Memory Analysis
Q-CERT Workshop, Matthew Geiger
© 2007 Carnegie Mellon University

Outline
- Why live system forensics?
  - Previous techniques
  - Drawbacks and new thinking
- Approaches to memory acquisition
- Evolution of memory analysis
  - Survey of tools & methodologies
  - The investigation gap & the future

Memory Analysis & Forensics
Increasing recognition in the forensics community that:
- Advances in counter-forensic techniques
  - Metasploit Meterpreter
  - Malcode stealth strategies
- Pervasive encryption
- Memory can focus the search for evidence ... in some cases

Evolution of Technique
Live forensics borrowed from incident response
- Scripted queries using response toolkits (MS COFEE)
- Still often used; initial results guide data collection
  - netstat, ps, lsof ... etc.
- Tension between speed and thoroughness
Memory acquisition
- The 800 lb gorilla of forensics: what do you do with it?
- String dumps, virus scans, signature-based carving

Old School
- Iterative & invasive
- Double the opportunity for subversion:
  - Data collection
  - Interpretation
- One-way, ephemeral information channel
- Memory collection requires privileged access

New School
- Working groups developing accepted practices
- New analysis tools extract familiar information, and more, from memory
- Repeatable results
- Novel acquisition techniques & tools:
  - Increase assurance
  - Bypass access controls

Memory Acquisition: Software mediated
- Crash / core dump
- WinHex, other applications' secondary functionality
- dd.exe
- Commercial enterprise forensics packages: EnCase, ProDiscover, etc.
- Access restrictions on \\.\PhysicalMemory: a kernel-mode window is needed
  - Commonly use driver installation routines
  - George Garner's KnTTools released in 2007
  - AccessData, other vendors are working on it

Memory Acquisition: Hardware-based
- Komoku CoPilot, BBN Tech, Tribble
- IEEE 1394 (FireWire) DMA
  - http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf
  - http://cansecwest.com/core05/2005-firewire-cansecwest.pdf
- Can extend DMA access to PC Card and Express Card devices
- Developing a field-deployable memory acquisition unit

Live Forensics Evolutionary Tree
- Memory Analysis Branch: string searches, file carving -> PE analysis & carving -> informed analysis: state & context reconstruction
- Run-Time Analysis Branch: live forensics, IR-style running system investigation -> controlled run-time analysis

Recent History
- Tool development inspired by the DFRWS 2005 challenge
  - Two entries shared the prize: Garner/Mora & Betz
- Tools released at subsequent conferences step up the pace
- Flurry of subsequent activity
  - Mariusz Burdach: WMFT (plus Linux tools)
  - Andreas Schuster: PTFinder, PoolFinder
  - Harlan Carvey: focused Perl utilities
  - George Garner: KnTTools / KnTList
  - Jesse Kornblum: Buffalo tool
  - Walters/Petroni: Volatility

Two Paths to Memory Reconstruction
- Tree & list traversal
  - Memparser
  - KnTList
  - WMFT
  - Volatility
- Object "fingerprint" searches
  - PTFinder / PoolFinder
  - Volatility

List Traversal Basics
- Find an index into the lists and tables of interesting structures
  - A kernel image is needed for the offsets & symbols that help locate a number of these
  - Addresses can change from service pack to service pack
    - A copy of the NT kernel is captured as part of the KnTTools acquisition process
    - The other approach is to build hardcoded tool modules for each kernel build
- The EPROCESS linked list is a common example, with pointers to
  - _ETHREAD structures
  - SID of the starting user
  - Start time and PID (fields of EPROCESS itself) and the PEB, which holds the image base, loaded-module list and command line
  - Process virtual memory pages
- These structures allow reconstruction of some familiar IR-style data
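Reaching a process's virtual memory pages from a memory image, and the reverse step that attributes a physical-offset `strings` hit to a process and virtual address (the "physical offset to virtual address translation" Volatility item below), both rest on walking the process's page tables from its page directory base. The following Python is an added example, not code from this workshop or from any of the tools it names: it implements the 32-bit non-PAE x86 walk over a small constructed image whose page-table layout, process names and CR3 values are invented for illustration, then inverts it to find every (process, VA) pair that maps a given physical offset.

```python
import struct

PAGE = 0x1000
PRESENT = 1 << 0   # bit 0 of a PDE/PTE
LARGE = 1 << 7     # PS bit of a PDE: the entry maps a 4 MiB page directly


class FlatImage:
    """A raw physical-memory dump held as a bytearray (constructed below, not a real capture)."""

    def __init__(self, data):
        self.data = data

    def u32(self, off):
        return struct.unpack_from("<I", self.data, off)[0]

    def put_u32(self, off, val):
        struct.pack_into("<I", self.data, off, val)


def v2p(img, cr3, va):
    """32-bit non-PAE x86 translation. Returns the physical offset, or None if not present."""
    pde = img.u32(cr3 + ((va >> 22) & 0x3FF) * 4)
    if not pde & PRESENT:
        return None
    if pde & LARGE:
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = img.u32((pde & 0xFFFFF000) + ((va >> 12) & 0x3FF) * 4)
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | (va & 0xFFF)


def mappings(img, cr3):
    """Yield (va, pa, size) for every present mapping under one page directory base."""
    for pdi in range(1024):
        pde = img.u32(cr3 + pdi * 4)
        if not pde & PRESENT:
            continue
        if pde & LARGE:
            yield pdi << 22, pde & 0xFFC00000, 1 << 22
            continue
        table = pde & 0xFFFFF000
        for pti in range(1024):
            pte = img.u32(table + pti * 4)
            if pte & PRESENT:
                yield (pdi << 22) | (pti << 12), pte & 0xFFFFF000, PAGE


def owners(img, procs, phys_off):
    """Reverse lookup: which (process, va) pairs map a physical offset such as a strings hit?"""
    hits = []
    for name, cr3 in procs:
        for va, pa, size in mappings(img, cr3):
            if pa <= phys_off < pa + size:
                hits.append((name, va + (phys_off - pa)))
    return hits


def build_sample_image():
    """Constructed 32 KiB image: two toy processes with invented CR3 values and mappings."""
    img = FlatImage(bytearray(8 * PAGE))
    # "System", CR3 = 0x1000: VA 0x00400000 -> PA 0x3000 through a page table at 0x2000,
    # plus a kernel-style 4 MiB large page mapping VA 0x80000000.. onto PA 0x00000000..
    img.put_u32(0x1000 + 1 * 4, 0x2000 | PRESENT)
    img.put_u32(0x2000 + 0 * 4, 0x3000 | PRESENT)
    img.put_u32(0x1000 + 0x200 * 4, 0x00000000 | PRESENT | LARGE)
    # "notepad.exe", CR3 = 0x4000: a private page at VA 0x00400000 -> PA 0x6000,
    # and a section shared with System at VA 0x10000000 -> PA 0x3000.
    img.put_u32(0x4000 + 1 * 4, 0x5000 | PRESENT)
    img.put_u32(0x5000 + 0 * 4, 0x6000 | PRESENT)
    img.put_u32(0x4000 + 0x40 * 4, 0x7000 | PRESENT)
    img.put_u32(0x7000 + 0 * 4, 0x3000 | PRESENT)
    # An "interesting string" planted in the shared page (constructed sample data).
    img.data[0x3100:0x3100 + 18] = b"cmd.exe /c whoami\0"
    return img, [("System", 0x1000), ("notepad.exe", 0x4000)]


def attribute_string(img, procs, needle):
    """Locate a string in the raw dump and attribute its physical offset to processes."""
    off = img.data.find(needle)
    return off, (owners(img, procs, off) if off != -1 else [])


if __name__ == "__main__":
    image, processes = build_sample_image()
    offset, hits = attribute_string(image, processes, b"whoami")
    print(f"physical offset 0x{offset:x}")
    for name, va in hits:
        print(f"  {name:12s} VA 0x{va:08x}")
```

Real Windows images use PAE (64-bit entries and an extra page-directory-pointer level) or the 64-bit four-level scheme; the walk keeps the same shape with wider entries and more levels, and each process's directory base is read from its EPROCESS rather than hard-coded. The shared page is the point of the reverse lookup: one physical hit can legitimately resolve to several processes (and, via the large page, to the kernel's own view), so a strings hit alone does not name a single owner.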
Volatility Framework
- At present, the most actively developed open-source tool in this space
  - Running processes, DLLs loaded for each
  - Open network sockets, network connections
  - Open file handles for each process
  - System modules
  - Mapping interesting strings to a process (physical offset to virtual address translation)
  - Virtual Address Descriptor information
- Recently added pattern-scanning tools
  - Processes & threads
  - Sockets & connections
- Framework approach intentionally maintains an IR feel

Fingerprint Searching Basics
- Scan for sufficiently unique structure signatures
  - PTFinder works with EPROCESS, ETHREAD structs
  - PoolFinder parses kernel pool memory
- Perform basic sanity checks on the data to weed out corrupt records and duplicates
- PTFinder doesn't perform further analysis but does provide optional graphical output

PTFinder: graphical output
[Figure: PTFinder process/thread graph, shown on two slides; not reproduced in the text]

Pros & Cons
Pros
- Pattern search
  - Finds unlinked, dead structures (e.g. left over after a warm reboot)
  - Can work with imperfect dumps
- List traversal
  - Can stitch together more related records from the kernel's perspective
Cons
- Pattern search
  - Less context without following related structures/objects
  - Susceptible to chaff
- List traversal
  - Can miss unlinked, dead structures
  - Targeted counter-measures

Enhanced Techniques
- Pagefile incorporation
- Combining "naive" pattern searches with list-traversal techniques
  - Cross-view analysis
  - Defense against chaff
- Highlighting potentially interesting situations
  - Orphaned threads still referenced in other structures
  - Executable segments not mapped into shared sections

What's next
- Specialized tools will bridge the investigative gap
  - Focus now centers on malcode and execution-state analysis, but the investigative mission is much broader
  - Recovery of cryptographic material to defeat disk encryption
- Forensic platform vendors making friendlier analysis tools
  - Bring some analysis tasks into the mainstream
  - Provide momentum to adoption of memory analysis
  - Automate extraction of typically interesting data
  - Provide better anomaly detection or flags
- Court cases and working groups will hammer out standards
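To make the trade-off between list traversal (List Traversal Basics), fingerprint searching (Fingerprint Searching Basics) and their combination in cross-view analysis (Pros & Cons, Enhanced Techniques) concrete, the following Python is an added example, not code from the workshop or from any tool it names. It builds a constructed dump using a toy process record format (the "Proc" tag, field offsets, record size and list-head offset are invented and are not the real Windows EPROCESS layout; list pointers are plain offsets into the image rather than kernel virtual addresses) and runs both techniques over it: a record unlinked from the active list while still live, a stale record from an exited process, and a chaff record that the sanity checks should reject.

```python
import struct

TAG = b"Proc"        # toy pool-tag-style signature at the start of each record
REC_SIZE = 0x40      # toy record size
LIST_HEAD = 0x100    # toy analogue of PsActiveProcessHead: flink, blink
F_FLINK = 0x08       # offset of the LIST_ENTRY inside a record (flink at +0, blink at +4)
FMT = "<4sIII16sI"   # tag, pid, flink, blink, name, dtb (invented layout)


def put_rec(img, off, pid, name, dtb, flink=0, blink=0):
    struct.pack_into(FMT, img, off, TAG, pid, flink, blink, name.encode().ljust(16, b"\0"), dtb)


def get_rec(img, off):
    tag, pid, flink, blink, name, dtb = struct.unpack_from(FMT, img, off)
    return {"off": off, "tag": tag, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode("ascii", "replace"), "dtb": dtb}


def sane(rec):
    """Sanity checks that weed out chaff and corrupt records: tag, page-aligned DTB, printable name."""
    return (rec["tag"] == TAG and rec["dtb"] != 0 and rec["dtb"] % 0x1000 == 0
            and rec["name"] != "" and all(0x20 <= ord(c) < 0x7F for c in rec["name"]))


def walk_list(img):
    """List traversal: follow flink from the head, CONTAINING_RECORD-style (entry - F_FLINK)."""
    found, seen = [], set()
    entry = struct.unpack_from("<I", img, LIST_HEAD)[0]
    while entry != LIST_HEAD:
        rec_off = entry - F_FLINK
        if entry in seen or rec_off < 0 or rec_off + REC_SIZE > len(img):
            break  # a loop or a pointer outside the dump: stop instead of spinning or crashing
        seen.add(entry)
        rec = get_rec(img, rec_off)
        found.append(rec)
        entry = rec["flink"]
    return found


def scan(img):
    """Fingerprint search: every tag hit that passes the sanity checks, linked or not."""
    hits, off = [], img.find(TAG)
    while off != -1:
        if off + REC_SIZE <= len(img):
            rec = get_rec(img, off)
            if sane(rec):
                hits.append(rec)
        off = img.find(TAG, off + 1)
    return hits


def cross_view(img):
    """Cross-view: scanner hits annotated with whether the list walk also saw them."""
    listed = {r["off"] for r in walk_list(img)}
    return [dict(r, listed=r["off"] in listed) for r in scan(img)]


def set_flink(img, rec_off, entry):
    """Overwrite a record's flink (used to simulate a corrupted or looping list)."""
    struct.pack_into("<I", img, rec_off + F_FLINK, entry)


def build_sample_image():
    """Constructed 4 KiB dump; all names, PIDs and DTB values are invented."""
    img = bytearray(0x1000)
    A, B, C, H, D, X = 0x200, 0x300, 0x400, 0x500, 0x600, 0x700

    def e(off):  # address of a record's LIST_ENTRY
        return off + F_FLINK

    struct.pack_into("<II", img, LIST_HEAD, e(A), e(C))   # head -> A -> B -> C -> head
    put_rec(img, A, 4, "System", 0x00039000, e(B), LIST_HEAD)
    put_rec(img, B, 1234, "explorer.exe", 0x0A2C0000, e(C), e(A))
    put_rec(img, C, 2000, "svchost.exe", 0x0B100000, LIST_HEAD, e(B))
    # H: still running but unlinked from the list; its own links are untouched.
    put_rec(img, H, 4321, "rootkit.exe", 0x0C200000, e(C), e(B))
    # D: stale record of a process that has exited; pattern search still finds it.
    put_rec(img, D, 3000, "notepad.exe", 0x0D300000, 0, 0)
    # X: chaff with the right tag but an unaligned DTB; sane() should reject it.
    put_rec(img, X, 9999, "chaff", 0x1234, 0, 0)
    return img


if __name__ == "__main__":
    dump = build_sample_image()
    for r in cross_view(dump):
        flag = "" if r["listed"] else "  <-- scan only: unlinked or stale"
        print(f"{r['pid']:5d} {r['name']:14s} dtb=0x{r['dtb']:08x}{flag}")
```

The list walk returns only the three linked records; the scan returns those plus rootkit.exe and notepad.exe and drops the chaff, and the cross-view flags exactly the two scan-only records. In this constructed image the unlinked record's own flink and blink still point at live neighbours while the stale one's are zero, which is the kind of follow-on check a tool can use to separate the two cases; it is left out here to keep the example to the two views the slides compare. The `seen` set and bounds check in `walk_list` are the minimum defence against a list that has been looped or pointed outside the dump.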
Questions / Comments?

References
- PTFinder, by Andreas Schuster: http://computer.forensikblog.de/en/2006/09/ptfinder_0_3_00.html
- Volatility, by AAron Walters and Nick Petroni Jr.: http://www.volatilesystems.com/VolatileWeb/volatility.gsp
- Brian Carrier and Joe Grand's work on hardware-based memory acquisition (Tribble): http://www.digital-evidence.org/papers/tribble-preprint.pdf
- George Garner's KnTTools and KnTList memory acquisition and analysis suite: http://www.gmgsystemsinc.com/knttools/
- Mariusz Burdach, Windows Memory Forensic Toolkit: http://forensic.seccure.net/
- Harlan Carvey's memory tools: http://sourceforge.net/project/showfiles.php?group_id=164158
- Chris Betz's Memparser: http://sourceforge.net/project/showfiles.php?group_id=167028