Memory Forensic: Investigating Memory Artefact (Workshop)

•Download as PPTX, PDF•

0 likes•88 views

Workshop of memory forensic Atmajaya University Yogyakarta, 2017-04-29 What is memory forensic? How could it be important? How can we use memory forensic in certain case? Should we do memory forensic? This is the workshop side with hands-on material.

Technology

Memory Forensic
Investigating Memory Artefact
http://xathrya.id/ 1
Satria Ady Pradana@ Universitas Atma Jaya Yogyakarta
29 April 2017
Workshop

# Whoami?
• Cyber Security Consultant at Mitra Integrasi
Informatika (MII)
• Researcher at dracOs Dev Team
• Coordinator of Reversing.ID
http://xathrya.id/ 2

Organization
• Divided to some sections related to forensic
stages.
• Each section has objectives
• Has background explanation if necessary
http://xathrya.id/ 3

Overview
• Engage in practical forensic activity
• Acquisition
– Windows Memory Acquisition
• Analysis
– Process & DLLs
– Registry
– Connections
http://xathrya.id/ 4

Assumption
• Have understanding of simple UNIX command
(explained in previous workshop)
http://xathrya.id/ 5

Windows
Brief Introduction to Our Target’s Internal
http://xathrya.id/ 6

Volatility
Tools of the Trade
http://xathrya.id/ 7

Preliminary
$ export VOLATILITY_PROFILE=Win7SP0x86
$ export
VOLATILITY_LOCATION=file:///tmp/image.img
$ vol.py pslist
$ vol.py files
http://xathrya.id/ 10

0x1 Acquisition
Objectives:
• Understanding the memory (RAM) and
volatile data.
• Understanding the acquisition technique for
memory forensic.
• Know how to dump memory on Windows
http://xathrya.id/ 11

• Acquisition can be hardware based or
software based.
• Hardware based, require special hardware and
has capability of DMA.
– Firewire (IEEE 1394)
• But we are talking about software based.
http://xathrya.id/ 12

Tools
• DumpIt & Hibr2Bin
• Winpmem
http://xathrya.id/ 13

Image Format
• Raw
• Crash Dumps
• Hibernate
http://xathrya.id/ 14

Using DumpIt & Hibr2Bin
Producing crash dump
> DumpIt.exe
Converting Hibernate File
> Hibr2Bin.exe
http://xathrya.id/ 15

Using Winpmem
Producing dump in AFF4 compression
> winpmem.exe -o imagedump.aff4
Export to raw from AFF4
> winpmem.exe imagedump.aff4 –export
PhysicalMemory -o memory.img
Producing raw dump
> winpmem.exe imagedump.aff4 –export
PhysicalMemory -o memory.img
http://xathrya.id/ 16

Vmware Memory Dump
• Applied to OS running on top of Vmware
• To generate memory dump, we should
suspend the running VM
– It will generate a .vmem file
http://xathrya.id/ 17

VirtualBox Memory Dump
• Applied to OS running on top of VirtualBox
• Start VM and use Vboxmanage
$ vboxmanage debugvm “GuestVM” dumpguestcore
--filename dump.elf
http://xathrya.id/ 18

CHECKING IMAGE
Information
http://xathrya.id/ 19

• Gain information about memory dump
$ vol.py imageinfo
http://xathrya.id/ 20

PROCESS & DLL
View & Dump
http://xathrya.id/ 21

View
• List all process
$ vol.py pslist
$ vol.py psscan
$ vol.py pstree
$ vol.py psxview
$ vol.py privs
Different?
http://xathrya.id/ 22

View
• List all threads
$ vol.py threads
$ vol.py thrdscan
Different?
http://xathrya.id/ 23

View
• List modules/libraries of process (ex: pid 135)
$ vol.py dlllist –p 135
http://xathrya.id/ 24

Dump
• Dump process
$ vol.py procdump -p 135 --dump-dir
/tmp/procdump
• Dump DLL
$ vol.py dlldump -p 135 –dump-dir
/tmp/dlldump
http://xathrya.id/ 25

CONNECTIONS
IP, Port, Sockets
http://xathrya.id/ 26

• List connections made
$ vol.py connscan
$ vol.py netscan
• List opened sockets
$ vol.py sockets
$ vol.py sockscan
http://xathrya.id/ 27

View
$ vol.py hivelist
$ vol.py hivescan
http://xathrya.id/ 29

• Scan opened files in memory
$ vol.py files
• Dump files
$ vol.py dumpfiles
http://xathrya.id/ 31

