SlideShare uma empresa Scribd logo
1 de 154
Baixar para ler offline
Memory Forensics
(Windows, Mac and Linux)
Sandro Süffert - http://suffert.com
CTO, APURA CyberSecurity Intelligence
http://apura.com.br | twitter: @suffert

2010->2013
Memory Forensics: Course objectives
• Help the student to achieve a broad understanding of the
main types of memory forensic data gathering and analysis
• Serve as an introduction to low level concepts necessary for
a proper understanding of the task of performing memory
forensics on Windows, MacOSX and Linux (incl. Android).
• Put the student in contact with different memory forensics
tools and provide him information on how to use the
gathered forensic data to perform a wide range of
investigations
Agenda
Windows Memory Forensics Theory
•
•
•
•
•
•
•
•
•
•
•

Windows Memory Forensics Demos and Hands-On

References
Offline Memory Analysis vs Live Response
Acquisition / Context / Analysis
Order of Volatility
Physical Memory, Virtual Memory
Paging / Swapping / Hibernation
Kernel Modes
Memory Mapping
Processes / Threads / Services / Jobs
Acquisition details
Analysis details

•
•
•
•
•
•
•
•
•
•
•
•
•

Hands-on Bonuses:
•
•
•
•
•

MacOSX memory analysis
Linux memory analysis
Android memory analysis
Stuxnet artifacts analysis
More if time permits

MoonSols Community Edition
FastDump
FTKImager
Memoryze
Volatility
Fget
Microsoft Windows Debugger
LiveKD
Pdgmail / pdymail
Sysinternals / NirSoft / NTSecurity
AccessData FTK 4.x
Encase FIM/Enterprise 6.17
HBGary Responder Pro
Supporting Tools for the
Practical Labs (Hands-On):
• Linux:

•
•
•
•

Hexadecimal editor (hexedit – CLI / ghex - GUI)
Hash calculator (md5sum, sha1sum)
Base64 decoder (base64)
Win ASCII to Unix ASCII convertor (dos2unix)

• Windows Freeware:
• Hexadecimal editor:
• FRHED - http://frhed.sourceforge.net/
• Time conversions:
• TimeLord: http://computerforensics.parsonage.co.uk/timelord/timelord.htm
• Dcode: http://www.digital-detective.co.uk/freetools/decode.asp
Memory Forensics - References
Books:
I - Windows Forensic Analysis v2, Harlan Carvey
Chapter 3 – Windows Memory Analysis
II - Malware Forensics – Investigating and Analyzing Malicious Code, James Aquilina, - Eoghan Casey, Cameron Malin
Chapter 3 – Memory Forensics: Analyzing Physical and Process Memory Dumps and 9 – Analysis of a Suspect Program
III – Computer Evidence Collection & Preservation, Christopher L.T. Brown
Chapter 6 – Volatile Data and Chapter 11 – Collecting Volatile Data
IV - EnCE – The Official Encase Certified Examiner Study Guide, 2nd Edition, Steve Bunting
Chapter 3 – First Response and Chapter 9 – Windows Operating System Artifacts
V - Undocumented Windows, chapter 4, Sven B. Schreiber
VI - Windows Internals (4st editon) chapter 7, Mark Russinovich and David Salomon.
Memory Forensics - References
Papers:
Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis
CERT: http://www.cert.org/archive/pdf/08tn017.pdf (Cal Waits, Joseph Ayo Akinyele, Richard Nolan, Larry
Rogers)
Collecting Evidence from a Running Computer - SEARCH:
http://www.search.org/files/pdf/CollectEvidenceRunComputer.pdf (Todd Shipley and Henry Reeve)
"A Methodology for the Law Enforcement Collection of Digital Evidence from a Running Computer”
Lest We Remember: Cold Boot Attacks on Encryption Keys: http://citp.princeton.edu/pub/coldboot.pdf
Eletronic Crime Investigation - NIJ: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf
Electronic Evidence – Guide for First Responders – http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf
Memory Forensics - References
Papers DFRWS - Digital Forensic Research Conference:
Windows Operating System Agnostic Memory Analysis. James Okolica and Gilbert
Peterson. http://dfrws.org/2010/proceedings/2010-306.pdf
Extracting Windows Command Line Details from Physical Memory. Richard Stevens and Eoghan
Casey. http://dfrws.org/2010/proceedings/2010-307.pdf
A Novel Time-Memory Trade-Off Method for Password Recovery. Vrizlynn L. L. Thing and Hwei-Ming
Ying. http://dfrws.org/2009/proceedings/p114-thing.pdf
Extraction of Forensically Sensitive Information from Windows Physical Memory. Seyed Mahmood Hejazi,
Chamseddine Talhi and Mourad Debbabi. http://dfrws.org/2009/proceedings/p121-hedjazi.pdf
The Persistence of Memory: Forensic Identification and Extraction of Cryptographic Keys. Carsten Maartmann-Moe,
Andre Arnes and Steffen E. Thorkildsen. http://dfrws.org/2009/proceedings/p132-moe.pdf
Forensic Analysis of the Windows Registry in Memory. Brendan Dolan-Gavitt.
http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf
Memory Forensics - References
Papers DFRWS - Digital Forensic Research Conference:
Recovering Deleted Data From the Windows Registry. Timothy Morgan.
http://www.dfrws.org/2008/proceedings/p33-morgan.pdf

Forensic Memory Analysis: Files mapped in memory. Ruud van Baar.
http://www.dfrws.org/2008/proceedings/p52-vanBaar.pdf

The impact of Microsoft Windows pool allocation strategies on memory forensics. Andreas Schuster.
http://www.dfrws.org/2008/proceedings/p58-schuster_pres.pdf

BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software. Bradley Schatz.
http://www.dfrws.org/2007/proceedings/p126-schatz.pdf
The VAD Tree: A Process-Eye View of Physical Memory. Brendan F Dolan-Gavitt.
http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf
Searching for processes and threads in Microsoft Windows memory dumps. Andreas Schuster.
http://www.dfrws.org/2006/proceedings/2-Schuster.pdf
Memory Forensics - Tools
1) Virtual Machines:
a) VMWare Workstation, Server or Player: http://www.vmware.com (or Virtualbox)
b) Forensic VM
DEFT VM: http://www.deftlinux.net/; or
SIFT Workstation 2.1: https://computer-forensics2.sans.org/community/siftkit/
c) Lab VM: “ACMEXP01”
2) Free/GPL Tools:
2.01 - MoonSols Community Edition -http://www.moonsols.com/component/jdownloads/view.download/3/2
2.02 - FastDump - https://www.hbgary.com/community/free-tools/#fastdump
2.03 - FTKImager - http://www.accessdata.com/downloads.html#FTKImager
2.04 - Memoryze - http://www.mandiant.com/products/free_software/memoryze/
2.05 - Volatility - https://www.volatilesystems.com/default/volatility
2.06 - Fget - https://www.hbgary.com/community/free-tools/#fget
2.07 - Microsoft Windows Debugger - http://www.microsoft.com/whdc/devtools/debugging/default.mspx
2.08 - LiveKD - http://technet.microsoft.com/en-us/sysinternals/bb897415.aspx
2.09 - pdgmail/pdymail - http://jeffbryner.com/code/
2.10 - PTK - http://ptk.dflabs.com/
2.10 - Sysinternals - http://technet.microsoft.com/en-us/sysinternals/default.aspx
2.11 - NirSoft - http://www.nirsoft.net/
2.12 - NTSecurity - http://ntsecurity.nu/toolbox/
3) Commercial Tools:
3.1 – AccessData FTK 4.x / 5.x
3.2 – Encase FIM/Enterprise 6.17 / Encase 7.x
3.3 – HBGary Responder Pro
Memory Analysis vs Live Response *
• Computer Forensics: Results of Live Response
Inquiry vs. Memory Image Analysis - CERT
Cal Waits, Joseph Ayo Akinyele, Richard Nolan, Larry Rogers
http://www.cert.org/archive/pdf/08tn017.pdf (2008)
“Despite the drawbacks associated with volatile memory analysis, it is the authors’
opinion that volatile memory analysis will be integral to the digital investigation
process going forward. (…) , the best approach is a hybrid based on situational
awareness and a triage mentality. (..) Full memory analysis (and the requisite
memory acquisition) should be used to augment and supplement traditional
digital forensic examination when greater understanding of the running state of
the machine is critical to resolving the case.”
http://www.cert.org/archive/pdf/08tn017.pdf
Memory Analysis vs Live Response

http://www.cert.org/archive/pdf/08tn017.pdf
Live Response
• Tool execution to get data from the Windows
O.S. While it is running:
– netstat/tasklist/arp/hostname .. (native tools)
– Sysinternals Tools
– NirSoft Tools
– FoundStone Tools
– Microsoft Cofee
– Helix
– Etc..
MS Cofee

Decaf

Computer Online Forensic Evidence Extractor
arp.exe ‐a
at.exe
autorunsc.exe
getmac.exe
handle.exe ‐a
hostname.exe
ipconfig.exe /all
msinfo32.exe /report
nbtstat.exe ‐n
nbtstat.exe ‐A 127.0.0.1
nbtstat.exe ‐S
nbtstat.exe ‐c
net.exe share
net.exe use
net.exe file
net.exe user
net.exe accounts
net.exe view
net.exe start
net.exe Session
net.exe localgroup administrators
/domain
net.exe localgroup
net.exe localgroup administrators
net.exe group

netdom.exe query DC
netstat.exe ‐ao
netstat.exe ‐no
openfiles.exe /query/v
psfile.exe
pslist.exe
pslist.exe ‐t
psloggedon.exe
psservice.exe
pstat.exe
psuptime.exe
quser.exe
route.exe print
sc.exe query
sc.exe queryex
sclist.exe
showgrps.exe
srvcheck 127.0.0.1
tasklist.exe /svc
whoami.exe

Contaminate MAC Addresses:
Spoof MAC addresses of network adapters
Kill Processes:
Quick shutdown of running processes
Shutdown Computer:
On the fly machine power down
Disable network adapters
Disable USB ports
Disable Floppy drive
Disable CD-ROM
Disable Serial/Printer Ports
Erase Data: Quick file/folder removal (Basic Windows delete)
Clear Event Viewer: Remove logs from the Event Viewer

Remove Torrent Clients: Removes Azureus and BitTorrent clients
Clear Cache: Remove cookies, cache, and history
Live Response - Limitations

http://decafme.org/decaf-software.html
Other Live Response Limitations
(when dealing with a technicaly savvy adversary)
• These tools can be easily defeated:
•

Microsoft sigverif.exe. This is a GUI File Signature Verification included with all Windows installations. It will freeze after enumerating files (but
before checking their signatures).

•
•
•
•

signtool.exe. This is a command-line tool included with Visual Studio.
signdrv.dll. The WMI provider for Signed Drivers.
sigcheck.exe. The popular tool from SysInternals will freeze after printing the version banner, regardless of what options you choose.
Mandiant Redline. A tool for streamlining forensic data acquisition and analysis. On live systems, it will attempt to verify driver signatures before
capturing memory. Unfortunately it will freeze on step 1 and never actually get to the memory step.

•

Any other forensic tools or digital signature verification utilities that use the specific APIs in wintrust.dll.

“To trigger the bug, all you have to do is create a file. It can be done from an
administrator shell as shown below, or you can do it from shell code after an exploit”
C:> echo "" >
C:WINDOWSsystem32catroot2{111111111111111111111111111111111111}
Source: http://mnin.blogspot.com.br/2013/06/how-to-dos-authenticodesignature.html (Michael Ligh)
Lab
– Please log into the “ACMEXP1” VM Machine:
• user: “Administrator” / password: “password”

– Configure your VMWare or Virtualbox to use the
“host-only / private network” network
configuration
– Use built in Windows commands and Freeware
tools to get volatile information from the system
(from the command prompt – cmd.exe – c:usb)
• fport/netstat -ano
• Pslist/tasklist
Lab
– Please log into the Forensic VM (“SIFT 2.1” / “DEFT”)
• user: “sansforensics”
• password: “forensics”

– Configure your VMWare or Virtualbox to use the
“host-only / private network” network configuration
– Use a terminal from your Forensic VM:
• connect to the 666 port (using nc or telnet) to the
“ACMEXP1” machine (keep the connection open)
• ie: $ telnet 192.168.31.133 666
Lab
– From the ACMEXP1 machine, probe again for
information about the proccesses executing and
the sockets that are open with “live response”
tools:
• fport/netstat –ano
• Pslist/tasklist

– Comments ?
Memory Forensics
– A lot of data, some structure
– A lot of internal memory structure is not
documented
– The first objective is to obtain context from
artifacts and evidence found in memory dumps
Memory Forensics
– Acquisition *
• executing memory
• Pagefile
• Hibernation file

– Context
• FInd offsets from the needed structures
• extract structures from memory
• Isolate processes

– Analysis
• Interation between different structures
• Recovering evidence of activity
“Memory”
•
•
•
•
•
•
•
•
•
•
•

RAM
ROM
Flash memory (EPROM)
Cache (L1, L2)
Dynamic RAM (DRAM)
Static RAM (SRAM)
ThumbDrives
Virtual Memory
Video Memory
BIOS
Hard Disk – Permanent
Memory
Memory
• RAM: a read happens in
0.00000001 seconds (electronic)

• HD: a read happens in 0.01 sec
(for mecanic disks)

diagram: wikipedia.org
CPU registers, cache (10-9 seconds)

2.

Kernel Memory e Physical Memory (10-8 seconds)

3.

Network Connections (10-3 seconds)

4.

Processes (1 second)

5.

Discos Rígidos (years)

6.

Floppy, Backup Tapes, CD-ROM (years)

7.

Printed material (decades)

order of volatility

1.

http://www.ietf.org/rfc/rfc3227.txt - Guidelines for Evidence Collection and Archiving
Informations that can be found in Memory *
•
•
•
•
•
•
•
•
•
•
•

Processes
Drivers
Kernel Modules
Socket Information
Passwords
Crypto Passphrases
Decrypted files
Execution order
Execution state
Configuration Information
Clipboard material

•
•
•
•
•
•
•
•
•
•
•

Logged Users
Network Driver Buffers
Open Files
Unsaved documents
Live Registry
Vídeo Buffers (screen shots)
BIOS Memory
VOIP Calls
Malicious Code
IM Chats
Rootkits footprint
Physical Memory
– Electronic circuits / RAM chips (random memory
access), used to temporarily keep the information
on execution time
– Contains the current state of the computer
– Hardware Perspective
Virtual Memory
– Operational System perspective

– Maximum space that an process can
occupy
– Virtual Addresses are mapped into
physical addresses
Memory Paging
• Page = fixed size block from the memory that is
contiguous from the physical and virtual addresses
perspectives
• Its the Menor quantidade de dados para:
– Memory allocation
– Transfer between physical memory and swap (pagefile)

• Memory Page Sizes varies depending on the
architecture of the processor:
– x86: 4Kb (2Mb if PAE is used)
– IA64: from 4kb up to 256Mb
Paging/Swapping
– When a process will be loaded into memory, the pager manager decides
which pages will be used and take only the necessary pages into
memory, reducing the time and the amount of physical memory required
per process.
– When there is little RAM, virtual memory moves data from the physical
memory space (HD) called a paging file (slows your computer).
– In the Windows nomenclature, "Virtual Memory" is the space available
for the paging file:
– Paging file naming:
» Windows 3.x: 386SPART.PAR
» Windows 9x: WIN386.SWP
» Windows NT: PAGEFILE.SYS
32/64 bit architectures limitations
– Maximum virtual memory – available per process*)
• 32 bit *: 4 GB = 2^32 = 4.294.967.296 bits
• 64 bit: 16 TB = 2^64 = 18.446.744.073.709.551.616 bits
* Since “Pentium Pro”, 32bit CPUs are capable of addressing 36 bits of RAM. But they are still limited
to a virtual memory addressing of 32 bit (4GB) per proccess.
http://www.microsoft.com/whdc/system/platform/server/pae/pae_os.mspx

– Size limit of the page file:
• 32 bit: 16 TB
• 64 bit: 256 TB
Hibernation *
– The hibernation file (%SYSTEMDRIVE%hiberfil.sys) is the sum of the
physical memory and the swap (pagination) memory – and is compressed.
– It contains data that was present at memory from the last time that the
system was “hibernated”
– The hiberfil.sys file contains a header, free pages, page tables and
compressed data
– The system can be forced to hibernate
maioria dos endereços de memória são virtuais

todos os endereços são virtuais

Windows Kernel Mode/User Mode
(Virtual) Memory Manager
Manages the Virtual Memory, controlling the protection and
memory paging between the physical memory and the Hard Disk.
Implements generic allocation of physical memory.
Implements a PE analyzer (portable executables) that allows an
executable file to be mapped or removed from memory in one
step
Process Manager
Responsible for creating processes and threads
Windows Kernel
– From the Hierarchical Domain
Protection standpoint, the
Windows Kernel is in Ring 0
– Important: Kernel components have
unrestricted access to all system
Windows Kernel
– Windows Executive manages memory, processes,
threads, security, objects, I/O, network
– Hardware Abstract Layer (HAL)
– USER and GUI functionality
– drivers provide support to (I/O) from hardware
User mode *
• Restrict access to the system (Ring 3)
– Can access resources from the system via Windows
APIs (kernel32.dll, ntdll.dll)

• Contains:
– User applications
– Support processes (logon)
– Service processes
– Environment subsystems
Memory
Memoria (RAM)

