesids • Volatility 2.3 (Official Mac/Android/ARM Support) • RC1: N/A Release: June 2013 • • • • • • • • • • • • • • • • • • * Mac Support (x86, x64) * Android/Arm Support * New Address Spaces (VMWareSnapshotFile, VirtualBoxCoreDumpElf64, HpakAddressSpace, MachOAddressSpace) * New or Updated Plugins o shellbags o mbr/vbr parser o mftparser o dumpfiles o iehistory * Plugin Enhancements o Verbose details for kdbgscan and kpcrscan o idt/gdt/timers plugins cycle automatically for each CPU o apihooks detects LSP/winsock procedure tables * New Output Formatting Support (Table Rendering) * New Mechanism for Profile Modifications * New Registry API Support * New Volshell Commands * Updated Documentation and Command Reference
  99. 99. • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • Volatility Roadmap Volatility 3.0 (Official Tech Preview Merge) - RC1: Late 2013 Release: Late 2013 * A refactor and clean up of the vtype language/profiles/object system * Plugin management and the session object * Interactive IPython shell * Unified Plugin Output Format (+ JSON renderers) * Updated Registry Hive and PE File Address Spaces * Performance Profiling and Regression Testing Framework * Updates to Config System * Improved Framework Support (Use as a Library) * Application Profiles and WOW64 * Addition of Windows 8/Server 2012 Support/Testing * New or Updated Plugins o privileges o pktscan o cachedump o dnscache o stack, heaps * x64 Updates to Malware Plugins (timers, callbacks, idt/gdt, apihooks) * Pool Scanner Updates * Unicode improvements * KDBG/DTB Improvements * Profile Selection Enhancements Volatility Future * Update to Python 3.0 * Updates to PDBParse * PyVmiAddressSpace * Pagefile.sys * support single process dumps * Multiprocessing module * Performance profiling (C modules for some functions?)
  100. 100. Volatility stable / Internal Commands
  101. 101. Volatility Plugins
  102. 102. SANS SIFT 2.x > PTK > Memory
  103. 103. LAB – Live vs Offline Memory Analysis: Vmware – VM “AcmeXP1” User: “Administrator”, Password: “password” Live Response: fport /foundstone:
  104. 104. Lab Live Response: pstools / sysinternals-microsoft:
  105. 105. Lab Volatility – SIFT Workstation 2.0: ident (volatility 1.3) imageinfo (volatility 2.x)
  106. 106. Lab * Volatility – SIFT Workstation 2.0: pslist / pstree
  107. 107. Lab * python volatility connscan –f <memory-image.bin>
  108. 108. Lab python volatility sockscan –f <memory-image.bin>
  109. 109. Lab * python volatility procdump –f <memory-image.bin> -p <pid>
  110. 110. Lab – procdump (1.3) / procexedump & procmemdump (2.3) “..changes between the in-memory representation of the file and the disk representation the file” “Visualizing Recovered Executables from Memory Images” http://jessekornblum.livejournal.com/294997.html
  111. 111. Lab – malfind2 * Detect hidden and injected code
  112. 112. Lab : Conclusion * • Offline memory analysis generates identical or better information and is less invasive than "live response“ • Process and established connections review through the memory dump analysis enables more data recovery • This is true even when the machine has usermode and kernel mode rootkits installed
  113. 113. Lab : Hash Dump Goal: to Transform the hibernation file on a memory dump and recover user passwords Obtaining the hibernation file: With the machine off: traditional disk Forensics: Boot with usb or CD / linux Live (helix/caine/deft/etc..) or extract hiberfil.sys from a .DD or .E01 image (ftkimager/encase/etc..) With the machine on : FGET.exe HBGARY Convert the hibernation file to a memory dump (raw): using Volatility: python volatility hibinfo –f <path-to-hiberfil.sys> -d <hiberfil.memory.img> using Moonsols: hibr2bin.exe <path-to-hiberfil.sys> -d <hiberfil.memory.img>
  114. 114. Lab – Volatility & RegRipper – Steps: • Find the registry hive locations on memory • find and dump the SAM e SYSTEM hives • crack the users passwords – Volatility modules used: • hivescan, hivelist, hashdump
