Intro to Computer Forensics Quiz
History
- 2004, Brian Carrier and Joe Grand - Hardware-Based Memory Acquisition Procedure for Digital Investigations -2005, DFRW Forensics Challenge: Prof Goatboy -2006. FATKit: The Forensics Analysis Toolkit -- Precursor for Volatility
Tools for Live Memory Capture
- F-Responce + Volatility = Voltage - Rekall via Winpmem
Unstructured Analysis
- Lacks understanding of underlying data structures - Typically performed using -- strings + grep -- data carving - No Context
Summary of Acquisition
- Memory acquisition is incident dependent - Several image formats are available. Be sure the analysis tools being used support the type created during acquisition - Test your tools - There may be other sources of memory available on disk
Differes from disk-based acquisition because:
-No plug pulling -No before and after hash -Not repeatable (in general) -Image smear -Can be subverted
How and When to Acquire
1. Carefully plan your acquisition before executing it 2. Local acquisition to removable media (USB, Firewire, ESATA) is common, but you won't always have physical access 3. Remote acquisition over the network is useful, but - Ensure the transfer is encrypted -Secure admin credentials used to logon to the target machine -May not be feasible for big memory systems over a slow WAN connection 4. Remote interrogation can let you quickly check for indicators without acquiring a full memory dump
Software Tools Typically Work By:
1. Loading a kernel driver 2. Determining the ranges of physical memory 3. Mapping the physical pages into virtual memory 4. Copying the data to non-volatile storage
"image copy" plugin
Allows you to convert from any format into raw
The OS and Its Applications...
Always Deal with Virtual Addresses
Address Spaces
An address space: - Provides flexible and consistent interface to data in RAM - Handles virtual to physical address translation when necessary - Transparently accounts for differences in memory dump file formats (proprietary headers, compression, etc.) Paged address spaces include IA32 and AMD64 Volatility automatically detects the proper AS to use for a memory sample AS are stacked on top of one another
Raw Memory Dumps
Are the most widely supported formats among analysis tools
Profiles
Collections of Types, overlays, and object classes for a specific OS version and hardware architecture Profiles for Windows are distributed with Volatility, but must be built or downloaded separately for Linus and Mac Typically follow a naming convention (for example, Win7SP1x86 or Win2003SP0x64) Volatility requires a profile. If none is specified, then WinXPSP2x86 is the default.
Plugin: volshell (commands)
Commands (incomplete) hh() - help (your best friend) ps() - lit processes (List Walking) db(address) - print bytes of address (hexdump) dd(address) - bring DWORDs at address dis(address) - disassemble code at address dt()- describe an object or show type info
Process Cross View Analysis
Comparing the output from the pslist and psscan can be a good way to identify malicious processes in a memory image This is an example of how a malware's defense mechanisms can be turned against it
CPU Architectures
Define instruction sets Endianess Addressing (byte, word, etc.) Various features (segmentation, paging, etc.)
IA-32 (x86) Architecture
Defines several registers Supports up to 4GiB physical memory Supports (linear/virtual) address space up to 4GiB Little endian Byte addressing
Plugin: imageinfo
Determines profile based on KDBG search Lists - Suggested profiles - KDBG virtual address - Time and date of memory acquisition - Local date and time of memory image Often the first plugin you will run against a memory image
Plugin: pslist
Displays running processes by walking doubly linked list of _EPROCESS structures Lists: - virtual address - name - process id - parent process id - thread count - handles count - session - WoW64 - creation and exit times Plugin arguments: (-p) filter by process id (PID) (-n) filter by name
The Volatility Framework
Does NOT have memory acquisition capability Only used for analysis Command line driven but there are some third party GUI's available - Evolve - Vortessence
Virtual Memory
Each process has its own private address space
Plugin: psxview
Enumerate processes using 7 different methods and displays if each process was found for a given method -- apply-rules can help, but don't rely on it
Plugin: dumpfiles
Extract _FILE_OBJECTs from memory -Q physical offset of _FILE_OBJECT to dump - D directory to dump to - n include extracted filename in output path
Data Carving Tools
Foremost Scalpel bulk Extractor
Some Available Tools
GMG Systems, INC. KnTTools F-Response Mandiant Memorize HBGary FastDump Moonsols Windows Memory Toolkit AccessData FTK Imager EnCase WinEn Belkasoft Live RAM Capturer ATC-NY Windows Memory Reader Winpmem (Recall)
