SlideShare uma empresa Scribd logo

Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced Malware

‱Transferir como PPTX, PDF‱
‱
Andrew Case
Andrew Case

My presentation from RSA 2013 on using memory forensics to defeat advanced malware, encryption, and skilled attackers

Tecnologia
1 de 43
Session ID: Session Classification: Andrew Case The Volatility Project HTA-W22 Advanced Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced Malware
â–ș Showcase the power of memory forensics â–ș Distinguish memory forensics from disk forensics â–ș Show why live forensics is futile and should be replaced with offline memory forensics Purpose of This Presentation
â–ș Memory forensics is the analysis of captures (samples) of physical memory (RAM) for artifacts relevant to an investigation â–ș Requires modeling of the operating system’s data structures and algorithms offline in order to recreate state at the time of the capture What is Memory Forensics?
â–ș Traditional forensics only looks at disk images â–ș This misses information never written to disk â–ș Network connections, memory allocations, running processes, open file lists, and much more â–ș Skilled attackers know to avoid the disk and securely clean up any on-disk artifacts Why We *Need* Memory Forensics
â–ș Malware can trivially defeat live analysis â–ș Live analysis is running tools built into the OS to gather volatile data (the general sysadmin/IR response) â–ș Malware can lie to any and all userland and even in-kernel tools â–ș Advanced malware only operates in memory â–ș Never touches the disk, all network traffic encrypted â–ș Good luck without memory forensics! Why Cont.
Volatility
â–ș Most popular memory analysis framework â–ș Open source, written in Python â–ș Supports Windows {XP, Vista, 7, 2003, 2008} x86/x64 â–ș Supports Linux on Intel and ARM (Android) â–ș Supports Mac 10.5.x-10.8.x x86/x64 â–ș Allows for analysis plugins to be easily written â–ș Used daily in real forensics investigations Volatility
â–ș A profile is set of vtypes and (optionally) symbol addresses that are used to model a particular OS version â–ș This is what allows Volatility plugins to be generic to all the different versions of Windows, Linux, Mac, etc Volatility Terminology - Profiles
â–ș Address spaces are used to translate virtual addresses into physical offsets â–ș Intel x86, x86 PAE, x86-64 â–ș ARM â–ș They also prevent the need to convert all memory captures to a linear format â–ș Crash dumps â–ș Hibernation files â–ș VMware vmss â–ș Lime â–ș Mac Memory Reader â–ș More
 Volatility Terminology – Address Spaces
â–ș List and recover processes, network connections, drivers, file systems, and much more â–ș Detect malware in both userland and the kernel â–ș We will be using Volatility to recover artifacts throughout the presentation Volatility Capabilities
Investigating Advanced Malware
â–ș Determine system effects â–ș Uncover processes, network connections, drivers, etc that are “hidden” by malware â–ș Acquire the unpacked/unencrypted malware in memory Malware Analysis Capabilities
â–ș A running system builds a process list by using APIs that eventually traverse the PsActiveProcessHead list â–ș This logic is performed by the pslist plugin â–ș Rootkits break processes from this list to hide themselves â–ș Pool scanning for EPROCESS structures can find these hidden processes â–ș This is performed in the psscan plugin â–ș POC rootkits exist to defeat this by pool header tampering Finding (Hidden) Processes
â–ș Volatility’s psxview plugin can detect all known process hiding techniques by enumerating from many sources â–ș A number of these sources are not documented except for in Volatility Finding (Hidden) Processes Cont.
$ python vol.py -f ds_fuzz_hidden_proc.img psxview Volatile Systems Volatility Framework 2.3_alpha Offset(P) Name PID pslist psscan thrdproc pspcdid csrss session deskthrd ---------- ---------------- ------ ------ ------ -------- ------- ----- ------- ------- 0x01a2b100 winlogon.exe 620 True True True True True True True 0x01a3d360 svchost.exe 932 True True True True True True True 0x018a13c0 VMwareService.e 1756 True True True True True True True 0x018e75e8 spoolsv.exe 1648 True True True True True True True 0x019dbc30 lsass.exe 684 True True True True True True True 0x0184e3a8 wscntfy.exe 560 True True True True True True True 0x018af860 VMwareTray.exe 1896 True True True True True True True 0x01a4bc20 network_listene 1696 False False True True True True True 0x01843b28 wuauclt.exe 1372 True True True True True True True 0x01a59d70 svchost.exe 844 True True True True True True True [snip] psxview Output
â–ș Each process has three lists that track its loaded DLLs â–ș Process explorer and other live tools focus on one of the lists (load order) â–ș Malware commonly breaks this list to avoid detection â–ș Flame is a popular and high-profile example [2] â–ș ldrmodules cross references the three lists with VAD information for mapped files Hiding Loaded DLLs
$ python vol.py -f flame.raw -p 912 ldrmodules Volatile Systems Volatility Framework 2.1_alpha Pid Process Base InLoad InInit InMem MappedPath -------- -------------------- ---------- ------ ------ ----- ---------- 912 services.exe 0x7c900000 True True True WINDOWSsystem32ntdll.dll 912 services.exe 0x7c9c0000 False False False WINDOWSsystem32shell32.dll [snip] ldrmodules Detecting Flame
â–ș malfind looks for pages with suspicious protection bits set (e.g. RWX) â–ș The following code injection/hiding techniques are all detected by malfind: â–ș Remote Library Injection â–ș Remote Shellcode Injection â–ș Reflective DLL loading Detecting Common Code Hiding Techniques
$ python vol.py -f stuxnet.vmem malfind Process: lsass.exe Pid: 868 Address: 0x80000 Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE Flags: Protection: 6 0x00080000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 0x00080010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 0x00080020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00080030 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 ................ Malfind Detecting Stuxnet
