CHAD TILBURY
chad@forensicmethods.com
- Former: Special Agent with US Air Force Office of Special Investigations
- Current: Incident Response and Computer Forensics Consultant
- Over 12 years in the trenches
- SANS Digital Forensics and Incident Response Instructor & Author
http://forensicmethods.com
@chadtilbury
The Year of Memory Forensics?
- Linux Analysis
- Memory Timelining
- Mac OS X Analysis
- Volatile Registry Analysis
- 64 bit support
- Live Memory Analysis
- Whitelisting
Old School vs. New School
Mac and Linux Memory Forensics
Mac Memory Reader
- Runs on Mac OS X 10.4-10.8, PowerPC, Intel, x86, x64
- Generates a Mach-O file or raw dump of memory (-P)
- Optional image hashing (-H)
- Load kernel extension to fake /dev/mem only (-k)
- Simple and effective!
"There are currently very few tools to analyze physical memory dumps from Mac OS X machines. Hex editors, string extraction tools, search tools, and file carvers are all useful for extracting data." (Mac Memory Reader help file)
Mac Memoryze
- Dump memory
  - sudo macmemoryze dump -f mem.dmp
- Analysis (just the basics):
  - proclist
  - proclist -w (similar to lsof)
  - proclist -c (carve for processes)
  - kextlist
  - kextlist -c (carve for kernel extensions)
  - Enumerate System Call Table and Mach Trap Table
- Live analysis capable (do not include the -f option)
Mac Memoryze Proclist
Volatility + Mac
System Information
- mac_print_boot_cmdline
- mac_dmesg
- mac_version
- mac_vfs_events
- mac_machine_info
- mac_mount
- mac_list_sessions
- mac_list_zones
- mac_ls_logins
- mac_volshell
Malware
- mac_trustedbsd
- mac_check_syscalls
- mac_check_sysctl
- mac_check_trap_table
- mac_psxview
- mac_yarascan
- mac_notifiers
- mac_ip_filters
Process / Module Information
- mac_pslist
- mac_pstree
- mac_proc_maps
- mac_psaux
- mac_lsmod
- mac_lsof
- mac_dead_procs
- mac_pgrp_hash_table
- mac_pid_hash_table
- mac_dump_maps
- mac_tasks
Networking
- mac_ifconfig
- mac_netstat
- mac_route
- mac_arp
https://code.google.com/p/volatility/wiki/macmemoryforensics
Volatility + Mac
Linux Memory Acquisition
- Old School:
  - dd if=/dev/kmem
  - Fmem kernel module
  - Redhat Crash Dump Utilities
- New School:
  - LiME (http://code.google.com/p/lime-forensics/)
Volatility + Linux
System Information
- linux_dmesg
- linux_bash
- linux_cpuinfo
- linux_dentry_cache
- linux_tmpfs
- linux_find_file
- linux_memmap
- linux_mount
- linux_mount_cache
- linux_slabinfo
- linux_iomem
- linux_vma_cache
- linux_volshell
Malware
- linux_yarascan
- linux_check_syscall
- linux_check_idt
- linux_check_afinfo
- linux_check_creds
- linux_check_evt_arm
- linux_check_fop
- linux_check_tty
- linux_check_modules
- linux_keyboard_notifier
Networking
- linux_arp
- linux_ifconfig
- linux_netstat
- linux_route_cache
- linux_pkt_queues
- linux_sk_buff_cache
Process / Module Info
- linux_proc_maps
- linux_dump_map
- linux_psaux
- linux_pslist
- linux_pslist_cache
- linux_pstree
- linux_psxview
- linux_pidhashtable
- linux_lsmod
- linux_moddump
- linux_lsof
https://code.google.com/p/volatility/wiki/linuxmemoryforensics
linux_yarascan
linux_bash
Memory Timelining
What is Timeliner?
- Set of Volatility plugins to collect time information from memory artifacts
- Many memory artifacts have embedded timestamps:
  - Processes
  - Threads
  - Portable Executable Files
    - Process EXEs, DLLs, and Drivers
  - Network Sockets
  - Registry Keys
  - Event Logs
- Timeliner consolidates artifacts into a delimited file that can be easily converted to a timeline
- Volatility 2.3 now capable of body file format!
- David Nides submitted recent patch for Log2Timeline format
Memory Timelining: timeliner
Purpose: Timeliner collects timestamps from memory artifacts and outputs them in a timeline format
Important Parameters:
- Send output to a delimited file (--output-file=file_name) v2.1
- Create output in body file format (--output=body) v2.3
- Log2Timeline output format (pending) v2.4??
Investigative Notes:
- Compatible with XP and Win7: automatically adjusts helper plugins
- Output can be voluminous; best practice is to use --output-file
- The output is not currently compatible with other timeline formats
- Timeliner can take hours to run; be patient!
- The -h help information currently lists many incorrect options
Example Output: Timeliner Processes
Column  Header
1       Creation Time
2       Artifact Type (PROCESS)
3       Process Name
4       Process ID
5       Parent Process ID
6       Exit Time
7       EPROCESS Offset
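To show what the conversion from timeliner's delimited process rows into the body file format that Volatility 2.3 can emit looks like, here is an added example. It is not code from the deck or from the Volatility project. It assumes pipe-delimited rows in the seven-column order of the table above, and the mapping of creation time to the body file's crtime field and exit time to mtime is this example's own choice; the sample rows are constructed.

```python
"""Convert Volatility timeliner process rows into TSK body-file records.

Added example, not code from the presentation or from the Volatility project.
Input layout follows the seven columns on the slide (creation time, artifact
type, process name, PID, PPID, exit time, EPROCESS offset); the pipe delimiter
and the sample rows below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample rows in the slide's column order (not real dump data).
SAMPLE_TIMELINER_OUTPUT = """\
2013-05-01 14:02:11 UTC+0000|PROCESS|explorer.exe|1712|1688||0x81e4a020
2013-05-01 14:05:42 UTC+0000|PROCESS|cmd.exe|2208|1712|2013-05-01 14:09:03 UTC+0000|0x81d2b7c0
2013-05-01 14:06:10 UTC+0000|PROCESS|svchost.exe|2340|2208||0x81c9f3a8
"""


@dataclass
class ProcessRecord:
    created: datetime
    artifact: str
    name: str
    pid: int
    ppid: int
    exited: Optional[datetime]
    offset: str


def parse_timestamp(text: str) -> Optional[datetime]:
    """Parse 'YYYY-MM-DD HH:MM:SS UTC+0000'; empty text means no timestamp."""
    text = text.strip()
    if not text:
        return None
    # "%z" understands "+0000", so drop the literal "UTC" before parsing.
    return datetime.strptime(text.replace(" UTC", " "), "%Y-%m-%d %H:%M:%S %z")


def parse_timeliner_line(line: str) -> ProcessRecord:
    """Split one delimited row into a typed record; reject malformed rows."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 7:
        raise ValueError(f"expected 7 columns, got {len(fields)}: {line!r}")
    created = parse_timestamp(fields[0])
    if created is None:
        raise ValueError(f"missing creation time: {line!r}")
    return ProcessRecord(
        created=created,
        artifact=fields[1],
        name=fields[2],
        pid=int(fields[3]),
        ppid=int(fields[4]),
        exited=parse_timestamp(fields[5]),
        offset=fields[6],
    )


def epoch(ts: Optional[datetime]) -> int:
    """Body files carry Unix epoch seconds; 0 marks an absent timestamp."""
    return int(ts.timestamp()) if ts else 0


def to_body_line(rec: ProcessRecord) -> str:
    """TSK body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.

    Mapping used here (an assumption for this example): creation time -> crtime,
    exit time -> mtime, all other fields 0, which mactime tolerates.
    """
    name = f"[{rec.artifact}] {rec.name} PID: {rec.pid} PPID: {rec.ppid} POffset: {rec.offset}"
    return "|".join([
        "0", name, "0", "---------------", "0", "0", "0",
        "0", str(epoch(rec.exited)), "0", str(epoch(rec.created)),
    ])


def build_timeline(text: str) -> List[Tuple[int, str]]:
    """Flatten every timestamp into (epoch, event) pairs sorted by time."""
    events: List[Tuple[int, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_timeliner_line(line)
        events.append((epoch(rec.created), f"{rec.name} ({rec.pid}) created by PPID {rec.ppid}"))
        if rec.exited:
            events.append((epoch(rec.exited), f"{rec.name} ({rec.pid}) exited"))
    return sorted(events)


if __name__ == "__main__":
    for row in SAMPLE_TIMELINER_OUTPUT.splitlines():
        print(to_body_line(parse_timeliner_line(row)))
    for when, what in build_timeline(SAMPLE_TIMELINER_OUTPUT):
        print(datetime.fromtimestamp(when, tz=timezone.utc).isoformat(), what)
```

The body lines can be fed straight to mactime and merged with file system and log2timeline bodies, which is the point of the format; the sorted event list shows why exit times matter, since the cmd.exe exit lands after the child svchost.exe creation and would be invisible in a creation-only view.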
Timeliner Example
Redline Time Wrinkles
Live Response & Live Memory Analysis
Old School Batch Scripts
Mandiant Redline Collector
Redline Portable Collector
Live Memory Analysis: Who Cares?
- Digital Signature Checks
  - Digital signatures stripped when loaded into memory
  - Verification done using file certificates stored on-disk
- MD5 Whitelisting
  - MD5 hashes of on-disk copies of memory mapped files
  - Must have access to file system
- MemD5 Whitelisting
  - Hashing of in-memory copy of binaries
  - Requires access to Page File
Narrowing Your Focus with Live Analysis
Whitelist Filtering
- ID known good hashes from live memory analysis
- Redline: Options > Whitelist Management
- 169 vs. 12 Items
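As an added example of the MD5 whitelist filtering the two slides above describe (not code from the deck, Redline or Volatility): a loaded-module inventory is reduced by dropping every module whose on-disk MD5 is in a known-good set, while modules that cannot be hashed because there is no on-disk copy are kept and flagged rather than silently passed. The file contents, hash set and inventory are constructed so it runs offline; in a real run the mapped files are read from the file system.

```python
"""Whitelist filtering of a live-memory module inventory by on-disk MD5.

Added example; it is not code from the presentation, Redline or Volatility.
The file contents, hash set and module inventory below are all constructed so
the script runs offline; a real run would read the mapped files from disk.
"""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins for the on-disk copies of memory-mapped files.
DISK_FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\ntdll.dll": b"MZ-constructed-ntdll-image",
    r"C:\Windows\System32\kernel32.dll": b"MZ-constructed-kernel32-image",
    r"C:\Users\bob\AppData\Local\Temp\svchost.exe": b"MZ-constructed-unknown-binary",
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Known-good hash set (the whitelist). Here it is derived from the two
# constructed Microsoft files; in practice it comes from a vetted source.
WHITELIST: Set[str] = {
    md5_hex(DISK_FILES[r"C:\Windows\System32\ntdll.dll"]),
    md5_hex(DISK_FILES[r"C:\Windows\System32\kernel32.dll"]),
}

# Constructed inventory as a live-analysis tool reports it: (PID, module path).
LOADED_MODULES: List[Tuple[int, str]] = [
    (1712, r"C:\Windows\System32\ntdll.dll"),
    (1712, r"C:\Windows\System32\kernel32.dll"),
    (2208, r"C:\Windows\System32\ntdll.dll"),
    (2208, r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    (2340, r"C:\Windows\System32\evil.dll"),  # mapped in memory, no on-disk copy
]


def disk_md5(path: str, files: Dict[str, bytes] = DISK_FILES) -> Optional[str]:
    """MD5 of the on-disk copy, or None when the file is not on the file system."""
    data = files.get(path)
    return md5_hex(data) if data is not None else None


def filter_whitelist(
    modules: List[Tuple[int, str]],
    whitelist: Set[str],
    files: Dict[str, bytes] = DISK_FILES,
) -> Tuple[List[Tuple[int, str, str]], int]:
    """Drop modules whose on-disk MD5 is known good; keep the rest with a verdict.

    Returns (remaining, dropped_count). A module with no on-disk copy cannot be
    hashed, so it stays in the working set labelled 'no on-disk copy'.
    """
    remaining: List[Tuple[int, str, str]] = []
    dropped = 0
    for pid, path in modules:
        digest = disk_md5(path, files)
        if digest is None:
            remaining.append((pid, path, "no on-disk copy"))
        elif digest.lower() in whitelist:
            dropped += 1
        else:
            remaining.append((pid, path, f"unknown hash {digest}"))
    return remaining, dropped


if __name__ == "__main__":
    left, gone = filter_whitelist(LOADED_MODULES, WHITELIST)
    print(f"{len(LOADED_MODULES)} items before, {len(left)} after ({gone} whitelisted)")
    for pid, path, verdict in left:
        print(pid, path, verdict)
```

Two of the five entries survive: the unknown binary in a user temp directory and the module that exists only in memory. The second case is the one an on-disk MD5 whitelist cannot decide by itself, which is where MemD5 hashing of the in-memory copy comes in.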
Live Memory Analysis with Volatility
- Winpmem
  - Raw, crash dump, and output to stdout
  - Direct analysis of running kernel (-l switch)
  - Optional write support!
  - https://code.google.com/p/volatility/downloads/list
- Volatility Technology Preview Branch
  - https://code.google.com/p/volatility/wiki/techpreviewbranch
  - Includes interactive shell (similar to volshell) -> the future of Volatility?
Live Analysis with winpmem
Live Response with Volatility
Good Day or Bad Day?
Old School doskey
Memory Carving
Typed Commands: cmdscan & consoles
Purpose: Scan csrss.exe (XP) and conhost.exe (Win7) for Command_History and Console_Information residue
Important Parameters: None
Investigative Notes:
- Gathering command history and console output can give insight into user / attacker activities
- cmdscan provides information from the command history buffer
- consoles prints commands (inputs) + screen buffer (outputs)
- Plugins can identify data from active and closed sessions
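An added example of the memory carving idea behind these plugins (not code from the deck or from Volatility): cmdscan and consoles walk the Command_History and Console_Information structures inside csrss.exe or conhost.exe, whereas the simpler approach below just carves runs of UTF-16LE text, which is how console input is stored, out of a process memory buffer. It recovers the same residue with more noise, which is useful as a cross-check when the structures are damaged. The buffer and the three command strings in it are constructed.

```python
"""Carve UTF-16LE typed-command residue from a console host memory buffer.

Added example, not code from the presentation or from Volatility. cmdscan and
consoles parse the Command_History / Console_Information structures; this is
the string-carving approximation. The buffer below is constructed.
"""
from typing import List, Tuple


def carve_utf16le_strings(buf: bytes, min_chars: int = 6) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of at least min_chars printable ASCII
    characters encoded as UTF-16LE (character byte followed by a zero byte).

    The scan advances one byte at a time, so runs at odd offsets are found too;
    once a run is consumed the scan resumes after it, so no run is reported twice.
    """
    found: List[Tuple[int, str]] = []
    i, n = 0, len(buf)
    while i + 1 < n:
        start = i
        chars: List[str] = []
        while i + 1 < n and buf[i + 1] == 0 and 0x20 <= buf[i] < 0x7F:
            chars.append(chr(buf[i]))
            i += 2
        if len(chars) >= min_chars:
            found.append((start, "".join(chars)))
        if i == start:
            i += 1
    return found


def build_sample_buffer() -> bytes:
    """Constructed 'process memory': three command strings between filler bytes."""
    return (
        b"\xcc" * 13
        + "ipconfig /all".encode("utf-16le")
        + b"\x00\x00\xee\xee"
        + "dir C:\\Users".encode("utf-16le")
        + b"\x90" * 7
        + "type notes.txt".encode("utf-16le")
        + b"\x00" * 8
        + "ab".encode("utf-16le")  # too short to pass the length filter
        + b"\xcc" * 4
    )


if __name__ == "__main__":
    for offset, text in carve_utf16le_strings(build_sample_buffer()):
        print(f"0x{offset:08x}  {text}")
```

Against a real csrss.exe or conhost.exe address space (for example dumped with memdump) the carver returns far more than typed commands, since prompts, screen buffer text and unrelated strings all match; the structure-aware plugins are what separate command history from the rest, and the offsets this carver reports are the starting point for checking them.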
Typed Commands: cmdscan & consoles (cmdscan output)
Old School: pclip. Find pclip.exe at http://unxutils.sourceforge.net/ (or just get infected with Zeus)
Clipboard Contents: clipboard
Purpose: Extract contents of the Windows clipboard
Important Parameters:
- Verbose mode (-v) shows hex view of data (necessary if binary data is stored in the clipboard)
Investigative Notes:
- Recovers clipboard data for each Window Station (i.e. console, RDP, Fast User Switching, etc.)
- Works on both XP/2003 and Windows 7/2008 systems
- In some cases, the clipboard only holds a pointer to the clipped content (i.e. the full path for a copied file)
Volatility Clipboard Contents: clipboard
Additional References
- http://gleeda.blogspot.com/2011/04/volatility-14-userassist-plugin.html
- http://gleeda.blogspot.com/2012/09/week-3-of-month-of-volatility-plugins.html
- http://volatility-labs.blogspot.com/2013/05/movp-ii-23-creating-timelines-with.html
- http://cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader
- https://www.mandiant.com/blog/unibody-memory-analysis-introducing-mac-memoryze/
- http://memoryforensics.blogspot.com/2013/06/final-week-of-month-of-volatility.html
- http://volatility-labs.blogspot.com/2013/05/movp-ii-32-linuxandroid-memory.html
- http://holisticinfosec.blogspot.com/2013/03/toolsmith-redline-apt1-and-you-were-all.html
- http://media.blackhat.com/bh-us-11/butler/BH_US_11_ButlerMurdock_Physical_Memory_Forensics-WP.pdf
- DFIROnline Memory Forensics with Michael Cohen: http://www.youtube.com/watch?v=9ac7yiywvay
- http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html
- http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html
Thank You!
chad@forensicmethods.com
computer-forensics.sans.org/blog
ForensicMethods.com
@chadtilbury