  115. 115. Lab – Finding the registry hives in memory (Volatility Hivescan) root@SIFT-Workstation:/media/usb# /usr/bin/python /usr/local/bin/volatility hivescan -f fdpro_dump/20100817_fdpro_acmexp_dump.bin Offset (hex) 34267144 0x20ae008 34289480 0x20b3748 38249752 0x247a518 76358936 0x48d2518
  116. 116. Lab Identifying which hives are present on this memory addresses: root@SIFT-Workstation:/media/usb# /usr/bin/python /usr/local/bin/volatility hivelist -f fdpro_dump/20100817_fdpro_acmexp_dump.bin -o 0x20ae008 Address Name 0xe107b7b0 Documents and SettingsAdministratorLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat 0xe1069b60 Documents and SettingsAdministratorNTUSER.DAT 0xe198c720 Documents and SettingsLocalServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat 0xe14ab008 WINDOWSsystem32configsoftware 0xe18086b8 WINDOWSsystem32configdefault 0xe17c9888 WINDOWSsystem32configSAM 0xe1808b60 WINDOWSsystem32configSECURITY 0xe139c518 [no name] 0xe1019748 WINDOWSsystem32configsystem 0xe1013008 [no name]
  117. 117. Lab • Dumping the hashes usig the SYSTEM e SAM offsets root@SIFT-Workstation:/media/usb# /usr/bin/python /usr/local/bin/volatility hashdump -f fdpro_dump/20100817_fdpro_acmexp_dump.bin -y 0xe1019748 -s 0xe17c9888 Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:b4d242a1cdc59680a8d465842d29c2a2:84ee8679c50437e502ae9b1c8e5f4285::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:edf2c0cd26a166c903a857f3785b043c:::
  118. 118. Lab (with volatility 2.3) $ volatility-2.3 hivelist -f ACMEXP1-20130822-045704.raw Volatile Systems Volatility Framework 2.3_beta Virtual Physical Name ---------- ---------- ---(…) 0xe17c6008 0x07547008 DeviceHarddiskVolume1WINDOWSsystem32configSAM 0xe101a848 0x020d6848 DeviceHarddiskVolume1WINDOWSsystem32configsystem (...) $ volatility-2.3 hashdump -f ACMEXP1-20130822-045704.raw -y 0xe101a848 -s 0xe17c6008 Volatile Systems Volatility Framework 2.3_beta Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:b4d242a1cdc59680a8d465842d29c2a2:84ee8679c50437e502ae9b1c8e5f4285::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:edf2c0cd26a166c903a857f3785b043c::: SUPPORT_388945a1:1005:d687124ff5986a06aad3b435b51404ee:76090b810398cfb9d5ec00d7aae43e4c:::
  119. 119. Lab: all steps... # /usr/bin/python /usr/local/bin/volatility hivescan -f fdpro_dump/20100817_fdpro_acmexp_dump.bin Offset 34267144 76358936 (hex) 0x20ae008 (…) # /usr/bin/python /usr/local/bin/volatility hivelist -f fdpro_dump/20100817_fdpro_acmexp_dump.bin -o 0x20ae008 Address (...) 0xe17c9888 0xe1808b60 0xe1019748 (...) Name WINDOWSsystem32configSAM WINDOWSsystem32configSECURITY WINDOWSsystem32configsystem # /usr/bin/python /usr/local/bin/volatility hashdump -f fdpro_dump/20100817_fdpro_acmexp_dump.bin -y 0xe1019748 -s 0xe17c9888 Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: (…) SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:edf2c0cd26a166c903a857f3785b043c:::
  120. 120. Lab * • Cracking the hashes using RainbowTables • Offline – OphCrack / rcrack / PRTK-DNA / EDPR / Passware • Online: – http://www.onlinehashcrack.com – http://www.objectif-securite.ch/en/products.php?hash=<hash>#Demo The volatility plugins used on this lab were developed by Brendan Dolan-Gavitt: http://moyix.blogspot.com
  121. 121. Lab: OnlineHashCrack results:
  122. 122. Lab - Conclusion Administrator: SUPPORT_388945a0:
  123. 123. Lab: Live Registry root@SIFT-Workstation:/usr/local/src/volatility# perl rip.pl -r /media/usb/fdpro_dump/20100817_fdpro_acmexp_dump.bin@0xe17c9888 -f sam Parsed Plugins file. Launching samparse v.20080415 User Information ------------------------Username : Administrator [500] Full Name : User Comment : Built-in account for administering the computer/domain Last Login Date : Fri Aug 13 21:47:26 2010 Z Pwd Reset Date : Wed Jun 27 22:54:58 2007 Z Pwd Fail Date : Fri Aug 13 00:59:01 2010 Z Login Count : 55 --> Password does not expire (...)
