Intro to Computer Forensics Quiz

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

History

- 2004, Brian Carrier and Joe Grand - Hardware-Based Memory Acquisition Procedure for Digital Investigations -2005, DFRW Forensics Challenge: Prof Goatboy -2006. FATKit: The Forensics Analysis Toolkit -- Precursor for Volatility

Tools for Live Memory Capture

- F-Responce + Volatility = Voltage - Rekall via Winpmem

Unstructured Analysis

- Lacks understanding of underlying data structures - Typically performed using -- strings + grep -- data carving - No Context

Summary of Acquisition

- Memory acquisition is incident dependent - Several image formats are available. Be sure the analysis tools being used support the type created during acquisition - Test your tools - There may be other sources of memory available on disk

Differes from disk-based acquisition because:

-No plug pulling -No before and after hash -Not repeatable (in general) -Image smear -Can be subverted

How and When to Acquire

1. Carefully plan your acquisition before executing it 2. Local acquisition to removable media (USB, Firewire, ESATA) is common, but you won't always have physical access 3. Remote acquisition over the network is useful, but - Ensure the transfer is encrypted -Secure admin credentials used to logon to the target machine -May not be feasible for big memory systems over a slow WAN connection 4. Remote interrogation can let you quickly check for indicators without acquiring a full memory dump

Software Tools Typically Work By:

1. Loading a kernel driver 2. Determining the ranges of physical memory 3. Mapping the physical pages into virtual memory 4. Copying the data to non-volatile storage

"image copy" plugin

Allows you to convert from any format into raw

The OS and Its Applications...

Always Deal with Virtual Addresses

Address Spaces

An address space: - Provides flexible and consistent interface to data in RAM - Handles virtual to physical address translation when necessary - Transparently accounts for differences in memory dump file formats (proprietary headers, compression, etc.) Paged address spaces include IA32 and AMD64 Volatility automatically detects the proper AS to use for a memory sample AS are stacked on top of one another

Raw Memory Dumps

Are the most widely supported formats among analysis tools

Profiles

Collections of Types, overlays, and object classes for a specific OS version and hardware architecture Profiles for Windows are distributed with Volatility, but must be built or downloaded separately for Linus and Mac Typically follow a naming convention (for example, Win7SP1x86 or Win2003SP0x64) Volatility requires a profile. If none is specified, then WinXPSP2x86 is the default.

Plugin: volshell (commands)

Commands (incomplete) hh() - help (your best friend) ps() - lit processes (List Walking) db(address) - print bytes of address (hexdump) dd(address) - bring DWORDs at address dis(address) - disassemble code at address dt()- describe an object or show type info

Process Cross View Analysis

Comparing the output from the pslist and psscan can be a good way to identify malicious processes in a memory image This is an example of how a malware's defense mechanisms can be turned against it

CPU Architectures

Define instruction sets Endianess Addressing (byte, word, etc.) Various features (segmentation, paging, etc.)

IA-32 (x86) Architecture

Defines several registers Supports up to 4GiB physical memory Supports (linear/virtual) address space up to 4GiB Little endian Byte addressing

Plugin: imageinfo

Determines profile based on KDBG search Lists - Suggested profiles - KDBG virtual address - Time and date of memory acquisition - Local date and time of memory image Often the first plugin you will run against a memory image

Plugin: pslist

Displays running processes by walking doubly linked list of _EPROCESS structures Lists: - virtual address - name - process id - parent process id - thread count - handles count - session - WoW64 - creation and exit times Plugin arguments: (-p) filter by process id (PID) (-n) filter by name

The Volatility Framework

Does NOT have memory acquisition capability Only used for analysis Command line driven but there are some third party GUI's available - Evolve - Vortessence

Virtual Memory

Each process has its own private address space

Plugin: psxview

Enumerate processes using 7 different methods and displays if each process was found for a given method -- apply-rules can help, but don't rely on it

Plugin: dumpfiles

Extract _FILE_OBJECTs from memory -Q physical offset of _FILE_OBJECT to dump - D directory to dump to - n include extracted filename in output path

Data Carving Tools

Foremost Scalpel bulk Extractor

Some Available Tools

GMG Systems, INC. KnTTools F-Response Mandiant Memorize HBGary FastDump Moonsols Windows Memory Toolkit AccessData FTK Imager EnCase WinEn Belkasoft Live RAM Capturer ATC-NY Windows Memory Reader Winpmem (Recall)

Handles

Handles represent access to a given kernel object - opening a file for reading/writing (File) - modifying a registry key (Key) - creating a child process (Proc) - creating a thread (Thread) Each process maintains its own set of handles