Physical Memory

Windows
P1

P2

P3

P4

P5

Proccess Virtual Memory

Each Proccess has a Page Directory (PDE), mapping virtual
address to physical address or swap addresses
Total Logical Memory
• Sum of all Virtual Memory
Physical Memory

2 GB Memory (RAM)

OS

4GB

4GB

4GB

4GB

4GB

4GB

Virtual Memory
6 x 4GB = 24 GB <= Logical Memory
2 GB

0 GB

Page Directory and Page Tables

Physical Memory

Process Virtual Memory
0 GB

4 GB

0x00C00000 – 0x00E00000

0x00CE0000 – 0x00E00000

0x00CD0000 – 0x00CDF000
PTE 0010 - 0015

0x00CE0000 – 0x00CF0000

0x00D10000 – 0x00D20000

VAD Tree

The reconstruction of theVAD Tree (Virtual Adress Descriptors) allows the reconstruction of t
memory space of a process togheter with all files mapped by this processele

Disco Rígido

HbGary
Virtual Address Descriptors
Volatility Modules:
vaddump
vadinfo
vadwalk

Dump the Vad sections to files
Dump the VAD info
Walk the vad tree

The reconstruction of the
VAD Tree (Virtual Adress
Descriptors) allows the
reconstruction of the
memory space of a
process togheter with all
files mapped by this
process

$ python volatility vadwalk -f <path-to-image-dump>
************************************************************************
Pid: 4
Address Parent Left Right Start End
Tag Flags
819c1300 00000000 00000000 81948bc0 00010000 00033fff Vad
0x00C00000 – 0x00E00000
81948bc0 819c1300 8185b008 00000000 7c900000 7c9b1fff Vad
8185b008 81948bc0 00000000 817dd0b0 00060000 00060fff Vad
817dd0b0 8185b008 00000000 00000000 00070000 0016ffff Vad
************************************************************************
Pid: 440
0x00CE0000 – 0x00E00000
0x00CD0000 – 0x00CDF000
Address 0010 - 0015
Parent Left Right Start End
Tag Flags
PTE
8183a210 00000000 8186b670 819806e0 48580000 4858efff Vad
8186b670 8183a210 00000000 81856080 00000000 000fffff VadS
81856080 8186b670 00000000 8184a050 00100000 00100fff VadS
8184a050 81856080 00000000 81849790 00110000 00110fff VadS
0x00CE0000 – 0x00CF0000
0x00D10000 – 0x00D20000
81849790 8184a050 00000000 81845050 00120000 0015ffff VadS
81845050 81849790 00000000 816d3030 00160000 0025ffff VadS
816d3030 81845050 00000000 816d30c0 00260000 0026ffff VadS

VAD Tree
Memory Mapping

Virtual Addresses
Memory Pages
Unique pages for this memory block

Block sizes
Unreferenced Pages
Virtual Memory Layout
4 GB

Kernel Memory

2 GB

• The first 2GB* of virtual
memory are reserved for
the Windows Kernel. They
are not accessible from the
userland processes.
*

User Memory

0 GB

Except when the /3GB option is used on boot.ini

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)WINNT="????" /3GB
Virtual Memory - userland
2 GB

Windows system specific structures
Windows System Libraries (DLLs)
Windows DLLs, Application DLLs or Allocated memory

DLLs or Allocated Memory

Application Binary

Stack
Heap or allocated memory
0 GB
Processes
– Processes are containers for memory address
space and threads
– Own virtual memory space
• Unique ID: Process ID (PID)

– At least one execution thread
– Security Context
Processes
• Processes are units of allocation of resources such
as files, I/O, memory, privileges and run in
separate address spaces

• Processes are also units for scheduling threads they might be ready, waiting or running
Memory Allocation
• When the program is running, each process has its own memory
address space and operating system controls this use of memory
pages in physical memory (RAM) or in "virtual memory" – paging
file: (%SYSTEMDRIVE%pagefile.sys)
• Problem for Forensics: The mapping is not consistent (*)
between versions of Windows (XP, 2000, 2003, Vista, 7) and even
windows editions (Home, Pro, Enterprise) and Service Packs (0,
1, 2, 3, …)
(*) Windows Operating System Agnostic Memory Analysis. James Okolica and Gilbert Peterson.
http://dfrws.org/2010/proceedings/2010-306.pdf
Virtual Memory Allocation
– Programs can allocate virtual memory dynamically
– The Windows Kernel use the Virtual Address
Descriptors data structure (VAD Trees) to control
virtual memory allocations

– Memory analysis tools combine the information
contained in VAD Trees with the page tables for
each process
Windows Kernel: Memory
– Analysis for identification of addresses and
memory pages used by processes:
• EPROCESS/KPROCESS/ETHREAD – structures accessed
only via kernel mode
• PEB – Process Environment Block – fixed virtual address
for 32bit: 0x7FFDF000 – can be accessed from user
mode

– Ways to verify it:
• Livekd + Microsoft Windows Debugger (online)
• volatiliy volshell (offline) <= SIFT 2.0+
Windows Kernel: Memory
• EPROCESS
– DirectoryTableBase (DTB) – also known as
PageDirectoryBase (PDB)
– CreateTime
– UniqueProcessId
– ImageFileName – executable name
– InheritedFromUniqueProcessID – Parent Process ID
– PEB – Process Environment Block
Windows Kernel: Memory
Links allow the separation between processes. ie: when a proccess runs in memory it has
aforward link (FLINK) and a backward link (BLINK) for processes that are located on close
addresses on the memory.
Creation and Ending of Processes *
• Process Creation Triggers:
•
•
•
•
•

system startup
actions of other processes;
user actions
manager actions
batch jobs

• Process Ending Triggers:
–
–
–
–
–

Normal exit
Forced error
Unforced error
Killed by an user
Killed by an process
Creation of Processes
common internal structures and commands

•
•
•
•
•

CreateProcess
Rundll32.exe
cmd.exe
cmd /c
command.com /c

•
•
•
•
•
•
•
•

ShellExec
ShellExecute
ShellExecuteA
WinExec
Shell32.DLL
exec
execve
system
Threads
– A Thread is a container for execution
•
•
•
•
•

Private storage Thread Local Storage / TLS
Unique ID: Thread ID (TID)
CPU states (register counters)
Execution stack (stack / LIFO)
Security Context
Threads States
KeInitThread

Transition
k stack
swapped

Initialized

PspCreateThread
KiReadyThread
KiInsertDeferredReadyList

KiInsertDeferredReadyList
KiReadyThread

Deferred
Ready

Ready
process
swapped

KiRetireDpcList/KiSwapThread/
KiExitDispatcher
KiProcessDeferredReadyList
KiDeferredReadyThread
no avail.
processor

KiSetAffinityThread
KiSetpriorityThread

Ready

KiSelectNextThread
KiUnwaitThread
KiReadyThread

Waiting

Idle
processor
or
preemption

Standby

preemption

Affinity
ok
KiQuantumEnd
KiIdleSchedule
KiSwapThread
KiExitDispatcher
NtYieldExecution

Affinity
not ok
Terminated

KeTerminateThread

Running

Kernel Thread Transition Diagram
DavePr@Microsoft.com
2003/04/06 v0.4b

preemption
Process, Thread, Job *
• Process – at least one thread, can be more
(multi-threaded applications)
– used space in memory and resources controlled
by the process

• Thread – basic unit of execution
– The O.S. Schedules threads for execution

• Job – when the execution is controled by
programs (userland) – exists on Windows
since the 2000 version
Device Drivers
– Dynamic modules that are loaded into the Kernel
to provide support for I/O or I/O interface with
the user
– Like all kernel components, drivers have
unrestricted access to the system (Ring 0)
Services
– Programs (user mode) that provide functions
independent of the logged user
– Examples:
• Task Manager
• Print Spooler
• Windows Update
Windows Registry
– A hierarchical database that contains
configuration information
• Registry on disk (windowssystem32config)
• LIVE Registry (Memory)

– Examples:
•
•
•
•
•
•

Startup Settings
Driver Settings
Hardware Configuration
Users settings
Application settings
Current User Settings
Memory Forensics
– Collection/Acquisition
• Running memory
• Page file (pagefile.sys)
• Hibernation File (hiberfil.sys)

– Contextualization
• Isolate processes
• Find necessary offsets
• Extract memory structures

– Analysis
• interaction between structures
• recovery of evidences
Memory Forensics
– Is independent of the operating system (that may be
deceived)
– Anti-Forensics Tools/Malware/Rootkits

– Can detect malicious code that bypass other security tools
such as antivirus and HIPS
– The goal is to reconstruct the information from the physical
layer, checking the system runtime state
Memory Forensics – advantages
– Rootkits bypass the usermode and act in kernel mode,
tricking the O.S. and applications used in "Live Response"
– Password in clear text in memória (ie: mimikatz)
– Programs running
– Open Documents / Files
– Open content of compressed programs (packers)
– Network Connections – current and recent
– Crypto Keys (BitLocker, PGP Whole Disk Encryption,
TrueCrypt, etc...)
– Command Line parameters (DOSKEY/cmd.exe)
Memory Forensics: Hacking
– Always remember: do not trust on the O.S.
– Memory injection attacks do not touch the disk.
Hacker tools use these techniques for years:
• Metasploit Framework/Meterpreter (www.metasploit.com)
• Canvas (www.immunitysec.com)
• Core Impact (www.coresecurity.com)

– For certain attacks, there is no detection mechanism
via software and the acquisition and preservation of
physical memory and later offline analysis is the best
approach
“Trojan Defense” *
– “I did nothing, it was the Trojan horse/backdoor”
• “There was a hacker controlling my PC”

– Defense used for the first time in the United
Kingdom, in 2003
• Plausible deniability because LEO did not generate a
physical memory image

– “Law Enforcement destroyed 4GB of evidence”
• 4GB = more than a million pages of paper
• Objective: Analysis to prove that there was no trojan or
other malicious software running on the machine to
contradict this possible defense claim.
History of process acquisition
•
•
•
•

Pmdump – Arne Vidstrom
Process Dumper – Tobias Klein
Userdump – Microsoft
Adplus.vbs – Microsoft Debugging Tools
– It may be useful to generate a memory dump of a
specific process of interest (MSN, GTALK, IE, FF, ...)
Memory Acquisition via Hardware
– CPU Suspension and and use of Direct Memory Access
(DMA) to copy the physical memory
• Tribble (2004). By Brian Carrier e Joe Grand
• needs to be installed prior to data acquisition
• Similar devices are useful for hardware debugging

– Firewire / Thunderbolt
• IEEE 1394 - Specification allows direct memory access (DMA)
• Memory mapping is done by hardware
• References:
– Firewire: http://blogs.gnome.org/muelli/2010/04/04/reading-ram-using-firewire/
– Thunderbolt: http://www.breaknenter.org/projects/inception/
» Demo: http://www.youtube.com/watch?v=V1MBrwkB
Memory Acquisition
• Crash Dumps
• Advantages:
– System state is frozen
– ensures that no changes are made
– Microsoft provides “Microsoft Debugging Tools” and “Kernel
Memory Space Analyzer”

• Limitations:
– Systems with more than 2GB of memory do not generate
complete dumps
– By default, Windows do not generate crash dumps via
commands
– Some windows versions do not generate complete dumps
Tool: NotmyFault - Sysinternals (Mark Russinovich)
Memory Acquisition
• Memparser – Chris Betz
– DFRWS 2005
• Just for Windows 2000
• http://sourceforge.net/projects/memparser/

• dd for windows – dd.exe
• dd.exe if=.PhysicalMemory of=<…>memorydump.img

• http://gmgsystemsinc.com/fau/
Memory Acquisition
– Nigilant32 – Agile Risk Management (GUI)
– ProDiscover IR (GUI)
– Problems/Limitations: (dd.exe/Nigilant32/Prodiscover IR)
• Userland access to physical memory (=.PhysicalMemory) was blocked
since Windows 2003 SP 1 / Windows XP SP2
Memory Acquisition
– KnTDD (George Garner) – free for LE
•
•
•
•

Runs on 32 & 64 bit machines
Capable of generating Microsoft Crash Dumps
Local dump (usb/firewire) or remote dump (tcp/ip)
Audit registry and integrity checking

– MDD (Mantech)
• Newer Systems (up to Vista)
• Cannot acquire more than 4Gb of memory
Memory Acquisition *
• Virtualization Technologies
– VMWare
• VM Suspension creates .vmem file (similar to raw
dump)
• SnapShots

– VirtualPC
– Xen
– Qemu
Memory Acquisition: Hibernation *
• The hibernation file (%SYSTEMDRIVE%hiberfil.sys) is
the sum of the physical memory and the swap
memory (or paging) - compressed.
• Matthieu Suiche decoded the Windows hibernation
file format (BH 2008 – “SandMan project”)
– Moonsols Community Edition – hibr2bin.exe for XP, 2003,
2008 and Vista 32bits (comercial version: for 32 e 64 bit
up to Windows 7)
Forcing the Hibernation
• 1) configuration
Windows XP,2000,2003
» powercfg.exe /HIBERNATE on
Windows Vista, 7, 2008
» powercfg.exe –h on
• 2) rundll32.exe powrprof.dll,SetSuspendState Hibernate
» Or you can use the GUI
» or c:> psshutdown.exe –h (sysinternals binary)
• <%SYSTEMDRIVE%>/hiberfil.sys is generated (overwrites previous hiberfil.sys)
Memory Acquisition
• Princeton – Cold Boot (True hibernation)
– Lest We Remember: Cold Boot Attacks on
Encryption Keys (2006)
– http://citp.princeton.edu/pub/coldboot.pdf

• DRAM submerged in liquid nitrogen ( -196
degrees Celsius) - loss of only 0.17% of the
data after 60 min off the computer
Memory Acquisition
• Memoryze (Jamie Butler e Peter Silberman)
– The Memoryze tool provides a batch script for the
acquisition of physical memory.
– cd %SystemVolume%%ProgramFiles%MandiantMemoryze”

• Execute “MemoryDD.bat –output <directory_name>”

– Advantage: colects at the same time the pagefile and the
physical memory
– To install it on a pendrive:
• msiexec /a MemoryzeSetup.msi /qb TARGETDIR=<pendrive>:Memoryze
Memory Acquisition
– winen / winen64
– Guidance Software (http://www.guidancesoftware.com)

– Expert Witness Format (EWF/E01)
FTK Imager
• AccessData – http://www.accessdata.com
– GUI or CLI
– raw format / converts from E01 to raw
Memory Acquisition
• FastDump / FastDump Pro (Greg Hoghlund)
– HBGary (http://www.hbgary.com)
• Includes the page file on the dump (pagefile.sys)
Memory Acquisition
• MoonSols / win32dd, win64dd, Dumpit
(Matthieu Suiche)
– Free (community edition)
– All windows 32-64bit
– Open Source
– Can create windbg crash dumps
– Remote acquisition using tcp sockets
– Generates cryptographic Hashes (MD5/SHA1/SHA-256)
Moonsools community edition:
http://moonsols.com | http://msuiche.net
README:

- win32dd works for Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 32-bits Edition.
- win64dd works for Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 64-bits (x64)
hibr2dmp and hibr2bin only works with Microsoft Windows XP, 2003, 2008, Vista 32-bits
Edition Microsoft Windows hibernation files, including corrupted hibernation files.
- dmp2bin only works with Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 32-bits
Edition of Microsoft full memory crash dump files.