  124. 124. Lab: Photorec with mounted memory image • PhotoRec Is an open source file recovery (aka carving) program • Recovers video, photos, documents, archive files and EXE files from volumes and physical disks • A memory image needs to be mounted as a physical device (ie FTK Imager) to perform a search • Can also be run against running memory using F-Response Site: http://www.cgsecurity.org/wiki/PhotoRec
  125. 125. Memoryze/AuditViewer
  126. 126. Memoryze / AuditViewer
  127. 127. Lab: RedLine/Memoryze
  128. 128. Encase FIM
  129. 129. Encase FIM
  130. 130. Lab: FTK 4.x (5.x) Remote (Mem)
  131. 131. Bonus – Volatility consoles root@SIFT-Workstation:/cases/01/MEMORYDUMP# volatility2 -f ACMEXP1-20130815-051322.raw consoles Volatile Systems Volatility Framework 2.2 ************************************************** ConsoleProcess: csrss.exe Pid: 496 Console: 0x4e2820 CommandHistorySize: 50 HistoryBufferCount: 1 HistoryBufferMax: 4 OriginalTitle: C:usbDumpIt.exe Title: C:usbDumpIt.exe AttachedProcess: DumpIt.exe Pid: 1692 Handle: 0x3f4 ---CommandHistory: 0x4e4fd8 Application: DumpIt.exe Flags: Allocated CommandCount: 0 LastAdded: -1 LastDisplayed: -1 FirstCommand: 0 CommandCountMax: 50 ProcessHandle: 0x3f4 ---Screen 0x1307750 X:80 Y:300 Dump: DumpIt - v1.3.2.20110401 - One click memory memory dumper Copyright (c) 2007 - 2011, Matthieu Suiche <http://www.msuiche.net> Copyright (c) 2010 - 2011, MoonSols <http://www.moonsols.com> Address space size: 268435456 bytes ( 256 Mb) Free space size: 6060228608 bytes ( 5779 Mb) * Destination = ??C:usbACMEXP1-20130815-051322.raw --> Are you sure you want to continue? [y/n] y + Processing...
  132. 132. Bonus - Stuxnet analysis with Volatility How To: http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html Or Stuxnet Memory Dump: /cases/01/MEMORYDUMP/stuxnet.vmem SHA256: 5f19ff1333fc3901fbf3fafb50d2adb0c495cf6d33789e5a959499a92aeefe77 Commands: volatility (1.3) and volatility2 (2.2)
  133. 133. Bonus - SilentBanker (IE Dll injection) Analysis • http://www.youtube.com/watch?v=ejvqjXv9n wM
  134. 134. Bonus – MacOSX, Linux and Android memory Analysis 1.1: The OSX profiles can be found here: https://code.google.com/p/volatility/downloads/detail?name=MacProfilesAll.zip. We used to have a 10.8.3 x64 sample online, but it seems to have been misplaced (link is 404). Give me a day or two to ping some people and see if they have a copy and if so I'll re-upload it and let you know. 1.2: I believe you'll have to contact osxreverser for the sample, its not available publicly to the best of my knowledge. 2.1: The avgcoder sample can be downloaded from http://secondlookforensics.com/linux-memory-images/centos-6.3-x86_64-LiveDVD-avgcoder.mem.bz2. The profile to work with the sample is http://code.google.com/p/volatility/downloads/detail?name=CentOS63.zip. 2.2. The android sample can be downloaded from http://dfrws.org/2012/Rodeo2012.tgz. The Volatility profile is also inside. Just copy Evo4G.zip into your volatility/plugins/overlays/linux directory.