Handles
Handles represent access to a given kernel object - opening a file for reading/writing (File) - modifying a registry key (Key) - creating a child process (Proc) - creating a thread (Thread) Each process maintains its own set of handles
Volatile Memory on Disk
Hibernation file Page file Crash dumps VM snapshots Recovering the hibernation and/or page file(s) typically involves: - Booting the target system with USB/DVD - Mounting the target drive RO from forensic workstation Consult the registry hives (SOFTWARE and SYSTEM) for profile information and also for the exact number and paths to the page file(s)
Process Cross View Analysis (3)
Hiding from all of these methods is extremely difficult (and may in fact be impossible) Volatility supplies all of this information through a single plugin
Plugin: psscan
Identifies _EPROCESS structures by scanning for the pool tag Proc Can find both unlinked and older (terminated) processes Makes several checks to reduce false positives Returns the physical offset where _EPROCESS lies
Tool Testing
Identify Tool Artifacts - processes - drivers - event logs Ensure (too much) memory is not overwritten
Analysis Goals
Identify indicator's of compromise (IOC's) Persistence mechanisms Initial compromise point User activity Support disk and packet analysis
Identifying Windows Profiles with KDBG
If kdbgscan finds multiple KDBG structures, look at the number of processes and modules to determine the best choice Keep in mind the values are nonessential to the stability of the OS, so they ca be manipulated by attackers
Areas of Use
Incident Response Vulnerability Analysis Exploitation Malware Analysis
Motivation
Increasing usage of advanced techniques and technology Processes network data OTR chats browsing history commands executed unencrypted emails injected code rootkit hooks Enables full reconstruction of events when paired with disk forensics and network analysis
Plugin: printkey
Investigate registry keys in memory Use the path specified in the details column from the handles plugin -K path to key
A virtual address in a process...
Is mapped to a physical address in RAM
0xFFFFFFFF
Largest address
Volatility Basic Usage
List all available profiles, address spaces, and plugins: vol.py -- info List help file containing default options and plugins supported by the profile: vol.py -h Plugin specific help: vol.py [plugin] -h Sample command: vol.py -f memory.raw pslist
Plugin: handles (1)
List handles for process with pid 686 that match type File List handles for explorer.exe that match types registry key and process
Plugin: handles
Lists the handles for all running processes -p pid -n process name -o physical offset of _EPROCESS -t <object/handle type(s)> -s ignores unnamed handles Produces large quantity of output. Operate on a per process basis or redirect to file
Finding Hidden Processes
Malware may choose to manifest as a process To improve stealthy, it may unlink itself from the doubly linked lists of processes This is a form of direct kernel object manipulation (dkom) _EPROCESS structures represent user space programs, but the data structure exists within the kernel
Grep and Output Redirection
Many plugins in Volatility will output more information than the analyst can take in or that the buffer will maintain Often you will want to redirect output (use the > operator on the command line to a file) The other option is to pipe output (use the | operator) to grep to search for specific output
Pool Tag Scanning
Many plugins within Volatility use a technique called pool take scanning to identify data structures These plugins typically have the word 'scan' in the name: psscan, netscan, mutantscan, etc. Pool tag scanning typically occurs in the physical address space Therefore offsets returned by scanners will be physical not virtual offsets.
Live Memory Forensics
May be necessary in instances where capturing RAM is not practical - Quantity of RAM - Quantity of Systems
Summary of Architecture
Memory is divided into chunks called pages Pages are typically 4KiB Each process has its own private address space The OS only deals with virtual addresses The CPU and MMU work together to translate virtual addresses to physical offsets of RAM
Paging
Memory is divided into pages (typically 4KiB)
Physical Organization
Our ability to mimic the address translation algorithm offline is key to in-depth memory forensics -- It allows associating context (owning process or driver) with data found in the memory dump
AFF4 Format
Peer reviewed open standard for digital images Built on top of the zip format Consists of one or more streams Used to store - Memory - Mapped Files - Pagefile
What is the issue with data carving physical memory?