- bin2dmp works with Microsoft Windows XP, 2003, 2008, Vista 32-bits Edition raw
memory snapshots (windd, VMWare -- Can also work with Live VMWare Virtual Machine
but only in the Professional Edition).).
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
DUMPIT.EXE
Local
Imaging
Software
Company/Dev
eloper

FastDump
Community

FastDump Pro

WinEn

MDD

Memoryze

Win32DD/Dumpit

HBGary

HBGary

Guidance
Software

Mantech

Mandiant

Matthieu Suiche

www.encase.
com

www.
www.mandiant.co www.win32dd.msu
Mantech.com
m
iche.net

Web Site
www.hbgary.com
Licence Type

Free

Commercial

Commercial

Free

Free

Free

64 BIT

No

Yes

Yes

Yes

Not tested

Yes

4GB Limit No

Yes

Yes

Not tested

Not tested

Yes



Windows 7

No

Yes

Yes

Yes

Not tested

Yes

Windows
Server 2008

No

Not tested

Not tested

Yes

Yes

Yes

Windows Vista No

Yes

Yes

Yes

Yes

Yes

Windows XP

Yes

Yes

Yess

Yes

Yes

Yes

source: Jon Evans
Remote Imaging

EnCase Enterprise EnCase FIM
Edition
Edition

Web Site
www.encase.com

Pro-Disccover

Agile Risk
Management

Software Company/Developer Guidance Software

F-Response

Tech Pathways

www.fresponse.com

www.techpathways.com

Connectivity

One to many
connections

One to one

One to one or one One to one or one to
to many
many

Imaging Option

Yes

Yes

No

Yes

64 BIT

Yes

Yes

Yes

No



Yes

Yes

Yes

No

Windows 7

Yes

Yes

Yes

Yes

Windows Server 2008

Yes

Yes

Yes

Yes

Windows Vista

Yes

Yes

Yes

Yes

Windows XP

Yes

Yes

Yes

Yes

4GB Limit
Memory Analysis
– “old-school” – strings & grep/findstr on a memory
dump to lookup for ASCII and UNICODE strings
(manual carving)
• Can be useful to include as a target for search indexing
and/or names (documents, programs, passwords ...)
• Restricted functionality by inability to differentiate the
mailings and memory pages used by each process
• Produces large amounts of data without
contextualization
Analysis of Physical Memory
• Some artifacts that might exist in memory
– Running processes
– Open files
– Network connections and listening ports
– Open registry keys
– Application information
– Passwords in clear text
5-
Analysis of Physical Memory
–
–
–
–
–
–
–
–
–
–
–

Unencrypted data
Instant messenger chat sessions
Document data
Web based email
Malware
Rootkits & Trojans
Internet History
MFT Records
Pictures
Image data and time
BIOS details

5-
Linking Memory Image to
Computer

• Forensically speaking it is important to be able to produce
repeatable processes
• Therefore linking a particular memory image to a computer
could be an important aspect of any analysis
• This can be achieved by using a GREP expression to extract
the BIOS information of the host computer from the memory
dump
• EnCase, SMART, FTK can all be used to carryout the search

5-
Locating BIOS Information
• The BIOS information may include;
– Make
– Model
– Serial number
• Richard McQuown
(http://forensiczone.blogspot.com/search?q=bio
s) posted the GREP expression on his blog to
locate the BIOS details;
x00x14x00x00x01x02..x03
5-
Using GREP to locate BIOS
Information
• Use GREP tool GUI or Command line capable of
searching binary files
• Use term;

x00x14x00x00x01x02..x03
FTK Imager Searching for BIOS
Information
FTK Imager Searching for BIOS
Information Results
Memory Analysis
• Pattern Matching based on regular
expressions (regex) searches on process or
physical memory dumps:
root@SIFT-Workstation:/usr/local/src/ram-analysis# find . -iname '*.py' -ls
1728861 12 -rwxr-xr-x 1 root root
8497 Mar 16 00:05 ./pdgmail.py
1728862 16 -rwxr-xr-x 1 root root
12645 Mar 16 00:05 ./pdymail.py
82129 16 -rwxr-xr-x 1 root root
16288 Mar 16 00:14 ./pdfbook.py
82133 4 -rwxr-xr-x 1 root root
3014 Mar 8 11:38 ./skypeex/skypeex26.py
Memory Analysis – pdgmail.py
Analysis of memory structures
• Recent (since 2003)
– First Tools: DFRWS 2005, Kornblum, Carvey, .. (page
95 WFA2)
– Open source and academic projects
•
•
•
•

Perl scripts
Hex editors macros
Volatility framework – http://www.volatilesystems.com
Memoryze – http://www.mandiant.com
Volatility
The Volatility Framework is a completely open collection of tools, implemented in
Python under the GNU General Public License, for the extraction of digital artifacts
from volatile memory (RAM) samples.
The extraction techniques are performed completely independent of the system being
investigated but offer unprecedented visibilty into the runtime state of the system.
The framework is intended to introduce people to the techniques and complexities
associated with extracting digital artifacts from volatile memory samples and provide a
platform for further work into this exciting area of research.
Volatility Capabilities
The Volatility Framework currently provides the following extraction capabilities for memory samples
•
•
•
•
•
•
•
•
•
•
•
•
•
•

Image information (date, time, CPU count)
Running processes
Process SIDs and environment variables
Open network sockets
Open network connections
DLLs loaded for each process
Open handles to all kernel/executive objects (files, keys, mutexes)
OS kernel modules
Dump any process, DLL, or module to disk
Mapping physical offsets to virtual addresses
Virtual Address Descriptor information
Addressable memory for each process
Memory maps for each process
Extract executable samples

•
•
•
•
•
•
•
•
•
•
•
•

Scanning examples: processes, threads, sockets, connectio
modules
Command histories (cmd.exe) and console input/output b
Imported and exported API functions
PE version information
System call tables (IDT, GDT, SSDT)
API hooks in user- and kernel-mode (inline, IAT, EAT, NT sys
winsock)
Explore cached registry hives
Dump LM/NTLM hashes and LSA secrets
User assist and shimcache exploration
Scan for byte patterns, regular expressions, or strings in m
Analyze kernel timers and callback functions
Report on windows services
Volatility
Usually you run “vol.py” to execute volatility, but on the Linux
VM we have 3 versions of volatility installed (* 1.3, 2.2 and
2.3)
For this reason, to execute each version please type:

$ “volatility” for 1.3
$ volatility-2.2 for 2.2
$ volatility-2.3 for 2.3
Volatility Commands
$ volatility-2.3 --info
Volatile Systems Volatility Framework 2.3_beta

Profiles
-------LinuxEvo4GARM
- A Profile for Linux Evo4G ARM
MacLion_10_7_5_AMDx64 - A Profile for Mac Lion_10.7.5_AMD x64
VistaSP0x64
- A Profile for Windows Vista SP0 x64
VistaSP0x86
- A Profile for Windows Vista SP0 x86
VistaSP1x64
- A Profile for Windows Vista SP1 x64
VistaSP1x86
- A Profile for Windows Vista SP1 x86
VistaSP2x64
- A Profile for Windows Vista SP2 x64
VistaSP2x86
- A Profile for Windows Vista SP2 x86
Win2003SP0x86
- A Profile for Windows 2003 SP0 x86
Win2003SP1x64
- A Profile for Windows 2003 SP1 x64
Win2003SP1x86
- A Profile for Windows 2003 SP1 x86
Win2003SP2x64
- A Profile for Windows 2003 SP2 x64
Win2003SP2x86
- A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64
- A Profile for Windows 2008 SP1 x64
Win2008SP1x86
- A Profile for Windows 2008 SP1 x86
Win2008SP2x64
- A Profile for Windows 2008 SP2 x64
Win2008SP2x86
- A Profile for Windows 2008 SP2 x86
Win7SP0x64
- A Profile for Windows 7 SP0 x64
Win7SP0x86
- A Profile for Windows 7 SP0 x86
Win7SP1x64
- A Profile for Windows 7 SP1 x64
Win7SP1x86
- A Profile for Windows 7 SP1 x86
WinXPSP1x64
- A Profile for Windows XP SP1 x64
WinXPSP2x64
- A Profile for Windows XP SP2 x64
WinXPSP2x86
- A Profile for Windows XP SP2 x86
WinXPSP3x86
- A Profile for Windows XP SP3 x86
Volatility Roadmap
•

Volatility 2.1 (Official x64 Support)

•

RC1: July 8, 2012 Release: August 3, 2012

•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

* New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64)
* Majority of Existing Plugins Updated with x64 Support
* Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21)
* WindowsHiberFileSpace32 Overhaul (also includes x64 Support)
* Now supports the following profiles:
o Windows XP SP1, SP2 and SP3 x86
o Windows XP SP1 and SP2 x64 (there is no SP3 x64)
o Windows Server 2003 SP0, SP1, and SP2 x86
o Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64)
o Windows Vista SP0, SP1, and SP2 x86
o Windows Vista SP0, SP1, and SP2 x64
o Windows Server 2008 SP1 and SP2 x86 (there is no SP0)
o Windows Server 2008 SP1 and SP2 x64 (there is no SP0)
o Windows Server 2008 R2 SP0 and SP1 x64
o Windows 7 SP0 and SP1 x86
o Windows 7 SP0 and SP1 x64

•
•
•
•
•

* Plugin Additions
o Printing Process Environment Variables (envvars)
o Inspecting the Shim Cache (shimcache)
o Profiling Command History and Console Usage (cmdscan, consoles)
o Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp)
Volatility Roadmap
•

Volatility 2.2 (Official Linux Support)

•

RC1: Sept 10, 2012 Release: Oct 2, 2012

•
•
•
•
•
•

* Linux Support (Intel x86, x64) kernels 2.6.11 - 3.x
* Over 25+ Linux plugins
* Windows win32k suite (14+ plugins, classes, algorithms and APIs for analyzing GUI memory)
* New or Updated Plugins
o eventlogs
o getservicesids

•

Volatility 2.3 (Official Mac/Android/ARM Support)

•

RC1: N/A Release: June 2013

•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

* Mac Support (x86, x64)
* Android/Arm Support
* New Address Spaces (VMWareSnapshotFile, VirtualBoxCoreDumpElf64, HpakAddressSpace, MachOAddressSpace)
* New or Updated Plugins
o shellbags
o mbr/vbr parser
o mftparser
o dumpfiles
o iehistory
* Plugin Enhancements
o Verbose details for kdbgscan and kpcrscan
o idt/gdt/timers plugins cycle automatically for each CPU
o apihooks detects LSP/winsock procedure tables
* New Output Formatting Support (Table Rendering)
* New Mechanism for Profile Modifications
* New Registry API Support
* New Volshell Commands
* Updated Documentation and Command Reference
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•

•
•
•
•
•
•
•
•

Volatility Roadmap

Volatility 3.0 (Official Tech Preview Merge) - RC1: Late 2013 Release: Late 2013
* A refactor and clean up of the vtype language/profiles/object system
* Plugin management and the session object
* Interactive IPython shell
* Unified Plugin Output Format (+ JSON renderers)
* Updated Registry Hive and PE File Address Spaces
* Performance Profiling and Regression Testing Framework
* Updates to Config System
* Improved Framework Support (Use as a Library)
* Application Profiles and WOW64
* Addition of Windows 8/Server 2012 Support/Testing
* New or Updated Plugins
o privileges
o pktscan
o cachedump
o dnscache
o stack, heaps
* x64 Updates to Malware Plugins (timers, callbacks, idt/gdt, apihooks)
* Pool Scanner Updates
* Unicode improvements
* KDBG/DTB Improvements
* Profile Selection Enhancements

Volatility Future
* Update to Python 3.0
* Updates to PDBParse
* PyVmiAddressSpace
* Pagefile.sys
* support single process dumps
* Multiprocessing module
* Performance profiling (C modules for some functions?)
Volatility stable / Internal Commands
Volatility Plugins
SANS SIFT 2.x > PTK > Memory
LAB – Live vs Offline
Memory Analysis: Vmware – VM “AcmeXP1”
User: “Administrator”, Password: “password”
Live Response: fport /foundstone:
Lab
Live Response: pstools / sysinternals-microsoft:
Lab
Volatility – SIFT Workstation 2.0:
ident (volatility 1.3)
imageinfo (volatility 2.x)
Lab *
Volatility – SIFT Workstation 2.0:
pslist / pstree
Lab *
python volatility connscan –f <memory-image.bin>
Lab
python volatility sockscan –f <memory-image.bin>
Lab *
python volatility procdump –f <memory-image.bin> -p <pid>
Lab – procdump (1.3) / procexedump & procmemdump (2.3)
“..changes between the in-memory representation of the file and the disk representation the file”

“Visualizing Recovered Executables from Memory Images”
http://jessekornblum.livejournal.com/294997.html
Lab – malfind2 *
Detect hidden and injected code
Lab : Conclusion *
• Offline memory analysis generates identical or better
information and is less invasive than "live response“
• Process and established connections review through the
memory dump analysis enables more data recovery

• This is true even when the machine has usermode and
kernel mode rootkits installed
Lab : Hash Dump
Goal: to Transform the hibernation file on a memory dump and recover user passwords
Obtaining the hibernation file:
With the machine off: traditional disk Forensics: Boot with usb or CD / linux Live (helix/caine/deft/etc..)
or extract hiberfil.sys from a .DD or .E01 image (ftkimager/encase/etc..)
With the machine on : FGET.exe HBGARY
Convert the hibernation file to a memory dump (raw):
using Volatility:
python volatility hibinfo –f <path-to-hiberfil.sys> -d <hiberfil.memory.img>
using Moonsols:
hibr2bin.exe <path-to-hiberfil.sys> -d <hiberfil.memory.img>
Lab
– Volatility & RegRipper
– Steps:
• Find the registry hive locations on memory
• find and dump the SAM e SYSTEM hives
• crack the users passwords

– Volatility modules used:
• hivescan, hivelist, hashdump
Lab
– Finding the registry hives in memory (Volatility
Hivescan)
root@SIFT-Workstation:/media/usb# /usr/bin/python /usr/local/bin/volatility hivescan -f
fdpro_dump/20100817_fdpro_acmexp_dump.bin
Offset
(hex)
34267144
0x20ae008
34289480
0x20b3748
38249752
0x247a518
76358936
0x48d2518
Lab
Identifying which hives are present on this
memory addresses:
root@SIFT-Workstation:/media/usb# /usr/bin/python /usr/local/bin/volatility hivelist -f
fdpro_dump/20100817_fdpro_acmexp_dump.bin -o 0x20ae008
Address Name
0xe107b7b0 Documents and SettingsAdministratorLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat
0xe1069b60 Documents and SettingsAdministratorNTUSER.DAT
0xe198c720 Documents and SettingsLocalServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat
0xe14ab008 WINDOWSsystem32configsoftware
0xe18086b8 WINDOWSsystem32configdefault
0xe17c9888 WINDOWSsystem32configSAM
0xe1808b60 WINDOWSsystem32configSECURITY
0xe139c518 [no name]
0xe1019748 WINDOWSsystem32configsystem
0xe1013008 [no name]
Lab
• Dumping the hashes usig the SYSTEM e SAM
offsets
root@SIFT-Workstation:/media/usb# /usr/bin/python /usr/local/bin/volatility hashdump -f
fdpro_dump/20100817_fdpro_acmexp_dump.bin -y 0xe1019748 -s 0xe17c9888
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:b4d242a1cdc59680a8d465842d29c2a2:84ee8679c50437e502ae9b1c8e5f4285:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:edf2c0cd26a166c903a857f3785b043c:::
Lab (with volatility 2.3)
$ volatility-2.3 hivelist -f ACMEXP1-20130822-045704.raw
Volatile Systems Volatility Framework 2.3_beta
Virtual Physical Name
---------- ---------- ---(…)
0xe17c6008 0x07547008 DeviceHarddiskVolume1WINDOWSsystem32configSAM
0xe101a848 0x020d6848 DeviceHarddiskVolume1WINDOWSsystem32configsystem
(...)
$ volatility-2.3 hashdump -f ACMEXP1-20130822-045704.raw -y 0xe101a848 -s 0xe17c6008
Volatile Systems Volatility Framework 2.3_beta
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:b4d242a1cdc59680a8d465842d29c2a2:84ee8679c50437e502ae9b1c8e5f4285:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:edf2c0cd26a166c903a857f3785b043c:::
SUPPORT_388945a1:1005:d687124ff5986a06aad3b435b51404ee:76090b810398cfb9d5ec00d7aae43e4c:::
Lab: all steps...
# /usr/bin/python /usr/local/bin/volatility hivescan -f fdpro_dump/20100817_fdpro_acmexp_dump.bin
Offset
34267144
76358936

(hex)
0x20ae008
(…)

# /usr/bin/python /usr/local/bin/volatility hivelist -f fdpro_dump/20100817_fdpro_acmexp_dump.bin -o 0x20ae008
Address
(...)
0xe17c9888
0xe1808b60
0xe1019748
(...)

Name
WINDOWSsystem32configSAM
WINDOWSsystem32configSECURITY
WINDOWSsystem32configsystem

# /usr/bin/python /usr/local/bin/volatility hashdump -f fdpro_dump/20100817_fdpro_acmexp_dump.bin -y 0xe1019748 -s 0xe17c9888
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
(…)
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:edf2c0cd26a166c903a857f3785b043c:::
Lab *
• Cracking the hashes using RainbowTables
• Offline
– OphCrack / rcrack / PRTK-DNA / EDPR / Passware

• Online:
– http://www.onlinehashcrack.com
– http://www.objectif-securite.ch/en/products.php?hash=<hash>#Demo

The volatility plugins used on this lab were developed
by Brendan Dolan-Gavitt: http://moyix.blogspot.com
Lab: OnlineHashCrack results:
Lab - Conclusion
Administrator:

SUPPORT_388945a0:
Lab: Live Registry
root@SIFT-Workstation:/usr/local/src/volatility# perl rip.pl -r
/media/usb/fdpro_dump/20100817_fdpro_acmexp_dump.bin@0xe17c9888 -f sam
Parsed Plugins file.
Launching samparse v.20080415
User Information
------------------------Username
: Administrator [500]
Full Name
:
User Comment : Built-in account for administering the computer/domain
Last Login Date : Fri Aug 13 21:47:26 2010 Z
Pwd Reset Date : Wed Jun 27 22:54:58 2007 Z
Pwd Fail Date : Fri Aug 13 00:59:01 2010 Z
Login Count : 55
--> Password does not expire
(...)
Lab: Photorec with mounted memory image
• PhotoRec Is an open source file recovery (aka carving) program
• Recovers video, photos, documents, archive files and EXE files from
volumes and physical disks
• A memory image needs to be mounted as a physical device (ie FTK Imager)
to perform a search
• Can also be run against running memory using F-Response
Site: http://www.cgsecurity.org/wiki/PhotoRec
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
Memoryze/AuditViewer
Memoryze / AuditViewer
Lab: RedLine/Memoryze
Encase FIM
Encase FIM
Lab: FTK 4.x (5.x) Remote (Mem)
Bonus – Volatility consoles
root@SIFT-Workstation:/cases/01/MEMORYDUMP# volatility2 -f ACMEXP1-20130815-051322.raw consoles
Volatile Systems Volatility Framework 2.2
**************************************************
ConsoleProcess: csrss.exe Pid: 496
Console: 0x4e2820 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: C:usbDumpIt.exe
Title: C:usbDumpIt.exe
AttachedProcess: DumpIt.exe Pid: 1692 Handle: 0x3f4
---CommandHistory: 0x4e4fd8 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x3f4
---Screen 0x1307750 X:80 Y:300
Dump:
DumpIt - v1.3.2.20110401 - One click memory memory dumper
Copyright (c) 2007 - 2011, Matthieu Suiche <http://www.msuiche.net>
Copyright (c) 2010 - 2011, MoonSols <http://www.moonsols.com>