Metasploit’s Reflective VNC Loader
â–ș Technique: â–ș Overwrite the beginning of API functions in order to redirect control flow â–ș Allows the malware to hide virtually any data from userland tools and even some in-kernel monitors â–ș The apihooks plugin detects API hooks â–ș Performs static analysis on the beginning instructions of functions API Hooking
Hook mode: Usermode Hook type: Inline/Trampoline Process: 1176 (lsass.exe) Victim module: ntdll.dll (0x7c900000 - 0x7c9af000) Function: ntdll.dll!ZwQuerySection at 0x7c90d8b0 Hook address: 0x980a02 Hooking module: <unknown> Disassembly(0): 0x7c90d8b0 b8020a9800 MOV EAX, 0x980a02 0x7c90d8b5 ffe0 JMP EAX 0x7c90d8b7 03fe ADD EDI, ESI 0x7c90d8b9 7fff JG 0x7c90d8ba 0x7c90d8bb 12c2 ADC AL, DL 0x7c90d8bd 1400 ADC AL, 0x0 0x7c90d8bf 90 NOP 0x7c90d8c0 b8a8000000 MOV EAX, 0xa8 0x7c90d8c5 ba DB 0xba 0x7c90d8c6 0003 ADD [EBX], AL apihooks - Duqu
â–ș The binaries (.exe, .dll, .sys, etc) involved with malicious processes and drivers can be dumped to disk for analysis â–ș Volatility can also be used to acquire the unpacked version of malware samples from memory â–ș Run sample, take memory capture, acquire executable Dumping Processes to Disk
â–ș Instead of actively hooking functions in the kernel to determine when certain events occur, there is a much safer, passive option â–ș You can "register" a function to be called by the system â–ș Every time the event occurs, your function is called Kernel Callbacks
â–ș Process related â–ș Activated on process/thread creation, executable loading, etc â–ș Used to inject DLL into processes on startup and to stop processes from starting â–ș Used by Mebroot, BlackEnergy, Rustock, TDL â–ș File system â–ș Activated on new file system registration â–ș TDL3 infects MBR and uses callback to know when FS is mounted â–ș Stuxnet uses to attach to device stack to hide its files Malware Targeted Callbacks
â–ș Bugcheck â–ș Activated when machine is crashing (BSOD, crash dumping being written) â–ș Rustock.C cleans itself from memory before a crash dump is written â–ș Sinowal ensures the MBR is still infected before shutting down after a BSOD â–ș Registry â–ș Activated on modifications to the registry, the callback can monitor, block, or modify the operation â–ș Malware uses to prevent persistence methods inside the registry (run keys, etc) from being modified/deleted Targeted Callbacks Cont.
Skilled Attackers
â–ș Besides malware, we also want to recover actions performed directly by attackers â–ș Most of the artifacts used to recover this data are not written to disk â–ș Volatility has many capabilities for this purpose that span across its supported operating systems â–ș We will discuss capabilities not covered in the malware section Skilled Attackers
â–ș cmdscan/consoles â–ș Plugins that can recover both the input and output of cmd.exe sessions â–ș bash_history/bash_hash â–ș Plugins that can recover commands entered on a system and when they were entered as well as the number of times each binary was executed Attacker Keyboard Input/Interaction
â–ș List files/handles opened by each process on a system â–ș Determine which files, processes, registry keys, IPC data, etc were being interacted with by a process â–ș On Linux socket handles are just file descriptors Opened Handles/Files
â–ș Can recover loaded kernel drivers â–ș Can uncover “hidden” drivers through a combination of memory scanning and cross-referencing â–ș Windows â–ș modules & modscan â–ș Linux â–ș linux_lsmod & linux_check_modules Kernel Drivers/Modules
â–ș Can list both active connections (e.g. recreate netstat output) as well locate previously terminated network connection structures â–ș On Linux we can also recover previously sent and received packets and trace them to their owning process Network Connections
â–ș Volatility can recover filesystem information from memory including both metadata and file contents â–ș Windows - mftparser â–ș Recovers and parses the MFT for every active NTFS file system â–ș Output includes metadata for all files and contents for resident files â–ș Linux – linux_find_file â–ș Parses any standard (non-stacked) file system from memory and dumps the file system to disk â–ș tmpfs (/dev/shm) lives only in memory! File systems in Memory
â–ș Volatility can recover privileges assigned to a process â–ș Help determine what level of access the attacker and/or malware gained on your system Process Privileges
Grrcon: What type of access did the attacker gain?
Software-Based Encryption
â–ș All major software encryption systems store encryption keys in memory â–ș The key is used to decrypt file data being read and encrypt file data being written â–ș Memory forensics can recover these keys Software-Based Encryption
â–ș The following have tools and techniques published to recover keys from memory: â–ș Truecrypt â–ș BitLocker â–ș FileVault2 (Mac) â–ș Luks & dm-crypt (Linux, Android) Volume Encryption
â–ș The following have tools and techniques published to recover keys from memory: â–ș PGP â–ș Truecrypt Containers â–ș <<A number of enterprise/commercial tools>> File-Based Encryption
â–ș The protected media must be currently or very recently accessed/mounted for the key to be in memory â–ș Closed-source projects require reversing both of the in- memory key-storage and on-disk format â–ș Already done for Bitlocker and FileVault2 Limitations of Key Recovery
â–ș Memory forensics recovers a wealth of evidence that is never stored to disk and is essential to many investigations â–ș Live forensics processes are outdated and trivially defeated/lied to by malware â–ș Modern malware avoids disk completely â–ș Will never find it if you pull the plug! â–ș The pain of encryption can be eased with memory forensics Conclusion
â–ș Contact: â–ș andrew@memoryanalysis.net â–ș @attrc â–ș Volatility: â–ș http://volatility-labs.blogspot.com/ â–ș @volatility Questions/Comments?
[1] http://code.google.com/p/volatility/ [2] http://mnin.blogspot.com/2012/06/quickpost-flame-volatility.html References

