Computer Forensics Incident Response and Live Memory Analysis. Thomas S. Hyslip. East Carolina University

Transcription

1 Computer Forensics Incident Response and Live Memory Analysis 1 Computer Forensics Incident Response and Live Memory Analysis Thomas S. Hyslip East Carolina University

2 Computer Forensics Incident Response and Live Memory Analysis 2 Abstract When a computer system is involved in a security incident such as an intrusion, virus, malware infection, or some other compromise the information security personnel must respond to investigate and mitigate the situation. Until recently the standard procedures were to isolate the computer, disconnect it from the network, and shut it down. Then remove the hard drive, create a forensic image of the hard drive and examine the hard drive for evidence. While this is forensically sound, stops further damage and limits liability, it may be destroying important evidence. Emerging threats such as RAM installed rootkits and malware require computer security professionals to change their standard operating procedures for incident response and incorporate live forensics. This paper exams the different free tools available to computer security professionals to capture an image of the running memory from a Windows operating system and perform a forensic analysis of the image.

3 Computer Forensics Incident Response and Live Memory Analysis 3 Introduction Traditional incident response and computer forensic training teaches students to isolate the affected system and shut it down, then remove the hard drive, create a forensic image of the drive and review the image for evidence in a static laboratory setting. The investigation also includes reviewing log data from firewalls and intrusion detection systems for evidence. While this procedure works fine for incidents such as an employee accessing inappropriate web sites, it is insufficient for computer intrusions or malware infection. Incident responders and computer forensic experts must continually update their procedures and incorporate new technologies. This is especially true for computer intrusions and malware infection. With standard memory ranging from 2GB to 4GB of RAM on personal computers, it is possible for intruders to install rootkits or malware within the RAM. Many hacker tools now use DLL injections, hooks, and other methods to ensure that their code will execute only in memory without ever touching the hard drive. The SQL Slammer worm is one such example of a virus that resides only in memory and never touches the hard drive. Therefore it is important for responders to investigate the RAM and conduct a live analysis of the computer prior to shutting the computer down and losing all the volatile data stored in RAM. This paper examines the new technologies available to acquire an image of the RAM and analyze the data prior to shutting it down.

4 Computer Forensics Incident Response and Live Memory Analysis 4 RAM Acquisition To collect evidence from volatile storage of a compromised system, it is necessary to violate one of the iron rules of computer forensics, Don t touch the keyboard or do anything to a running system. Why has this been the rule? It is to preserve the accuracy of the system s file time stamps. When an incident responder arrives on scene and pulls the power (USSS. p.1) on the compromised system the file time stamps are frozen. The responder then pulls the hard drive, creates a forensic bit for bit copy utilizing a write blocker and uses software to examine the copy. Then at court the responder can testify, that they did not do anything to change the data on the hard drive of the compromised system. While this long standing rule has very valid reasons for existing, there are exceptions. The modern tools used by hackers that were discussed in the introduction require all incident responders to consider the fact that pulling the power from a compromised system to preserve file time stamps may actually lose more evidence than it preserves. Therefore responders must make the decision if they should extract and preserve evidence in RAM, as it may be worth the cost of altering some file time stamps. As during any response, it is imperative that responders maintain meticulous notes of their action, especially if they chose to conduct a live analysis and preserve the evidence in RAM. Extracting evidence from RAM requires some sort of live analysis and interacting with the compromised system. It is important to keep your interactions with the compromised to a minimum and bring our own trusted tools. You do not want to utilize any commands or DLLs from the compromised systems. This is because many of the DLLs and system commands can