Address space size:
268435456 bytes ( 256 Mb)
Free space size:
6060228608 bytes ( 5779 Mb)
* Destination = ??C:usbACMEXP1-20130815-051322.raw
--> Are you sure you want to continue? [y/n] y
+ Processing...
Bonus - Stuxnet analysis with Volatility
How To:
http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html

Or
Stuxnet Memory Dump:
/cases/01/MEMORYDUMP/stuxnet.vmem

SHA256:
5f19ff1333fc3901fbf3fafb50d2adb0c495cf6d33789e5a959499a92aeefe77

Commands: volatility (1.3) and volatility2 (2.2)
Bonus - SilentBanker (IE Dll
injection) Analysis
• http://www.youtube.com/watch?v=ejvqjXv9n
wM
Bonus – MacOSX, Linux and
Android memory Analysis
1.1: The OSX profiles can be found here: https://code.google.com/p/volatility/downloads/detail?name=MacProfilesAll.zip. We used to have a 10.8.3 x64 sample online,
but it seems to have been misplaced (link is 404). Give me a day or two to ping some people and see if they have a copy and if so I'll re-upload it and let you know.
1.2: I believe you'll have to contact osxreverser for the sample, its not available publicly to the best of my knowledge.
2.1: The avgcoder sample can be downloaded from http://secondlookforensics.com/linux-memory-images/centos-6.3-x86_64-LiveDVD-avgcoder.mem.bz2. The profile to
work with the sample is http://code.google.com/p/volatility/downloads/detail?name=CentOS63.zip.
2.2. The android sample can be downloaded from http://dfrws.org/2012/Rodeo2012.tgz. The Volatility profile is also inside.
Just copy Evo4G.zip into your volatility/plugins/overlays/linux directory.
Bonus - Linux
https://code.google.com/p/volatility/wiki/LinuxMemoryForensics

Bash History:
$ volatility2 -f centos-6.3-x86_64-LiveDVDavgcoder.mem --profile=LinuxCentOS63x64
linux_bash -H 0x6e0950

linux_arp
- Print the ARP table
linux_bash
- Recover bash history from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_cpuinfo
- Prints info about each active processor
linux_dentry_cache - Gather files from the dentry cache
linux_dmesg
- Gather dmesg buffer
linux_dump_map - Writes selected memory mappings to disk
linux_find_file - Recovers tmpfs filesystems from memory
linux_ifconfig - Gathers active interfaces
linux_iomem
- Provides output similar to /proc/iomem
linux_lsmod
- Gather loaded kernel modules
linux_lsof
- Lists open files
linux_memmap
- Dumps the memory map for linux tasks
linux_mount
- Gather mounted fs/devices
linux_mount_cache - Gather mounted fs/devices from kmem_cache
linux_netstat
- Lists open sockets
linux_pidhashtable - Enumerates processes through the PID hash table
linux_pkt_queues - Writes per-process packet queues out to disk
linux_proc_maps - Gathers process maps for linux
linux_psaux
- Gathers processes along with full command line and start time
linux_pslist
- Gather active tasks by walking the task_struct->task list
linux_pslist_cache - Gather tasks from the kmem_cache
linux_pstree
- Shows the parent/child relationship between processes
linux_psxview
- Find hidden processes with various process listings
linux_route_cache - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo - Mimics /proc/slabinfo on a running machine
linux_tmpfs
- Recovers tmpfs filesystems from memory
linux_vma_cache - Gather VMAs from the vm_area_struct cache
Bonus - MacOSX RootKit
$ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64 mac_psxview
$ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64 mac_lsmod

$ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64
mac_check_syscalls |grep HOOKED
Volatile Systems Volatility Framework 2.3_beta
SyscallTable
222 0xffffff7f807ff41d HOOKED
SyscallTable
344 0xffffff7f807ff2ee HOOKED
SyscallTable
397 0xffffff7f807ffa7e HOOKED

calls:
(getdirentriesattr)
(getdirentries64)
(write_nocancel)

http://volatility-labs.blogspot.com.br/2013/06/movp-ii-45-mac-volatility-vs-rubilyn.html
Bonus - MacOSX password dumper
• https://github.com/juuso/keychaindump
Keychaindump is a proof-of-concept tool for reading OS X keychain
passwords as root. It hunts for unlocked keychain master keys located
in the memory space of the securityd process, and uses them to
decrypt keychain files.
$ sudo ./keychaindump
[*] Searching process 15 heap range 0x7fa809400000-0x7fa809500000
(..)
[*] Searching process 15 heap range 0x7fa80a900000-0x7fa80ac00000
[*] Found 17 master key candidates
[*] Trying to decrypt wrapping key in /Users/juusosalonen/Library/Keychains/login.keychain
(…)
[*] Trying master key candidate: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a
[+] Found master key: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a
[+] Found wrapping key: e9acc39947f1996df940fceb1f458ac74b877579f54409b7
xxxxxxx:192.168.1.1:xxxxxxx
xxxxxxx@gmail.com:login.facebook.com:xxxxxxx
xxxxxxx@gmail.com:smtp.google.com:xxxxxxx
xxxxxxx@gmail.com:imap.google.com:xxxxxxx
xxxxxxx:twitter.com:xxxxxxx
xxxxxxx@gmail.com:www.google.com:xxxxxxx
Bonus - Android Memory Forensics
• Acquisition – LiME ()
• Analysis:
– List all the executed processes:
• $ volatility-2.3 --profile=LinuxEvo4GARM -f Evo4GRodeo.lime linux_pslist_cache

– List opened / mapped files:
• $ volatility-2.3 --profile=LinuxEvo4GARM -f Evo4GRodeo.lime linux_dentry_cache

– List mount points:
• $ volatility-2.3q --profile=LinuxEvo4GARM -f Evo4GRodeo.lime
linux_mount_cache

• TIP: adding the “–u” option to the command and you get the previous
executed processes, previous opened files and mount points that
previously existed on the Android system.
Bonus - Zeus Banking Trojan
Analysis
http://malwarereversing.wordpress.com/2011/0
9/23/zeus-analysis-in-volatility-2-0/
Bonus - Recovering Twitter and Facebook artifacts from the
Memory
Jeff Bryner with the Facebook and Twitter artifact extraction
Description:
This submission provides plugins for carving Twitter and Facebook artifacts from a process' address space. This is accomplished
by scanning the address space for the json/html structures that are used by the social media applications. Examples of
information extracted include: Twitter direct messages, identifying user information, Facebook direct messages, etc.

Download Link:
www.volatilityfoundation.org/contest/2013/JeffBryner_FacebookTwitter.zip
Related Links:
https://github.com/jeffbryner/volatilityPlugins
http://www.youtube.com/watch?v=K_gBpdK936o
Author's Twitter: @0x7eff
Bonus - Lab: Twitter
$ volatility-2.3 -f twitter-ACMEXP1-20130822-064258.raw twitter –p 2536
Volatile Systems Volatility Framework 2.3_beta
searching for browser processes...
found browser pid: 3684, chrome.exe
examining 35917410 bytes
twitter cookie found for userid:1690220420
found browser pid: 2536, chrome.exe
examining 45819060 bytes
11 s (Thu Aug 22 06:42:41 2013)

@suffert
Sandro Sffert
DM: You are a strang being Sergio. If you think this is cool. But I'm glad to help, anyway.
1 m (Thu Aug 22 06:40:19 2013)
Sent
AuthorImage: https://twimg0a.akamaihd.net/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg
DM: Hi Suffert, how are you my friend?
1 m (Thu Aug 22 06:41:04 2013)
Received
AuthorImage: https://twimg0-a.akamaihd.net/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg
DM: Very well Sergio, I'm a little busy right now, but tell me, how can I help you?
agora (Thu Aug 22 06:42:14 2013)
Sent
AuthorImage: https://twimg0a.akamaihd.net/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg
DM: I am testing a new volatility plugin that extracts the JSON information from twitter directly from a memory dump, cool right?
2 m (Thu Aug 22 06:40:19 2013)
Sent
AuthorImage: https://si0.twimg.com/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg
DM: Hi Suffert, how are you my friend?
1 m (Thu Aug 22 06:41:04 2013)
Received
AuthorImage: https://si0.twimg.com/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg
DM: Very well Sergio, I'm a little busy right now, but tell me, how can I help you?
39 s (Thu Aug 22 06:42:14 2013)
Sent
AuthorImage: https://si0.twimg.com/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg
DM: I am testing a new volatility plugin that extracts the JSON information from twitter directly from a memory dump, cool right?
12 s (Thu Aug 22 06:42:41 2013)
Received
AuthorImage: https://si0.twimg.com/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg
DM: You are a strang being Sergio. If you think this is cool. But I'm glad to help, anyway.
195.831911087 seconds

How to Convert “User_id” to username => https://twitter.com/intent/user?user_id=1690220420
Bonus - Facebook
$ volatility-2.3 fb-ACMEXP1-20130822-064258.raw facebook –p 2536
Bonus - Linux RootKit
$ volatility_2.2 -f centos-6.3-x86_64-LiveDVD-avgcoder.mem --profile=LinuxCentOS63x64 linux_find_file -F /var/run/utmp
Volatile Systems Volatility Framework 2.2
Inode Number
Inode
---------------- -----------------130564 0x88007a85acc0
$ volatility-2.2 -f centos-6.3-x86_64-LiveDVD-avgcoder.mem --profile=LinuxCentOS63x64 linux_check_fop -i 0x88007a85acc0
(...)
$ volatility-2.2 -f centos-6.3-x86_64-LiveDVD-avgcoder.mem --profile=LinuxCentOS63x64 linux_check_fop
(...)

http://volatility-labs.blogspot.com.br/2012/09/movp-14-average-coder-rootkit-bash.html
Bonus - Extracting network packets
from memory
$ volatility-2.3 -f twitter-ACMEXP1-20130822-064258.raw ethscan
Volatile Systems Volatility Framework 2.3_beta
Checking next buffer 0xe774
Packets Found: 1
Ethernet: Src: (00:50:56:e0:09:13)
Dst: (00:0c:29:ec:42:16)
Type:
IPv4 (0x0800)
IPv4:
Src: 199.59.149.230:47873
Dst: 192.168.117.128:54276
Protocol: TCP (6)
Packet Size: (657) Bytes
0x00000000 00 0c 29 ec 42 16 00 50 56 e0 09 13 08 00 45 00 ..).B..PV.....E.
0x00000010 02 83 93 1f 00 00 80 06 12 0b c7 3b 95 e6 c0 a8 ...........;....
0x00000020 75 80 01 bb 04 d4 7e 39 7e a5 79 b8 8c 5b 50 18 u.....~9~.y..[P.
0x00000030 fa f0 56 92 00 00 17 03 01 01 ba 1f 6d d0 25 8a ..V.........m.%.
0x00000040 49 83 5d 39 82 77 b6 31 52 a1 f2 a4 62 9d bf cd I.]9.w.1R...b...
0x00000050 19 ff 7a 0c 2b bf df 2e 84 b4 36 69 35 e2 db 39 ..z.+.....6i5..9
0x00000060 b2 71 ab 11 a1 21 45 7f 58 40 a5 d0 f1 6c 36 a6 .q...!E.X@...l6.
0x00000070 f0 f5 10 7b 30 45 0f 10 4c 6b 42 62 61 90 79 8e ...{0E..LkBba.y.
0x00000080 c9 94 46 92 b2 49 8d 1c f9 f6 5f d0 3d 7b ed cb ..F..I...._.={..
0x00000090 bf 5b 4d 04 fe 35 60 ac 9a 44 13 51 35 d2 31 f5 .[M..5`..D.Q5.1.
Bonus - Memdump.bin
$ volatility connscan -f memdump.bin
root@SIFT-Workstation:/cases/01/MEMORYDUMP/memdump# ^C
root@SIFT-Workstation:/cases/01/MEMORYDUMP/memdump# volatility connscan -f memdump.bin
Local Address
Remote Address
Pid
------------------------- ------------------------- -----192.168.56.103:1084
192.168.56.103:1076
192.168.56.103:1081
192.168.56.103:1079

192.168.56.10:389
58.64.132.141:80
192.168.56.10:445
58.64.132.141:80

320
1072
1184
1072

http://blog.handlerdiaries.com/?p=12
Bonus - Volatility: volshell.py
• http://kurtz.cs.wesleyan.edu/~bdolangavitt/memory/omfw-notes.txt
Advanced Malware Analysis and
Memory Forensics Training
•
•
•
•

5 days of intense hands-on training by the Volatility Development Team
1200+ slides, 150+ page lab guide, exclusive plugins and tools
Amsterdam 9/2013 [sold out], Reston VA 11/2013 [available]
Keep an eye on http://volatility-labs.blogspot.com and @volatility for
2014 events (including one in Brazil! ;)
• Email voltraining@memoryanalysis.net for a detailed course outline
• Discounts for full-time students, law enforcement, and government
employees
• See http://volatility-labs.blogspot.com/2013/06/the-perfect-combinationof-ir-malware.html for student feedback
• (http://volatility-labs.blogspot.fr/2013/08/results-are-in-for-1stannual.html)
Other alternatives to Live Respose
and Memory Forensics:
HotPlug by WiebieTech:
https://www.youtube.com/watch?v=eraq4TO_a3z8
Thank you
Sandro Süffert - http://suffert.com

CTO, APURA CyberSecurity Intelligence
http://apura.com.br/en | twitter: @suffert

Mais conteúdo relacionado

Mais procurados

Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisAndrew Case
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3CTIN
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Vista Forensics
Vista ForensicsVista Forensics
Vista ForensicsCTIN
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsBrent Muir
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Time Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsTime Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsCTIN
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityAndrew Case
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatilityYashashree Gund
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Brent Muir
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicCTIN
 
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityAndrew Case
 

Mais procurados (20)

Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory Analysis
 
Disk forensics
Disk forensicsDisk forensics
Disk forensics
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory Forensics
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Windows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary ArtefactsWindows 10 Forensics: OS Evidentiary Artefacts
Windows 10 Forensics: OS Evidentiary Artefacts
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Time Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsTime Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows Systems
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with Volatility
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory Forensics
 
Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatility
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0
 
Windows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-publicWindows 7 forensics jump lists-rv3-public
Windows 7 forensics jump lists-rv3-public
 
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with Volatility
 

Destaque

Raidprep
RaidprepRaidprep
RaidprepCTIN
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registrysomutripathi
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierBasis Technology
 
Become an Internet Sleuth!
Become an Internet Sleuth!Become an Internet Sleuth!
Become an Internet Sleuth!Nearpod
 
Translating Geek To Attorneys It Security
Translating Geek To Attorneys It SecurityTranslating Geek To Attorneys It Security
Translating Geek To Attorneys It SecurityCTIN
 
Anti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionAnti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionSeccuris Inc.
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XPRupesh Kumar
 
Introduction to memory forensics
Introduction to memory forensicsIntroduction to memory forensics
Introduction to memory forensicsMarco Alamanni
 
Edrm
EdrmEdrm
EdrmCTIN
 
Sleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGSleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGEduardo Chavarro
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for InvestigatorsCase IQ
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Mark Matienzo
 
NTFS file system
NTFS file systemNTFS file system
NTFS file systemRavi Yasas
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drivesCTIN
 
Nra
NraNra
NraCTIN
 

Destaque (19)

Raidprep
RaidprepRaidprep
Raidprep
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registry
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian CarrierOSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
 
Registry forensics
Registry forensicsRegistry forensics
Registry forensics
 
Become an Internet Sleuth!
Become an Internet Sleuth!Become an Internet Sleuth!
Become an Internet Sleuth!
 
