CHAD TILBURY. chad@forensicmethods.com. http://forensicmethods.com @chadtilbury



CHAD TILBURY
chad@forensicmethods.com
- Former: Special Agent with US Air Force Office of Special Investigations
- Current: Incident Response and Computer Forensics Consultant
- Over 12 years in the trenches
- SANS Digital Forensics and Incident Response Instructor & Author
http://forensicmethods.com @chadtilbury

The Year of Memory Forensics?
- Linux Analysis
- Memory Timelining
- Mac OS X Analysis
- Volatile Registry Analysis
- 64-bit support
- Live Memory Analysis
- Whitelisting

Old School vs. New School

Mac and Linux Memory Forensics

Mac Memory Reader
- Runs on Mac OS X 10.4-10.8; PowerPC and Intel (x86, x64)
- Generates a Mach-O file or raw dump of memory (-P)
- Optional image hashing (-H)
- Load kernel extension to fake /dev/mem only (-k)
- Simple and effective!

"There are currently very few tools to analyze physical memory dumps from Mac OS X machines. Hex editors, string extraction tools, search tools, and file carvers are all useful for extracting data." - Mac Memory Reader help file

Mac Memoryze
- Dump memory: sudo macmemoryze dump -f mem.dmp
- Analysis (just the basics):
  - proclist
  - proclist -w (similar to lsof)
  - proclist -c (carve for processes)
  - kextlist
  - kextlist -c (carve for kernel extensions)
  - Enumerate System Call Table and Mach Trap Table
- Live analysis capable (omit the -f option to analyze the running system instead of a dump)

Mac Memoryze Proclist

Volatility + Mac
System Information
- mac_print_boot_cmdline
- mac_dmesg
- mac_version
- mac_vfs_events
- mac_machine_info
- mac_mount
- mac_list_sessions
- mac_list_zones
- mac_ls_logins
- mac_volshell
Malware
- mac_trustedbsd
- mac_check_syscalls
- mac_check_sysctl
- mac_check_trap_table
- mac_psxview
- mac_yarascan
- mac_notifiers
- mac_ip_filters
Process / Module Information
- mac_pslist
- mac_pstree
- mac_proc_maps
- mac_psaux
- mac_lsmod
- mac_lsof
- mac_dead_procs
- mac_pgrp_hash_table
- mac_pid_hash_table
- mac_dump_maps
- mac_tasks
Networking
- mac_ifconfig
- mac_netstat
- mac_route
- mac_arp
https://code.google.com/p/volatility/wiki/macmemoryforensics

Volatility + Mac

Linux Memory Acquisition
- Old School:
  - dd if=/dev/kmem
  - fmem kernel module
  - Red Hat crash dump utilities
- New School: LiME, http://code.google.com/p/lime-forensics/
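The "new school" acquisition tool is LiME, a loadable kernel module that writes physical memory either as a raw/padded image or in its own "lime" container format, where every captured physical range is preceded by a small header. Analysts who receive a LiME capture should be able to check its range layout before handing it to Volatility, since a truncated or mis-sized capture produces confusing plugin output. The reader below is an added example written for this page; it is not code from the slides or from the LiME project. The header layout (32-byte packed header: u32 magic 0x4C694D45, u32 version 1, u64 inclusive start and end physical addresses, 8 reserved bytes) is the documented LiME format; the sample image is constructed in the script and is not a real capture.

```python
"""
Walk a LiME-format memory image and list its physical address ranges.

Added example (not from the original slides or the LiME project): a
minimal reader for the "lime" container that the LiME module writes when
loaded with format=lime. Each captured range of physical memory is
preceded by a 32-byte packed header:

    u32  magic      0x4C694D45 ("LiME"; appears as "EMiL" little-endian)
    u32  version    1
    u64  s_addr     first physical address in the range
    u64  e_addr     last physical address in the range (inclusive)
    u8   reserved[8]

The sample image built below is constructed here; it is not a capture.
"""
import hashlib
import struct

LIME_MAGIC = 0x4C694D45
LIME_HDR = struct.Struct("<IIQQ8s")   # little-endian, packed: 32 bytes


def parse_lime(data):
    """Return a list of (s_addr, e_addr, data_offset, length) tuples.

    Raises ValueError on a bad magic, an unsupported version, a range
    whose end precedes its start, or a range that runs past the end of
    the file (the symptom of a truncated acquisition)."""
    ranges = []
    off = 0
    while off < len(data):
        if off + LIME_HDR.size > len(data):
            raise ValueError("truncated header at offset 0x%x" % off)
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset 0x%x" % (magic, off))
        if version != 1:
            raise ValueError("unsupported LiME version %d" % version)
        if e_addr < s_addr:
            raise ValueError("range end 0x%x before start 0x%x" % (e_addr, s_addr))
        length = e_addr - s_addr + 1          # e_addr is inclusive
        data_off = off + LIME_HDR.size
        if data_off + length > len(data):
            raise ValueError("range 0x%x-0x%x runs past end of file" % (s_addr, e_addr))
        ranges.append((s_addr, e_addr, data_off, length))
        off = data_off + length
    return ranges


def lime_to_padded(data):
    """Flatten a LiME image into a zero-padded raw image.

    Holes between captured ranges (reserved / device memory the module
    does not read) are filled with zeros so that file offset == physical
    address, the layout tools expecting a raw dump assume."""
    out = bytearray()
    for s_addr, _e_addr, data_off, length in parse_lime(data):
        if s_addr > len(out):
            out.extend(b"\x00" * (s_addr - len(out)))
        out.extend(data[data_off:data_off + length])
    return bytes(out)


def build_sample_image():
    """Constructed sample: two ranges with a hole from 0x2000 to 0x2FFF."""
    seg1 = b"\xAA" * 0x2000
    seg2 = b"\xBB" * 0x1000
    img = LIME_HDR.pack(LIME_MAGIC, 1, 0x0000, 0x1FFF, b"\x00" * 8) + seg1
    img += LIME_HDR.pack(LIME_MAGIC, 1, 0x3000, 0x3FFF, b"\x00" * 8) + seg2
    return img


if __name__ == "__main__":
    img = build_sample_image()
    for s, e, o, n in parse_lime(img):
        print("range 0x%012x-0x%012x  %d bytes at file offset 0x%x" % (s, e, n, o))
    raw = lime_to_padded(img)
    print("padded raw image: %d bytes, sha256 %s"
          % (len(raw), hashlib.sha256(raw).hexdigest()))
```

Running the script against a real capture (replace `build_sample_image()` with the file contents) gives a quick integrity check: the ranges should be ascending and non-overlapping, and the last one should end exactly at end of file. Hash the padded output only after this check, since a truncated LiME file will flatten silently otherwise.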

Volatility + Linux
System Information
- linux_dmesg
- linux_bash
- linux_cpuinfo
- linux_dentry_cache
- linux_tmpfs
- linux_find_file
- linux_memmap
- linux_mount
- linux_mount_cache
- linux_slabinfo
- linux_iomem
- linux_vma_cache
- linux_volshell
Malware
- linux_yarascan
- linux_check_syscall
- linux_check_idt
- linux_check_afinfo
- linux_check_creds
- linux_check_evt_arm
- linux_check_fop
- linux_check_tty
- linux_check_modules
- linux_keyboard_notifier
Networking
- linux_arp
- linux_ifconfig
- linux_netstat
- linux_route_cache
- linux_pkt_queues
- linux_sk_buff_cache
Process / Module Info
- linux_proc_maps
- linux_dump_map
- linux_psaux
- linux_pslist
- linux_pslist_cache
- linux_pstree
- linux_psxview
- linux_pidhashtable
- linux_lsmod
- linux_moddump
- linux_lsof
https://code.google.com/p/volatility/wiki/linuxmemoryforensics

linux_yarascan

linux_bash

Memory Timelining

What is Timeliner?
- Set of Volatility plugins to collect time information from memory artifacts
- Many memory artifacts have embedded timestamps:
  - Processes
  - Threads
  - Portable Executable files (process EXEs, DLLs, and drivers)
  - Network sockets
  - Registry keys
  - Event logs
- Timeliner consolidates artifacts into a delimited file that can be easily converted to a timeline
- Volatility 2.3 is now capable of body file format!
- David Nides submitted a recent patch for Log2Timeline format

Memory Timelining: timeliner
Purpose: Timeliner collects timestamps from memory artifacts and outputs them in a timeline format
Important Parameters:
- Send output to a delimited file (--output-file=file_name) [v2.1]
- Create output in body file format (--output=body) [v2.3]
- Log2Timeline output format (pending) [v2.4?]
Investigative Notes:
- Compatible with XP and Win7: automatically adjusts helper plugins
- Output can be voluminous; best practice is to use --output-file
- The output is not currently compatible with other timeline formats
- Timeliner can take hours to run; be patient!
- The -h help information currently lists many incorrect options

Example Output: Timeliner Processes
Column  Header
1       Creation Time
2       Artifact Type (PROCESS)
3       Process Name
4       Process ID
5       Parent Process ID
6       Exit Time
7       EPROCESS Offset
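The slides note that the delimited output is "not currently compatible with other timeline formats" before 2.3 added --output=body, which is exactly the situation an analyst on an older Volatility hits: the delimited file must be converted by hand before mactime or log2timeline will take it. The converter below is an added example for this page, not code from the slides or from Volatility. It consumes the seven-column process record shown above and emits TSK 3.x body-file lines (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`). Two things the page does not fix are assumptions here and are parameters: the column delimiter ("|") and the timestamp text ("YYYY-MM-DD HH:MM:SS UTC+0000", with "-" for an absent exit time). The sample records are constructed, not real timeliner output, and the one-line-per-event convention is this example's own choice.

```python
"""
Convert Volatility timeliner process records into TSK body-file lines.

Added example, not code from the slides or from Volatility. The input
layout follows the seven-column process record on the slide (creation
time, artifact type, process name, PID, PPID, exit time, EPROCESS
offset). The delimiter and timestamp format are assumptions (the slide
does not state them) and are parameters. Sample records are constructed.

Output is the TSK 3.x body format mactime consumes:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime

Convention chosen here: one body line per timestamp event (creation,
and exit if present), with that event's time in all four time fields.
"""
from datetime import datetime, timezone

# Constructed sample in the slide's column order (not real output).
SAMPLE_TIMELINER = """\
2013-02-12 14:03:05 UTC+0000|PROCESS|svchost.exe|1032|624|-|0x86a5f020
2013-02-12 14:05:41 UTC+0000|PROCESS|cmd.exe|2248|1960|2013-02-12 14:09:12 UTC+0000|0x8649d3a8
2013-02-12 14:04:17 UTC+0000|PROCESS|lsass.exe|680|568|-|0x86b11c50
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S UTC+0000"   # assumed timestamp text


def parse_time(text, fmt=TIME_FMT):
    """Epoch seconds (UTC) for a timeliner timestamp, or None if unset.
    An unset exit time is assumed to be printed as '-' or empty."""
    text = text.strip()
    if text in ("", "-"):
        return None
    return int(datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp())


def process_records(text, delim="|"):
    """Parse delimited process records into dicts. Blank lines are
    skipped; a row with the wrong column count is an error, not a guess."""
    recs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split(delim)]
        if len(cols) != 7:
            raise ValueError("line %d: expected 7 columns, got %d" % (lineno, len(cols)))
        created, kind, name, pid, ppid, exited, offset = cols
        recs.append({
            "created": parse_time(created),
            "type": kind,
            "name": name,
            "pid": int(pid),
            "ppid": int(ppid),
            "exited": parse_time(exited),
            "offset": int(offset, 16),
        })
    return recs


def to_body_lines(recs):
    """One body line per timestamp event, sorted by time."""
    events = []
    for r in recs:
        label = "[%s] %s PID: %d/PPID: %d/POffset: 0x%08x" % (
            r["type"], r["name"], r["pid"], r["ppid"], r["offset"])
        if r["created"] is not None:
            events.append((r["created"], label + " (created)"))
        if r["exited"] is not None:
            events.append((r["exited"], label + " (exited)"))
    events.sort()
    # MD5, inode, uid, gid and size are zero: these artifacts have no file.
    return ["0|%s|0|---------------|0|0|0|%d|%d|%d|%d" % (name, t, t, t, t)
            for t, name in events]


if __name__ == "__main__":
    for line in to_body_lines(process_records(SAMPLE_TIMELINER)):
        print(line)
```

Feed the printed lines to `mactime -b body.txt -d` (or append them to a body file built from the disk image) to merge the memory events with file-system timestamps. Keep timeliner's own --output=body where it is available; the converter is for output from versions that predate it, or for records saved to the delimited format and handed over later.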

Timeliner Example

Redline Time Wrinkles

Live Response & Live Memory Analysis

Old School Batch Scripts

Mandiant Redline Collector

Redline Portable Collector

Live Memory Analysis: Who Cares?
- Digital Signature Checks
  - Digital signatures are stripped when the image is loaded into memory
  - Verification is done using the file certificates stored on disk
- MD5 Whitelisting
  - MD5 hashes of the on-disk copies of memory-mapped files
  - Must have access to the file system
- MemD5 Whitelisting
  - Hashing of the in-memory copy of binaries
  - Requires access to the page file
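The reason both the signature check and the plain MD5 whitelist need the disk is mechanical: the loader does not copy the file into memory byte for byte. It places the headers and each section at its virtual address (SectionAlignment-sized gaps zero-filled), and the Authenticode blob sits in the Certificate Table, which is a file offset past the last section and is never mapped at all. The script below is an added example for this page, not code from the slides, Redline or Memoryze. It builds a tiny constructed PE32+ (not a real binary), maps it the way the loader would, and shows that the disk MD5 and the in-memory MD5 differ and that the certificate bytes are absent from the mapped view. Real images differ further (relocation fix-ups, resolved import tables, and pages that are paged out, which is why the slide says MemD5 needs the page file); the mapper here handles only the section layout.

```python
"""
Why an on-disk MD5 does not match the in-memory copy of a PE image.

Added example; not from the slides or from Redline/Memoryze. Builds a
constructed PE32+ (not a real binary), lays it out as the Windows loader
does, and hashes both views. The Certificate Table (Authenticode blob)
is referenced by file offset and is never mapped, so it is missing from
the in-memory copy. Real images also differ by relocations and resolved
imports, which this mapper does not model.
"""
import hashlib
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000


def build_sample_pe():
    """Constructed PE32+ with .text/.data and a trailing certificate table.
    Only the header fields the mapper reads are filled in meaningfully."""
    sections = [  # name, virtual address, raw file offset, payload
        (b".text", 0x1000, 0x200, b"\x48\x31\xc0\xc3" * 64),   # xor rax,rax ; ret
        (b".data", 0x2000, 0x400, b"on-disk-data\x00" * 8),
    ]
    cert_off, cert_blob = 0x600, b"\x00" * 8 + b"CONSTRUCTED-CERT-BLOB" * 4
    size_of_image, size_of_headers = 0x3000, 0x200

    hdrs = bytearray(size_of_headers)
    hdrs[0:2] = b"MZ"
    struct.pack_into("<I", hdrs, 0x3C, 0x40)                           # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                               # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                              # Magic: PE32+
    struct.pack_into("<I", opt, 16, 0x1000)                            # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)                       # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, size_of_image, size_of_headers)
    struct.pack_into("<I", opt, 108, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert_blob))  # security directory
    body = coff + bytes(opt)
    for name, va, raw_ptr, payload in sections:
        body += struct.pack("<8sIIIIIIHHI", name, len(payload), va, FILE_ALIGN,
                            raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdrs[0x40:0x40 + len(body)] = body
    raw = bytes(hdrs)
    for _name, _va, raw_ptr, payload in sections:
        assert len(raw) == raw_ptr                  # sections are file-aligned
        raw += payload.ljust(FILE_ALIGN, b"\x00")
    assert len(raw) == cert_off
    return raw + cert_blob                          # certificate table is appended data


def map_image(raw):
    """Lay the file out as the loader would and return (image, cert_table).
    Handles PE32 and PE32+ (the data directory base differs)."""
    e_lfanew, = struct.unpack_from("<I", raw, 0x3C)
    if raw[:2] != b"MZ" or raw[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsect, = struct.unpack_from("<H", raw, coff + 2)
    opt_size, = struct.unpack_from("<H", raw, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", raw, opt)
    dd_base = 112 if magic == 0x20B else 96
    sect_align, _file_align = struct.unpack_from("<II", raw, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", raw, opt + 56)
    cert_off, cert_len = struct.unpack_from("<II", raw, opt + dd_base + 4 * 8)

    image = bytearray(size_of_image)
    image[:size_of_headers] = raw[:size_of_headers]    # headers map at RVA 0
    for i in range(nsect):
        name, _vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", raw, opt + opt_size + i * 40)
        chunk = raw[rawptr:rawptr + rawsize]
        if va % sect_align or va + len(chunk) > size_of_image:
            raise ValueError("section %r has an invalid layout" % name)
        image[va:va + len(chunk)] = chunk                # gaps stay zero-filled
    cert = raw[cert_off:cert_off + cert_len] if cert_len else b""
    return bytes(image), cert


def compare(raw):
    """Disk vs. in-memory digests, and whether the signature blob survived."""
    image, cert = map_image(raw)
    return {
        "disk_md5": hashlib.md5(raw).hexdigest(),
        "memory_md5": hashlib.md5(image).hexdigest(),   # what a MemD5-style check sees
        "cert_in_memory": bool(cert) and cert in image,
    }


if __name__ == "__main__":
    for k, v in compare(build_sample_pe()).items():
        print("%-15s %s" % (k, v))
```

The practical consequence for whitelisting is that a disk-MD5 list cannot be matched against bytes dumped from memory, and a MemD5 list built on one host is only comparable to another host if the mapping (and, in real life, relocation and import resolution) was performed the same way; any missing page also changes the digest, which is why the page file matters.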

Narrowing Your Focus with Live Analysis

Whitelist Filtering
- ID known-good hashes from live memory analysis
- Redline: Options > Whitelist Management
- 169 vs. 12 items

Live Memory Analysis with Volatility
- Winpmem
  - Raw, crash dump, and output to stdout
  - Direct analysis of running kernel (-l switch)
  - Optional write support!
  - https://code.google.com/p/volatility/downloads/list
- Volatility Technology Preview Branch
  - https://code.google.com/p/volatility/wiki/techpreviewbranch
  - Includes interactive shell (similar to volshell) -> the future of Volatility?

Live Analysis with winpmem

Live Response with Volatility

Good Day or Bad Day?

Old School doskey

Memory Carving

Typed Commands: cmdscan & consoles
Purpose: Scan csrss.exe (XP) and conhost.exe (Win7) for COMMAND_HISTORY and CONSOLE_INFORMATION residue
Important Parameters: None
Investigative Notes:
- Gathering command history and console output can give insight into user / attacker activities
- cmdscan provides information from the command history buffer
- consoles prints commands (inputs) + screen buffer (outputs)
- Plugins can identify data from active and closed sessions

cmdscan Typed Commands: cmdscan & consoles

Old School: pclip. Find pclip.exe at http://unxutils.sourceforge.net/ (or just get infected with Zeus)

Clipboard Contents: clipboard
Purpose: Extract contents of the Windows clipboard
Important Parameters:
- Verbose mode (-v) shows a hex view of the data (necessary if binary data is stored in the clipboard)
Investigative Notes:
- Recovers clipboard data for each Window Station (e.g. console, RDP, Fast User Switching, etc.)
- Works on both XP/2003 and Windows 7/2008 systems
- In some cases, the clipboard only holds a pointer to the clipped content (e.g. the full path of a copied file)

Volatility Clipboard Contents: clipboard

Additional References
- http://gleeda.blogspot.com/2011/04/volatility-14-userassist-plugin.html
- http://gleeda.blogspot.com/2012/09/week-3-of-month-of-volatility-plugins.html
- http://volatility-labs.blogspot.com/2013/05/movp-ii-23-creating-timelines-with.html
- http://cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader
- https://www.mandiant.com/blog/unibody-memory-analysis-introducing-mac-memoryze/
- http://memoryforensics.blogspot.com/2013/06/final-week-of-month-of-volatility.html
- http://volatility-labs.blogspot.com/2013/05/movp-ii-32-linuxandroid-memory.html
- http://holisticinfosec.blogspot.com/2013/03/toolsmith-redline-apt1-and-you-were-all.html
- http://media.blackhat.com/bh-us-11/butler/BH_US_11_ButlerMurdock_Physical_Memory_Forensics-WP.pdf
- DFIROnline Memory Forensics with Michael Cohen: http://www.youtube.com/watch?v=9ac7yiywvay
- http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html
- http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html

Thank You! chad@forensicmethods.com computer-forensics.sans.org/blog ForensicMethods.com @chadtilbury