Recomendados

De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisAndrew Case
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityAndrew Case
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityAndrew Case
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityAndrew Case
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensics(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensicsINSIGHT FORENSIC
 

Recomendados

De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisAndrew Case
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityAndrew Case
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityAndrew Case
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
Linux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityLinux Memory Analysis with Volatility
Linux Memory Analysis with VolatilityAndrew Case
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensics(120513) #fitalk an introduction to linux memory forensics
(120513) #fitalk an introduction to linux memory forensicsINSIGHT FORENSIC
 
Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatilityYashashree Gund
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseTakahiro Haruyama
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Mem forensic
Mem forensicMem forensic
Mem forensicChong-Kuan Chen
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device DriverGary Yeh
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - publicSandro Suffert
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]RootedCON
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internalsmukul bhardwaj
 
Linux Kernel I/O Schedulers
Linux Kernel I/O SchedulersLinux Kernel I/O Schedulers
Linux Kernel I/O SchedulersRajKumar Rampelli
 
Linux kernel modules
Linux kernel modulesLinux kernel modules
Linux kernel modulesDheryta Jaisinghani
 
Linux introduction
Linux introductionLinux introduction
Linux introductionAbhishek Khune
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Linux Kernel Development
Linux Kernel DevelopmentLinux Kernel Development
Linux Kernel DevelopmentPriyank Kapadia
 