Translating Geek To Attorneys It Security
Translating Geek To Attorneys It SecurityTranslating Geek To Attorneys It Security
Translating Geek To Attorneys It Security
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Anti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and preventionAnti-Forensics: Real world identification, analysis and prevention
Anti-Forensics: Real world identification, analysis and prevention
 
Installation of Joomla on Windows XP
Installation of Joomla on Windows XPInstallation of Joomla on Windows XP
Installation of Joomla on Windows XP
 
File system
File systemFile system
File system
 
Introduction to memory forensics
Introduction to memory forensicsIntroduction to memory forensics
Introduction to memory forensics
 
Edrm
EdrmEdrm
Edrm
 
Sleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKINGSleuth kit by echavarro - HABEMUSHACKING
Sleuth kit by echavarro - HABEMUSHACKING
 
Social Media Forensics for Investigators
Social Media Forensics for InvestigatorsSocial Media Forensics for Investigators
Social Media Forensics for Investigators
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
 
NTFS file system
NTFS file systemNTFS file system
NTFS file system
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drives
 
Nra
NraNra
Nra
 

Semelhante a 2010 2013 sandro suffert memory forensics introdutory work shop - public

Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics reportyash sawarkar
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsdeaneal
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfGnanavi2
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E  9  B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E  9  B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docxsmile790243
 
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009ClubHack
 
Live memory analysis tools and techniques in linux environment tech foring
Live memory analysis tools and techniques in linux environment tech foringLive memory analysis tools and techniques in linux environment tech foring
Live memory analysis tools and techniques in linux environment tech foringSheikh Foyjul Islam
 
Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the ArchiveGarethKnight
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsPardhasaradhi ch
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windowsguest66dc5f
 
Introduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi CIntroduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi Cn|u - The Open Security Community
 
Leveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of MalwareLeveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of Malwaretmugherini
 
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...IJCSIS Research Publications
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic InvestigatorAgape Inc
 
Computer forensics libin
Computer forensics   libinComputer forensics   libin
Computer forensics libinlibinp
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smartJeff Beley
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkitsamiable_indian
 
Desktop Forensics: Windows
Desktop Forensics: WindowsDesktop Forensics: Windows
Desktop Forensics: WindowsGol D Roger
 
Automated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data AcquisitionAutomated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data AcquisitionIJERA Editor
 

Semelhante a 2010 2013 sandro suffert memory forensics introdutory work shop - public (20)

Cyber&digital forensics report
Cyber&digital forensics reportCyber&digital forensics report
Cyber&digital forensics report
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
computerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdfcomputerforensics-140529094816-phpapp01 (1).pdf
computerforensics-140529094816-phpapp01 (1).pdf
 
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E  9  B Y .docxLecture 09 - Memory Forensics.pdfL E C T U R E  9  B Y .docx
Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx
 
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
 
Live memory analysis tools and techniques in linux environment tech foring
Live memory analysis tools and techniques in linux environment tech foringLive memory analysis tools and techniques in linux environment tech foring
Live memory analysis tools and techniques in linux environment tech foring
 
Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the Archive
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_WindowsChetan-Mining_Digital_Evidence_in_Microsoft_Windows
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
 
Introduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi CIntroduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi C
 
Leveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of MalwareLeveraging NTFS Timeline Forensics during the Analysis of Malware
Leveraging NTFS Timeline Forensics during the Analysis of Malware
 
intro to forensics
intro to forensicsintro to forensics
intro to forensics
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...
Virtual Machine Forensic Analysis and Recovery Method for Recovery and Analys...
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
Computer forensics libin
Computer forensics   libinComputer forensics   libin
Computer forensics libin
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
Anti-Forensic Rootkits
Anti-Forensic RootkitsAnti-Forensic Rootkits
Anti-Forensic Rootkits
 
Desktop Forensics: Windows
Desktop Forensics: WindowsDesktop Forensics: Windows
Desktop Forensics: Windows
 
Automated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data AcquisitionAutomated Live Forensics Analysis for Volatile Data Acquisition
Automated Live Forensics Analysis for Volatile Data Acquisition
 

Mais de Sandro Suffert

Desafios para a Cibersegurança em 2014 e 2016
Desafios para a Cibersegurança em 2014 e 2016Desafios para a Cibersegurança em 2014 e 2016
Desafios para a Cibersegurança em 2014 e 2016Sandro Suffert
 
Iccyber2012 sandro suffert apura - jacomo picolini teamcymru - desafio fore...
Iccyber2012   sandro suffert apura - jacomo picolini teamcymru - desafio fore...Iccyber2012   sandro suffert apura - jacomo picolini teamcymru - desafio fore...
Iccyber2012 sandro suffert apura - jacomo picolini teamcymru - desafio fore...Sandro Suffert
 
Iccyber 2012 sandro suffert - apura - evolucao das tecnicas de investigacao...
Iccyber 2012   sandro suffert - apura - evolucao das tecnicas de investigacao...Iccyber 2012   sandro suffert - apura - evolucao das tecnicas de investigacao...
Iccyber 2012 sandro suffert - apura - evolucao das tecnicas de investigacao...Sandro Suffert
 
Forense windows registro_sandro_suffert
Forense windows registro_sandro_suffertForense windows registro_sandro_suffert
Forense windows registro_sandro_suffertSandro Suffert
 
201108 sandro süffert - desafios em forense computacional e resposta a incide...
201108 sandro süffert - desafios em forense computacional e resposta a incide...201108 sandro süffert - desafios em forense computacional e resposta a incide...
201108 sandro süffert - desafios em forense computacional e resposta a incide...Sandro Suffert
 
Forense memoria windows_sandro_suffert_2009_2010
Forense memoria windows_sandro_suffert_2009_2010Forense memoria windows_sandro_suffert_2009_2010
Forense memoria windows_sandro_suffert_2009_2010Sandro Suffert
 
Iccyber 2010 - Sandro Süffert Avanços Tecnológicos
Iccyber 2010 - Sandro Süffert   Avanços TecnológicosIccyber 2010 - Sandro Süffert   Avanços Tecnológicos
Iccyber 2010 - Sandro Süffert Avanços TecnológicosSandro Suffert
 

Mais de Sandro Suffert (7)

Desafios para a Cibersegurança em 2014 e 2016
Desafios para a Cibersegurança em 2014 e 2016Desafios para a Cibersegurança em 2014 e 2016
Desafios para a Cibersegurança em 2014 e 2016
 
Iccyber2012 sandro suffert apura - jacomo picolini teamcymru - desafio fore...
Iccyber2012   sandro suffert apura - jacomo picolini teamcymru - desafio fore...Iccyber2012   sandro suffert apura - jacomo picolini teamcymru - desafio fore...
Iccyber2012 sandro suffert apura - jacomo picolini teamcymru - desafio fore...
 
Iccyber 2012 sandro suffert - apura - evolucao das tecnicas de investigacao...
Iccyber 2012   sandro suffert - apura - evolucao das tecnicas de investigacao...Iccyber 2012   sandro suffert - apura - evolucao das tecnicas de investigacao...
Iccyber 2012 sandro suffert - apura - evolucao das tecnicas de investigacao...
 
Forense windows registro_sandro_suffert
Forense windows registro_sandro_suffertForense windows registro_sandro_suffert
Forense windows registro_sandro_suffert
 
201108 sandro süffert - desafios em forense computacional e resposta a incide...
201108 sandro süffert - desafios em forense computacional e resposta a incide...201108 sandro süffert - desafios em forense computacional e resposta a incide...
201108 sandro süffert - desafios em forense computacional e resposta a incide...
 
Forense memoria windows_sandro_suffert_2009_2010
Forense memoria windows_sandro_suffert_2009_2010Forense memoria windows_sandro_suffert_2009_2010
Forense memoria windows_sandro_suffert_2009_2010
 
Iccyber 2010 - Sandro Süffert Avanços Tecnológicos
Iccyber 2010 - Sandro Süffert   Avanços TecnológicosIccyber 2010 - Sandro Süffert   Avanços Tecnológicos
Iccyber 2010 - Sandro Süffert Avanços Tecnológicos
 

Último

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 

Último (20)