CHALLENGE: ANALYZE
COMPROMISED HOST
http://xathrya.id/ 32

Similar to Memory Forensic: Investigating Memory Artefact (Workshop)

Getting ready for a Capture The Flag Hacking Competition

Joe McCray

Super Easy Memory Forensics

IIJ

BriMor Labs Live Response Collection

BriMorLabs

Volatility101

April Mardock CISSP

DEF CON 27 - workshop - RICHARD GOLD - mind the gap

Felipe Prado

EMBA - From Firmware to Exploit - BHEU22

MichaelM85042

OpenStack Backup, Restore, DR (Freezer)

Saad Zaher

In this presentation, I present an automatically disarmament system for armed malware with anti-sandboxing. The system targets on 1) Host-fingerprinting malware like citadel, 2) armed malware with general anti-sandboxng for automated sandbox analyzer. An approach of disarmament focuses on exit reason and exit before activity in malware execution. I have developing CPU emulator-based disarmament system with instrumentation. The system suggests a suitable environment for dynamic analysis for individual malware.

TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)

FFRI, Inc.

HKG15-407: EME implementation in Chromium: Linaro Clear Key

Linaro

BriMor Labs Live Response Collection - OSDFCON

BriMorLabs

Reversing & malware analysis training part 12 rootkit analysis

Abdulrahman Bassam

Breadcrumbs to Loaves: How tidbits of Information Lead Us to Full-Scale Compromise. Presented at BSides Austin 2017. Follow on Twitter: @arvanaghi Often on red teams, there is no obvious path to compromising the environment. Reconnaissance efforts, both external and internal, may yield only crumbs of information. Though tiny and often in obscure locations, these bits of information can serve as a trail of breadcrumbs to full-scale compromise. Specific keys in the Windows Registry and unusual sources of open-source intelligence gathering can provide valuable information about a network mapping that most companies don’t know exist. We walk you step-by-step through what some of these crumbs are, how to find them, and how we have used tiny bits of information to escalate our privileges to full-scale enterprise compromise.

Breadcrumbs to Loaves: BSides Austin '17

Brandon Arvanaghi

CSF18 - BitLocker Deep Dive - Sami Laiho

NCCOMMS

DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive

Felipe Prado

Presentation at DerbyCon 2014 - Family Rootz Talk Title: Step On In, The Waters Fine! – An Introduction To Security Testing Within A Virtualized Environment Abstract: Often when I meet individuals who are contemplating a career in the InfoSec field, they have several reservations. Most of them have had many questions about how to be able to learn to perform testing in an ethical manner. These individuals often feel that obtaining an environment in which to perform security testing is out of their reach. This talk is focused on providing direction to those that find themselves in this situation by providing resources and walkthroughs that can be leveraged to get them afloat in their learning process.

Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...

Tom Moore

Detection Rules Coverage

Sunny Neo

2020 FRSecure CISSP Mentor Program - Class 4

FRSecure

With the focus on security, most organisations test the security defenses via pen-testing. But what about after the network has been compromised. Is there an Advance Persistent Threat (APT) sitting on the network? Will the defenses be able to detect this? This talk will discuss some of the open source tools that can help simulate this threat. So as to test the security defenses if an APT makes it onto the network.

Breach and attack simulation tools

Bangladesh Network Operators Group

Android forensics an Custom Recovery Image

Mohamed Khaled

This talk covers use cases and installation of the Aegir hosting system, a hosting system that facilitates installation, platform maintenance, security updates, upgrades and deployments for Drupal-based sites. Presented at Drupal Camp Western Mass 2013 (drupalcampma.com/why-you-should-be-using-aegir) by Seth Viebrock, owner of Origin Eight (http://www.origineight.net), a full-service Drupal company. Contact us at http://www.origineight.net/contact with any questions or inquiries, and/or follow us at http://twitter.com/origineight.net .

Why you should be using Aegir: The Drupal-oriented hosting system

Seth Viebrock

Similar to Memory Forensic: Investigating Memory Artefact (Workshop) (20)

Getting ready for a Capture The Flag Hacking Competition

Super Easy Memory Forensics

BriMor Labs Live Response Collection

Volatility101

DEF CON 27 - workshop - RICHARD GOLD - mind the gap

EMBA - From Firmware to Exploit - BHEU22

OpenStack Backup, Restore, DR (Freezer)

TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)

HKG15-407: EME implementation in Chromium: Linaro Clear Key

BriMor Labs Live Response Collection - OSDFCON

Reversing & malware analysis training part 12 rootkit analysis

Breadcrumbs to Loaves: BSides Austin '17

CSF18 - BitLocker Deep Dive - Sami Laiho

DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive

Step On In, The Water's Fine! - An Introduction To Security Testing Within A ...