Lecture2 process structure and programming
Lecture2 process structure and programmingLecture2 process structure and programming
Lecture2 process structure and programmingMohammed Farrag
 
Basic Linux kernel
Basic Linux kernelBasic Linux kernel
Basic Linux kernelMorteza Nourelahi Alamdari
 
Device drivers tsp
Device drivers tspDevice drivers tsp
Device drivers tspPradeep Kumar TS
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Lecture1 Introduction
Lecture1 IntroductionLecture1 Introduction
Lecture1 IntroductionMohammed Farrag
 
Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsDefconRussia
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
 

Mais conteĂșdo relacionado

Mais procurados

Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatilityYashashree Gund
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseTakahiro Haruyama
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device DriverGary Yeh
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - publicSandro Suffert
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]RootedCON
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internalsmukul bhardwaj
 
Linux Kernel I/O Schedulers
Linux Kernel I/O SchedulersLinux Kernel I/O Schedulers
Linux Kernel I/O SchedulersRajKumar Rampelli
 
Linux introduction
Linux introductionLinux introduction
Linux introductionAbhishek Khune
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Linux Kernel Development
Linux Kernel DevelopmentLinux Kernel Development
Linux Kernel DevelopmentPriyank Kapadia
 
Lecture2 process structure and programming
Lecture2 process structure and programmingLecture2 process structure and programming
Lecture2 process structure and programmingMohammed Farrag
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Lecture1 Introduction
Lecture1 IntroductionLecture1 Introduction
Lecture1 IntroductionMohammed Farrag
 

Mais procurados (20)

Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatility
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
 
Windows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCaseWindows Memory Forensic Analysis using EnCase
Windows Memory Forensic Analysis using EnCase
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
Mem forensic
Mem forensicMem forensic
Mem forensic
 
Memory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual MachineMemory Analysis of the Dalvik (Android) Virtual Machine
Memory Analysis of the Dalvik (Android) Virtual Machine
 
Linux Char Device Driver
Linux Char Device DriverLinux Char Device Driver
Linux Char Device Driver
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
 
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
Jaime Peñalba - Kernel exploitation. ¿El octavo arte? [rooted2019]
 
Basic Linux Internals
Basic Linux InternalsBasic Linux Internals
Basic Linux Internals
 
Linux Kernel I/O Schedulers
Linux Kernel I/O SchedulersLinux Kernel I/O Schedulers
Linux Kernel I/O Schedulers
 
Linux kernel modules
Linux kernel modulesLinux kernel modules
Linux kernel modules
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Linux Kernel Development
Linux Kernel DevelopmentLinux Kernel Development
Linux Kernel Development
 
Lecture2 process structure and programming
Lecture2 process structure and programmingLecture2 process structure and programming
Lecture2 process structure and programming
 
Basic Linux kernel
Basic Linux kernelBasic Linux kernel
Basic Linux kernel
 
Device drivers tsp
Device drivers tspDevice drivers tsp
Device drivers tsp
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
Lecture1 Introduction
Lecture1 IntroductionLecture1 Introduction
Lecture1 Introduction
 

Semelhante a Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced Malware

Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsDefconRussia
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Frank Boldewin
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemBikrant Gautam
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowTyler Shields
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheetMartin Cabrera
 
Writing Character driver (loadable module) in linux
Writing Character driver (loadable module) in linuxWriting Character driver (loadable module) in linux
Writing Character driver (loadable module) in linuxRajKumar Rampelli
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009ClubHack
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsAndrew Case
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Ricardo L0gan
 
First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]Phil Huggins FBCS CITP
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windowsdkaya
 
Windows Command Line Tools
Windows Command Line ToolsWindows Command Line Tools
Windows Command Line Toolslove4upratik
 
Ataques dirigidos contra activistas
Ataques dirigidos contra activistasAtaques dirigidos contra activistas
Ataques dirigidos contra activistasDavid Barroso
 

Semelhante a Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced Malware (20)

Oleksyk applied-anti-forensics
Oleksyk applied-anti-forensicsOleksyk applied-anti-forensics
Oleksyk applied-anti-forensics
 
Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation Virtual Machines Security Internals: Detection and Exploitation
Virtual Machines Security Internals: Detection and Exploitation
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
Hunting malware with volatility v2.0
Hunting malware with volatility v2.0Hunting malware with volatility v2.0
Hunting malware with volatility v2.0
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Penetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection SystemPenetration Testing and Intrusion Detection System
Penetration Testing and Intrusion Detection System
 
CarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and NowCarolinaCon 2008 Rootkits Then and Now
CarolinaCon 2008 Rootkits Then and Now
 
Memory forensics cheat sheet
Memory forensics cheat sheetMemory forensics cheat sheet
Memory forensics cheat sheet
 
Writing Character driver (loadable module) in linux
Writing Character driver (loadable module) in linuxWriting Character driver (loadable module) in linux
Writing Character driver (loadable module) in linux
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
Kush wadhwa _mining_digital_evidence_in_windows - ClubHack2009
 
Hunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory ForensicsHunting Mac Malware with Memory Forensics
Hunting Mac Malware with Memory Forensics
 
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityOMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Hta f42
Hta f42Hta f42
Hta f42
 
First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windows
 
Windows Command Line Tools
Windows Command Line ToolsWindows Command Line Tools
Windows Command Line Tools
 
Ataques dirigidos contra activistas
Ataques dirigidos contra activistasAtaques dirigidos contra activistas
Ataques dirigidos contra activistas
 

Último

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Christopher Logan Kennedy
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Último (20)

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced Malware

  • 1. Session ID: Session Classification: Andrew Case The Volatility Project HTA-W22 Advanced Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced Malware
  • 2. â–ș Showcase the power of memory forensics â–ș Distinguish memory forensics from disk forensics â–ș Show why live forensics is futile and should be replaced with offline memory forensics Purpose of This Presentation
  • 3. â–ș Memory forensics is the analysis of captures (samples) of physical memory (RAM) for artifacts relevant to an investigation â–ș Requires modeling of the operating system’s data structures and algorithms offline in order to recreate state at the time of the capture What is Memory Forensics?
  • 4. â–ș Traditional forensics only looks at disk images â–ș This misses information never written to disk â–ș Network connections, memory allocations, running processes, open file lists, and much more â–ș Skilled attackers know to avoid the disk and securely clean up any on-disk artifacts Why We *Need* Memory Forensics
  • 5. â–ș Malware can trivially defeat live analysis â–ș Live analysis is running tools built into the OS to gather volatile data (the general sysadmin/IR response) â–ș Malware can lie to any and all userland and even in-kernel tools â–ș Advanced malware only operates in memory â–ș Never touches the disk, all network traffic encrypted â–ș Good luck without memory forensics! Why Cont.
  • 7. â–ș Most popular memory analysis framework â–ș Open source, written in Python â–ș Supports Windows {XP, Vista, 7, 2003, 2008} x86/x64 â–ș Supports Linux on Intel and ARM (Android) â–ș Supports Mac 10.5.x-10.8.x x86/x64 â–ș Allows for analysis plugins to be easily written â–ș Used daily in real forensics investigations Volatility
  • 8. â–ș A profile is set of vtypes and (optionally) symbol addresses that are used to model a particular OS version â–ș This is what allows Volatility plugins to be generic to all the different versions of Windows, Linux, Mac, etc Volatility Terminology - Profiles
  • 9. â–ș Address spaces are used to translate virtual addresses into physical offsets â–ș Intel x86, x86 PAE, x86-64 â–ș ARM â–ș They also prevent the need to convert all memory captures to a linear format â–ș Crash dumps â–ș Hibernation files â–ș VMware vmss â–ș Lime â–ș Mac Memory Reader â–ș More
 Volatility Terminology – Address Spaces
  • 10. â–ș List and recover processes, network connections, drivers, file systems, and much more â–ș Detect malware in both userland and the kernel â–ș We will be using Volatility to recover artifacts throughout the presentation Volatility Capabilities
  • 12. â–ș Determine system effects â–ș Uncover processes, network connections, drivers, etc that are “hidden” by malware â–ș Acquire the unpacked/unencrypted malware in memory Malware Analysis Capabilities
  • 13. â–ș A running system builds a process list by using APIs that eventually traverse the PsActiveProcessHead list â–ș This logic is performed by the pslist plugin â–ș Rootkits break processes from this list to hide themselves â–ș Pool scanning for EPROCESS structures can find these hidden processes â–ș This is performed in the psscan plugin â–ș POC rootkits exist to defeat this by pool header tampering Finding (Hidden) Processes