The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 

2010 2013 sandro suffert memory forensics introdutory work shop - public

  • 1. Memory Forensics (Windows, Mac and Linux) Sandro Süffert - http://suffert.com CTO, APURA CyberSecurity Intelligence http://apura.com.br | twitter: @suffert 2010->2013
  • 2. Memory Forensics: Course objectives • Help the student to achieve a broad understanding of the main types of memory forensic data gathering and analysis • Serve as an introduction to low level concepts necessary for a proper understanding of the task of performing memory forensics on Windows, MacOSX and Linux (incl. Android). • Put the student in contact with different memory forensics tools and provide him information on how to use the gathered forensic data to perform a wide range of investigations
  • 3. Agenda Windows Memory Forensics Theory • • • • • • • • • • • Windows Memory Forensics Demos and Hands-On References Offline Memory Analysis vs Live Response Acquisition / Context / Analysis Order of Volatility Physical Memory, Virtual Memory Paging / Swapping / Hibernation Kernel Modes Memory Mapping Processes / Threads / Services / Jobs Acquisition details Analysis details • • • • • • • • • • • • • Hands-on Bonuses: • • • • • MacOSX memory analysis Linux memory analysis Android memory analysis Stuxnet artifacts analysis More if time permits MoonSols Community Edition FastDump FTKImager Memoryze Volatility Fget Microsoft Windows Debugger LiveKD Pdgmail / pdymail Sysinternals / NirSoft / NTSecurity AccessData FTK 4.x Encase FIM/Enterprise 6.17 HBGary Responder Pro
  • 4. Supporting Tools for the Practical Labs (Hands-On): • Linux: • • • • Hexadecimal editor (hexedit – CLI / ghex - GUI) Hash calculator (md5sum, sha1sum) Base64 decoder (base64) Win ASCII to Unix ASCII convertor (dos2unix) • Windows Freeware: • Hexadecimal editor: • FRHED - http://frhed.sourceforge.net/ • Time conversions: • TimeLord: http://computerforensics.parsonage.co.uk/timelord/timelord.htm • Dcode: http://www.digital-detective.co.uk/freetools/decode.asp
  • 5. Memory Forensics - References Books: I - Windows Forensic Analysis v2, Harlan Carvey Chapter 3 – Windows Memory Analysis II - Malware Forensics – Investigating and Analyzing Malicious Code, James Aquilina, - Eoghan Casey, Cameron Malin Chapter 3 – Memory Forensics: Analyzing Physical and Process Memory Dumps and 9 – Analysis of a Suspect Program III – Computer Evidence Collection & Preservation, Christopher L.T. Brown Chapter 6 – Volatile Data and Chapter 11 – Collecting Volatile Data IV - EnCE – The Official Encase Certified Examiner Study Guide, 2nd Edition, Steve Bunting Chapter 3 – First Response and Chapter 9 – Windows Operating System Artifacts V - Undocumented Windows, chapter 4, Sven B. Schreiber VI - Windows Internals (4st editon) chapter 7, Mark Russinovich and David Salomon.
  • 6. Memory Forensics - References Papers: Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis CERT: http://www.cert.org/archive/pdf/08tn017.pdf (Cal Waits, Joseph Ayo Akinyele, Richard Nolan, Larry Rogers) Collecting Evidence from a Running Computer - SEARCH: http://www.search.org/files/pdf/CollectEvidenceRunComputer.pdf (Todd Shipley and Henry Reeve) "A Methodology for the Law Enforcement Collection of Digital Evidence from a Running Computer” Lest We Remember: Cold Boot Attacks on Encryption Keys: http://citp.princeton.edu/pub/coldboot.pdf Eletronic Crime Investigation - NIJ: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf Electronic Evidence – Guide for First Responders – http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf
  • 7. Memory Forensics - References Papers DFRWS - Digital Forensic Research Conference: Windows Operating System Agnostic Memory Analysis. James Okolica and Gilbert Peterson. http://dfrws.org/2010/proceedings/2010-306.pdf Extracting Windows Command Line Details from Physical Memory. Richard Stevens and Eoghan Casey. http://dfrws.org/2010/proceedings/2010-307.pdf A Novel Time-Memory Trade-Off Method for Password Recovery. Vrizlynn L. L. Thing and Hwei-Ming Ying. http://dfrws.org/2009/proceedings/p114-thing.pdf Extraction of Forensically Sensitive Information from Windows Physical Memory. Seyed Mahmood Hejazi, Chamseddine Talhi and Mourad Debbabi. http://dfrws.org/2009/proceedings/p121-hedjazi.pdf The Persistence of Memory: Forensic Identification and Extraction of Cryptographic Keys. Carsten Maartmann-Moe, Andre Arnes and Steffen E. Thorkildsen. http://dfrws.org/2009/proceedings/p132-moe.pdf Forensic Analysis of the Windows Registry in Memory. Brendan Dolan-Gavitt. http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf
  • 8. Memory Forensics - References Papers DFRWS - Digital Forensic Research Conference: Recovering Deleted Data From the Windows Registry. Timothy Morgan. http://www.dfrws.org/2008/proceedings/p33-morgan.pdf Forensic Memory Analysis: Files mapped in memory. Ruud van Baar. http://www.dfrws.org/2008/proceedings/p52-vanBaar.pdf The impact of Microsoft Windows pool allocation strategies on memory forensics. Andreas Schuster. http://www.dfrws.org/2008/proceedings/p58-schuster_pres.pdf BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software. Bradley Schatz. http://www.dfrws.org/2007/proceedings/p126-schatz.pdf The VAD Tree: A Process-Eye View of Physical Memory. Brendan F Dolan-Gavitt. http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf Searching for processes and threads in Microsoft Windows memory dumps. Andreas Schuster. http://www.dfrws.org/2006/proceedings/2-Schuster.pdf
  • 9. Memory Forensics - Tools 1) Virtual Machines: a) VMWare Workstation, Server or Player: http://www.vmware.com (or Virtualbox) b) Forensic VM DEFT VM: http://www.deftlinux.net/; or SIFT Workstation 2.1: https://computer-forensics2.sans.org/community/siftkit/ c) Lab VM: “ACMEXP01” 2) Free/GPL Tools: 2.01 - MoonSols Community Edition -http://www.moonsols.com/component/jdownloads/view.download/3/2 2.02 - FastDump - https://www.hbgary.com/community/free-tools/#fastdump 2.03 - FTKImager - http://www.accessdata.com/downloads.html#FTKImager 2.04 - Memoryze - http://www.mandiant.com/products/free_software/memoryze/ 2.05 - Volatility - https://www.volatilesystems.com/default/volatility 2.06 - Fget - https://www.hbgary.com/community/free-tools/#fget 2.07 - Microsoft Windows Debugger - http://www.microsoft.com/whdc/devtools/debugging/default.mspx 2.08 - LiveKD - http://technet.microsoft.com/en-us/sysinternals/bb897415.aspx 2.09 - pdgmail/pdymail - http://jeffbryner.com/code/ 2.10 - PTK - http://ptk.dflabs.com/ 2.10 - Sysinternals - http://technet.microsoft.com/en-us/sysinternals/default.aspx 2.11 - NirSoft - http://www.nirsoft.net/ 2.12 - NTSecurity - http://ntsecurity.nu/toolbox/ 3) Commercial Tools: 3.1 – AccessData FTK 4.x / 5.x 3.2 – Encase FIM/Enterprise 6.17 / Encase 7.x 3.3 – HBGary Responder Pro
  • 10. Memory Analysis vs Live Response * • Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis - CERT Cal Waits, Joseph Ayo Akinyele, Richard Nolan, Larry Rogers http://www.cert.org/archive/pdf/08tn017.pdf (2008) “Despite the drawbacks associated with volatile memory analysis, it is the authors’ opinion that volatile memory analysis will be integral to the digital investigation process going forward. (…) , the best approach is a hybrid based on situational awareness and a triage mentality. (..) Full memory analysis (and the requisite memory acquisition) should be used to augment and supplement traditional digital forensic examination when greater understanding of the running state of the machine is critical to resolving the case.”
  • 12. Memory Analysis vs Live Response http://www.cert.org/archive/pdf/08tn017.pdf
  • 13. Live Response • Tool execution to get data from the Windows O.S. While it is running: – netstat/tasklist/arp/hostname .. (native tools) – Sysinternals Tools – NirSoft Tools – FoundStone Tools – Microsoft Cofee – Helix – Etc..
  • 14. MS Cofee Decaf Computer Online Forensic Evidence Extractor arp.exe ‐a at.exe autorunsc.exe getmac.exe handle.exe ‐a hostname.exe ipconfig.exe /all msinfo32.exe /report nbtstat.exe ‐n nbtstat.exe ‐A 127.0.0.1 nbtstat.exe ‐S nbtstat.exe ‐c net.exe share net.exe use net.exe file net.exe user net.exe accounts net.exe view net.exe start net.exe Session net.exe localgroup administrators /domain net.exe localgroup net.exe localgroup administrators net.exe group netdom.exe query DC netstat.exe ‐ao netstat.exe ‐no openfiles.exe /query/v psfile.exe pslist.exe pslist.exe ‐t psloggedon.exe psservice.exe pstat.exe psuptime.exe quser.exe route.exe print sc.exe query sc.exe queryex sclist.exe showgrps.exe srvcheck 127.0.0.1 tasklist.exe /svc whoami.exe Contaminate MAC Addresses: Spoof MAC addresses of network adapters Kill Processes: Quick shutdown of running processes Shutdown Computer: On the fly machine power down Disable network adapters Disable USB ports Disable Floppy drive Disable CD-ROM Disable Serial/Printer Ports Erase Data: Quick file/folder removal (Basic Windows delete) Clear Event Viewer: Remove logs from the Event Viewer Remove Torrent Clients: Removes Azureus and BitTorrent clients Clear Cache: Remove cookies, cache, and history
  • 15. Live Response - Limitations http://decafme.org/decaf-software.html
  • 16. Other Live Response Limitations (when dealing with a technicaly savvy adversary) • These tools can be easily defeated: • Microsoft sigverif.exe. This is a GUI File Signature Verification included with all Windows installations. It will freeze after enumerating files (but before checking their signatures). • • • • signtool.exe. This is a command-line tool included with Visual Studio. signdrv.dll. The WMI provider for Signed Drivers. sigcheck.exe. The popular tool from SysInternals will freeze after printing the version banner, regardless of what options you choose. Mandiant Redline. A tool for streamlining forensic data acquisition and analysis. On live systems, it will attempt to verify driver signatures before capturing memory. Unfortunately it will freeze on step 1 and never actually get to the memory step. • Any other forensic tools or digital signature verification utilities that use the specific APIs in wintrust.dll. “To trigger the bug, all you have to do is create a file. It can be done from an administrator shell as shown below, or you can do it from shell code after an exploit” C:> echo "" > C:WINDOWSsystem32catroot2{111111111111111111111111111111111111} Source: http://mnin.blogspot.com.br/2013/06/how-to-dos-authenticodesignature.html (Michael Ligh)
  • 17. Lab – Please log into the “ACMEXP1” VM Machine: • user: “Administrator” / password: “password” – Configure your VMWare or Virtualbox to use the “host-only / private network” network configuration – Use built in Windows commands and Freeware tools to get volatile information from the system (from the command prompt – cmd.exe – c:usb) • fport/netstat -ano • Pslist/tasklist
  • 18. Lab – Please log into the Forensic VM (“SIFT 2.1” / “DEFT”) • user: “sansforensics” • password: “forensics” – Configure your VMWare or Virtualbox to use the “host-only / private network” network configuration – Use a terminal from your Forensic VM: • connect to the 666 port (using nc or telnet) to the “ACMEXP1” machine (keep the connection open) • ie: $ telnet 192.168.31.133 666
  • 19. Lab – From the ACMEXP1 machine, probe again for information about the proccesses executing and the sockets that are open with “live response” tools: • fport/netstat –ano • Pslist/tasklist – Comments ?
  • 20. Memory Forensics – A lot of data, some structure – A lot of internal memory structure is not documented – The first objective is to obtain context from artifacts and evidence found in memory dumps
  • 21. Memory Forensics – Acquisition * • executing memory • Pagefile • Hibernation file – Context • FInd offsets from the needed structures • extract structures from memory • Isolate processes – Analysis • Interation between different structures • Recovering evidence of activity
  • 22. “Memory” • • • • • • • • • • • RAM ROM Flash memory (EPROM) Cache (L1, L2) Dynamic RAM (DRAM) Static RAM (SRAM) ThumbDrives Virtual Memory Video Memory BIOS Hard Disk – Permanent Memory
  • 23. Memory • RAM: a read happens in 0.00000001 seconds (electronic) • HD: a read happens in 0.01 sec (for mecanic disks) diagram: wikipedia.org
  • 24. CPU registers, cache (10-9 seconds) 2. Kernel Memory e Physical Memory (10-8 seconds) 3. Network Connections (10-3 seconds) 4. Processes (1 second) 5. Discos Rígidos (years) 6. Floppy, Backup Tapes, CD-ROM (years) 7. Printed material (decades) order of volatility 1. http://www.ietf.org/rfc/rfc3227.txt - Guidelines for Evidence Collection and Archiving
  • 25. Informations that can be found in Memory * • • • • • • • • • • • Processes Drivers Kernel Modules Socket Information Passwords Crypto Passphrases Decrypted files Execution order Execution state Configuration Information Clipboard material • • • • • • • • • • • Logged Users Network Driver Buffers Open Files Unsaved documents Live Registry Vídeo Buffers (screen shots) BIOS Memory VOIP Calls Malicious Code IM Chats Rootkits footprint
  • 26. Physical Memory – Electronic circuits / RAM chips (random memory access), used to temporarily keep the information on execution time – Contains the current state of the computer – Hardware Perspective
  • 27. Virtual Memory – Operational System perspective – Maximum space that an process can occupy – Virtual Addresses are mapped into physical addresses
  • 28. Memory Paging • Page = fixed size block from the memory that is contiguous from the physical and virtual addresses perspectives • Its the Menor quantidade de dados para: – Memory allocation – Transfer between physical memory and swap (pagefile) • Memory Page Sizes varies depending on the architecture of the processor: – x86: 4Kb (2Mb if PAE is used) – IA64: from 4kb up to 256Mb
  • 29. Paging/Swapping – When a process will be loaded into memory, the pager manager decides which pages will be used and take only the necessary pages into memory, reducing the time and the amount of physical memory required per process. – When there is little RAM, virtual memory moves data from the physical memory space (HD) called a paging file (slows your computer). – In the Windows nomenclature, "Virtual Memory" is the space available for the paging file: – Paging file naming: » Windows 3.x: 386SPART.PAR » Windows 9x: WIN386.SWP » Windows NT: PAGEFILE.SYS
  • 30. 32/64 bit architectures limitations – Maximum virtual memory – available per process*) • 32 bit *: 4 GB = 2^32 = 4.294.967.296 bits • 64 bit: 16 TB = 2^64 = 18.446.744.073.709.551.616 bits * Since “Pentium Pro”, 32bit CPUs are capable of addressing 36 bits of RAM. But they are still limited to a virtual memory addressing of 32 bit (4GB) per proccess. http://www.microsoft.com/whdc/system/platform/server/pae/pae_os.mspx – Size limit of the page file: • 32 bit: 16 TB • 64 bit: 256 TB
  • 31. Hibernation * – The hibernation file (%SYSTEMDRIVE%hiberfil.sys) is the sum of the physical memory and the swap (pagination) memory – and is compressed. – It contains data that was present at memory from the last time that the system was “hibernated” – The hiberfil.sys file contains a header, free pages, page tables and compressed data – The system can be forced to hibernate
  • 32. maioria dos endereços de memória são virtuais todos os endereços são virtuais Windows Kernel Mode/User Mode (Virtual) Memory Manager Manages the Virtual Memory, controlling the protection and memory paging between the physical memory and the Hard Disk. Implements generic allocation of physical memory. Implements a PE analyzer (portable executables) that allows an executable file to be mapped or removed from memory in one step Process Manager Responsible for creating processes and threads
  • 33. Windows Kernel – From the Hierarchical Domain Protection standpoint, the Windows Kernel is in Ring 0 – Important: Kernel components have unrestricted access to all system
  • 34. Windows Kernel – Windows Executive manages memory, processes, threads, security, objects, I/O, network – Hardware Abstract Layer (HAL) – USER and GUI functionality – drivers provide support to (I/O) from hardware
  • 35. User mode * • Restrict access to the system (Ring 3) – Can access resources from the system via Windows APIs (kernel32.dll, ntdll.dll) • Contains: – User applications – Support processes (logon) – Service processes – Environment subsystems
  • 36. Memory Memoria (RAM) Physical Memory Windows P1 P2 P3 P4 P5 Proccess Virtual Memory Each Proccess has a Page Directory (PDE), mapping virtual address to physical address or swap addresses
  • 37. Total Logical Memory • Sum of all Virtual Memory Physical Memory 2 GB Memory (RAM) OS 4GB 4GB 4GB 4GB 4GB 4GB Virtual Memory 6 x 4GB = 24 GB <= Logical Memory
  • 38. 2 GB 0 GB Page Directory and Page Tables Physical Memory Process Virtual Memory 0 GB 4 GB 0x00C00000 – 0x00E00000 0x00CE0000 – 0x00E00000 0x00CD0000 – 0x00CDF000 PTE 0010 - 0015 0x00CE0000 – 0x00CF0000 0x00D10000 – 0x00D20000 VAD Tree The reconstruction of theVAD Tree (Virtual Adress Descriptors) allows the reconstruction of t memory space of a process togheter with all files mapped by this processele Disco Rígido HbGary
  • 39. Virtual Address Descriptors Volatility Modules: vaddump vadinfo vadwalk Dump the Vad sections to files Dump the VAD info Walk the vad tree The reconstruction of the VAD Tree (Virtual Adress Descriptors) allows the reconstruction of the memory space of a process togheter with all files mapped by this process $ python volatility vadwalk -f <path-to-image-dump> ************************************************************************ Pid: 4 Address Parent Left Right Start End Tag Flags 819c1300 00000000 00000000 81948bc0 00010000 00033fff Vad 0x00C00000 – 0x00E00000 81948bc0 819c1300 8185b008 00000000 7c900000 7c9b1fff Vad 8185b008 81948bc0 00000000 817dd0b0 00060000 00060fff Vad 817dd0b0 8185b008 00000000 00000000 00070000 0016ffff Vad ************************************************************************ Pid: 440 0x00CE0000 – 0x00E00000 0x00CD0000 – 0x00CDF000 Address 0010 - 0015 Parent Left Right Start End Tag Flags PTE 8183a210 00000000 8186b670 819806e0 48580000 4858efff Vad 8186b670 8183a210 00000000 81856080 00000000 000fffff VadS 81856080 8186b670 00000000 8184a050 00100000 00100fff VadS 8184a050 81856080 00000000 81849790 00110000 00110fff VadS 0x00CE0000 – 0x00CF0000 0x00D10000 – 0x00D20000 81849790 8184a050 00000000 81845050 00120000 0015ffff VadS 81845050 81849790 00000000 816d3030 00160000 0025ffff VadS 816d3030 81845050 00000000 816d30c0 00260000 0026ffff VadS VAD Tree
  • 40. Memory Mapping Virtual Addresses Memory Pages Unique pages for this memory block Block sizes Unreferenced Pages
  • 41. Virtual Memory Layout 4 GB Kernel Memory 2 GB • The first 2GB* of virtual memory are reserved for the Windows Kernel. They are not accessible from the userland processes. * User Memory 0 GB Except when the /3GB option is used on boot.ini [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(2)WINNT [operating systems] multi(0)disk(0)rdisk(0)partition(2)WINNT="????" /3GB
  • 42. Virtual Memory - userland 2 GB Windows system specific structures Windows System Libraries (DLLs) Windows DLLs, Application DLLs or Allocated memory DLLs or Allocated Memory Application Binary Stack Heap or allocated memory 0 GB
  • 43. Processes – Processes are containers for memory address space and threads – Own virtual memory space • Unique ID: Process ID (PID) – At least one execution thread – Security Context
  • 44. Processes • Processes are units of allocation of resources such as files, I/O, memory, privileges and run in separate address spaces • Processes are also units for scheduling threads they might be ready, waiting or running
  • 45. Memory Allocation • When the program is running, each process has its own memory address space and operating system controls this use of memory pages in physical memory (RAM) or in "virtual memory" – paging file: (%SYSTEMDRIVE%pagefile.sys) • Problem for Forensics: The mapping is not consistent (*) between versions of Windows (XP, 2000, 2003, Vista, 7) and even windows editions (Home, Pro, Enterprise) and Service Packs (0, 1, 2, 3, …) (*) Windows Operating System Agnostic Memory Analysis. James Okolica and Gilbert Peterson. http://dfrws.org/2010/proceedings/2010-306.pdf