5 Computer Forensics Incident Response and Live Memory Analysis 5 be compromised by hacker tools and return invalid results to hide the hacker s presence on the system. The preferred method to utilize your trusted tools in through live CDs that contain the commands and associated DLLs required to execute. While it is possible to create your own live CDs to conduct live analysis, it is beyond the scope of this paper. There are a variety of methods available to capture an image of the running system s memory. The solutions range from proprietary software systems costing thousands of dollars to freeware tools that can be downloaded from the internet. Whatever tool you chose to utilize, it is important to conduct your own tests and validation of the tool. This paper examines the following free live analysis, RAM imaging tools. Mantech s Memory DD Helix Memory DD Developed by Mantech, Memory DD captures a record of physical or random access memory which is lost when the computer is shutdown. Memory DD is a free download available from Mantech s website, Memory DD supports acquiring memory images from Microsoft Windows 2000, Server 2003, XP, and Vista. The download is available as either an executable or a zip file. Version 1.3 is the latest release and operates from a command line within Windows. It is capable of capturing up to 4 GBs of memory from a Windows machine. I found the easiest way to run Memory DD is from a USB thumb drive that is at least 4GBs. This

6 Computer Forensics Incident Response and Live Memory Analysis 6 enables you to capture the memory to the USB thumb drive for later analysis. The command line to capture the memory is I:\> mdd_1.3 o winxp This saves the image of the memory to the output file, winxp, on the I: drive, which in this case is the USB thumb drive. Below is a screen capture of Memory DD dumping 1.2GB of memory from a running Windows XP computer. It took approximately 15 minutes to capture the 1.2GB of memory and Memory DD returned 16 errors during the capture. Figure 1. Memory DD Capture.

7 Computer Forensics Incident Response and Live Memory Analysis 7 Helix Helix is really two resources in one. First it is a Live CD portable operating system that comes with computer forensic and incident response software preinstalled. It includes tools to make bit for bit images of hard drives with MD5 hashing capability, recycle bin analyzers, cookie analyzers for internet explorer and root kit hunters, plus many more. I highly recommend this portable operating system to anyone working in the information security field. Figure 2. Helix Live CD Boot Screen. The second part of the Helix CD is a live analysis tool for running Windows systems. If a computer is suspected of being compromised you can run the Helix CD within Windows on the suspect computer and it will provide you with very valuable information including a list of running process and process IDs, as well as the ability to image running RAID arrays, and the RAM of the suspect computer. When you

8 Computer Forensics Incident Response and Live Memory Analysis 8 first insert the Helix CD-Rom in the compromised system, Helix provides a warning screen to remind you that you are making changes to the running system. Figure 2. Helix Warning. Unlike Memory DD, Helix operates from a Windows GUI environment and Helix gives you the additional option of extracting the RAM to a network share or networked computer via netcat. If you chose to save the image to a local drive, you must attach an external hard drive or USB thumb drive because you do not want to save the image to the local hard drive. Helix also provides the user the ability to split the image and set the block size for the image.

9 Computer Forensics Incident Response and Live Memory Analysis 9 Figure 3. Helix Live Acquisition of Physical RAM. Memory Image Analysis Now that you have captured an image of the running memory from the compromised computer, you can isolate the computer and shut it down. The captured image can then be analyzed in a controlled environment. This paper examines the free RAM analysis tool Volatility. Volatility Volatility is a collection of tools implemented in Python for the examination of RAM images. Version is latest stable release of Volatility, but version 1.3 is available in Beta format. The

10 Computer Forensics Incident Response and Live Memory Analysis 10 software is available for download from In addition to the windows version we used, Volatility is also available for Linux, Cygmin, and OSX Volatility requires python to be installed on the examination computer to operate. Python can be obtained at The available commands and their actions are listed below. connections connscan connscan2 datetime dlllist dmp2raw dmpchk files hibinfo ident memdmp memmap modscan modscan2 modules procdump pslist psscan psscan2 raw2dmp regobjkeys sockets sockscan sockscan2 strings thrdscan thrdscan2 vaddump vadinfo vadwalk Print list of open connections Scan for connection objects Scan for connection objects Get date/time information for image Print list of loaded dlls for each process Convert a crash dump to a raw dump Dump crash dump information Print list of open files for each process Convert hibernation file to linear sample Identify image properties Dump the addressable memory for a process Print the memory map Scan for modules Scan for module objects Print list of loaded modules Dump a process to an executable sample Print list of running processes Scan for EPROCESS objects Scan for process objects Convert a raw dump to a crash dump Print list of open regkeys for each process Print list of open sockets Scan for socket objects Scan for socket objects Match physical offsets to virtual addresses Scan for ETHREAD objects Scan for thread objects Dump the Vad sections to files Dump the VAD info Walk the vad tree