  135. 135. Bonus - Linux https://code.google.com/p/volatility/wiki/LinuxMemoryForensics Bash History: $ volatility2 -f centos-6.3-x86_64-LiveDVDavgcoder.mem --profile=LinuxCentOS63x64 linux_bash -H 0x6e0950 linux_arp - Print the ARP table linux_bash - Recover bash history from bash process memory linux_check_afinfo - Verifies the operation function pointers of network protocols linux_check_creds - Checks if any processes are sharing credential structures linux_check_fop - Check file operation structures for rootkit modifications linux_check_idt - Checks if the IDT has been altered linux_check_modules - Compares module list to sysfs info, if available linux_check_syscall - Checks if the system call table has been altered linux_cpuinfo - Prints info about each active processor linux_dentry_cache - Gather files from the dentry cache linux_dmesg - Gather dmesg buffer linux_dump_map - Writes selected memory mappings to disk linux_find_file - Recovers tmpfs filesystems from memory linux_ifconfig - Gathers active interfaces linux_iomem - Provides output similar to /proc/iomem linux_lsmod - Gather loaded kernel modules linux_lsof - Lists open files linux_memmap - Dumps the memory map for linux tasks linux_mount - Gather mounted fs/devices linux_mount_cache - Gather mounted fs/devices from kmem_cache linux_netstat - Lists open sockets linux_pidhashtable - Enumerates processes through the PID hash table linux_pkt_queues - Writes per-process packet queues out to disk linux_proc_maps - Gathers process maps for linux linux_psaux - Gathers processes along with full command line and start time linux_pslist - Gather active tasks by walking the task_struct->task list linux_pslist_cache - Gather tasks from the kmem_cache linux_pstree - Shows the parent/child relationship between processes linux_psxview - Find hidden processes with various process listings linux_route_cache - Recovers the routing cache from memory linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache linux_slabinfo - Mimics /proc/slabinfo on a running machine linux_tmpfs - Recovers tmpfs filesystems from memory linux_vma_cache - Gather VMAs from the vm_area_struct cache
  136. 136. Bonus - MacOSX RootKit $ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64 mac_psxview $ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64 mac_lsmod $ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64 mac_check_syscalls |grep HOOKED Volatile Systems Volatility Framework 2.3_beta SyscallTable 222 0xffffff7f807ff41d HOOKED SyscallTable 344 0xffffff7f807ff2ee HOOKED SyscallTable 397 0xffffff7f807ffa7e HOOKED calls: (getdirentriesattr) (getdirentries64) (write_nocancel) http://volatility-labs.blogspot.com.br/2013/06/movp-ii-45-mac-volatility-vs-rubilyn.html
  137. 137. Bonus - MacOSX password dumper • https://github.com/juuso/keychaindump Keychaindump is a proof-of-concept tool for reading OS X keychain passwords as root. It hunts for unlocked keychain master keys located in the memory space of the securityd process, and uses them to decrypt keychain files. $ sudo ./keychaindump [*] Searching process 15 heap range 0x7fa809400000-0x7fa809500000 (..) [*] Searching process 15 heap range 0x7fa80a900000-0x7fa80ac00000 [*] Found 17 master key candidates [*] Trying to decrypt wrapping key in /Users/juusosalonen/Library/Keychains/login.keychain (…) [*] Trying master key candidate: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a [+] Found master key: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a [+] Found wrapping key: e9acc39947f1996df940fceb1f458ac74b877579f54409b7 xxxxxxx: xxxxxxx@gmail.com:login.facebook.com:xxxxxxx xxxxxxx@gmail.com:smtp.google.com:xxxxxxx xxxxxxx@gmail.com:imap.google.com:xxxxxxx xxxxxxx:twitter.com:xxxxxxx xxxxxxx@gmail.com:www.google.com:xxxxxxx
  138. 138. Bonus - Android Memory Forensics • Acquisition – LiME () • Analysis: – List all the executed processes: • $ volatility-2.3 --profile=LinuxEvo4GARM -f Evo4GRodeo.lime linux_pslist_cache – List opened / mapped files: • $ volatility-2.3 --profile=LinuxEvo4GARM -f Evo4GRodeo.lime linux_dentry_cache – List mount points: • $ volatility-2.3q --profile=LinuxEvo4GARM -f Evo4GRodeo.lime linux_mount_cache • TIP: adding the “–u” option to the command and you get the previous executed processes, previous opened files and mount points that previously existed on the Android system.