  • 46. Virtual Memory Allocation – Programs can allocate virtual memory dynamically – The Windows Kernel use the Virtual Address Descriptors data structure (VAD Trees) to control virtual memory allocations – Memory analysis tools combine the information contained in VAD Trees with the page tables for each process
  • 47. Windows Kernel: Memory – Analysis for identification of addresses and memory pages used by processes: • EPROCESS/KPROCESS/ETHREAD – structures accessed only via kernel mode • PEB – Process Environment Block – fixed virtual address for 32bit: 0x7FFDF000 – can be accessed from user mode – Ways to verify it: • Livekd + Microsoft Windows Debugger (online) • volatiliy volshell (offline) <= SIFT 2.0+
  • 48. Windows Kernel: Memory • EPROCESS – DirectoryTableBase (DTB) – also known as PageDirectoryBase (PDB) – CreateTime – UniqueProcessId – ImageFileName – executable name – InheritedFromUniqueProcessID – Parent Process ID – PEB – Process Environment Block
  • 49. Windows Kernel: Memory Links allow the separation between processes. ie: when a proccess runs in memory it has aforward link (FLINK) and a backward link (BLINK) for processes that are located on close addresses on the memory.
  • 50. Creation and Ending of Processes * • Process Creation Triggers: • • • • • system startup actions of other processes; user actions manager actions batch jobs • Process Ending Triggers: – – – – – Normal exit Forced error Unforced error Killed by an user Killed by an process
  • 51. Creation of Processes common internal structures and commands • • • • • CreateProcess Rundll32.exe cmd.exe cmd /c command.com /c • • • • • • • • ShellExec ShellExecute ShellExecuteA WinExec Shell32.DLL exec execve system
  • 52. Threads – A Thread is a container for execution • • • • • Private storage Thread Local Storage / TLS Unique ID: Thread ID (TID) CPU states (register counters) Execution stack (stack / LIFO) Security Context
  • 53. Threads States KeInitThread Transition k stack swapped Initialized PspCreateThread KiReadyThread KiInsertDeferredReadyList KiInsertDeferredReadyList KiReadyThread Deferred Ready Ready process swapped KiRetireDpcList/KiSwapThread/ KiExitDispatcher KiProcessDeferredReadyList KiDeferredReadyThread no avail. processor KiSetAffinityThread KiSetpriorityThread Ready KiSelectNextThread KiUnwaitThread KiReadyThread Waiting Idle processor or preemption Standby preemption Affinity ok KiQuantumEnd KiIdleSchedule KiSwapThread KiExitDispatcher NtYieldExecution Affinity not ok Terminated KeTerminateThread Running Kernel Thread Transition Diagram DavePr@Microsoft.com 2003/04/06 v0.4b preemption
  • 54. Process, Thread, Job * • Process – at least one thread, can be more (multi-threaded applications) – used space in memory and resources controlled by the process • Thread – basic unit of execution – The O.S. Schedules threads for execution • Job – when the execution is controled by programs (userland) – exists on Windows since the 2000 version
  • 55. Device Drivers – Dynamic modules that are loaded into the Kernel to provide support for I/O or I/O interface with the user – Like all kernel components, drivers have unrestricted access to the system (Ring 0)
  • 56. Services – Programs (user mode) that provide functions independent of the logged user – Examples: • Task Manager • Print Spooler • Windows Update
  • 57. Windows Registry – A hierarchical database that contains configuration information • Registry on disk (windowssystem32config) • LIVE Registry (Memory) – Examples: • • • • • • Startup Settings Driver Settings Hardware Configuration Users settings Application settings Current User Settings
  • 58. Memory Forensics – Collection/Acquisition • Running memory • Page file (pagefile.sys) • Hibernation File (hiberfil.sys) – Contextualization • Isolate processes • Find necessary offsets • Extract memory structures – Analysis • interaction between structures • recovery of evidences
  • 59. Memory Forensics – Is independent of the operating system (that may be deceived) – Anti-Forensics Tools/Malware/Rootkits – Can detect malicious code that bypass other security tools such as antivirus and HIPS – The goal is to reconstruct the information from the physical layer, checking the system runtime state
  • 60. Memory Forensics – advantages – Rootkits bypass the usermode and act in kernel mode, tricking the O.S. and applications used in "Live Response" – Password in clear text in memória (ie: mimikatz) – Programs running – Open Documents / Files – Open content of compressed programs (packers) – Network Connections – current and recent – Crypto Keys (BitLocker, PGP Whole Disk Encryption, TrueCrypt, etc...) – Command Line parameters (DOSKEY/cmd.exe)
  • 61. Memory Forensics: Hacking – Always remember: do not trust on the O.S. – Memory injection attacks do not touch the disk. Hacker tools use these techniques for years: • Metasploit Framework/Meterpreter (www.metasploit.com) • Canvas (www.immunitysec.com) • Core Impact (www.coresecurity.com) – For certain attacks, there is no detection mechanism via software and the acquisition and preservation of physical memory and later offline analysis is the best approach
  • 62. “Trojan Defense” * – “I did nothing, it was the Trojan horse/backdoor” • “There was a hacker controlling my PC” – Defense used for the first time in the United Kingdom, in 2003 • Plausible deniability because LEO did not generate a physical memory image – “Law Enforcement destroyed 4GB of evidence” • 4GB = more than a million pages of paper • Objective: Analysis to prove that there was no trojan or other malicious software running on the machine to contradict this possible defense claim.
  • 63. History of process acquisition • • • • Pmdump – Arne Vidstrom Process Dumper – Tobias Klein Userdump – Microsoft Adplus.vbs – Microsoft Debugging Tools – It may be useful to generate a memory dump of a specific process of interest (MSN, GTALK, IE, FF, ...)
  • 64. Memory Acquisition via Hardware – CPU Suspension and and use of Direct Memory Access (DMA) to copy the physical memory • Tribble (2004). By Brian Carrier e Joe Grand • needs to be installed prior to data acquisition • Similar devices are useful for hardware debugging – Firewire / Thunderbolt • IEEE 1394 - Specification allows direct memory access (DMA) • Memory mapping is done by hardware • References: – Firewire: http://blogs.gnome.org/muelli/2010/04/04/reading-ram-using-firewire/ – Thunderbolt: http://www.breaknenter.org/projects/inception/ » Demo: http://www.youtube.com/watch?v=V1MBrwkB
  • 65. Memory Acquisition • Crash Dumps • Advantages: – System state is frozen – ensures that no changes are made – Microsoft provides “Microsoft Debugging Tools” and “Kernel Memory Space Analyzer” • Limitations: – Systems with more than 2GB of memory do not generate complete dumps – By default, Windows do not generate crash dumps via commands – Some windows versions do not generate complete dumps Tool: NotmyFault - Sysinternals (Mark Russinovich)
  • 66. Memory Acquisition • Memparser – Chris Betz – DFRWS 2005 • Just for Windows 2000 • http://sourceforge.net/projects/memparser/ • dd for windows – dd.exe • dd.exe if=.PhysicalMemory of=<…>memorydump.img • http://gmgsystemsinc.com/fau/
  • 67. Memory Acquisition – Nigilant32 – Agile Risk Management (GUI) – ProDiscover IR (GUI) – Problems/Limitations: (dd.exe/Nigilant32/Prodiscover IR) • Userland access to physical memory (=.PhysicalMemory) was blocked since Windows 2003 SP 1 / Windows XP SP2
  • 68. Memory Acquisition – KnTDD (George Garner) – free for LE • • • • Runs on 32 & 64 bit machines Capable of generating Microsoft Crash Dumps Local dump (usb/firewire) or remote dump (tcp/ip) Audit registry and integrity checking – MDD (Mantech) • Newer Systems (up to Vista) • Cannot acquire more than 4Gb of memory
  • 69. Memory Acquisition * • Virtualization Technologies – VMWare • VM Suspension creates .vmem file (similar to raw dump) • SnapShots – VirtualPC – Xen – Qemu
  • 70. Memory Acquisition: Hibernation * • The hibernation file (%SYSTEMDRIVE%hiberfil.sys) is the sum of the physical memory and the swap memory (or paging) - compressed. • Matthieu Suiche decoded the Windows hibernation file format (BH 2008 – “SandMan project”) – Moonsols Community Edition – hibr2bin.exe for XP, 2003, 2008 and Vista 32bits (comercial version: for 32 e 64 bit up to Windows 7)
  • 71. Forcing the Hibernation • 1) configuration Windows XP,2000,2003 » powercfg.exe /HIBERNATE on Windows Vista, 7, 2008 » powercfg.exe –h on • 2) rundll32.exe powrprof.dll,SetSuspendState Hibernate » Or you can use the GUI » or c:> psshutdown.exe –h (sysinternals binary) • <%SYSTEMDRIVE%>/hiberfil.sys is generated (overwrites previous hiberfil.sys)
  • 72. Memory Acquisition • Princeton – Cold Boot (True hibernation) – Lest We Remember: Cold Boot Attacks on Encryption Keys (2006) – http://citp.princeton.edu/pub/coldboot.pdf • DRAM submerged in liquid nitrogen ( -196 degrees Celsius) - loss of only 0.17% of the data after 60 min off the computer
  • 73. Memory Acquisition • Memoryze (Jamie Butler e Peter Silberman) – The Memoryze tool provides a batch script for the acquisition of physical memory. – cd %SystemVolume%%ProgramFiles%MandiantMemoryze” • Execute “MemoryDD.bat –output <directory_name>” – Advantage: colects at the same time the pagefile and the physical memory – To install it on a pendrive: • msiexec /a MemoryzeSetup.msi /qb TARGETDIR=<pendrive>:Memoryze
  • 74. Memory Acquisition – winen / winen64 – Guidance Software (http://www.guidancesoftware.com) – Expert Witness Format (EWF/E01)
  • 75. FTK Imager • AccessData – http://www.accessdata.com – GUI or CLI – raw format / converts from E01 to raw
  • 76. Memory Acquisition • FastDump / FastDump Pro (Greg Hoghlund) – HBGary (http://www.hbgary.com) • Includes the page file on the dump (pagefile.sys)
  • 77. Memory Acquisition • MoonSols / win32dd, win64dd, Dumpit (Matthieu Suiche) – Free (community edition) – All windows 32-64bit – Open Source – Can create windbg crash dumps – Remote acquisition using tcp sockets – Generates cryptographic Hashes (MD5/SHA1/SHA-256)
  • 78. Moonsools community edition: http://moonsols.com | http://msuiche.net README: - win32dd works for Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 32-bits Edition. - win64dd works for Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 64-bits (x64) hibr2dmp and hibr2bin only works with Microsoft Windows XP, 2003, 2008, Vista 32-bits Edition Microsoft Windows hibernation files, including corrupted hibernation files. - dmp2bin only works with Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 32-bits Edition of Microsoft full memory crash dump files. - bin2dmp works with Microsoft Windows XP, 2003, 2008, Vista 32-bits Edition raw memory snapshots (windd, VMWare -- Can also work with Live VMWare Virtual Machine but only in the Professional Edition).).
  • 82. Local Imaging Software Company/Dev eloper FastDump Community FastDump Pro WinEn MDD Memoryze Win32DD/Dumpit HBGary HBGary Guidance Software Mantech Mandiant Matthieu Suiche www.encase. com www. www.mandiant.co www.win32dd.msu Mantech.com m iche.net Web Site www.hbgary.com Licence Type Free Commercial Commercial Free Free Free 64 BIT No Yes Yes Yes Not tested Yes 4GB Limit No Yes Yes Not tested Not tested Yes  Windows 7 No Yes Yes Yes Not tested Yes Windows Server 2008 No Not tested Not tested Yes Yes Yes Windows Vista No Yes Yes Yes Yes Yes Windows XP Yes Yes Yess Yes Yes Yes source: Jon Evans
  • 83. Remote Imaging EnCase Enterprise EnCase FIM Edition Edition Web Site www.encase.com Pro-Disccover Agile Risk Management Software Company/Developer Guidance Software F-Response Tech Pathways www.fresponse.com www.techpathways.com Connectivity One to many connections One to one One to one or one One to one or one to to many many Imaging Option Yes Yes No Yes 64 BIT Yes Yes Yes No  Yes Yes Yes No Windows 7 Yes Yes Yes Yes Windows Server 2008 Yes Yes Yes Yes Windows Vista Yes Yes Yes Yes Windows XP Yes Yes Yes Yes 4GB Limit
  • 84. Memory Analysis – “old-school” – strings & grep/findstr on a memory dump to lookup for ASCII and UNICODE strings (manual carving) • Can be useful to include as a target for search indexing and/or names (documents, programs, passwords ...) • Restricted functionality by inability to differentiate the mailings and memory pages used by each process • Produces large amounts of data without contextualization
  • 85. Analysis of Physical Memory • Some artifacts that might exist in memory – Running processes – Open files – Network connections and listening ports – Open registry keys – Application information – Passwords in clear text 5-
  • 86. Analysis of Physical Memory – – – – – – – – – – – Unencrypted data Instant messenger chat sessions Document data Web based email Malware Rootkits & Trojans Internet History MFT Records Pictures Image data and time BIOS details 5-
  • 87. Linking Memory Image to Computer • Forensically speaking it is important to be able to produce repeatable processes • Therefore linking a particular memory image to a computer could be an important aspect of any analysis • This can be achieved by using a GREP expression to extract the BIOS information of the host computer from the memory dump • EnCase, SMART, FTK can all be used to carryout the search 5-
  • 88. Locating BIOS Information • The BIOS information may include; – Make – Model – Serial number • Richard McQuown (http://forensiczone.blogspot.com/search?q=bio s) posted the GREP expression on his blog to locate the BIOS details; x00x14x00x00x01x02..x03 5-
  • 89. Using GREP to locate BIOS Information • Use GREP tool GUI or Command line capable of searching binary files • Use term; x00x14x00x00x01x02..x03
  • 90. FTK Imager Searching for BIOS Information
  • 91. FTK Imager Searching for BIOS Information Results
  • 92. Memory Analysis • Pattern Matching based on regular expressions (regex) searches on process or physical memory dumps: root@SIFT-Workstation:/usr/local/src/ram-analysis# find . -iname '*.py' -ls 1728861 12 -rwxr-xr-x 1 root root 8497 Mar 16 00:05 ./pdgmail.py 1728862 16 -rwxr-xr-x 1 root root 12645 Mar 16 00:05 ./pdymail.py 82129 16 -rwxr-xr-x 1 root root 16288 Mar 16 00:14 ./pdfbook.py 82133 4 -rwxr-xr-x 1 root root 3014 Mar 8 11:38 ./skypeex/skypeex26.py
  • 93. Memory Analysis – pdgmail.py
  • 94. Analysis of memory structures • Recent (since 2003) – First Tools: DFRWS 2005, Kornblum, Carvey, .. (page 95 WFA2) – Open source and academic projects • • • • Perl scripts Hex editors macros Volatility framework – http://www.volatilesystems.com Memoryze – http://www.mandiant.com
  • 95. Volatility The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibilty into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
  • 96. Volatility Capabilities The Volatility Framework currently provides the following extraction capabilities for memory samples • • • • • • • • • • • • • • Image information (date, time, CPU count) Running processes Process SIDs and environment variables Open network sockets Open network connections DLLs loaded for each process Open handles to all kernel/executive objects (files, keys, mutexes) OS kernel modules Dump any process, DLL, or module to disk Mapping physical offsets to virtual addresses Virtual Address Descriptor information Addressable memory for each process Memory maps for each process Extract executable samples • • • • • • • • • • • • Scanning examples: processes, threads, sockets, connectio modules Command histories (cmd.exe) and console input/output b Imported and exported API functions PE version information System call tables (IDT, GDT, SSDT) API hooks in user- and kernel-mode (inline, IAT, EAT, NT sys winsock) Explore cached registry hives Dump LM/NTLM hashes and LSA secrets User assist and shimcache exploration Scan for byte patterns, regular expressions, or strings in m Analyze kernel timers and callback functions Report on windows services
  • 97. Volatility Usually you run “vol.py” to execute volatility, but on the Linux VM we have 3 versions of volatility installed (* 1.3, 2.2 and 2.3) For this reason, to execute each version please type: $ “volatility” for 1.3 $ volatility-2.2 for 2.2 $ volatility-2.3 for 2.3
  • 98. Volatility Commands $ volatility-2.3 --info Volatile Systems Volatility Framework 2.3_beta Profiles -------LinuxEvo4GARM - A Profile for Linux Evo4G ARM MacLion_10_7_5_AMDx64 - A Profile for Mac Lion_10.7.5_AMD x64 VistaSP0x64 - A Profile for Windows Vista SP0 x64 VistaSP0x86 - A Profile for Windows Vista SP0 x86 VistaSP1x64 - A Profile for Windows Vista SP1 x64 VistaSP1x86 - A Profile for Windows Vista SP1 x86 VistaSP2x64 - A Profile for Windows Vista SP2 x64 VistaSP2x86 - A Profile for Windows Vista SP2 x86 Win2003SP0x86 - A Profile for Windows 2003 SP0 x86 Win2003SP1x64 - A Profile for Windows 2003 SP1 x64 Win2003SP1x86 - A Profile for Windows 2003 SP1 x86 Win2003SP2x64 - A Profile for Windows 2003 SP2 x64 Win2003SP2x86 - A Profile for Windows 2003 SP2 x86 Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64 Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64 Win2008SP1x64 - A Profile for Windows 2008 SP1 x64 Win2008SP1x86 - A Profile for Windows 2008 SP1 x86 Win2008SP2x64 - A Profile for Windows 2008 SP2 x64 Win2008SP2x86 - A Profile for Windows 2008 SP2 x86 Win7SP0x64 - A Profile for Windows 7 SP0 x64 Win7SP0x86 - A Profile for Windows 7 SP0 x86 Win7SP1x64 - A Profile for Windows 7 SP1 x64 Win7SP1x86 - A Profile for Windows 7 SP1 x86 WinXPSP1x64 - A Profile for Windows XP SP1 x64 WinXPSP2x64 - A Profile for Windows XP SP2 x64 WinXPSP2x86 - A Profile for Windows XP SP2 x86 WinXPSP3x86 - A Profile for Windows XP SP3 x86
  • 99. Volatility Roadmap • Volatility 2.1 (Official x64 Support) • RC1: July 8, 2012 Release: August 3, 2012 • • • • • • • • • • • • • • • • * New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64) * Majority of Existing Plugins Updated with x64 Support * Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21) * WindowsHiberFileSpace32 Overhaul (also includes x64 Support) * Now supports the following profiles: o Windows XP SP1, SP2 and SP3 x86 o Windows XP SP1 and SP2 x64 (there is no SP3 x64) o Windows Server 2003 SP0, SP1, and SP2 x86 o Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64) o Windows Vista SP0, SP1, and SP2 x86 o Windows Vista SP0, SP1, and SP2 x64 o Windows Server 2008 SP1 and SP2 x86 (there is no SP0) o Windows Server 2008 SP1 and SP2 x64 (there is no SP0) o Windows Server 2008 R2 SP0 and SP1 x64 o Windows 7 SP0 and SP1 x86 o Windows 7 SP0 and SP1 x64 • • • • • * Plugin Additions o Printing Process Environment Variables (envvars) o Inspecting the Shim Cache (shimcache) o Profiling Command History and Console Usage (cmdscan, consoles) o Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp)
  • 100. Volatility Roadmap • Volatility 2.2 (Official Linux Support) • RC1: Sept 10, 2012 Release: Oct 2, 2012 • • • • • • * Linux Support (Intel x86, x64) kernels 2.6.11 - 3.x * Over 25+ Linux plugins * Windows win32k suite (14+ plugins, classes, algorithms and APIs for analyzing GUI memory) * New or Updated Plugins o eventlogs o getservicesids • Volatility 2.3 (Official Mac/Android/ARM Support) • RC1: N/A Release: June 2013 • • • • • • • • • • • • • • • • • • * Mac Support (x86, x64) * Android/Arm Support * New Address Spaces (VMWareSnapshotFile, VirtualBoxCoreDumpElf64, HpakAddressSpace, MachOAddressSpace) * New or Updated Plugins o shellbags o mbr/vbr parser o mftparser o dumpfiles o iehistory * Plugin Enhancements o Verbose details for kdbgscan and kpcrscan o idt/gdt/timers plugins cycle automatically for each CPU o apihooks detects LSP/winsock procedure tables * New Output Formatting Support (Table Rendering) * New Mechanism for Profile Modifications * New Registry API Support * New Volshell Commands * Updated Documentation and Command Reference
