Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced Malware
1. Session ID:
Session Classification:
Andrew Case
The Volatility Project
HTA-W22
Advanced
Memory Forensics:
Defeating Disk Encryption,
Skilled Attackers, and
Advanced Malware
2. âș Showcase the power of memory forensics
âș Distinguish memory forensics from disk forensics
âș Show why live forensics is futile and should be replaced
with offline memory forensics
Purpose of This Presentation
3. âș Memory forensics is the analysis of captures (samples)
of physical memory (RAM) for artifacts relevant to an
investigation
âș Requires modeling of the operating systemâs data
structures and algorithms offline in order to recreate
state at the time of the capture
What is Memory Forensics?
4. âș Traditional forensics only looks at disk images
âș This misses information never written to disk
âș Network connections, memory allocations, running processes,
open file lists, and much more
âș Skilled attackers know to avoid the disk and securely
clean up any on-disk artifacts
Why We *Need* Memory Forensics
5. âș Malware can trivially defeat live analysis
âș Live analysis is running tools built into the OS to gather volatile
data (the general sysadmin/IR response)
âș Malware can lie to any and all userland and even in-kernel tools
âș Advanced malware only operates in memory
âș Never touches the disk, all network traffic encrypted
âș Good luck without memory forensics!
Why Cont.
7. âș Most popular memory analysis framework
âș Open source, written in Python
âș Supports Windows {XP, Vista, 7, 2003, 2008} x86/x64
âș Supports Linux on Intel and ARM (Android)
âș Supports Mac 10.5.x-10.8.x x86/x64
âș Allows for analysis plugins to be easily written
âș Used daily in real forensics investigations
Volatility
8. âș A profile is set of vtypes and (optionally) symbol
addresses that are used to model a particular OS
version
âș This is what allows Volatility plugins to be generic to all
the different versions of Windows, Linux, Mac, etc
Volatility Terminology - Profiles
9. âș Address spaces are used to translate virtual addresses
into physical offsets
âș Intel x86, x86 PAE, x86-64
âș ARM
âș They also prevent the need to convert all memory
captures to a linear format
âș Crash dumps
âș Hibernation files
âș VMware vmss
âș Lime
âș Mac Memory Reader
âș MoreâŠ
Volatility Terminology â Address Spaces
10. âș List and recover processes, network connections,
drivers, file systems, and much more
âș Detect malware in both userland and the kernel
âș We will be using Volatility to recover artifacts throughout
the presentation
Volatility Capabilities
12. âș Determine system effects
âș Uncover processes, network connections, drivers, etc
that are âhiddenâ by malware
âș Acquire the unpacked/unencrypted malware in memory
Malware Analysis Capabilities
13. âș A running system builds a process list by using APIs that
eventually traverse the PsActiveProcessHead list
âș This logic is performed by the pslist plugin
âș Rootkits break processes from this list to hide themselves
âș Pool scanning for EPROCESS structures can find these
hidden processes
âș This is performed in the psscan plugin
âș POC rootkits exist to defeat this by pool header tampering
Finding (Hidden) Processes
14. âș Volatilityâs psxview plugin can detect all known process
hiding techniques by enumerating from many sources
âș A number of these sources are not documented except for in
Volatility
Finding (Hidden) Processes Cont.
