Q-CERT Workshop. Matthew Geiger mgeiger@cert.org. 2007 Carnegie Mellon University



Similar documents
FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11

Volatile Memory Acquisition via Warm Boot Memory Survivability

EVTXtract. Recovering EVTX Records from Unallocated Space PRESENTED BY: Willi Ballenthin OCT 6, Mandiant Corporation. All rights reserved.

Detecting Malware With Memory Forensics. Hal Pomeranz SANS Institute

The Value of Physical Memory for Incident Response

Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis

Techniques and Tools for Recovering and Analyzing Data from Volatile Memory

Physical Memory Forensics. Mariusz Burdach

Memory Forensics for QQ from a Live System

CHAD TILBURY.

Run-Time Deep Virtual Machine Introspection & Its Applications

Extraction of forensically sensitive information from windows physical memory

Practical Methods for Dealing with Full Disk Encryption. Jesse Kornblum

Volatools: Integrating Volatile Memory Forensics into the Digital Investigation Process

Practical Cryptographic Key Recovery

FACE: Automated Digital Evidence Discovery and Correlation

Full System Emulation:

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

EC-Council Ethical Hacking and Countermeasures

INCIDENT RESPONSE & COMPUTER FORENSICS, SECOND EDITION

Microsoft Vista: Serious Challenges for Digital Investigations

PTK Forensics. Dario Forte, Founder and Ceo DFLabs. The Sleuth Kit and Open Source Digital Forensics Conference

Peeking into Pandora s Bochs. Instrumenting a Full System Emulator to Analyse Malicious Software

A Day in the Life of a Cyber Tool Developer

Y R O. Memory Forensics: A Volatility Primer M E M. Mariano Graziano. Security Day - Lille1 University January Lille, France

Review from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture

NIST A: Guide for Assessing the Security Controls in Federal Information Systems. Samuel R. Ashmore Margarita Castillo Barry Gavrich

Survey of Disk Image Storage Formats

ENTERPRISE COMPUTER INCIDENT RESPONSE AND FORENSICS TRAINING

Digital Forensics. Tom Pigg Executive Director Tennessee CSEC

One-byte Modification for Breaking Memory Forensic Analysis

VICE Catch the hookers! (Plus new rootkit techniques) Jamie Butler Greg Hoglund

Chapter 14 Analyzing Network Traffic. Ed Crowley

Process Description and Control william stallings, maurizio pizzonia - sistemi operativi

Digital Forensics Tutorials Acquiring an Image with FTK Imager

Digital Forensics, ediscovery and Electronic Evidence

Where is computer forensics used?

Fuzzy Hashing for Digital Forensic Investigators Dustin Hurlbut - AccessData January 9, 2009

Prof. Christos Xenakis, Dr. Christoforos Ntantogian Department of Digital Systems University of Piraeus, Greece

Chapter 15 Windows Operating Systems

Impact of Digital Forensics Training on Computer Incident Response Techniques

Freeware Live Forensics tools evaluation and operation tips

Discovery of Electronically Stored Information ECBA conference Tallinn October 2012

The Process of Acquiring Live Systems

ACE STUDY GUIDE. 3. Which Imager pane shows information specific to file systems such as HFS+, NTFS, and Ext2? - Properties Pane

Hi and welcome to the Microsoft Virtual Academy and

The Mobile Forensic Platform

#311 Engineer. Year of birth 1967 Specialities: Embedded Systems, Linux

Whitepaper Document Solutions

Digital Forensics at the National Institute of Standards and Technology

Considering Third Generation ediscovery? Two Approaches for Evaluating ediscovery Offerings

Computer Forensics and Investigations Duration: 5 Days Courseware: CT

Fall. Forensic Examination of Encrypted Systems Matthew Postinger COSC 374

McAfee VirusScan Enterprise for Linux Software

Rapidly Growing Linux OS: Features and Reliability

COS 318: Operating Systems

Memory Forensics: Collecting & Analyzing Malware Artifacts from RAM

COMPREHENSIVE STUDY OF DIGITAL FORENSICS

FRONT FLYLEAF PAGE. This page has been intentionally left blank

Automated Windows Event Log Forensics

Recovering Business Rules from Legacy Source Code for System Modernization

FORENSIC ANALYSIS OF USB MEDIA EVIDENCE. Jesús Alexander García. Luis Alejandro Franco. Juan David Urrea. Carlos Alfonso Torres