  • 101. • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • Volatility Roadmap Volatility 3.0 (Official Tech Preview Merge) - RC1: Late 2013 Release: Late 2013 * A refactor and clean up of the vtype language/profiles/object system * Plugin management and the session object * Interactive IPython shell * Unified Plugin Output Format (+ JSON renderers) * Updated Registry Hive and PE File Address Spaces * Performance Profiling and Regression Testing Framework * Updates to Config System * Improved Framework Support (Use as a Library) * Application Profiles and WOW64 * Addition of Windows 8/Server 2012 Support/Testing * New or Updated Plugins o privileges o pktscan o cachedump o dnscache o stack, heaps * x64 Updates to Malware Plugins (timers, callbacks, idt/gdt, apihooks) * Pool Scanner Updates * Unicode improvements * KDBG/DTB Improvements * Profile Selection Enhancements Volatility Future * Update to Python 3.0 * Updates to PDBParse * PyVmiAddressSpace * Pagefile.sys * support single process dumps * Multiprocessing module * Performance profiling (C modules for some functions?)
  • 102. Volatility stable / Internal Commands
  • 104. SANS SIFT 2.x > PTK > Memory
  • 105. LAB – Live vs Offline Memory Analysis: Vmware – VM “AcmeXP1” User: “Administrator”, Password: “password” Live Response: fport /foundstone:
  • 106. Lab Live Response: pstools / sysinternals-microsoft:
  • 107. Lab Volatility – SIFT Workstation 2.0: ident (volatility 1.3) imageinfo (volatility 2.x)
  • 108. Lab * Volatility – SIFT Workstation 2.0: pslist / pstree
  • 109. Lab * python volatility connscan –f <memory-image.bin>
  • 110. Lab python volatility sockscan –f <memory-image.bin>
  • 111. Lab * python volatility procdump –f <memory-image.bin> -p <pid>
  • 112. Lab – procdump (1.3) / procexedump & procmemdump (2.3) “..changes between the in-memory representation of the file and the disk representation the file” “Visualizing Recovered Executables from Memory Images” http://jessekornblum.livejournal.com/294997.html
  • 113. Lab – malfind2 * Detect hidden and injected code
  • 114. Lab : Conclusion * • Offline memory analysis generates identical or better information and is less invasive than "live response“ • Process and established connections review through the memory dump analysis enables more data recovery • This is true even when the machine has usermode and kernel mode rootkits installed
  • 115. Lab : Hash Dump Goal: to Transform the hibernation file on a memory dump and recover user passwords Obtaining the hibernation file: With the machine off: traditional disk Forensics: Boot with usb or CD / linux Live (helix/caine/deft/etc..) or extract hiberfil.sys from a .DD or .E01 image (ftkimager/encase/etc..) With the machine on : FGET.exe HBGARY Convert the hibernation file to a memory dump (raw): using Volatility: python volatility hibinfo –f <path-to-hiberfil.sys> -d <hiberfil.memory.img> using Moonsols: hibr2bin.exe <path-to-hiberfil.sys> -d <hiberfil.memory.img>
  • 116. Lab – Volatility & RegRipper – Steps: • Find the registry hive locations on memory • find and dump the SAM e SYSTEM hives • crack the users passwords – Volatility modules used: • hivescan, hivelist, hashdump
  • 117. Lab – Finding the registry hives in memory (Volatility Hivescan) root@SIFT-Workstation:/media/usb# /usr/bin/python /usr/local/bin/volatility hivescan -f fdpro_dump/20100817_fdpro_acmexp_dump.bin Offset (hex) 34267144 0x20ae008 34289480 0x20b3748 38249752 0x247a518 76358936 0x48d2518
  • 118. Lab Identifying which hives are present on this memory addresses: root@SIFT-Workstation:/media/usb# /usr/bin/python /usr/local/bin/volatility hivelist -f fdpro_dump/20100817_fdpro_acmexp_dump.bin -o 0x20ae008 Address Name 0xe107b7b0 Documents and SettingsAdministratorLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat 0xe1069b60 Documents and SettingsAdministratorNTUSER.DAT 0xe198c720 Documents and SettingsLocalServiceLocal SettingsApplication DataMicrosoftWindowsUsrClass.dat 0xe14ab008 WINDOWSsystem32configsoftware 0xe18086b8 WINDOWSsystem32configdefault 0xe17c9888 WINDOWSsystem32configSAM 0xe1808b60 WINDOWSsystem32configSECURITY 0xe139c518 [no name] 0xe1019748 WINDOWSsystem32configsystem 0xe1013008 [no name]
  • 119. Lab • Dumping the hashes usig the SYSTEM e SAM offsets root@SIFT-Workstation:/media/usb# /usr/bin/python /usr/local/bin/volatility hashdump -f fdpro_dump/20100817_fdpro_acmexp_dump.bin -y 0xe1019748 -s 0xe17c9888 Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:b4d242a1cdc59680a8d465842d29c2a2:84ee8679c50437e502ae9b1c8e5f4285::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:edf2c0cd26a166c903a857f3785b043c:::
  • 120. Lab (with volatility 2.3) $ volatility-2.3 hivelist -f ACMEXP1-20130822-045704.raw Volatile Systems Volatility Framework 2.3_beta Virtual Physical Name ---------- ---------- ---(…) 0xe17c6008 0x07547008 DeviceHarddiskVolume1WINDOWSsystem32configSAM 0xe101a848 0x020d6848 DeviceHarddiskVolume1WINDOWSsystem32configsystem (...) $ volatility-2.3 hashdump -f ACMEXP1-20130822-045704.raw -y 0xe101a848 -s 0xe17c6008 Volatile Systems Volatility Framework 2.3_beta Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:b4d242a1cdc59680a8d465842d29c2a2:84ee8679c50437e502ae9b1c8e5f4285::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:edf2c0cd26a166c903a857f3785b043c::: SUPPORT_388945a1:1005:d687124ff5986a06aad3b435b51404ee:76090b810398cfb9d5ec00d7aae43e4c:::
  • 121. Lab: all steps... # /usr/bin/python /usr/local/bin/volatility hivescan -f fdpro_dump/20100817_fdpro_acmexp_dump.bin Offset 34267144 76358936 (hex) 0x20ae008 (…) # /usr/bin/python /usr/local/bin/volatility hivelist -f fdpro_dump/20100817_fdpro_acmexp_dump.bin -o 0x20ae008 Address (...) 0xe17c9888 0xe1808b60 0xe1019748 (...) Name WINDOWSsystem32configSAM WINDOWSsystem32configSECURITY WINDOWSsystem32configsystem # /usr/bin/python /usr/local/bin/volatility hashdump -f fdpro_dump/20100817_fdpro_acmexp_dump.bin -y 0xe1019748 -s 0xe17c9888 Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c::: (…) SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:edf2c0cd26a166c903a857f3785b043c:::
  • 122. Lab * • Cracking the hashes using RainbowTables • Offline – OphCrack / rcrack / PRTK-DNA / EDPR / Passware • Online: – http://www.onlinehashcrack.com – http://www.objectif-securite.ch/en/products.php?hash=<hash>#Demo The volatility plugins used on this lab were developed by Brendan Dolan-Gavitt: http://moyix.blogspot.com
  • 125. Lab: Live Registry root@SIFT-Workstation:/usr/local/src/volatility# perl rip.pl -r /media/usb/fdpro_dump/20100817_fdpro_acmexp_dump.bin@0xe17c9888 -f sam Parsed Plugins file. Launching samparse v.20080415 User Information ------------------------Username : Administrator [500] Full Name : User Comment : Built-in account for administering the computer/domain Last Login Date : Fri Aug 13 21:47:26 2010 Z Pwd Reset Date : Wed Jun 27 22:54:58 2007 Z Pwd Fail Date : Fri Aug 13 00:59:01 2010 Z Login Count : 55 --> Password does not expire (...)
  • 126. Lab: Photorec with mounted memory image • PhotoRec Is an open source file recovery (aka carving) program • Recovers video, photos, documents, archive files and EXE files from volumes and physical disks • A memory image needs to be mounted as a physical device (ie FTK Imager) to perform a search • Can also be run against running memory using F-Response Site: http://www.cgsecurity.org/wiki/PhotoRec
  • 135. Lab: FTK 4.x (5.x) Remote (Mem)
  • 136. Bonus – Volatility consoles root@SIFT-Workstation:/cases/01/MEMORYDUMP# volatility2 -f ACMEXP1-20130815-051322.raw consoles Volatile Systems Volatility Framework 2.2 ************************************************** ConsoleProcess: csrss.exe Pid: 496 Console: 0x4e2820 CommandHistorySize: 50 HistoryBufferCount: 1 HistoryBufferMax: 4 OriginalTitle: C:usbDumpIt.exe Title: C:usbDumpIt.exe AttachedProcess: DumpIt.exe Pid: 1692 Handle: 0x3f4 ---CommandHistory: 0x4e4fd8 Application: DumpIt.exe Flags: Allocated CommandCount: 0 LastAdded: -1 LastDisplayed: -1 FirstCommand: 0 CommandCountMax: 50 ProcessHandle: 0x3f4 ---Screen 0x1307750 X:80 Y:300 Dump: DumpIt - v1.3.2.20110401 - One click memory memory dumper Copyright (c) 2007 - 2011, Matthieu Suiche <http://www.msuiche.net> Copyright (c) 2010 - 2011, MoonSols <http://www.moonsols.com> Address space size: 268435456 bytes ( 256 Mb) Free space size: 6060228608 bytes ( 5779 Mb) * Destination = ??C:usbACMEXP1-20130815-051322.raw --> Are you sure you want to continue? [y/n] y + Processing...
  • 137. Bonus - Stuxnet analysis with Volatility How To: http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html Or Stuxnet Memory Dump: /cases/01/MEMORYDUMP/stuxnet.vmem SHA256: 5f19ff1333fc3901fbf3fafb50d2adb0c495cf6d33789e5a959499a92aeefe77 Commands: volatility (1.3) and volatility2 (2.2)
  • 138. Bonus - SilentBanker (IE Dll injection) Analysis • http://www.youtube.com/watch?v=ejvqjXv9n wM
  • 139. Bonus – MacOSX, Linux and Android memory Analysis 1.1: The OSX profiles can be found here: https://code.google.com/p/volatility/downloads/detail?name=MacProfilesAll.zip. We used to have a 10.8.3 x64 sample online, but it seems to have been misplaced (link is 404). Give me a day or two to ping some people and see if they have a copy and if so I'll re-upload it and let you know. 1.2: I believe you'll have to contact osxreverser for the sample, its not available publicly to the best of my knowledge. 2.1: The avgcoder sample can be downloaded from http://secondlookforensics.com/linux-memory-images/centos-6.3-x86_64-LiveDVD-avgcoder.mem.bz2. The profile to work with the sample is http://code.google.com/p/volatility/downloads/detail?name=CentOS63.zip. 2.2. The android sample can be downloaded from http://dfrws.org/2012/Rodeo2012.tgz. The Volatility profile is also inside. Just copy Evo4G.zip into your volatility/plugins/overlays/linux directory.
  • 140. Bonus - Linux https://code.google.com/p/volatility/wiki/LinuxMemoryForensics Bash History: $ volatility2 -f centos-6.3-x86_64-LiveDVDavgcoder.mem --profile=LinuxCentOS63x64 linux_bash -H 0x6e0950 linux_arp - Print the ARP table linux_bash - Recover bash history from bash process memory linux_check_afinfo - Verifies the operation function pointers of network protocols linux_check_creds - Checks if any processes are sharing credential structures linux_check_fop - Check file operation structures for rootkit modifications linux_check_idt - Checks if the IDT has been altered linux_check_modules - Compares module list to sysfs info, if available linux_check_syscall - Checks if the system call table has been altered linux_cpuinfo - Prints info about each active processor linux_dentry_cache - Gather files from the dentry cache linux_dmesg - Gather dmesg buffer linux_dump_map - Writes selected memory mappings to disk linux_find_file - Recovers tmpfs filesystems from memory linux_ifconfig - Gathers active interfaces linux_iomem - Provides output similar to /proc/iomem linux_lsmod - Gather loaded kernel modules linux_lsof - Lists open files linux_memmap - Dumps the memory map for linux tasks linux_mount - Gather mounted fs/devices linux_mount_cache - Gather mounted fs/devices from kmem_cache linux_netstat - Lists open sockets linux_pidhashtable - Enumerates processes through the PID hash table linux_pkt_queues - Writes per-process packet queues out to disk linux_proc_maps - Gathers process maps for linux linux_psaux - Gathers processes along with full command line and start time linux_pslist - Gather active tasks by walking the task_struct->task list linux_pslist_cache - Gather tasks from the kmem_cache linux_pstree - Shows the parent/child relationship between processes linux_psxview - Find hidden processes with various process listings linux_route_cache - Recovers the routing cache from memory linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache linux_slabinfo - Mimics /proc/slabinfo on a running machine linux_tmpfs - Recovers tmpfs filesystems from memory linux_vma_cache - Gather VMAs from the vm_area_struct cache
  • 141. Bonus - MacOSX RootKit $ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64 mac_psxview $ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64 mac_lsmod $ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64 mac_check_syscalls |grep HOOKED Volatile Systems Volatility Framework 2.3_beta SyscallTable 222 0xffffff7f807ff41d HOOKED SyscallTable 344 0xffffff7f807ff2ee HOOKED SyscallTable 397 0xffffff7f807ffa7e HOOKED calls: (getdirentriesattr) (getdirentries64) (write_nocancel) http://volatility-labs.blogspot.com.br/2013/06/movp-ii-45-mac-volatility-vs-rubilyn.html
  • 142. Bonus - MacOSX password dumper • https://github.com/juuso/keychaindump Keychaindump is a proof-of-concept tool for reading OS X keychain passwords as root. It hunts for unlocked keychain master keys located in the memory space of the securityd process, and uses them to decrypt keychain files. $ sudo ./keychaindump [*] Searching process 15 heap range 0x7fa809400000-0x7fa809500000 (..) [*] Searching process 15 heap range 0x7fa80a900000-0x7fa80ac00000 [*] Found 17 master key candidates [*] Trying to decrypt wrapping key in /Users/juusosalonen/Library/Keychains/login.keychain (…) [*] Trying master key candidate: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a [+] Found master key: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a [+] Found wrapping key: e9acc39947f1996df940fceb1f458ac74b877579f54409b7 xxxxxxx:192.168.1.1:xxxxxxx xxxxxxx@gmail.com:login.facebook.com:xxxxxxx xxxxxxx@gmail.com:smtp.google.com:xxxxxxx xxxxxxx@gmail.com:imap.google.com:xxxxxxx xxxxxxx:twitter.com:xxxxxxx xxxxxxx@gmail.com:www.google.com:xxxxxxx
  • 143. Bonus - Android Memory Forensics • Acquisition – LiME () • Analysis: – List all the executed processes: • $ volatility-2.3 --profile=LinuxEvo4GARM -f Evo4GRodeo.lime linux_pslist_cache – List opened / mapped files: • $ volatility-2.3 --profile=LinuxEvo4GARM -f Evo4GRodeo.lime linux_dentry_cache – List mount points: • $ volatility-2.3q --profile=LinuxEvo4GARM -f Evo4GRodeo.lime linux_mount_cache • TIP: adding the “–u” option to the command and you get the previous executed processes, previous opened files and mount points that previously existed on the Android system.
  • 144. Bonus - Zeus Banking Trojan Analysis http://malwarereversing.wordpress.com/2011/0 9/23/zeus-analysis-in-volatility-2-0/
  • 145. Bonus - Recovering Twitter and Facebook artifacts from the Memory Jeff Bryner with the Facebook and Twitter artifact extraction Description: This submission provides plugins for carving Twitter and Facebook artifacts from a process' address space. This is accomplished by scanning the address space for the json/html structures that are used by the social media applications. Examples of information extracted include: Twitter direct messages, identifying user information, Facebook direct messages, etc. Download Link: www.volatilityfoundation.org/contest/2013/JeffBryner_FacebookTwitter.zip Related Links: https://github.com/jeffbryner/volatilityPlugins http://www.youtube.com/watch?v=K_gBpdK936o Author's Twitter: @0x7eff
  • 146. Bonus - Lab: Twitter $ volatility-2.3 -f twitter-ACMEXP1-20130822-064258.raw twitter –p 2536 Volatile Systems Volatility Framework 2.3_beta searching for browser processes... found browser pid: 3684, chrome.exe examining 35917410 bytes twitter cookie found for userid:1690220420 found browser pid: 2536, chrome.exe examining 45819060 bytes 11 s (Thu Aug 22 06:42:41 2013) @suffert Sandro Sffert DM: You are a strang being Sergio. If you think this is cool. But I'm glad to help, anyway. 1 m (Thu Aug 22 06:40:19 2013) Sent AuthorImage: https://twimg0a.akamaihd.net/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg DM: Hi Suffert, how are you my friend? 1 m (Thu Aug 22 06:41:04 2013) Received AuthorImage: https://twimg0-a.akamaihd.net/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg DM: Very well Sergio, I'm a little busy right now, but tell me, how can I help you? agora (Thu Aug 22 06:42:14 2013) Sent AuthorImage: https://twimg0a.akamaihd.net/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg DM: I am testing a new volatility plugin that extracts the JSON information from twitter directly from a memory dump, cool right? 2 m (Thu Aug 22 06:40:19 2013) Sent AuthorImage: https://si0.twimg.com/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg DM: Hi Suffert, how are you my friend? 1 m (Thu Aug 22 06:41:04 2013) Received AuthorImage: https://si0.twimg.com/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg DM: Very well Sergio, I'm a little busy right now, but tell me, how can I help you? 39 s (Thu Aug 22 06:42:14 2013) Sent AuthorImage: https://si0.twimg.com/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg DM: I am testing a new volatility plugin that extracts the JSON information from twitter directly from a memory dump, cool right? 12 s (Thu Aug 22 06:42:41 2013) Received AuthorImage: https://si0.twimg.com/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg DM: You are a strang being Sergio. If you think this is cool. But I'm glad to help, anyway. 195.831911087 seconds How to Convert “User_id” to username => https://twitter.com/intent/user?user_id=1690220420
  • 147. Bonus - Facebook $ volatility-2.3 fb-ACMEXP1-20130822-064258.raw facebook –p 2536
  • 148. Bonus - Linux RootKit $ volatility_2.2 -f centos-6.3-x86_64-LiveDVD-avgcoder.mem --profile=LinuxCentOS63x64 linux_find_file -F /var/run/utmp Volatile Systems Volatility Framework 2.2 Inode Number Inode ---------------- -----------------130564 0x88007a85acc0 $ volatility-2.2 -f centos-6.3-x86_64-LiveDVD-avgcoder.mem --profile=LinuxCentOS63x64 linux_check_fop -i 0x88007a85acc0 (...) $ volatility-2.2 -f centos-6.3-x86_64-LiveDVD-avgcoder.mem --profile=LinuxCentOS63x64 linux_check_fop (...) http://volatility-labs.blogspot.com.br/2012/09/movp-14-average-coder-rootkit-bash.html
  • 149. Bonus - Extracting network packets from memory $ volatility-2.3 -f twitter-ACMEXP1-20130822-064258.raw ethscan Volatile Systems Volatility Framework 2.3_beta Checking next buffer 0xe774 Packets Found: 1 Ethernet: Src: (00:50:56:e0:09:13) Dst: (00:0c:29:ec:42:16) Type: IPv4 (0x0800) IPv4: Src: 199.59.149.230:47873 Dst: 192.168.117.128:54276 Protocol: TCP (6) Packet Size: (657) Bytes 0x00000000 00 0c 29 ec 42 16 00 50 56 e0 09 13 08 00 45 00 ..).B..PV.....E. 0x00000010 02 83 93 1f 00 00 80 06 12 0b c7 3b 95 e6 c0 a8 ...........;.... 0x00000020 75 80 01 bb 04 d4 7e 39 7e a5 79 b8 8c 5b 50 18 u.....~9~.y..[P. 0x00000030 fa f0 56 92 00 00 17 03 01 01 ba 1f 6d d0 25 8a ..V.........m.%. 0x00000040 49 83 5d 39 82 77 b6 31 52 a1 f2 a4 62 9d bf cd I.]9.w.1R...b... 0x00000050 19 ff 7a 0c 2b bf df 2e 84 b4 36 69 35 e2 db 39 ..z.+.....6i5..9 0x00000060 b2 71 ab 11 a1 21 45 7f 58 40 a5 d0 f1 6c 36 a6 .q...!E.X@...l6. 0x00000070 f0 f5 10 7b 30 45 0f 10 4c 6b 42 62 61 90 79 8e ...{0E..LkBba.y. 0x00000080 c9 94 46 92 b2 49 8d 1c f9 f6 5f d0 3d 7b ed cb ..F..I...._.={.. 0x00000090 bf 5b 4d 04 fe 35 60 ac 9a 44 13 51 35 d2 31 f5 .[M..5`..D.Q5.1.
  • 150. Bonus - Memdump.bin $ volatility connscan -f memdump.bin root@SIFT-Workstation:/cases/01/MEMORYDUMP/memdump# ^C root@SIFT-Workstation:/cases/01/MEMORYDUMP/memdump# volatility connscan -f memdump.bin Local Address Remote Address Pid ------------------------- ------------------------- -----192.168.56.103:1084 192.168.56.103:1076 192.168.56.103:1081 192.168.56.103:1079 192.168.56.10:389 58.64.132.141:80 192.168.56.10:445 58.64.132.141:80 320 1072 1184 1072 http://blog.handlerdiaries.com/?p=12
  • 151. Bonus - Volatility: volshell.py • http://kurtz.cs.wesleyan.edu/~bdolangavitt/memory/omfw-notes.txt
  • 152. Advanced Malware Analysis and Memory Forensics Training • • • • 5 days of intense hands-on training by the Volatility Development Team 1200+ slides, 150+ page lab guide, exclusive plugins and tools Amsterdam 9/2013 [sold out], Reston VA 11/2013 [available] Keep an eye on http://volatility-labs.blogspot.com and @volatility for 2014 events (including one in Brazil! ;) • Email voltraining@memoryanalysis.net for a detailed course outline • Discounts for full-time students, law enforcement, and government employees • See http://volatility-labs.blogspot.com/2013/06/the-perfect-combinationof-ir-malware.html for student feedback • (http://volatility-labs.blogspot.fr/2013/08/results-are-in-for-1stannual.html)
  • 153. Other alternatives to Live Respose and Memory Forensics: HotPlug by WiebieTech: https://www.youtube.com/watch?v=eraq4TO_a3z8
  • 154. Thank you Sandro Süffert - http://suffert.com CTO, APURA CyberSecurity Intelligence http://apura.com.br/en | twitter: @suffert