Volatile Memory on Disk

Hibernation file Page file Crash dumps VM snapshots Recovering the hibernation and/or page file(s) typically involves: - Booting the target system with USB/DVD - Mounting the target drive RO from forensic workstation Consult the registry hives (SOFTWARE and SYSTEM) for profile information and also for the exact number and paths to the page file(s)

Process Cross View Analysis (3)

Hiding from all of these methods is extremely difficult (and may in fact be impossible) Volatility supplies all of this information through a single plugin

Plugin: psscan

Identifies _EPROCESS structures by scanning for the pool tag Proc Can find both unlinked and older (terminated) processes Makes several checks to reduce false positives Returns the physical offset where _EPROCESS lies

Tool Testing

Identify Tool Artifacts - processes - drivers - event logs Ensure (too much) memory is not overwritten

Analysis Goals

Identify indicator's of compromise (IOC's) Persistence mechanisms Initial compromise point User activity Support disk and packet analysis

Identifying Windows Profiles with KDBG

If kdbgscan finds multiple KDBG structures, look at the number of processes and modules to determine the best choice Keep in mind the values are nonessential to the stability of the OS, so they ca be manipulated by attackers

Areas of Use

Incident Response Vulnerability Analysis Exploitation Malware Analysis

Motivation

Increasing usage of advanced techniques and technology Processes network data OTR chats browsing history commands executed unencrypted emails injected code rootkit hooks Enables full reconstruction of events when paired with disk forensics and network analysis

Plugin: printkey

Investigate registry keys in memory Use the path specified in the details column from the handles plugin -K path to key

A virtual address in a process...

Is mapped to a physical address in RAM

0xFFFFFFFF

Largest address

Volatility Basic Usage

List all available profiles, address spaces, and plugins: vol.py -- info List help file containing default options and plugins supported by the profile: vol.py -h Plugin specific help: vol.py [plugin] -h Sample command: vol.py -f memory.raw pslist

Plugin: handles (1)

List handles for process with pid 686 that match type File List handles for explorer.exe that match types registry key and process

Plugin: handles

Lists the handles for all running processes -p pid -n process name -o physical offset of _EPROCESS -t <object/handle type(s)> -s ignores unnamed handles Produces large quantity of output. Operate on a per process basis or redirect to file

Finding Hidden Processes

Malware may choose to manifest as a process To improve stealthy, it may unlink itself from the doubly linked lists of processes This is a form of direct kernel object manipulation (dkom) _EPROCESS structures represent user space programs, but the data structure exists within the kernel

Grep and Output Redirection

Many plugins in Volatility will output more information than the analyst can take in or that the buffer will maintain Often you will want to redirect output (use the > operator on the command line to a file) The other option is to pipe output (use the | operator) to grep to search for specific output

Pool Tag Scanning

Many plugins within Volatility use a technique called pool take scanning to identify data structures These plugins typically have the word 'scan' in the name: psscan, netscan, mutantscan, etc. Pool tag scanning typically occurs in the physical address space Therefore offsets returned by scanners will be physical not virtual offsets.

Live Memory Forensics

May be necessary in instances where capturing RAM is not practical - Quantity of RAM - Quantity of Systems

Summary of Architecture

Memory is divided into chunks called pages Pages are typically 4KiB Each process has its own private address space The OS only deals with virtual addresses The CPU and MMU work together to translate virtual addresses to physical offsets of RAM

Paging

Memory is divided into pages (typically 4KiB)

Physical Organization

Our ability to mimic the address translation algorithm offline is key to in-depth memory forensics -- It allows associating context (owning process or driver) with data found in the memory dump

AFF4 Format

Peer reviewed open standard for digital images Built on top of the zip format Consists of one or more streams Used to store - Memory - Mapped Files - Pagefile

What is the issue with data carving physical memory?

Physical memory/ Swap/ Page files are not contiguous Carving a complete file requires the size to be <= 4096 bytes (4k)

Plugin: filescan

Pool tag scanning for _FILE_OBJECTs Searches physical address space for 'File' Output is a physical offset Can be used in conjunction with the dump files plugin to extract files from memory Not all_FILE_OBJECTS found represent open files and cannot be dumped Lots of output. Either redirect to a file or pipe to grep for a specific target

Memory Forensics

Process of acquiring and analyzing physical memory for evidentiary support

Memory Acquisition

Process of copying contents of physical memory to another storage device for preservation

Process Cross View Analysis (2)

PspCidTable contains a list of _HANDLE_TABLE structures. Each structure has a UniqueProcessId (PID) member Most processes belong to a session. Session objects track these processes Desktop objects contain Windows Stations. Each Windows Station has a pointer to the list associated threads