  • 14. â–ș Volatility’s psxview plugin can detect all known process hiding techniques by enumerating from many sources â–ș A number of these sources are not documented except for in Volatility Finding (Hidden) Processes Cont.
  • 15. $ python vol.py -f ds_fuzz_hidden_proc.img psxview Volatile Systems Volatility Framework 2.3_alpha Offset(P) Name PID pslist psscan thrdproc pspcdid csrss session deskthrd ---------- ---------------- ------ ------ ------ -------- ------- ----- ------- ------- 0x01a2b100 winlogon.exe 620 True True True True True True True 0x01a3d360 svchost.exe 932 True True True True True True True 0x018a13c0 VMwareService.e 1756 True True True True True True True 0x018e75e8 spoolsv.exe 1648 True True True True True True True 0x019dbc30 lsass.exe 684 True True True True True True True 0x0184e3a8 wscntfy.exe 560 True True True True True True True 0x018af860 VMwareTray.exe 1896 True True True True True True True 0x01a4bc20 network_listene 1696 False False True True True True True 0x01843b28 wuauclt.exe 1372 True True True True True True True 0x01a59d70 svchost.exe 844 True True True True True True True [snip] psxview Output
  • 16. â–ș Each process has three lists that track its loaded DLLs â–ș Process explorer and other live tools focus on one of the lists (load order) â–ș Malware commonly breaks this list to avoid detection â–ș Flame is a popular and high-profile example [2] â–ș ldrmodules cross references the three lists with VAD information for mapped files Hiding Loaded DLLs
  • 17. $ python vol.py -f flame.raw -p 912 ldrmodules Volatile Systems Volatility Framework 2.1_alpha Pid Process Base InLoad InInit InMem MappedPath -------- -------------------- ---------- ------ ------ ----- ---------- 912 services.exe 0x7c900000 True True True WINDOWSsystem32ntdll.dll 912 services.exe 0x7c9c0000 False False False WINDOWSsystem32shell32.dll [snip] ldrmodules Detecting Flame
  • 18. â–ș malfind looks for pages with suspicious protection bits set (e.g. RWX) â–ș The following code injection/hiding techniques are all detected by malfind: â–ș Remote Library Injection â–ș Remote Shellcode Injection â–ș Reflective DLL loading Detecting Common Code Hiding Techniques
  • 19. $ python vol.py -f stuxnet.vmem malfind Process: lsass.exe Pid: 868 Address: 0x80000 Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE Flags: Protection: 6 0x00080000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. 0x00080010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... 0x00080020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0x00080030 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 ................ Malfind Detecting Stuxnet
  • 21. â–ș Technique: â–ș Overwrite the beginning of API functions in order to redirect control flow â–ș Allows the malware to hide virtually any data from userland tools and even some in-kernel monitors â–ș The apihooks plugin detects API hooks â–ș Performs static analysis on the beginning instructions of functions API Hooking
  • 22. Hook mode: Usermode Hook type: Inline/Trampoline Process: 1176 (lsass.exe) Victim module: ntdll.dll (0x7c900000 - 0x7c9af000) Function: ntdll.dll!ZwQuerySection at 0x7c90d8b0 Hook address: 0x980a02 Hooking module: <unknown> Disassembly(0): 0x7c90d8b0 b8020a9800 MOV EAX, 0x980a02 0x7c90d8b5 ffe0 JMP EAX 0x7c90d8b7 03fe ADD EDI, ESI 0x7c90d8b9 7fff JG 0x7c90d8ba 0x7c90d8bb 12c2 ADC AL, DL 0x7c90d8bd 1400 ADC AL, 0x0 0x7c90d8bf 90 NOP 0x7c90d8c0 b8a8000000 MOV EAX, 0xa8 0x7c90d8c5 ba DB 0xba 0x7c90d8c6 0003 ADD [EBX], AL apihooks - Duqu
  • 23. â–ș The binaries (.exe, .dll, .sys, etc) involved with malicious processes and drivers can be dumped to disk for analysis â–ș Volatility can also be used to acquire the unpacked version of malware samples from memory â–ș Run sample, take memory capture, acquire executable Dumping Processes to Disk
  • 24. â–ș Instead of actively hooking functions in the kernel to determine when certain events occur, there is a much safer, passive option â–ș You can "register" a function to be called by the system â–ș Every time the event occurs, your function is called Kernel Callbacks
  • 25. â–ș Process related â–ș Activated on process/thread creation, executable loading, etc â–ș Used to inject DLL into processes on startup and to stop processes from starting â–ș Used by Mebroot, BlackEnergy, Rustock, TDL â–ș File system â–ș Activated on new file system registration â–ș TDL3 infects MBR and uses callback to know when FS is mounted â–ș Stuxnet uses to attach to device stack to hide its files Malware Targeted Callbacks