Detection Rules Coverage

2020 FRSecure CISSP Mentor Program - Class 4

Breach and attack simulation tools

Android forensics an Custom Recovery Image

Why you should be using Aegir: The Drupal-oriented hosting system

Recently uploaded

Design and Development of a Provenance Capture Platform for Data Science

Paolo Missier

DBX First Quarter 2024 Investor Presentation

Dropbox

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

Introduction to use of FHIR Documents in ABDM

Kumar Satyam

Key topics covered: - Understanding the basics of IAM and its significance in the modern enterprise. IAM in a platformless environment - Tackling real-world issues like prioritizing frictionless yet secure user access, securing high-value APIs, integrating to business, compliance, and adapting to cloud native environments with scalable solutions - Practical demonstrations of how WSO2 products can be instrumental in deploying efficient IAM solutions - Preparing for upcoming trends and innovations in identity management

Navigating Identity and Access Management in the Modern Enterprise

WSO2

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Quantum Leap in Next-Generation Computing

WSO2

Stronger Together: Developing an Organizational Strategy for Accessible Desig...

caitlingebhard1

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

The integration landscape is changing rapidly with the introduction of technologies like GraphQL, gRPC, stream processing, iPaaS, and platformless. However, not all existing applications and industries can keep up with these new technologies. Certain industries, like manufacturing, logistics, and finance, still rely on well-established EDI-based message formats. Some applications use XML or CSV with file-based communications, while others have strict on premises deployment requirements. This talk focuses on how Ballerina's built-in integration capabilities can bridge the gap between "old" and "new" technologies, modernizing enterprise applications without disrupting business operations.

Modernizing Legacy Systems Using Ballerina

WSO2

Architecting Cloud Native Applications

WSO2

In the ever-evolving landscape of data management, Zero-ETL is an approach that is reshaping how businesses handle and integrate their data. This webinar explores Zero-ETL, a paradigm shift from the traditional Extract, Transform, Load (ETL) process, offering a more streamlined, efficient, and real-time data integration method. We will begin with an introduction to the concept of Zero-ETL, including how it allows direct access to data in its native environment and real-time data transformation, providing up-to-date information with significantly reduced data redundancy. Next, we'll take you through several demonstrations showing how Zero-ETL can deliver real-time data and enable the free movement of data between systems. We will also discuss the various tools that support all aspects of Zero-ETL, providing attendees with an understanding of how they can adopt this innovative approach in their organizations. Lastly, the session will conclude with an interactive Q&A segment, allowing participants to gain deeper insights into how Zero-ETL can be tailored to their specific business needs and how they can get started today. Join us to discover how Zero-ETL can elevate your organization's data strategy.

The Zero-ETL Approach: Enhancing Data Agility and Insight

Safe Software

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

The presentation was made in “Web3 Fusion: Embracing AI and Beyond” is more than a conference; it's a journey into the heart of digital transformation. The conference a provided a platform where the future of technology meets practical application. This three-day hybrid event, set in the heart of innovation, served as a gateway to the latest trends and transformative discussions in AI, Blockchain, IoT, AR/VR, and their collective impact on the information space.

AI in Action: Real World Use Cases by Anitaraj

AnitaRaj43

Key topics covered: - Real-world examples of Choreo's comprehensive coverage from application design and deployment, security, scaling, and monitoring - Running different types of workloads, such as web applications, APIs, microservices, integrations, and tasks at scale, and wire them together to deliver seamless omnichannel digital experiences - How Choreo improves the developer experience by eliminating repetition, silos, and redundancy through enhanced discoverability and self-serviceability

Choreo: Empowering the Future of Enterprise Software Engineering

WSO2

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Recently uploaded (20)

Design and Development of a Provenance Capture Platform for Data Science

DBX First Quarter 2024 Investor Presentation

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

WSO2's API Vision: Unifying Control, Empowering Developers

Introduction to use of FHIR Documents in ABDM

Navigating Identity and Access Management in the Modern Enterprise

CNIC Information System with Pakdata Cf In Pakistan

Quantum Leap in Next-Generation Computing

Stronger Together: Developing an Organizational Strategy for Accessible Desig...