Address Space

Refers to a range of valid addresses used to identify the data stored within a finite allocation of memory

Rootkit Paradox

Rootkits obey two basic principles: - They want to remain hidden -They need to run Memory forensics can exploit this

Plugin: kdbgscan

Scans physical memory for signatures matching the _KDDEBUGGER_DATA64 data structure Signature varies across operating system/ service pack

0x0000000

Smallest address

Plugin: volshell

Special plugin that enables interactive exploration of a memory image Provides a python shell (with additional functionality within the memory image) Great for investigating specific aspects of a memory image that a plugin does not address Very useful for research and education

Notes on Process Listing

System represent the Windows kernel. It is not a standard user process System's create time can be used to determine a boot time but not always be present Use sass.exe's create time if it is not present

Pool Tag Scanning (2)

The _POOL_HEADER contains a 4 byte field named PoolTag This tag is used to describe the allocation (largely for debugging purposes) Volatility can use this tag to identify hidden and older memory allocations in physical memory May yield also positives

Plugins

The entire Volatility Framework is expandable - Add address spaces to support new hardware architectures or file formats - Add profiles to support new operating system versions - Add analysis plugins to recover new types of data from the kernel, processes, etc. Plugins have a calculate() and render_text() method. The data gathering is performed in calculate() and it yields results to the rendering function - You can also add renderers for output to CSV, XML, database, etc.

Main Factors

The right tool for the job heavily depends on the job Is the target a virtual machine? Is the target powered on? Do you have administrative credentials? Do you have physical access to the target? Is hardware acquisition an option? - Does the target already have Firewire? -Otherwise, does it allow hot swapping?

Physical Address Space

The set of addresses used by the processor to access physical memory

Linear (or Virtual) Address Space

The single contiguous range of addresses exposed to a running process

Process Cross View Analysis (1)

There are several structures in memory that track process allocations Volatility knows about 7 of them Threads also have pointers back to owning processes The csrss.exe process plays a role in process creation and termination

Structured Analysis

Two core requirements of structured memory forensics - Implement virtual memory translation - Knowledge of core operating system data structures

Network Activity

Two sets of plugins depending on Windows version - Windows XP/ 2003 -- connections, connscan, sockets, sockscan - Windows Vista + -- netscan -Both yield similar information: --IP, port, connection status, protocol, owning process (pid and name)

Memory Analysis Techniques

Unstructured Structured

Type Language

Used to represent C structures in Python Automatically generated from debugging symbols when possible - Microsoft PDB files - Linux/ Mac DWARF If debugging symbols aren't available they must be created or fixed ("overlays") manually via source code analysis or reverse engineering

Volatility Components

VTypes Profiles Address Spaces Plugins

Structured Analysis Tools

Volatility Rekall Responder Pro Redline

Summary

Volatility is a cross platform, open source, memory analysis framework It makes structured analysis possible through its use of address spaces and profiles Fully extensible via plugins

Identifying Windows Profiles

Volatility requires a profile to understand a memory image. The profile must be "close" to the actual memory image

KDBG Structure

Volatility uses this to determine several things about the memory image Contains beginning of the process list and modules (drivers) list Specifying the virtual address of this structure can speed up analysis

Pool Scanning (1)

When the kernel needs to allocate space, it allocates from areas of memory known as pools There are two types of pools: paged and non paged When a pool allocation is made, it is prepended with an 8 byte _POOL_HEADER

Skilling Up (Tools that can be used)

Windows System Internals Networking Crypto Reverse Engineering Malware Behaviors

Virtual memory provides:

a security boundary between processes

Hibernation files

are compressed and will typically not include networking information

HPAK format

can include physical memory and the page fire in one archive

Windows Crash Dumps

contain useful metadata, but malware can evade them with callbacks

How you acquire virtual machine memory

depends on the hypervisor -VMWare -VirtualBox -QEMU -these are all supported by Volatility

Paging provides:

the ability to virtualize an address space - Simulates a large amount of memory with a modest amount of RAM - Temporarily stores unused data to disk, and reads it back into RAM when necessary - Reduce redundancy in physical memory

imageinfo or kdbgscan

these plugins find the kernel debugger data block (KDBG) structure which contains version information

The CPU and MMU

translate virtual addresses to physical offsets in RAM


Ensembles d'études connexes

Texas Promulgated Forms PRACTICE EXAM 1

View Set

Internal Environment -Value Chain Analysis

View Set

Pharmacology - Chapters 30, 32, 33, 34

View Set

parties to a crime and court systems

View Set

Chapter 10 Pay for Performance: Incentive Rewards

View Set