  139. 139. Bonus - Zeus Banking Trojan Analysis http://malwarereversing.wordpress.com/2011/0 9/23/zeus-analysis-in-volatility-2-0/
  140. 140. Bonus - Recovering Twitter and Facebook artifacts from the Memory Jeff Bryner with the Facebook and Twitter artifact extraction Description: This submission provides plugins for carving Twitter and Facebook artifacts from a process' address space. This is accomplished by scanning the address space for the json/html structures that are used by the social media applications. Examples of information extracted include: Twitter direct messages, identifying user information, Facebook direct messages, etc. Download Link: www.volatilityfoundation.org/contest/2013/JeffBryner_FacebookTwitter.zip Related Links: https://github.com/jeffbryner/volatilityPlugins http://www.youtube.com/watch?v=K_gBpdK936o Author's Twitter: @0x7eff
  141. 141. Bonus - Lab: Twitter $ volatility-2.3 -f twitter-ACMEXP1-20130822-064258.raw twitter –p 2536 Volatile Systems Volatility Framework 2.3_beta searching for browser processes... found browser pid: 3684, chrome.exe examining 35917410 bytes twitter cookie found for userid:1690220420 found browser pid: 2536, chrome.exe examining 45819060 bytes 11 s (Thu Aug 22 06:42:41 2013) @suffert Sandro Sffert DM: You are a strang being Sergio. If you think this is cool. But I'm glad to help, anyway. 1 m (Thu Aug 22 06:40:19 2013) Sent AuthorImage: https://twimg0a.akamaihd.net/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg DM: Hi Suffert, how are you my friend? 1 m (Thu Aug 22 06:41:04 2013) Received AuthorImage: https://twimg0-a.akamaihd.net/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg DM: Very well Sergio, I'm a little busy right now, but tell me, how can I help you? agora (Thu Aug 22 06:42:14 2013) Sent AuthorImage: https://twimg0a.akamaihd.net/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg DM: I am testing a new volatility plugin that extracts the JSON information from twitter directly from a memory dump, cool right? 2 m (Thu Aug 22 06:40:19 2013) Sent AuthorImage: https://si0.twimg.com/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg DM: Hi Suffert, how are you my friend? 1 m (Thu Aug 22 06:41:04 2013) Received AuthorImage: https://si0.twimg.com/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg DM: Very well Sergio, I'm a little busy right now, but tell me, how can I help you? 39 s (Thu Aug 22 06:42:14 2013) Sent AuthorImage: https://si0.twimg.com/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg DM: I am testing a new volatility plugin that extracts the JSON information from twitter directly from a memory dump, cool right? 12 s (Thu Aug 22 06:42:41 2013) Received AuthorImage: https://si0.twimg.com/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg DM: You are a strang being Sergio. If you think this is cool. But I'm glad to help, anyway. 195.831911087 seconds How to Convert “User_id” to username => https://twitter.com/intent/user?user_id=1690220420
  142. 142. Bonus - Facebook $ volatility-2.3 fb-ACMEXP1-20130822-064258.raw facebook –p 2536