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Why Teams call analytics are critical to your entire business

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Modernizing Legacy Systems Using Ballerina

Architecting Cloud Native Applications

The Zero-ETL Approach: Enhancing Data Agility and Insight

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

AI in Action: Real World Use Cases by Anitaraj

Choreo: Empowering the Future of Enterprise Software Engineering

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Memory Forensic: Investigating Memory Artefact (Workshop)

1. Memory Forensic Investigating Memory Artefact http://xathrya.id/ 1 Satria Ady Pradana@ Universitas Atma Jaya Yogyakarta 29 April 2017 Workshop

2. # Whoami? • Cyber Security Consultant at Mitra Integrasi Informatika (MII) • Researcher at dracOs Dev Team • Coordinator of Reversing.ID http://xathrya.id/ 2

3. Organization • Divided to some sections related to forensic stages. • Each section has objectives • Has background explanation if necessary http://xathrya.id/ 3

4. Overview • Engage in practical forensic activity • Acquisition – Windows Memory Acquisition • Analysis – Process & DLLs – Registry – Connections http://xathrya.id/ 4

5. Assumption • Have understanding of simple UNIX command (explained in previous workshop) http://xathrya.id/ 5

6. Windows Brief Introduction to Our Target’s Internal http://xathrya.id/ 6

7. Volatility Tools of the Trade http://xathrya.id/ 7

8. Profile? • Each operating system has different internal structure • Event for minor version different • Volatility needs to know what type of system our memory dump came from, so it knows which data structures, algorithms, and symbols to use. • List all profiles $ vol.py --info http://xathrya.id/ 8

9. Command Line • Typical command $ vol.py –f memdump.img --profile profile plugins • Every command / task is implemented as plugin http://xathrya.id/ 9

10. Preliminary $ export VOLATILITY_PROFILE=Win7SP0x86 $ export VOLATILITY_LOCATION=file:///tmp/image.img $ vol.py pslist $ vol.py files http://xathrya.id/ 10

11. 0x1 Acquisition Objectives: • Understanding the memory (RAM) and volatile data. • Understanding the acquisition technique for memory forensic. • Know how to dump memory on Windows http://xathrya.id/ 11

12. • Acquisition can be hardware based or software based. • Hardware based, require special hardware and has capability of DMA. – Firewire (IEEE 1394) • But we are talking about software based. http://xathrya.id/ 12

13. Tools • DumpIt & Hibr2Bin • Winpmem http://xathrya.id/ 13

14. Image Format • Raw • Crash Dumps • Hibernate http://xathrya.id/ 14

15. Using DumpIt & Hibr2Bin Producing crash dump > DumpIt.exe Converting Hibernate File > Hibr2Bin.exe http://xathrya.id/ 15

16. Using Winpmem Producing dump in AFF4 compression > winpmem.exe -o imagedump.aff4 Export to raw from AFF4 > winpmem.exe imagedump.aff4 –export PhysicalMemory -o memory.img Producing raw dump > winpmem.exe imagedump.aff4 –export PhysicalMemory -o memory.img http://xathrya.id/ 16

17. Vmware Memory Dump • Applied to OS running on top of Vmware • To generate memory dump, we should suspend the running VM – It will generate a .vmem file http://xathrya.id/ 17

18. VirtualBox Memory Dump • Applied to OS running on top of VirtualBox • Start VM and use Vboxmanage $ vboxmanage debugvm “GuestVM” dumpguestcore --filename dump.elf http://xathrya.id/ 18

19. CHECKING IMAGE Information http://xathrya.id/ 19

20. • Gain information about memory dump $ vol.py imageinfo http://xathrya.id/ 20

21. PROCESS & DLL View & Dump http://xathrya.id/ 21

22. View • List all process $ vol.py pslist $ vol.py psscan $ vol.py pstree $ vol.py psxview $ vol.py privs Different? http://xathrya.id/ 22

23. View • List all threads $ vol.py threads $ vol.py thrdscan Different? http://xathrya.id/ 23

24. View • List modules/libraries of process (ex: pid 135) $ vol.py dlllist –p 135 http://xathrya.id/ 24

25. Dump • Dump process $ vol.py procdump -p 135 --dump-dir /tmp/procdump • Dump DLL $ vol.py dlldump -p 135 –dump-dir /tmp/dlldump http://xathrya.id/ 25

26. CONNECTIONS IP, Port, Sockets http://xathrya.id/ 26

27. • List connections made $ vol.py connscan $ vol.py netscan • List opened sockets $ vol.py sockets $ vol.py sockscan http://xathrya.id/ 27

28. REGISTRY http://xathrya.id/ 28

29. View $ vol.py hivelist $ vol.py hivescan http://xathrya.id/ 29

30. FILES http://xathrya.id/ 30

31. • Scan opened files in memory $ vol.py files • Dump files $ vol.py dumpfiles http://xathrya.id/ 31

32. CHALLENGE: ANALYZE COMPROMISED HOST http://xathrya.id/ 32