Physical memory/ Swap/ Page files are not contiguous Carving a complete file requires the size to be <= 4096 bytes (4k)
Plugin: filescan
Pool tag scanning for _FILE_OBJECTs Searches physical address space for 'File' Output is a physical offset Can be used in conjunction with the dump files plugin to extract files from memory Not all_FILE_OBJECTS found represent open files and cannot be dumped Lots of output. Either redirect to a file or pipe to grep for a specific target
Memory Forensics
Process of acquiring and analyzing physical memory for evidentiary support
Memory Acquisition
Process of copying contents of physical memory to another storage device for preservation
Process Cross View Analysis (2)
PspCidTable contains a list of _HANDLE_TABLE structures. Each structure has a UniqueProcessId (PID) member Most processes belong to a session. Session objects track these processes Desktop objects contain Windows Stations. Each Windows Station has a pointer to the list associated threads
Address Space
Refers to a range of valid addresses used to identify the data stored within a finite allocation of memory
Rootkit Paradox
Rootkits obey two basic principles: - They want to remain hidden -They need to run Memory forensics can exploit this
Plugin: kdbgscan
Scans physical memory for signatures matching the _KDDEBUGGER_DATA64 data structure Signature varies across operating system/ service pack
0x0000000
Smallest address
Plugin: volshell
Special plugin that enables interactive exploration of a memory image Provides a python shell (with additional functionality within the memory image) Great for investigating specific aspects of a memory image that a plugin does not address Very useful for research and education
Notes on Process Listing
System represent the Windows kernel. It is not a standard user process System's create time can be used to determine a boot time but not always be present Use sass.exe's create time if it is not present
Pool Tag Scanning (2)
The _POOL_HEADER contains a 4 byte field named PoolTag This tag is used to describe the allocation (largely for debugging purposes) Volatility can use this tag to identify hidden and older memory allocations in physical memory May yield also positives
Plugins
The entire Volatility Framework is expandable - Add address spaces to support new hardware architectures or file formats - Add profiles to support new operating system versions - Add analysis plugins to recover new types of data from the kernel, processes, etc. Plugins have a calculate() and render_text() method. The data gathering is performed in calculate() and it yields results to the rendering function - You can also add renderers for output to CSV, XML, database, etc.
Main Factors
The right tool for the job heavily depends on the job Is the target a virtual machine? Is the target powered on? Do you have administrative credentials? Do you have physical access to the target? Is hardware acquisition an option? - Does the target already have Firewire? -Otherwise, does it allow hot swapping?
Physical Address Space
The set of addresses used by the processor to access physical memory
Linear (or Virtual) Address Space
The single contiguous range of addresses exposed to a running process
Process Cross View Analysis (1)
There are several structures in memory that track process allocations Volatility knows about 7 of them Threads also have pointers back to owning processes The csrss.exe process plays a role in process creation and termination
Structured Analysis
Two core requirements of structured memory forensics - Implement virtual memory translation - Knowledge of core operating system data structures
Network Activity
Two sets of plugins depending on Windows version - Windows XP/ 2003 -- connections, connscan, sockets, sockscan - Windows Vista + -- netscan -Both yield similar information: --IP, port, connection status, protocol, owning process (pid and name)
Memory Analysis Techniques
Unstructured Structured
Type Language
Used to represent C structures in Python Automatically generated from debugging symbols when possible - Microsoft PDB files - Linux/ Mac DWARF If debugging symbols aren't available they must be created or fixed ("overlays") manually via source code analysis or reverse engineering
Volatility Components
VTypes Profiles Address Spaces Plugins
Structured Analysis Tools
Volatility Rekall Responder Pro Redline
Summary
Volatility is a cross platform, open source, memory analysis framework It makes structured analysis possible through its use of address spaces and profiles Fully extensible via plugins
Identifying Windows Profiles
Volatility requires a profile to understand a memory image. The profile must be "close" to the actual memory image
KDBG Structure
Volatility uses this to determine several things about the memory image Contains beginning of the process list and modules (drivers) list Specifying the virtual address of this structure can speed up analysis
Pool Scanning (1)
When the kernel needs to allocate space, it allocates from areas of memory known as pools There are two types of pools: paged and non paged When a pool allocation is made, it is prepended with an 8 byte _POOL_HEADER
Skilling Up (Tools that can be used)
Windows System Internals Networking Crypto Reverse Engineering Malware Behaviors
Virtual memory provides:
a security boundary between processes
Hibernation files
are compressed and will typically not include networking information
HPAK format
can include physical memory and the page fire in one archive
Windows Crash Dumps
contain useful metadata, but malware can evade them with callbacks
How you acquire virtual machine memory
depends on the hypervisor -VMWare -VirtualBox -QEMU -these are all supported by Volatility
Paging provides:
the ability to virtualize an address space - Simulates a large amount of memory with a modest amount of RAM - Temporarily stores unused data to disk, and reads it back into RAM when necessary - Reduce redundancy in physical memory
imageinfo or kdbgscan
these plugins find the kernel debugger data block (KDBG) structure which contains version information
The CPU and MMU
translate virtual addresses to physical offsets in RAM