Storage and File Systems. Chester Rebeiro IIT Madras

Windows 7. Qing Liu Michael Stevens

Using Process Monitor

Hands-On How-To Computer Forensics Training

Red Hat Linux Internals

AIR FORCE INSTITUTE OF TECHNOLOGY

Frontiers in Cyber Security: Beyond the OS

USTC Course for students entering Clemson F2013 Equivalent Clemson Course Counts for Clemson MS Core Area. CPSC 822 Case Study in Operating Systems

Just EnCase. Presented By Larry Russell CalCPA State Technology Committee May 18, 2012

Lecture outline. Computer Forensics and Digital Investigation. Defining the word forensic. Defining Computer forensics. The Digital Investigation

Secure Network Communications FIPS Non Proprietary Security Policy

Advanced ANDROID & ios Hands-on Exploitation

Process Forensics - A Pilot Study on the Use of Checkpointing Technology

Post-Mortem Memory Analysis of Cold-Booted Android Devices

Course Title: Computer Forensic Specialist: Data and Image Files

Computer Forensics. Securing and Analysing Digital Information

Digital Investigation

A New Approach to Nuclear Computer Security

Cleartext Passwords in Linux Memory

Comparative Analysis of Digital Forensic Models

Soft-Timer Driven Transient Kernel Control Flow Attacks and Defense

Developing a dynamic, real-time IT infrastructure with Red Hat integrated virtualization

Virtual Private Systems for FreeBSD

MSc Computer Security and Forensics. Examinations for / Semester 1

The Contribution of Tool Testing to the Challenge of Responding to an IT Adversary

Extracting Windows Command Line Details from Physical Memory

State of the art of Digital Forensic Techniques

Cloud Forensics. 175 Lakeside Ave, Room 300A Phone: 802/ Fax: 802/

Security Incident Investigation

Suite. How to Use GrandMaster Suite. Exporting with ODBC

DAWSON -- Synthetic Diversity for Intrusion Tolerance 1

DIGITAL FORENSIC INVESTIGATION, COLLECTION AND PRESERVATION OF DIGITAL EVIDENCE. Vahidin Đaltur, Kemal Hajdarević,

TZWorks Windows Event Log Viewer (evtx_view) Users Guide

X-Ways Capture. The program executes the following steps unless you specify a different procedure in the configuration file:

Forensic Toolkit. Sales and Promotional Summary ACCESSDATA, ON YOUR RADAR

Automating the Computer Forensic Triage Process With MantaRay

About the Author About the Technical Contributors About the Technical Reviewers Acknowledgments. How to Use This Book

Transcription:

Memory Analysis Q-CERT Workshop Matthew Geiger mgeiger@cert.org 2007 Carnegie Mellon University

Outline Why live system forensics? Previous techniques Drawbacks and new thinking Approaches to memory acquisition Evolution of memory analysis Survey of tools & methodologies The investigation gap & the future 2

Memory Analysis & Forensics Increasing recognition in the forensics community that: Advances in counter-forensic techniques Metasploit Meterpreter Malcode stealth strategies Pervasive encryption Can focus search for evidence... in some cases 3

Evolution of Technique Live forensics borrowed from incident response Scripted queries using response toolkits (MS COFEE) Often still used initial results to guide data collection netstat ps lsof... etc Tension between speed and thoroughness Memory acquisition 800lb gorilla of forensics what do you do with it? String dumps, virus scans, signature-based carving 4

Old School New School Iterative & invasive Double the opportunity for subversion: Data collection Interpretation One-way, ephemeral information channel Memory collection requires privileged access Working groups developing accepted practices New analysis tools extract familiar information and more from memory Repeatable results Novel acquisition techniques & tools: Increase assurance Bypass access controls 5

Memory Acquisition Software Software mediated Crash / core dump WinHex, other applications secondary functionality dd.exe Commercial enterprise forensics packages: EnCase, ProDiscover, etc Access restrictions on \\.\PhysicalMemory Kernel-mode window needed Commonly use driver installation routines George Garner's KnTTools released in 2007 AccessData, other vendors are working on it 6