11 Computer Forensics Incident Response and Live Memory Analysis 11 According to Volatile Systems Website, Volatility is able to extract the following information from memory images: Image date and time Running processes Open network sockets Open network connections DLLs loaded for each process Open files for each process Open registry keys for each process OS kernel modules Mapping physical offsets to virtual addresses Virtual Address Descriptor information Addressable memory for each process Memory maps for each process Extract executable samples Scanning examples: processes, threads, sockets, connections, modules The results of Volatility examination are very similar to the output of Microsoft s Windows Sysinternals. Volatility is able to extract the information from the memory image and put it back together in a useful format. The dlllist command is a useful very information as it shows the size and path to all the DLLs used by each running process. This can be very useful in your investigation. As is the output from the pslist command which shows all the running processes on the system. Any hidden files may not show up on the pslist output or dlllist output, but might be present in the output of the psscan command. The psscan command returns the physical address for all the EProcess objects found by psscan. If you find a eprocess with psscan that does not have a corresponding process from pslist and no dlls according to dlllist, then that is most likely your malware or hidden process put in place by the attacker.

12 Computer Forensics Incident Response and Live Memory Analysis 12 As you can see, much useful information can be retrieved from the memory image, that might not have otherwise been discovered. Below is a screen capture of Volatility. Figure 4. Dlllist Conclusion As you can see, there are free tools available to image the memory (RAM) of a running Windows system. The imaging of the RAM is very simple and straight forward and I recommend using the Helix Live CD and a USB thumb drive or external hard drive. The analysis of the memory image is slightly more complicated and the available free programs are still being developed and improved. However, there are commercial programs available that provide in depth analysis of memory images. HBGary Inc ( released Responder

13 Computer Forensics Incident Response and Live Memory Analysis 13 Professional and recently announced they would be working with Guidance Software to include their products with Encase. So, should you acquire an image of the memory during a computer security incident? That depends. For complex intrusions involving malware, I would definitely recommend it. It is better to capture the RAM just in case your standard investigation doesn t reveal any evidence. Then you can analysis the RAM. For standard misuse cases or inappropriate content, it might not be necessary to capture the RAM. But what does it hurt? I agree with Vidas(2006), Shipley and Reeve(2006) that RAM acquisition will become an industry standard and the benefits outweigh the risks(p. 317, p.6). Therefore, I recommend including the process in all responses as part of your standard operating procedure. That way you always have a copy of the RAM just in case, you will become proficient at the process and when you have the complex intrusion you are not imaging the RAM for the first time.

14 Computer Forensics Incident Response and Live Memory Analysis 14 References Broersa, Matthew. (2007). Rootkits Evade Hardware Detection. PCWorld. Burdach, Mariusz. (2006). Physical Memory Forensics. Blackhat Conference Presentation. Carrier, Brian, and Grand, Joe. A hardware-based memory acquisition procedure for digital investigations. Digital Investigation Vol. 1 No. 1. Carrier, Brian. (2002). Open Source Digital Forensics Tools, The Legal Argument. Guidance Software. (2008). HBGary, Inc. (2008). KornBlum, Jesse. (2002). Preservation of Fragile Digital Evidence by First Responders. US Air Force Office of Special Investigations. Digital Forensic Workshop Mantech, International Corporation. (2008). Russinovich, Mark and Soloman, David. (2005). Microsoft Windows Internals. Microsoft Press. Redmond, Washington. Shiply, Todd and Reeve, Henry. (2006). Collecting Evidence from a Running Computer. SEARCH, The

15 Computer Forensics Incident Response and Live Memory Analysis 15 National Consortium for Justice and Internationals Standards. (p. 6) US Secret Service. (2008). Best Practices for Seizing Electronic Evidence. (p. 1) Vidas, Timothy. (2006). The Acquisition and Analysis of Random Access Memory. Journal of Digital Forensic Practice. December 2006 Issue. (p. 317) Volatile Systems. (2008).