  143. 143. Bonus - Linux RootKit $ volatility_2.2 -f centos-6.3-x86_64-LiveDVD-avgcoder.mem --profile=LinuxCentOS63x64 linux_find_file -F /var/run/utmp Volatile Systems Volatility Framework 2.2 Inode Number Inode ---------------- -----------------130564 0x88007a85acc0 $ volatility-2.2 -f centos-6.3-x86_64-LiveDVD-avgcoder.mem --profile=LinuxCentOS63x64 linux_check_fop -i 0x88007a85acc0 (...) $ volatility-2.2 -f centos-6.3-x86_64-LiveDVD-avgcoder.mem --profile=LinuxCentOS63x64 linux_check_fop (...) http://volatility-labs.blogspot.com.br/2012/09/movp-14-average-coder-rootkit-bash.html
  144. 144. Bonus - Extracting network packets from memory $ volatility-2.3 -f twitter-ACMEXP1-20130822-064258.raw ethscan Volatile Systems Volatility Framework 2.3_beta Checking next buffer 0xe774 Packets Found: 1 Ethernet: Src: (00:50:56:e0:09:13) Dst: (00:0c:29:ec:42:16) Type: IPv4 (0x0800) IPv4: Src: Dst: Protocol: TCP (6) Packet Size: (657) Bytes 0x00000000 00 0c 29 ec 42 16 00 50 56 e0 09 13 08 00 45 00 ..).B..PV.....E. 0x00000010 02 83 93 1f 00 00 80 06 12 0b c7 3b 95 e6 c0 a8 ...........;.... 0x00000020 75 80 01 bb 04 d4 7e 39 7e a5 79 b8 8c 5b 50 18 u.....~9~.y..[P. 0x00000030 fa f0 56 92 00 00 17 03 01 01 ba 1f 6d d0 25 8a ..V.........m.%. 0x00000040 49 83 5d 39 82 77 b6 31 52 a1 f2 a4 62 9d bf cd I.]9.w.1R...b... 0x00000050 19 ff 7a 0c 2b bf df 2e 84 b4 36 69 35 e2 db 39 ..z.+.....6i5..9 0x00000060 b2 71 ab 11 a1 21 45 7f 58 40 a5 d0 f1 6c 36 a6 .q...!E.X@...l6. 0x00000070 f0 f5 10 7b 30 45 0f 10 4c 6b 42 62 61 90 79 8e ...{0E..LkBba.y. 0x00000080 c9 94 46 92 b2 49 8d 1c f9 f6 5f d0 3d 7b ed cb ..F..I...._.={.. 0x00000090 bf 5b 4d 04 fe 35 60 ac 9a 44 13 51 35 d2 31 f5 .[M..5`..D.Q5.1.
  145. 145. Bonus - Memdump.bin $ volatility connscan -f memdump.bin root@SIFT-Workstation:/cases/01/MEMORYDUMP/memdump# ^C root@SIFT-Workstation:/cases/01/MEMORYDUMP/memdump# volatility connscan -f memdump.bin Local Address Remote Address Pid ------------------------- ------------------------- ----- 320 1072 1184 1072 http://blog.handlerdiaries.com/?p=12
  146. 146. Bonus - Volatility: volshell.py • http://kurtz.cs.wesleyan.edu/~bdolangavitt/memory/omfw-notes.txt
  147. 147. Advanced Malware Analysis and Memory Forensics Training • • • • 5 days of intense hands-on training by the Volatility Development Team 1200+ slides, 150+ page lab guide, exclusive plugins and tools Amsterdam 9/2013 [sold out], Reston VA 11/2013 [available] Keep an eye on http://volatility-labs.blogspot.com and @volatility for 2014 events (including one in Brazil! ;) • Email voltraining@memoryanalysis.net for a detailed course outline • Discounts for full-time students, law enforcement, and government employees • See http://volatility-labs.blogspot.com/2013/06/the-perfect-combinationof-ir-malware.html for student feedback • (http://volatility-labs.blogspot.fr/2013/08/results-are-in-for-1stannual.html)
  148. 148. Other alternatives to Live Respose and Memory Forensics: HotPlug by WiebieTech: https://www.youtube.com/watch?v=eraq4TO_a3z8
  149. 149. Thank you Sandro Süffert - http://suffert.com CTO, APURA CyberSecurity Intelligence http://apura.com.br/en | twitter: @suffert