Memory Acquisition Hardware Hardware-based Komoku CoPilot, BBN Tech, Tribble IEEE 1394 http://www.security-assessment.com/files/presentations/ ab_firewire_rux2k6-final.pdf http://cansecwest.com/core05/2005-firewire-cansecwest.pdf Can extend DMA access to PC Card and Express Card devices Developing field-deployable memory acquisition unit 7

Live Forensics Evolutionary Tree Memory Analysis Branch String searches, file carving PE analysis & carving Informed analysis: state & context reconstruction Live forensics IR-style running system investigation Controlled runtime analysis Run-Time Analysis Branch 8

Recent History Tool development inspired by DFRWS 2005 challenge Two entries shared prize: Garner/Mora & Betz Tools released at subsequent conferences step up pace Flurry of subsequent activity Mariusz Burdach WMFT (plus Linux tools) Andreas Schuster PTFinder, PoolFinder Harlan Carvey Focused Perl utilities Garner KnTTools / KnTList Jesse Kornblum Buffalo tool Walters/Petroni Volatility 9

Two Paths to Memory Reconstruction Tree & list traversal Memparser KnTList WMFT Volatility Object fingerprint searches PTFinder / PoolFinder Volatility 10

List Traversal Basics Find index into lists and tables of interesting structure Kernel image needed for offsets & symbols that help find a number of these Addresses can change from SP to SP Copy of NT kernel part of KnTTools acquisition process Other approach is to build hardcoded tool modules for each EPROCESS linked list is a common example, with pointers to _ETHREAD structures SID of starting user Start time, PID, other metadata in PEB Process virtual memory pages These structures allow reconstruction of some familiar IR-style data 11

Volatility Framework At present, most actively developed open-source tool in this space Running processes, DLLs loaded for each Open network sockets, network connections Open files handles for each process System modules Mapping interesting strings to process (physical offset to virtual address translation) Virtual Address Descriptor information Recently added pattern-scanning tools processes & threads sockets & connections Framework approach intentionally maintains IR feel 12

Fingerprint Searching Basics Scan for sufficiently unique structure signatures PTFinder works with EPROCESS, ETHREAD structs PoolFinder parses kernel pool memory Perform basic sanity checks on data to weed out corrupt records, duplicates PTFinder doesn't perform further analysis but does provide optional graphical output 13

PTFinder graphical output 14

15

Pros & Cons Pattern search Find unlinked, dead structures (warm reboot) Can work with imperfect dumps List traversal Can stitch together more related records from kernel perspective Pattern search Less context without following related structures/objects Susceptible to chaff List traversal Can miss unlinked, dead structures Targeted countermeasures 16

Enhanced Techniques Pagefile incorporation Combining naive pattern searches with list-traversal techniques Cross-view analysis Defense against chaff Highlighting potentially interesting situations Orphaned threads still referenced in other structures Executable segments not mapped into shared sections 17

What's next Specialized tools will bridge the investigative gap Focus now centers on malcode, execution state analysis but the investigative mission is much broader Recovery of cryptographic material to defeat disk encryption Forensic platform vendors making friendlier analysis tools Bring some analysis tasks into mainstream Provide momentum to adoption of memory analysis Automate extraction of typically interesting data Provide better anomaly detection or flags Court cases and working groups will hammer out standards 18

Questions / Comments? 2007 Carnegie Mellon University

References PTFinder - by Andreas Schuster http://computer.forensikblog.de/en/2006/09/ptfinder_0_3_00.html Volatility - by AAron Walters and Nick Pedroni Jr. http://www.volatilesystems.com/volatileweb/volatility.gsp Brian Carrier and Joe Grand's work on hardware-based memory acquisition http://www.digital-evidence.org/papers/tribble-preprint.pdf George Garner's KnTTools and KnTList memory acquisition and analysis suite http://www.gmgsystemsinc.com/knttools/ Mariusz Burdach Windows Memory Forensic Toolkit http://forensic.seccure.net/ Harlan Carvey's memory tools http://sourceforge.net/project/showfiles.php?group_id=164158 Chris Betz's Memparser http://sourceforge.net/project/showfiles.php?group_id=167028 20

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information