  • 26. â–ș Bugcheck â–ș Activated when machine is crashing (BSOD, crash dumping being written) â–ș Rustock.C cleans itself from memory before a crash dump is written â–ș Sinowal ensures the MBR is still infected before shutting down after a BSOD â–ș Registry â–ș Activated on modifications to the registry, the callback can monitor, block, or modify the operation â–ș Malware uses to prevent persistence methods inside the registry (run keys, etc) from being modified/deleted Targeted Callbacks Cont.
  • 28. â–ș Besides malware, we also want to recover actions performed directly by attackers â–ș Most of the artifacts used to recover this data are not written to disk â–ș Volatility has many capabilities for this purpose that span across its supported operating systems â–ș We will discuss capabilities not covered in the malware section Skilled Attackers
  • 29. â–ș cmdscan/consoles â–ș Plugins that can recover both the input and output of cmd.exe sessions â–ș bash_history/bash_hash â–ș Plugins that can recover commands entered on a system and when they were entered as well as the number of times each binary was executed Attacker Keyboard Input/Interaction
  • 30. â–ș List files/handles opened by each process on a system â–ș Determine which files, processes, registry keys, IPC data, etc were being interacted with by a process â–ș On Linux socket handles are just file descriptors Opened Handles/Files
  • 31. â–ș Can recover loaded kernel drivers â–ș Can uncover “hidden” drivers through a combination of memory scanning and cross-referencing â–ș Windows â–ș modules & modscan â–ș Linux â–ș linux_lsmod & linux_check_modules Kernel Drivers/Modules
  • 32. â–ș Can list both active connections (e.g. recreate netstat output) as well locate previously terminated network connection structures â–ș On Linux we can also recover previously sent and received packets and trace them to their owning process Network Connections
  • 33. â–ș Volatility can recover filesystem information from memory including both metadata and file contents â–ș Windows - mftparser â–ș Recovers and parses the MFT for every active NTFS file system â–ș Output includes metadata for all files and contents for resident files â–ș Linux – linux_find_file â–ș Parses any standard (non-stacked) file system from memory and dumps the file system to disk â–ș tmpfs (/dev/shm) lives only in memory! File systems in Memory
  • 34. â–ș Volatility can recover privileges assigned to a process â–ș Help determine what level of access the attacker and/or malware gained on your system Process Privileges
  • 35. Grrcon: What type of access did the attacker gain?
  • 37. â–ș All major software encryption systems store encryption keys in memory â–ș The key is used to decrypt file data being read and encrypt file data being written â–ș Memory forensics can recover these keys Software-Based Encryption
  • 38. â–ș The following have tools and techniques published to recover keys from memory: â–ș Truecrypt â–ș BitLocker â–ș FileVault2 (Mac) â–ș Luks & dm-crypt (Linux, Android) Volume Encryption
  • 39. â–ș The following have tools and techniques published to recover keys from memory: â–ș PGP â–ș Truecrypt Containers â–ș <<A number of enterprise/commercial tools>> File-Based Encryption
  • 40. â–ș The protected media must be currently or very recently accessed/mounted for the key to be in memory â–ș Closed-source projects require reversing both of the in- memory key-storage and on-disk format â–ș Already done for Bitlocker and FileVault2 Limitations of Key Recovery
  • 41. â–ș Memory forensics recovers a wealth of evidence that is never stored to disk and is essential to many investigations â–ș Live forensics processes are outdated and trivially defeated/lied to by malware â–ș Modern malware avoids disk completely â–ș Will never find it if you pull the plug! â–ș The pain of encryption can be eased with memory forensics Conclusion
  • 42. â–ș Contact: â–ș andrew@memoryanalysis.net â–ș @attrc â–ș Volatility: â–ș http://volatility-labs.blogspot.com/ â–ș @volatility Questions/Comments?

Notas do Editor

  1. Ask who has used memory forensics before -> if any say yes -> then ask if for traditional IR/forensics and/or if for malware analysis
  2. Tell the audience to think about malware they may have missed in the past by looking only at disk or by trusting a live system’s output