CHAD TILBURY.

Transcription

1

2 CHAD TILBURY 0 Former: Special Agent with US Air Force Office of Special Investigations 0 Current: Incident Response and Computer Forensics Consultant 0 Over 12 years in the trenches 0 SANS Digital Forensics and Incident Response Instructor & Author

3 The Year of Memory Forensics? Linux Analysis Memory Timelining Mac OS X Analysis Volatile Registry Analysis 64 bit support Live Memory Analysis Whitelisting

4 Old School vs. New School vs.

5 Mac and Linux Memory Forensics

6 Mac Memory Reader 0 Runs on Mac OS X , PowerPC, Intel, x86, x64 0 Generates a Mach-O file or raw dump of memory (-P) 0 Optional image hashing (-H) 0 Load kernel extension to fake /dev/mem only (-k) 0 Simple and effective!

7 There are currently very few tools to analyze physical memory dumps from Mac OS X machines. Hex editors, string extraction tools, search tools, and file carvers are all useful for extracting data. -Mac Memory Reader help file

8 Mac Memoryze 0 Dump memory 0 sudo macmemoryze dump f mem.dmp 0 Analysis (just the basics): 0 proclist 0 proclist w (similar to lsof) 0 proclist c (carve for processes) 0 kextlist 0 kextlist c (carve for kernel extensions) 0 Enumerate System Call Table and Mach Trap Table 0 Live analysis capable (do not include f option)

9 Mac Memoryze Proclist

10 Volatility + Mac = System Information 0 mac_print_boot_cmdline 0 mac_dmesg 0 mac_version 0 mac_vfs_events 0 mac_machine_info 0 mac_mount 0 mac_list_sessions 0 mac_list_zones 0 mac_ls_logins 0 mac_volshell Malware 0 mac_trustedbsd 0 mac_check_syscalls 0 mac_check_sysctl 0 mac_check_trap_table 0 mac_psxview 0 mac_yarascan 0 mac_notifiers 0 mac_ip_filters Process / Module Information 0 mac_pslist 0 mac_pstree 0 mac_proc_maps 0 mac_psaux 0 mac_lsmod 0 mac_lsof 0 mac_dead_procs 0 mac_pgrp_hash_table 0 mac_pid_hash_table 0 mac_dump_maps 0 mac_tasks Networking 0 mac_ifconfig 0 mac_netstat 0 mac_route 0 mac_arp /wiki/macmemoryforensics

11 Volatility + Mac

12 Linux Memory Acquisition 0 Old School: 0 dd if=/dev/kmem 0 Fmem kernel module 0 Redhat Crash Dump Utilities 0 New School

13 Volatility + Linux = System Information 0 linux_dmesg 0 linux_bash 0 linux_cpuinfo 0 linux_dentry_cache 0 linux_tmpfs 0 linux_find_file 0 linux_memmap 0 linux_mount 0 linux_mount_cache 0 linux_slabinfo 0 linux_iomem 0 linux_vma_cache 0 linux_volshell Malware 0 linux_yarascan 0 linux_check_syscall 0 linux_check_idt 0 linux_check_afinfo 0 linux_check_creds 0 linux_check_evt_arm 0 linux_check_fop 0 linux_check_tty 0 linux_check_modules 0 linux_keyboard_notifier Networking 0 linux_arp 0 linux_ifconfig 0 linux_netstat 0 linux_route_cache 0 linux_pkt_queues 0 linux_sk_buff_cache Process / Module Info 0 linux_proc_maps 0 linux_dump_map 0 linux_psaux 0 linux_pslist 0 linux_pslist_cache 0 linux_pstree 0 linux_psxview 0 linux_pidhashtable 0 linux_lsmod 0 linux_moddump 0 linux_lsof

14 linux_yarascan

15 linux_bash

16 Memory Timelining

17 What is Timeliner? 0 Set of Volatility plugins to collect time information from memory artifacts 0 Many memory artifacts have embedded timestamps: 0 Processes 0 Threads 0 Portable Executable Files 0 Process EXEs, DLLs, and Drivers 0 Network Sockets 0 Registry Keys 0 Event Logs 0 Timeliner consolidates artifacts into a delimited file that can be easily converted to a timeline 0 Volatility 2.3 now capable of body file format! 0 David Nides submitted recent patch for Log2Timeline format

18 Purpose Memory Timelining timeliner Timeliner collects timestamps from memory artifacts and outputs them in a timeline format Important Parameters Send output to a delimited file (--output-file=file_name) v2.1 Create output in body file format (--output=body) v2.3 Log2Timeline output format (pending) v2.4?? Investigative Notes Compatible with XP and Win7: automatically adjusts helper plugins Output can voluminous; best practice is to use --output-file The output is not currently compatible with other timeline formats Timeliner can take hours to run be patient! The -h help information currently lists many incorrect options

19 Example Output: Timeliner Processes Column Header Column Header 1 Creation Time 5 Parent Process ID 2 Artifact Type (PROCESS) 6 Exit Time 3 Process Name 7 EPROCESS Offset 4 Process ID

20 Timeliner Example

21 Redline Time Wrinkles

22 Live Response & Live Memory Analysis

23 Old School Batch Scripts

24 Mandiant Redline Collector

25 Redline Portable Collector

26 Live Memory Analysis Who Cares? 0 Digital Signature Checks 0 Digital signatures stripped when loaded into memory 0 Verification done using file certificates stored on-disk 0 MD5 Whitelisting 0 MD5 hashes of on-disk copies of memory mapped files 0 Must have access to file system 0 MemD5 Whitelisting 0 Hashing of in memory copy of binaries 0 Requires access to Page File

27 Narrowing Your Focus with Live Analysis

28 Whitelist Filtering 0 ID known good hashes from live memory analysis 0 Redline Options Whitelist Management 169 vs. 12 Items

29 Live Memory Analysis with Volatility 0 Winpmem 0 Raw, crash dump, and output to stdout 0 Direct analysis of running kernel (-l switch) 0 Optional write support! Volatility Technology Preview Branch Includes interactive shell (similar to volshell) -> the future of Volatility?

30 Live Analysis with winpmem

31 Live Response with Volatility

32 Good Day or Bad Day?

33 Old School doskey

34 Memory Carving

35 Purpose Typed Commands: cmdscan & consoles Scan csrss.exe (XP) and conhost.exe (Win7) for Command_History and Console_Information residue Important Parameters None Investigative Notes Gathering command history and console output can give insight into user / attacker activities cmdscan provides information from the command history buffer consoles prints commands (inputs) + screen buffer (outputs) Plugins can identify data from active and closed sessions

36 cmdscan Typed Commands: cmdscan & consoles

37 Old School pclip Find pcclip.exe at (or just get infected with Zeus)

38 Purpose Clipboard Contents: clipboard Extract contents of windows clipboard Important Parameters Verbose mode (-v) shows hex view of data (necessary if binary data stored in clipboard) Investigative Notes Recovers clipboard data for each Windows Station (i.e. console, RDP, Fast User Switching, etc.) Works on both XP/2003 and Windows 7/2008 systems In some cases, the clipboard only holds a pointer to the clipped content (i.e. the full path for a copied file)

39 Volatility Clipboard Contents: clipboard

40 Additional References BH_US_11_ButlerMurdock_Physical_Memory_Forensics-WP.pdf 0 DFIROnline Memory Forensics with Michael Cohen :

41 Thank You! computer-forensics.sans.org/blog

42