FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11

Transcription

1 FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory DFRWS 2006: Work in Progress (WIP) Aug 16, 2006 AAron Walters 4TΦ Research Nick L. Petroni Jr. University of Maryland FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11

2 Problem Anti-Forensics: Meterpreter, Core Impact, Canvas Minimize non-volatile artifacts Complex and opaque information infrastructure and systems Runtime Integrity? Rootkits Large collections of images (crash dump, dd, etc) Assume malicious adversary FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.2/11

3 Forensic Analysis ToolKit Visualization Modules Architecture Profile Data View Modules GUI Address Space Modules Profile Class Application Profile Classes Address Space Class Object Classes Input Data FATKit: cross-platform, modular, extensible framework Extract, analyze, aggregate, and visualize Research: Static analysis (CIL/Ocaml), memory informatics, multi-relational data mining Reusability, automation, abstraction Advanced detection: semantic integrity predicates (Petroni,2006) FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.3/11

4 Intel IA-32 Virtual Memory Module 31 Virtual Address 0 Directory Page Directory Directory Entry Table Offset Page Table Page Table Entry 4KB Page Physical Address CR3 Segmentation and paging Virtual to physical address translation Emulated virtual address spaces (including swap) Operating system independent FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.4/11

5 Linux Support init_tasks next_task next_task next_task next_task pid gid pid gid pid gid pid gid uids uids uids uids Automatic profile generation using static analysis (CIL/Ocaml) Linux Kernel/User Objects: List walking and linear address space scanning (physical/virtual) Accumulator functions (tasks, modules, filesystem data, network sockets,etc) FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.5/11

6 Windows Support Automatic profile generation (Debugging information/binary Dissassembly): Windows 2000, Windows XP, Windows 2003 Server, Windows Vista Windows Kernel/User Objects: List walking and linear address space scanning (physical/virtual) Processes, threads, devices, drivers, etc PE parsing, integrity, and reconstruction (exe,dll,etc) Stack tracing (kernel/user) Enumerate Object Handles: Ports, Registry Keys, Files, etc FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.6/11

7 Advanced Detection Modules Advanced detection data analysis module Kernel and userland malware (rootkits, viruses, etc) Injected or modified code and data Semantic integrity: inconsistant data conditions Data hiding (DKOM) Capability/access control modifications Control flow modifications Anti-forensics techniques (contraception) Example: Remote library injection FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.7/11

8 Example: Remote Library Injection Kernal Address Space User Address Space PE EXE LDR_MODULE KPROCESS DirectoryTableBase Pcb Peb EPROCESS PEB ImageBaseAddress Ldr ProcessParameters PEB_LDR_DATA InLoadOrderModuleList InMemoryOrderModuleList InInitializeOrderModuleList BaseAddress FullDllName LoadCount DLL PE TimeDateStamp ImagePathName RTL_USER_PROCESS_PARAMETERS Exploits dynamic linking of shared objects Correlating filesystem, memory, traffic dumps Semantic integrity of objects Extract suspicious artifacts (outlier) Detects public library injection attacks (Metasploit,NTIllusion,etc) FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.8/11

9 Visualization Modules Address Space Browser Linear address space representation, color coding Object Browser Navigate memory objects FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.9/11

10 Current Work Update hash databases (Trust) Disassembly (BinDiff, Flake) Hardware/Software Virtualization Inside virtual machine (Blue Pill) Acquisition Mechanism (quantify obtrusiveness) Anti-forensics (Metasploit modules) Cross-memory analysis (Garfinkel) Clustering machines (rootkits,botnets) Xinu? Implemented available tools in our framework FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.10/11

11 Related Information Andreas Schuster: Harlan Carvey: Mariusz Burdach: Jesse Kornblum: FATKit: FATKit: Detecting Malicious Library Injection and Upping the Anti Mailing List: Volatile Memory Mailing List FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.11/11