16. âș Each process has three lists that track its loaded DLLs
âș Process explorer and other live tools focus on one of the
lists (load order)
âș Malware commonly breaks this list to avoid detection
âș Flame is a popular and high-profile example [2]
âș ldrmodules cross references the three lists with VAD
information for mapped files
Hiding Loaded DLLs
18. âș malfind looks for pages with suspicious protection bits
set (e.g. RWX)
âș The following code injection/hiding techniques are all
detected by malfind:
âș Remote Library Injection
âș Remote Shellcode Injection
âș Reflective DLL loading
Detecting Common Code Hiding Techniques
21. âș Technique:
âș Overwrite the beginning of API functions in order to redirect
control flow
âș Allows the malware to hide virtually any data from userland tools
and even some in-kernel monitors
âș The apihooks plugin detects API hooks
âș Performs static analysis on the beginning instructions of
functions
API Hooking
23. âș The binaries (.exe, .dll, .sys, etc) involved with malicious
processes and drivers can be dumped to disk for
analysis
âș Volatility can also be used to acquire the unpacked
version of malware samples from memory
âș Run sample, take memory capture, acquire executable
Dumping Processes to Disk
24. âș Instead of actively hooking functions in the kernel to
determine when certain events occur, there is a much
safer, passive option
âș You can "register" a function to be called by the system
âș Every time the event occurs, your function is called
Kernel Callbacks
25. âș Process related
âș Activated on process/thread creation, executable loading, etc
âș Used to inject DLL into processes on startup and to stop
processes from starting
âș Used by Mebroot, BlackEnergy, Rustock, TDL
âș File system
âș Activated on new file system registration
âș TDL3 infects MBR and uses callback to know when FS is
mounted
âș Stuxnet uses to attach to device stack to hide its files
Malware Targeted Callbacks
26. âș Bugcheck
âș Activated when machine is crashing (BSOD, crash dumping
being written)
âș Rustock.C cleans itself from memory before a crash dump is
written
âș Sinowal ensures the MBR is still infected before shutting down
after a BSOD
âș Registry
âș Activated on modifications to the registry, the callback can
monitor, block, or modify the operation
âș Malware uses to prevent persistence methods inside the registry
(run keys, etc) from being modified/deleted
Targeted Callbacks Cont.
28. âș Besides malware, we also want to recover actions
performed directly by attackers
âș Most of the artifacts used to recover this data are not written to
disk
âș Volatility has many capabilities for this purpose that span
across its supported operating systems
âș We will discuss capabilities not covered in the malware
section
Skilled Attackers
29. âș cmdscan/consoles
âș Plugins that can recover both the input and output of cmd.exe
sessions
âș bash_history/bash_hash
âș Plugins that can recover commands entered on a system and
when they were entered as well as the number of times each
binary was executed
Attacker Keyboard Input/Interaction
30. âș List files/handles opened by each process on a system
âș Determine which files, processes, registry keys, IPC
data, etc were being interacted with by a process
âș On Linux socket handles are just file descriptors
Opened Handles/Files
31. âș Can recover loaded kernel drivers
âș Can uncover âhiddenâ drivers through a combination of
memory scanning and cross-referencing
âș Windows
âș modules & modscan
âș Linux
âș linux_lsmod & linux_check_modules
Kernel Drivers/Modules
32. âș Can list both active connections (e.g. recreate netstat
output) as well locate previously terminated network
connection structures
âș On Linux we can also recover previously sent and
received packets and trace them to their owning process
Network Connections
33. âș Volatility can recover filesystem information from
memory including both metadata and file contents
âș Windows - mftparser
âș Recovers and parses the MFT for every active NTFS file system
âș Output includes metadata for all files and contents for resident
files
âș Linux â linux_find_file
âș Parses any standard (non-stacked) file system from memory and
dumps the file system to disk
âș tmpfs (/dev/shm) lives only in memory!
File systems in Memory
34. âș Volatility can recover privileges assigned to a process
âș Help determine what level of access the attacker and/or
malware gained on your system
Process Privileges
37. âș All major software encryption systems store encryption
keys in memory
âș The key is used to decrypt file data being read and
encrypt file data being written
âș Memory forensics can recover these keys
Software-Based Encryption
38. âș The following have tools and techniques published to
recover keys from memory:
âș Truecrypt
âș BitLocker
âș FileVault2 (Mac)
âș Luks & dm-crypt (Linux, Android)
Volume Encryption
39. âș The following have tools and techniques published to
recover keys from memory:
âș PGP
âș Truecrypt Containers
âș <<A number of enterprise/commercial tools>>
File-Based Encryption
40. âș The protected media must be currently or very recently
accessed/mounted for the key to be in memory
âș Closed-source projects require reversing both of the in-
memory key-storage and on-disk format
âș Already done for Bitlocker and FileVault2
Limitations of Key Recovery
41. âș Memory forensics recovers a wealth of evidence that is
never stored to disk and is essential to many
investigations
âș Live forensics processes are outdated and trivially
defeated/lied to by malware
âș Modern malware avoids disk completely
âș Will never find it if you pull the plug!
âș The pain of encryption can be eased with memory
forensics
Conclusion