Mac Memory Analysis with Volatility

         Andrew Case / @attrc
      Digital Forensics Researcher
                Terremark
Who Am I?
• Digital Forensics Researcher @ Terremark
• Volatility Developer & Registry Decoder Co-
  Developer
• Former Blackhat, SOURCE, DFRWS, BSides,
  and SANS @Night speaker
• GIAC Certified Forensics Analyst (GCFA)
Motivation for this Research
• There is a good tool for acquisition of memory
  from Mac machines [1], but no tools for deep
  analysis of the captured memory
• Matthieu Suiche did initial research but no tool
  [16]
• Only one public tool, Volafox [7], supports Mac
  analysis, but not as robustly or as thoroughly as
  we would like
• To fix this, we added full Mac support to Volatility
Agenda
•   Introduction to Memory Analysis
•   Overview of the Volatility architecture
•   Mac Memory Acquisition
•   Analysis with Volatility
•   Conclusions/Q&A
Memory Forensics Introduction
Introduction
• Memory analysis is the process of taking a
  memory capture (a sample of RAM) and
  producing higher-level objects that are useful
  for an investigation
• A memory capture has the entire state of the
  operating system as well as running
  applications
  – Including all the related data structures, variables,
    etc
The Goal of Memory Analysis
• The higher level objects we are interested in
  are in-memory representations of C
  structures, custom data structures, and other
  variables used by the operating system
• With these we can recover processes listings,
  filesystem information, networking data, etc
• This is what we will be talking about
  throughout this presentation
Volatility
• Most popular memory analysis framework
  – Written in Python
  – Open Source
  – Supports Windows {XP, Vista, 7, 2003, 2008}
  – Supports Linux on Intel and ARM
  – And now supports Mac!
• Allows for analysis plugins to be easily written
• Used daily in real forensics investigations
Volatility Terminology - Vtypes
• A representation of structures used in the OS, such
   as size, names, members, types, and offsets
• Example:
 '_IMAGE_EXPORT_DIRECTORY': [ 0x28, {
   'Base': [ 0x10, ['unsigned int']],
   'NumberOfFunctions': [ 0x14, ['unsigned int']],
   'NumberOfNames': [ 0x18, ['unsigned int']],
   'AddressOfFunctions': [ 0x1C, ['unsigned int']],
   # (remaining members omitted on the slide)
 }],
Volatility Terminology - Profiles
• A profile is set of vtypes and (optionally)
  symbol addresses that are used to model a
  particular OS version
• This is what allows Volatility plugins to be
  generic to all the different versions of
  Windows, Linux, Mac, etc
Volatility Terminology – Address Spaces
• Address spaces are used to translate virtual
  addresses into physical offsets
• They also prevent the need to convert all
  memory captures to a linear format
Current Address Spaces
• Memory Management Address Spaces
  – x86 / x64
  – Arm (Android)
• Interface (File) Address Spaces
  –   Firewire
  –   Windows Hibernation Files
  –   Crash Dumps
  –   EWF Files
  –   Lime
  –   And a new one for this talk!
Mac Profiles
• Mac profiles are built in two steps:
• The addresses of symbols are gathered from
  the system’s mach_kernel
• The types are gathered by running dwarfdump
  on the debug mach_kernel
  – This is contained in the KernelDebugKit
  – This output is then converted into a proper vtype
Mac Memory Acquisition
No Native Software Support
• Modern versions of Mac do not support /dev/mem
  or /dev/kmem
• This means that 3rd party software must be
  used to access physical memory
Mac Memory Reader [1]
• Main memory acquisition tool
  – Free, but not open source
• Supports capture from 32 and 64 bit systems
  running on native hardware as well as from
  Parallels and VirtualBox guests
  – Does not work with VMware Fusion guests
• Loads a driver to recreate /dev/mem and
  captures from it
The Capture File
• Mac Memory Reader creates a mach-o file of
  captured memory
  – Mach-o is the standard Mac exe format
• RAM is not contiguous in physical memory so
  a linear capture would be much bigger than
  actual RAM size
  – Too big to deal with on 64 bit
Mach-O Address Space
• To handle Mac Memory Reader captures, a
  mach-o address space was developed
• Supports 32 and 64 bit captures
• It parses mach-o files and for each segment
  gathers:
  – The offset into the file
  – The size of the segment
  – Its mapped address, which is its physical address
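The three values listed above are all a Mach-O address space needs: once every segment's file offset, size and mapped (physical) address are known, translating a physical address is a range lookup. The following is an added example written for this page, not code from Volatility or from Mac Memory Reader. It parses only the 64-bit header and LC_SEGMENT_64 load commands (an assumption made to keep it short; the real address space also handles 32-bit captures), builds a tiny constructed "capture" with two non-contiguous RAM ranges, and shows that a physical address falling in a gap between segments is reported as not captured rather than silently mapped to the wrong bytes.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF      # 64-bit little-endian Mach-O magic
LC_SEGMENT_64 = 0x19          # load command describing one segment
MH_CORE = 0x4                 # file type used for core/memory dumps


def parse_segments(data):
    """Return [(fileoff, filesize, vmaddr)] for each LC_SEGMENT_64 command."""
    # struct mach_header_64: eight uint32 fields, 32 bytes
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O file")
    segments, off = [], 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SEGMENT_64:
            # segment_command_64 after cmd/cmdsize: segname[16], vmaddr, vmsize,
            # fileoff, filesize, maxprot, initprot, nsects, flags (64 bytes)
            (_segname, vmaddr, _vmsize, fileoff, filesize,
             _maxprot, _initprot, _nsects, _sflags) = struct.unpack_from("<16s4Q2iII", data, off + 8)
            segments.append((fileoff, filesize, vmaddr))
        off += cmdsize           # cmdsize also skips commands we do not model
    return segments


class MachOAddressSpace:
    """Physical-address view over a Mach-O memory capture."""

    def __init__(self, data):
        self.data = data
        self.segments = parse_segments(data)

    def translate(self, paddr):
        """Physical address -> file offset, or None if that page was not captured."""
        for fileoff, filesize, vmaddr in self.segments:
            if vmaddr <= paddr < vmaddr + filesize:
                return fileoff + (paddr - vmaddr)
        return None

    def read(self, paddr, length):
        off = self.translate(paddr)
        return None if off is None else self.data[off:off + length]


def build_sample_capture():
    """Constructed sample: a Mach-O file holding two separate physical RAM ranges
    (not a real memory image). Physical 0x1000-0x10FF and 0x100000-0x10007F."""
    ranges = [(0x1000, b"A" * 0x100), (0x100000, b"B" * 0x80)]
    header_size, cmd_size = 32, 72
    payload_off = header_size + cmd_size * len(ranges)
    cmds, payload = b"", b""
    for paddr, content in ranges:
        fileoff = payload_off + len(payload)
        cmds += struct.pack("<2I16s4Q2iII", LC_SEGMENT_64, cmd_size, b"RAM",
                            paddr, len(content), fileoff, len(content), 7, 7, 0, 0)
        payload += content
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, MH_CORE, len(ranges), len(cmds), 0, 0)
    return header + cmds + payload


if __name__ == "__main__":
    aspace = MachOAddressSpace(build_sample_capture())
    for fileoff, size, vmaddr in aspace.segments:
        print(f"phys 0x{vmaddr:x} size 0x{size:x} -> file offset 0x{fileoff:x}")
    print(aspace.read(0x100010, 4), aspace.translate(0x2000))
```

The gap handling is the part that matters in practice: a linear (raw) capture of the same machine would have to pad every hole in the physical map, which is why the slide notes such a file would be far larger than the installed RAM.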
Recovering Runtime Information
Runtime Information
• The rest of this session is focused on the orderly
  recovery of data that was active at the time of
  the memory capture
• We will be discussing how to find key pieces
  of information and then use Volatility to
  recover them
Information to be Recovered
•   Processes
•   Memory Maps
•   Open Files
•   Network Connections
•   Network Data
•   Loaded Kernel Modules
•   Rootkit Detection
Mach Overview
• No split address space
• (Almost?) Micro-kernel
  – Only the components that need hardware access
    run in ring 0
  – Everything else runs as a userland process
  – Mach is the only mainstream kernel like this
  – The mechanisms needed to make this work tend
    to be annoying as a memory analysis researcher
Mach Processes & Tasks
• A process (proc) represents a BSD process
  – Its threads are called uthreads
• A task (task) represents a Mach task
  – Its threads are called “Mach Threads” and
    represented by the thread structure
Recovering Processes
• The list of processes is stored in the allproc list
• Each element of the list is of type struct proc
   – The p_comm member stores the ASCII name of
     the binary that was executed
   – The p_pid member stores the process ID
   – Other members you would expect:
      • p_uid, p_gid, p_ppid
• The mac_pslist plugin enumerates this list and
  prints out the per-process information
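Putting the vtype and profile slides together with this one: a plugin like mac_pslist never hard-codes offsets; it reads the allproc head, overlays the profile's struct proc vtype on each element and follows p_list to the next. The block below is an added example for this page, not Volatility's own object system. It uses a constructed, deliberately tiny vtype for proc (the real Lion structure is far larger and these offsets describe only the sample image built inline), a flat stand-in for an address space, and a list walk that stops on cycles or on a pointer that leaves the capture, which is what you want when a list has been tampered with or partially paged out.

```python
import struct

# Constructed, simplified vtype for struct proc in Volatility's dict format.
# Assumption for this example: these offsets only describe the sample image below.
VTYPES = {
    'proc': [0x30, {
        'p_list': [0x00, ['list_entry']],               # LIST_ENTRY(proc): le_next, le_prev
        'p_pid':  [0x10, ['int']],
        'p_ppid': [0x14, ['int']],
        'p_uid':  [0x18, ['unsigned int']],
        'p_comm': [0x20, ['String', dict(length=16)]],   # ASCII name of the executed binary
    }],
    'list_entry': [0x10, {
        'le_next': [0x00, ['pointer']],
        'le_prev': [0x08, ['pointer']],
    }],
}

# struct format and size of each primitive type (little-endian x86-64)
PRIMITIVES = {'int': ('<i', 4), 'unsigned int': ('<I', 4), 'pointer': ('<Q', 8)}


class FlatAddressSpace:
    """Stand-in for a Volatility address space: one byte buffer mapped at base."""

    def __init__(self, data, base):
        self.data, self.base = data, base

    def read(self, addr, length):
        off = addr - self.base
        if off < 0 or off + length > len(self.data):
            return None                  # address not present in the capture
        return self.data[off:off + length]


class Obj:
    """Overlay a vtype on the address space; members are decoded lazily by offset."""

    _own = ('aspace', 'type_name', 'offset', 'size', 'members')

    def __init__(self, aspace, type_name, offset):
        self.aspace, self.type_name, self.offset = aspace, type_name, offset
        self.size, self.members = VTYPES[type_name]

    def __getattr__(self, name):
        if name in Obj._own or name not in self.members:
            raise AttributeError(name)
        moff, tinfo = self.members[name]
        tname, addr = tinfo[0], self.offset + moff
        if tname in PRIMITIVES:
            fmt, size = PRIMITIVES[tname]
            raw = self.aspace.read(addr, size)
            return None if raw is None else struct.unpack(fmt, raw)[0]
        if tname == 'String':
            raw = self.aspace.read(addr, tinfo[1]['length'])
            return None if raw is None else raw.split(b'\0', 1)[0].decode('ascii', 'replace')
        return Obj(self.aspace, tname, addr)     # nested structure


def walk_allproc(aspace, allproc_addr, max_procs=4096):
    """Mimic mac_pslist: allproc is a LIST_HEAD (one lh_first pointer); follow each
    proc's p_list.le_next, guarding against cycles and pointers outside the capture."""
    raw = aspace.read(allproc_addr, 8)
    cur = struct.unpack('<Q', raw)[0] if raw else 0
    seen, procs = set(), []
    while cur and cur not in seen and len(procs) < max_procs:
        seen.add(cur)
        p = Obj(aspace, 'proc', cur)
        if p.p_pid is None or p.p_comm is None:
            break                        # proc structure lies outside the capture
        procs.append((p.p_pid, p.p_ppid, p.p_uid, p.p_comm))
        cur = p.p_list.le_next
    return procs


def build_sample_image(base=0xFFFFFF8000400000):
    """Constructed sample 'kernel memory': allproc head followed by three procs."""
    entries = [(0, 0, 0, b'kernel_task'), (1, 0, 0, b'launchd'), (123, 1, 501, b'Terminal')]
    proc_size = VTYPES['proc'][0]
    first = base + 0x10
    data = bytearray(struct.pack('<QQ', first, 0))       # allproc: lh_first + padding
    for i, (pid, ppid, uid, name) in enumerate(entries):
        nxt = first + (i + 1) * proc_size if i + 1 < len(entries) else 0
        rec = bytearray(proc_size)
        struct.pack_into('<QQ', rec, 0x00, nxt, 0)       # p_list.le_next / le_prev
        struct.pack_into('<iiI', rec, 0x10, pid, ppid, uid)
        rec[0x20:0x20 + len(name)] = name
        data += rec
    return FlatAddressSpace(bytes(data), base), base


if __name__ == '__main__':
    aspace, allproc = build_sample_image()
    for pid, ppid, uid, comm in walk_allproc(aspace, allproc):
        print(f'{pid:>6} {ppid:>6} {uid:>6} {comm}')
```

Swapping VTYPES for the dwarfdump-derived definitions of another OS version is all that changes the layout; the walk itself stays the same, which is the point of the profile system described earlier in the deck.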
Recovering Command Line Arguments
• mac_pslist only recovers the name of the
  binary that was executed
• mac_psaux recovers the command line args
  (**argv) and optionally the env variables
• The CR3 value for each process is stored in:
  – <proc_structure>.task.map.pmap.pm_cr3
• user_stack and p_argslen are used to recover
  where the args and environment arrays are
Recovering Memory Maps
• The mac_proc_maps plugin recovers per-task
  memory maps
  – Mimics vmmap or Linux’s /proc/<pid>/maps
• For each mapping, it lists:
  – Starting and ending address
  – The mapped file (if any)
• Makes spotting shared library injection easy
• A starting point to malware/unknown binary
  analysis
mac_proc_maps output
python vol.py --profile=Mac32 --profile_file=10.7.2.zip -f 32bit.dump mac_proc_maps -p 1
…
1059cb000 1059ce000 r-x libauditd.0.dylib
1059ce000 1059cf000 rw- libauditd.0.dylib
1059cf000 1059d2000 r-- libauditd.0.dylib
…
Dumping Memory Maps
• The mac_dump_map plugin is able to dump
  the contents of memory mappings inside of
  particular processes
• Common usages:
  – Check against virus DBs
  – Binary Analysis
  – Further forensics analysis (strings, file carving, etc)
Open Files
• The mac_lsof plugin lists the files that are
  opened for each process
  – Similar to /proc/<pid>/fd on Linux
• Walks the proc.p_fd.fd_ofiles array
• Checks the file type; if it is DTYPE_VNODE, the
  entry is a regular file and is reported
• Useful to determine file system activity, log
  files, etc
Mount Points
• The mac_mount plugin recovers all mounted
  devices and their mount points
• Mimics the mount command
• Very useful when integrating disk and memory
  analysis during an investigation
• The mount flags are also good artifacts
  (read only, no exec, no atime, etc)
Dmesg
• mac_dmesg recovers the kernel’s debug
  buffer
• Contains a wide range of useful information
• Viewed on the live machine with the dmesg
  binary that reads /var/log/kernel.log
• The contents are very easy to manipulate on
  disk – not so in memory
Network Connections
• mac_netstat emulates the netstat command
• Lists each connection along with relevant
  information (src/dst IP address & port, state,
  etc)
• Also walks the list of open files and acts on
  DTYPE_SOCKET entries
• Obviously useful when investigating network
  traffic and connections
Ifconfig
• mac_ifconfig emulates the ifconfig command
• Walks the dlil_ifnet_head list in memory to
  get each interface, which are represented by
  ifnet structures
• For each interface it recovers:
  – The interface name (en0, en1, etc)
  – Any IP addresses
  – MAC Address
ARP Table
• Found in the llinfo_arp list
• Recovers the ARP table out of memory
• Useful in IR scenarios to determine which
  networked devices the investigated machine
  recently contacted
Routing Cache
• When researching the routing table, I noticed
  that Mac has a very interesting routing cache
• Keeps track of connections made to remote IP
  addresses
• Statistics about these connections are kept as
  well including the start time and total packets &
  bytes
Entry Expiry
• Entries in the cache expire based on the value
  in net.inet.ip.rtexpire for IPv4 and
  net.inet6.ip6.rtexpire for IPv6
• This time is in seconds
• The countdown timer starts when there are no
  more references to the connection
  – So if the memory capture fits in this window, we
    can recover it
What are the expiry times?
• I asked Mac users for their sysctl value & OS
  version on twitter and G+
• Got about 20 responses, but wasn’t conclusive
• For IPv4:
  – People with the same exact OS version had widely
    different values
  – Range was from 10 seconds (bad!) up to an hour
• IPv6 was always 3600 (one hour)
Uses of the Routing Cache
• Malware Analysis & Data Exfil Investigations
  – You know when the current session started
  – You know how much data was sent
• Beating Rootkits
  – How many rootkits hide from netstat/lsof and
    other tools using easily detectable techniques?
  – vs how many manipulate the kernel’s routing
    cache?
     • Hint: 0
Loaded Kernel Modules
• The mac_lsmod plugin lists all of the loaded
  kernel modules (extensions) active on the
  system
• This replicates the output of the kextstat
  command
• This can lead to further investigation by
  dumping the executable in memory [14]
I/O Kit [3]
• I/O Kit is the framework that allows for
  development of device drivers as well as the
  OS’s tracking and handling of hardware
  devices
• Provides the ability for programmers to hook
  into a wide range of hardware events and
  actions
The I/O Registry [2]
• The I/O registry tracks devices that are
  attached to the computer as well as the
  classes that represent them
• The ioreg binary can list all of the registry
  contents
• The mac_ioreg plugin provides similar
  functionality to ioreg
Rootkit Detection
• Most rootkit discussions, whether offensive
  or defensive, make a distinction between
  userland (unprivileged) and kernel (fully
  privileged) rootkits
• Mac blurs this line with its micro-kernel design
• When referring to “kernel” rootkit detection, I
  mean core parts of the OS and not individual
  userland applications or services
Types of Rootkits
• Static
  – Alters data that is set at compile-time and never
    changes
  – Examples: modifying system call table entries,
    code (.text) instructions, global data structure
    function pointers
  – These are generally boring from a research
    perspective and already covered by other projects
    (Volafox [7], Phrack article [8], etc)
Types of Rootkits Cont.
• Dynamic
  – Alters data that is only created and referenced at
    runtime
  – Generally includes manipulating live data
    structures (lists, hash tables, trees) used by the
    operating system for accounting or for core
    operations
  – Much more interesting from a research
    perspective
Logkext [4]
• Logkext is a rootkit that uses the I/O Kit
  framework to log keystrokes
• It accomplishes this by adding a
  'gIOPublishNotification' callback that filters on
  the 'IOHIKeyboard' service.
• This effectively gives the rootkit control
  every time a key is pressed.
Detecting logkext
• Enumerate the gNotifications hash table
   – Keyed by the type of notification: (gIOPublishNotification,
     gIOFirstPublishNotification, gIOMatchedNotification,
     gIOFirstMatchNotification, gIOTerminatedNotification)
   – Each element is a IOServiceNotifier
• The handler member of IOServiceNotifier points to the
  callback function
• We verify that each callback is either:
   1. In the kernel
   2. In a known kernel module
IP Filters [8]
• Part of the Network Kernel Extension
  framework
• Allows for kernel extension programmers to
  easily hook incoming and/or outgoing
  network packets
• These hooks have built-in support for
  modifying packets in-place!
  – Done with ipf_inject_input and ipf_inject_output
IP Filter Rootkits [9]
• The potential for abuse of these filters is
  pretty obvious and existing rootkits take
  advantage of it in different ways
• We can detect these rootkits by verifying that
  every IP hook is in a known location
  – Implemented in mac_ip_filter
Detecting IP Filter Rootkits
• We walk the ipv4_filters & ipv6_filters lists
• These lists are of type ipfilter_list whose
  elements are ipfilter structures
• ipfilter structures hold the name of the filter
  (might be empty) as well as pointers to the
  input, output, and detach functions
• All three of these functions need to be in the
  kernel or in a known module if set
TrustedBSD [17, 18]
• The TrustedBSD framework provides hooks
  into a large number of functions in the kernel
  related to processes, memory, networking,
  and much more
• These hooks are meant to be used to enforce
  security policies & access control
• From my testing, it seems all Macs have
  “SandBox”, “Quarantine”, and “TMSafetyNet”
  loaded by default
Abusing TrustedBSD
• As you can imagine, having an “official” way to
  hook the kernel is an attractive feature for
  rootkits
• The author of the http://reverse.put.as blog was
  the first to think of this method and implemented
  a POC rootkit named rex that does it [10, 11]
• Works by adding malicious “trusted” policies that
  allow userland processes to call into the policies
  in order to gain root privileges
Detecting Rex
• All policies are stored in the global
  mac_policy_list
• Each element is of type mac_policy_list_element
• Name of the policy - <element>.mpc.mpc_name
• Function pointers - <element>.mpc.mpc_ops
• We verify that every function pointer is either in
  the kernel, a known kernel module, or NULL
   – This finds Rex as well as any other malicious policies
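The three detection slides (gNotifications handlers, ipfilter input/output/detach pointers, mac_policy_list mpc_ops) apply one rule to three tables: a function pointer is acceptable only if it is NULL, inside the kernel, or inside a module mac_lsmod knows about. The block below is an added example for this page, not the code of mac_ip_filter or the other plugins. The kernel and module address ranges, the table contents and the member names on the policy entries (mpo_proc_check_fork, mpo_vnode_check_exec) are constructed sample values for the example; the unnamed IP filter and the "rex" policy are the entries the check is expected to flag.

```python
from collections import namedtuple

# Constructed address ranges standing in for what mac_lsmod would report
# (assumed values for this example, not taken from a real capture).
KERNEL_TEXT = (0xFFFFFF8000200000, 0xFFFFFF8000A00000)
KNOWN_MODULES = {
    'com.apple.security.sandbox':        (0xFFFFFF7F80C00000, 0xFFFFFF7F80C40000),
    'com.apple.nke.applicationfirewall': (0xFFFFFF7F80E00000, 0xFFFFFF7F80E08000),
}


def locate(addr):
    """Classify a function pointer: 'NULL', 'kernel', a module name, or None when
    it points somewhere no loaded code should live."""
    if addr == 0:
        return 'NULL'
    if KERNEL_TEXT[0] <= addr < KERNEL_TEXT[1]:
        return 'kernel'
    for name, (lo, hi) in KNOWN_MODULES.items():
        if lo <= addr < hi:
            return name
    return None


Finding = namedtuple('Finding', 'table entry member address')


def check_hooks(table, entries, members):
    """Report every member pointer of every entry that locate() cannot place.
    The same check serves IOServiceNotifier.handler, the ipfilter function
    pointers and the mac_policy_ops pointers; only the member names differ."""
    findings = []
    for entry in entries:
        for member in members:
            if locate(entry[member]) is None:
                findings.append(Finding(table, entry.get('name', ''), member, entry[member]))
    return findings


# Constructed sample contents of the three hook tables discussed in the slides.
SAMPLE_NOTIFIERS = [          # gNotifications[gIOPublishNotification]; 'name' = matched service
    {'name': 'IOHIKeyboard', 'handler': 0xFFFFFF8000312340},   # kernel-resident handler
    {'name': 'IOHIKeyboard', 'handler': 0xFFFFFF8010A22000},   # handler in unknown memory
]
SAMPLE_IP_FILTERS = [         # ipv4_filters list, one dict per ipfilter structure
    {'name': 'com.apple.nke.applicationfirewall',
     'input': 0xFFFFFF7F80E01000, 'output': 0xFFFFFF7F80E01200, 'detach': 0xFFFFFF7F80E01400},
    {'name': '',              # empty name, hooks in unknown memory, no detach function
     'input': 0xFFFFFF8010A23000, 'output': 0xFFFFFF8010A23100, 'detach': 0},
]
SAMPLE_POLICIES = [           # mac_policy_list: mpc_name plus two mpc_ops pointers
    {'name': 'Sandbox',
     'mpo_proc_check_fork': 0xFFFFFF7F80C01000, 'mpo_vnode_check_exec': 0xFFFFFF7F80C01800},
    {'name': 'rex',
     'mpo_proc_check_fork': 0, 'mpo_vnode_check_exec': 0xFFFFFF8010A24000},
]


def scan_all():
    """Run the check over every table and return the combined findings."""
    return (check_hooks('IOServiceNotifier', SAMPLE_NOTIFIERS, ('handler',))
            + check_hooks('ipfilter', SAMPLE_IP_FILTERS, ('input', 'output', 'detach'))
            + check_hooks('mac_policy_list', SAMPLE_POLICIES,
                          ('mpo_proc_check_fork', 'mpo_vnode_check_exec')))


if __name__ == '__main__':
    for f in scan_all():
        print(f'{f.table:<18} {f.entry or "<unnamed>":<36} {f.member:<22} 0x{f.address:x} -> unknown location')
```

Two caveats a practitioner should keep in mind: the module ranges come from the same kernel list a rootkit could unlink itself from, so an unlinked module shows up here as "unknown location" rather than as a clean entry, which is the desired failure direction; and a NULL pointer is only acceptable where the kernel itself treats it as "not set", as it does for an unused ipfilter detach or policy op.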
Volafox Comparison
• Based on Volatility, but does not use the
  profile/object system
  – So it only supports a small number of OS versions
    and adding support for a new version is difficult
• Only a few plugins:
  – Process list, netstat, lsof, mount
  – Only rootkit detection is syscall hooking (static)
• SVN version supports 32 bit Mac Memory
  Reader but no 64 bit support
Conclusion
• Volatility now has proper Mac support
• Everything talked about today exists in the
  open source repository
  – Instructions on how to access can be found at [15]
• Much more new functionality will be added
  over the next couple months
  – Check [12 & 13] for updates
Questions? Comments?
• Speaker contact:
   – andrew@memoryanalysis.net
   – @attrc
• My Blog:
   – http://memoryforensics.blogspot.com/
• Volatility Blog:
   – http://volatility.tumblr.com/
References
[1] http://www.cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader
[2] https://developer.apple.com/library/mac/#documentation/devicedrivers/conceptual/IOKitFundamentals/TheRegistry/TheRegistry.html
[3] https://developer.apple.com/library/mac/#documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html#//apple_ref/doc/uid/TP0000012-TP
[4] http://code.google.com/p/logkext/
[5] https://www.blackhat.com/presentations/bh-dc-10/Suiche_Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-wp.pdf
[6] http://www.phrack.org/issues.html?issue=66&id=16#article
[7] volafox - http://code.google.com/p/volafox/
[8] https://developer.apple.com/library/mac/#documentation/Darwin/Conceptual/NKEConceptual/ip_filter_nke/ip_filter_nke.html#//apple_ref/doc/uid/TP40001858-CH2
[9] http://www.ruxcon.org.au/assets/Presentations/2011/Defiling-Mac-OS-X-Ruxcon.pdf
[10] http://reverse.put.as/2011/09/18/abusing-os-x-trustedbsd-framework-to-install-r00t-backdoors/
[11] http://reverse.put.as/2011/09/26/fixes-for-the-trustedbsd-backdoor-rex-the-wonder-dog-v0-2/
[12] http://volatility.tumblr.com/
[13] http://memoryforensics.blogspot.com/
[14] http://www.trailofbits.com/resources/advanced_macosx_rootkits_paper.pdf
[15] http://code.google.com/p/volatility/wiki/MacMemoryForensics
[16] https://www.blackhat.com/presentations/bh-dc-10/Suiche_Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-slides.pdf
[17] http://securityevaluators.com/files/papers/apple-sandbox.pdf
[18] http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123

Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 

Último (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 

Mac Memory Analysis with Volatility

1. Mac Memory Analysis with Volatility
Andrew Case / @attrc
Digital Forensics Researcher
Terremark

2. Who Am I?
• Digital Forensics Researcher @ Terremark
• Volatility Developer & Registry Decoder Co-Developer
• Former Blackhat, SOURCE, DFRWS, BSides, and SANS @Night speaker
• GIAC Certified Forensics Analyst (GCFA)

3. Motivation for this Research
• There is a good tool for acquisition of memory from Mac machines [1], but no tools for deep analysis of the captured memory
• Matthieu Suiche did initial research but no tool [16]
• Only one public tool, Volafox [7], supports Mac analysis, but not as robustly or as thoroughly as we would like
• To fix this, we added full Mac support to Volatility

4. Agenda
• Introduction to Memory Analysis
• Overview of the Volatility architecture
• Mac Memory Acquisition
• Analysis with Volatility
• Conclusions/Q&A

6. Introduction
• Memory analysis is the process of taking a memory capture (a sample of RAM) and producing higher-level objects that are useful for an investigation
• A memory capture has the entire state of the operating system as well as running applications
  – Including all the related data structures, variables, etc

7. The Goal of Memory Analysis
• The higher level objects we are interested in are in-memory representations of C structures, custom data structures, and other variables used by the operating system
• With these we can recover process listings, filesystem information, networking data, etc
• This is what we will be talking about throughout this presentation

8. Volatility
• Most popular memory analysis framework
  – Written in Python
  – Open Source
  – Supports Windows {XP, Vista, 7, 2003, 2008}
  – Supports Linux on Intel and ARM
  – And now supports Mac!
• Allows for analysis plugins to be easily written
• Used daily in real forensics investigations

9. Volatility Terminology - Vtypes
• A representation of structures used in the OS, such as size, names, members, types, and offsets
• Example:
    '_IMAGE_EXPORT_DIRECTORY': [ 0x28, {
        'Base': [ 0x10, ['unsigned int']],
        'NumberOfFunctions': [ 0x14, ['unsigned int']],
        'NumberOfNames': [ 0x18, ['unsigned int']],
        'AddressOfFunctions': [ 0x1C, ['unsigned int']],
10. Volatility Terminology - Profiles
• A profile is a set of vtypes and (optionally) symbol addresses that are used to model a particular OS version
• This is what allows Volatility plugins to be generic to all the different versions of Windows, Linux, Mac, etc

11. Volatility Terminology – Address Spaces
• Address spaces are used to translate virtual addresses into physical offsets
• They also prevent the need to convert all memory captures to a linear format

12. Current Address Spaces
• Memory Management Address Spaces
  – x86 / x64
  – ARM (Android)
• Interface (File) Address Spaces
  – Firewire
  – Windows Hibernation Files
  – Crash Dumps
  – EWF Files
  – Lime
  – And a new one for this talk!

13. Mac Profiles
• Mac profiles are built in two steps:
• The addresses of symbols are gathered from the system's mach_kernel
• The types are gathered by running dwarfdump on the debug mach_kernel
  – This is contained in the KernelDebugKit
  – This output is then converted into a proper vtype

15. No Native Software Support
• Modern versions of Mac do not support /dev/mem or /dev/kmem
• This means that 3rd party software must be used to access physical memory

16. Mac Memory Reader [1]
• Main memory acquisition tool
  – Free, but not open source
• Supports capture from 32 and 64 bit systems running on native hardware as well as from Parallels and VirtualBox guests
  – Does not work with VMware Fusion guests
• Loads a driver to recreate /dev/mem and captures from it

17. The Capture File
• Mac Memory Reader creates a mach-o file of captured memory
  – Mach-o is the standard Mac exe format
• RAM is not contiguous in physical memory, so a linear capture would be much bigger than the actual RAM size
  – Too big to deal with on 64 bit

18. Mach-O Address Space
• To handle Mac Memory Reader captures, a mach-o address space was developed
• Supports 32 and 64 bit captures
• It parses mach-o files and for each segment gathers:
  – The offset into the file
  – The size of the segment
  – Its mapped address, which is its physical address
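The following is an added example, not code from the slides or from Volatility's own mach-o address space, of the segment walk that slides 17 and 18 describe: each LC_SEGMENT / LC_SEGMENT_64 load command is treated as one run of physical memory (vmaddr taken as the physical base, as the slide states), and physical addresses are translated to file offsets through those runs. The sample capture is constructed in build_sample_capture() with two ranges and a hole between them; the segment name "__PHYSMEM" and the cputype/filetype values in it are assumptions for the sample, not a claim about what Mac Memory Reader writes.

```python
import struct

# Constants from mach-o/loader.h
MH_MAGIC = 0xFEEDFACE       # 32-bit, little-endian
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit, little-endian
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19
MH_CORE = 0xA


class MachOAddressSpace:
    """Maps physical addresses to offsets in a Mach-O memory capture.
    Each LC_SEGMENT/LC_SEGMENT_64 is taken as one run of physical memory whose
    vmaddr is its physical base address (the reading of the format in slide 18)."""

    def __init__(self, data):
        self.data = data
        self.runs = []                      # (phys_start, length, file_offset)
        magic = struct.unpack_from("<I", data, 0)[0]
        if magic == MH_MAGIC_64:
            is64, hdr_size = True, 32       # mach_header_64 has a trailing 'reserved' field
        elif magic == MH_MAGIC:
            is64, hdr_size = False, 28
        else:
            raise ValueError("not a little-endian Mach-O file (magic %#x)" % magic)
        ncmds = struct.unpack_from("<I", data, 16)[0]
        off = hdr_size
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack_from("<II", data, off)
            # vmaddr/vmsize/fileoff/filesize follow cmd, cmdsize and segname[16]
            if is64 and cmd == LC_SEGMENT_64:
                vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<QQQQ", data, off + 24)
                self.runs.append((vmaddr, min(vmsize, filesize), fileoff))
            elif not is64 and cmd == LC_SEGMENT:
                vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<IIII", data, off + 24)
                self.runs.append((vmaddr, min(vmsize, filesize), fileoff))
            off += cmdsize
        self.runs.sort()

    def _run_for(self, paddr):
        for run in self.runs:
            if run[0] <= paddr < run[0] + run[1]:
                return run
        return None

    def translate(self, paddr):
        """File offset holding physical address paddr, or None for a hole
        (device memory, reserved ranges) that the capture does not contain."""
        run = self._run_for(paddr)
        return None if run is None else run[2] + (paddr - run[0])

    def read(self, paddr, length):
        """Read `length` bytes from paddr, stitching adjacent runs together;
        None if any byte falls outside the capture."""
        out = b""
        while length > 0:
            run = self._run_for(paddr)
            if run is None:
                return None
            start, run_len, fileoff = run
            chunk = min(length, start + run_len - paddr)
            pos = fileoff + (paddr - start)
            out += self.data[pos:pos + chunk]
            paddr += chunk
            length -= chunk
        return out


def build_sample_capture():
    """Constructed 64-bit capture: two physical ranges with a hole between them
    (the non-contiguous layout that makes a linear dump impractical)."""
    segments = [(0x0, bytes(range(256))), (0x100000, b"B" * 0x80)]
    hdr_size, cmd_size = 32, 72
    data_start = hdr_size + cmd_size * len(segments)
    cmds, payload = b"", b""
    for phys, content in segments:
        cmds += struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, cmd_size, b"__PHYSMEM",
                            phys, len(content), data_start + len(payload), len(content),
                            7, 7, 0, 0)                    # maxprot, initprot, nsects, flags
        payload += content
    # cputype x86_64, subtype, filetype MH_CORE (assumed values for the sample)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, MH_CORE,
                         len(segments), len(cmds), 0, 0)
    return header + cmds + payload


if __name__ == "__main__":
    asp = MachOAddressSpace(build_sample_capture())
    for start, length, fileoff in asp.runs:
        print("phys %#010x-%#010x at file offset %#x" % (start, start + length, fileoff))
    print(asp.translate(0x10), asp.translate(0x200), asp.read(0x100000, 4))
```

A read that crosses into the hole returns None rather than silently returning short data; a plugin built on this should treat such a result as "not in the capture", not as zeroed memory.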
20. Runtime Information
• The rest of this session is focused on orderly recovery of data that was active at the time of the memory capture
• We will be discussing how to find key pieces of information and then use Volatility to recover them

21. Information to be Recovered
• Processes
• Memory Maps
• Open Files
• Network Connections
• Network Data
• Loaded Kernel Modules
• Rootkit Detection

22. Mach Overview
• No split address space
• (Almost?) Micro-kernel
  – Only the components that need hardware access run in ring 0
  – Everything else runs as a userland process
  – Mach is the only mainstream kernel like this
  – The mechanisms needed to make this work tend to be annoying as a memory analysis researcher

23. Mach Processes & Tasks
• A process (proc) represents a BSD process
  – Its threads are called uthreads
• A task (task) represents a Mach task
  – Its threads are called "Mach Threads" and represented by the thread structure

24. Recovering Processes
• The list of processes is stored in the allproc list
• Each element of the list is of type struct proc
  – The p_comm member stores the ASCII name of the binary that was executed
  – The p_pid member stores the process ID
  – Other members you would expect:
    • p_uid, p_gid, p_ppid
• The mac_pslist plugin enumerates this list and prints out the per-process information
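As an added example (not code from the slides or from Volatility's mac_pslist), the following ties together the vtype notation of slide 9 and the allproc walk of slide 24: a small vtype table in Volatility's dictionary syntax, a reader that resolves members through it, and a walk of p_list.le_next from the allproc head. The `proc` layout, member offsets and the image built by build_sample_space() are constructed for this example; real offsets come from dwarfdump of the debug kernel, as slide 13 explains. FlatSpace is a stand-in for the paging address space and assumes virtual == physical.

```python
import struct

PTR_FMT = "<Q"   # 64-bit little-endian pointers
PTR_SIZE = 8

# Hypothetical, cut-down vtypes for `struct proc` and the BSD LIST_ENTRY it is
# linked with. Constructed for this example; the offsets are not XNU's.
VTYPES = {
    'proc': [0x40, {
        'p_list': [0x00, ['LIST_ENTRY']],
        'p_pid':  [0x10, ['int']],
        'p_ppid': [0x14, ['int']],
        'p_uid':  [0x18, ['unsigned int']],
        'p_comm': [0x1c, ['String', dict(length=17)]],
    }],
    'LIST_ENTRY': [0x10, {
        'le_next': [0x00, ['pointer', ['proc']]],
        'le_prev': [0x08, ['pointer', ['pointer', ['proc']]]],
    }],
}

SCALARS = {'int': '<i', 'unsigned int': '<I', 'pointer': PTR_FMT}


class FlatSpace:
    """Stand-in address space: one bytearray, identity-mapped (virtual == physical).
    A real plugin reads through the paging address space layered on the file space."""

    def __init__(self, size):
        self.buf = bytearray(size)

    def read(self, addr, n):
        return bytes(self.buf[addr:addr + n])

    def write(self, addr, data):
        self.buf[addr:addr + len(data)] = data


def read_member(space, type_name, base, member):
    """Resolve `member` of a `type_name` object located at `base` using VTYPES."""
    _, members = VTYPES[type_name]
    off, desc = members[member]
    kind = desc[0]
    if kind in SCALARS:
        fmt = SCALARS[kind]
        return struct.unpack(fmt, space.read(base + off, struct.calcsize(fmt)))[0]
    if kind == 'String':
        raw = space.read(base + off, desc[1]['length'])
        return raw.split(b'\0', 1)[0].decode('ascii', 'replace')
    # Embedded structure: hand back its address so the caller can descend into it
    return base + off


def walk_allproc(space, allproc_addr, limit=4096):
    """What mac_pslist does: start at the allproc head and follow p_list.le_next.
    Returns one (pid, ppid, uid, comm) tuple per process."""
    procs = []
    seen = set()
    cur = struct.unpack(PTR_FMT, space.read(allproc_addr, PTR_SIZE))[0]
    while cur and cur not in seen and len(procs) < limit:
        seen.add(cur)  # a tampered or corrupt list could loop; never trust le_next blindly
        procs.append((read_member(space, 'proc', cur, 'p_pid'),
                      read_member(space, 'proc', cur, 'p_ppid'),
                      read_member(space, 'proc', cur, 'p_uid'),
                      read_member(space, 'proc', cur, 'p_comm')))
        entry = read_member(space, 'proc', cur, 'p_list')
        cur = read_member(space, 'LIST_ENTRY', entry, 'le_next')
    return procs


def build_sample_space(loop_tail=False):
    """Constructed image: the allproc symbol at 0x1000 points at three proc
    structures at 0x2000, 0x2100 and 0x2200. With loop_tail=True the last
    entry points back to the first, modelling a corrupted list."""
    space = FlatSpace(0x3000)
    table = [(0x2000, 42, 1, 501, b"sshd"),
             (0x2100, 1, 0, 0, b"launchd"),
             (0x2200, 0, 0, 0, b"kernel_task")]
    for i, (addr, pid, ppid, uid, comm) in enumerate(table):
        if i + 1 < len(table):
            nxt = table[i + 1][0]
        else:
            nxt = table[0][0] if loop_tail else 0
        space.write(addr, struct.pack(PTR_FMT, nxt))            # p_list.le_next
        space.write(addr + 0x10, struct.pack("<iiI", pid, ppid, uid))
        space.write(addr + 0x1c, comm.ljust(17, b"\0"))          # p_comm, NUL padded
    space.write(0x1000, struct.pack(PTR_FMT, table[0][0]))       # allproc.lh_first
    return space


if __name__ == "__main__":
    for pid, ppid, uid, comm in walk_allproc(build_sample_space(), 0x1000):
        print("%5d %5d %5d %s" % (pid, ppid, uid, comm))
```

The `seen` set and `limit` matter in practice: a process hidden by unlinking it from allproc is simply absent from this walk (which is why list walking is cross-checked against other sources), while a damaged or deliberately looped list would otherwise never terminate.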
25. Recovering Command Line Arguments
• mac_pslist only recovers the name of the binary that was executed
• mac_psaux recovers the command line args (**argv) and optionally the env variables
• The CR3 value for each process is stored in:
  – <proc_structure>.task.map.pmap.pm_cr3
• user_stack and p_argslen are used to recover where the args and environment arrays are

26. Recovering Memory Maps
• The mac_proc_maps plugin recovers per-task memory maps
  – Mimics vmmap or Linux's /proc/<pid>/map
• For each mapping, it lists:
  – Starting and ending address
  – The mapped file (if any)
• Makes spotting shared library injection easy
• A starting point to malware/unknown binary analysis

27. mac_proc_maps output
    python vol.py --profile=Mac32 --profile_file=10.7.2.zip -f 32bit.dump mac_proc_maps -p 1
    …
    1059cb000 1059ce000 r-x libauditd.0.dylib
    1059ce000 1059cf000 rw- libauditd.0.dylib
    1059cf000 1059d2000 r-- libauditd.0.dylib
    …

28. Dumping Memory Maps
• The mac_dump_map plugin is able to dump the contents of memory mappings inside of particular processes
• Common usages:
  – Check against virus DBs
  – Binary Analysis
  – Further forensics analysis (strings, file carving, etc)

29. Open Files
• The mac_lsof plugin lists the files that are opened for each process
  – Similar to /proc/<pid>/fd on Linux
• Walks the proc.p_fd.fd_ofiles array
• Checks the vnode type; if DTYPE_VNODE, then it's a regular file and is reported
• Useful to determine file system activity, log files, etc

30. Mount Points
• The mac_mount plugin recovers all mounted devices and their mount points
• Mimics the mount command
• Very useful when integrating disk and memory analysis during an investigation
• The mount flags are also good artifacts (read only, no exec, no atime, etc)

31. Dmesg
• mac_dmesg recovers the kernel's debug buffer
• Contains a wide range of useful information
• Viewed on the live machine with the dmesg binary that reads /var/log/kernel.log
• The contents are very easy to manipulate on disk – not so in memory

32. Network Connections
• mac_netstat emulates the netstat command
• Lists each connection along with relevant information (src/dst IP address & port, state, etc)
• Also walks the list of open files and acts on DTYPE_SOCKET entries
• Obviously useful when investigating network traffic and connections

33. Ifconfig
• mac_ifconfig emulates the ifconfig command
• Walks the dlil_ifnet_head list in memory to get each interface, which are represented by ifnet structures
• For each interface it recovers:
  – The interface name (en0, en1, etc)
  – Any IP addresses
  – MAC Address

34. ARP Table
• Found in the llinfo_arp list
• Recovers the ARP table out of memory
• Useful in IR scenarios to determine which networked devices the investigated machine recently contacted

35. Routing Cache
• When researching the routing table, I noticed that Mac has a very interesting routing cache
• Keeps track of connections made to remote IP addresses
• Statistics about these connections are kept as well, including the start time and total packets & bytes

36. Entry Expiry
• Entries in the cache expire based on the value in net.inet.ip.rtexpire for IPv4 and net.inet6.ip6.rtexpire for IPv6
• This time is in seconds
• The countdown timer starts when there are no more references to the connection
  – So if the memory capture fits in this window, we can recover it

37. What are the expiry times?
• I asked Mac users for their sysctl value & OS version on twitter and G+
• Got about 20 responses, but wasn't conclusive
• For IPv4:
  – People with the same exact OS version had widely different values
  – Range was from 10 seconds (bad!) up to an hour
• IPv6 was always 3600 (one hour)

38. Uses of the Routing Cache
• Malware Analysis & Data Exfil Investigations
  – You know when the current session started
  – You know how much data was sent
• Beating Rootkits
  – How many rootkits hide from netstat/lsof and other tools using easily detectable techniques?
  – vs how many manipulate the kernel's routing cache?
    • Hint: 0

39. Loaded Kernel Modules
• The mac_lsmod plugin lists all of the loaded kernel modules (extensions) active on the system
• This replicates the output of the kextstat command
• This can lead to further investigation by dumping the executable in memory [14]
41. I/O Kit [3]
• I/O Kit is the framework that allows for development of device drivers as well as the OS's tracking and handling of hardware devices
• Provides the ability for programmers to hook into a wide range of hardware events and actions

42. The I/O Registry [2]
• The I/O registry tracks devices that are attached to the computer as well as the classes that represent them
• The ioreg binary can list all of the registry contents
• The mac_ioreg plugin provides similar functionality to ioreg

43. Rootkit Detection
• Most rootkit discussions, whether offensive or defensive, make a distinction between userland (unprivileged) and kernel (fully privileged) rootkits
• Mac blurs this line with its micro-kernel design
• When referring to "kernel" rootkit detection, I mean core parts of the OS and not individual userland applications or services

44. Types of Rootkits
• Static
  – Alters data that is set at compile-time and never changes
  – Examples: modifying system call table entries, code (.text) instructions, global data structure function pointers
  – These are generally boring from a research perspective and already covered by other projects (Volafox [7], Phrack article [8], etc)

45. Types of Rootkits Cont.
• Dynamic
  – Alters data that is only created and referenced at runtime
  – Generally includes manipulating live data structures (lists, hash tables, trees) used by the operating system for accounting or for core operations
  – Much more interesting from a research perspective

46. Logkext [4]
• Logkext is a rootkit that uses the I/O Kit framework to log keystrokes
• It accomplishes this by adding a 'gIOPublishNotification' callback that filters on the 'IOHIKeyboard' service
• This effectively gives the rootkit control every time a key is pressed

47. Detecting logkext
• Enumerate the gNotifications hash table
  – Keyed by the type of notification: (gIOPublishNotification, gIOFirstPublishNotification, gIOMatchedNotification, gIOFirstMatchNotification, gIOTerminatedNotification)
  – Each element is an IOServiceNotifier
• The handler member of IOServiceNotifier points to the callback function
• We verify that each callback is either:
  1. In the kernel
  2. In a known kernel module

48. IP Filters [8]
• Part of the Network Kernel Extension framework
• Allows for kernel extension programmers to easily hook incoming and/or outgoing network packets
• These hooks have built-in support for modifying packets in-place!
  – Done with ipf_inject_input and ipf_inject_output

49. IP Filter Rootkits [9]
• The potential for abuse of these filters is pretty obvious and existing rootkits take advantage of it in different ways
• We can detect these rootkits by verifying that every IP hook is in a known location
  – Implemented in mac_ip_filter

50. Detecting IP Filter Rootkits
• We walk the ipv4_filters & ipv6_filters lists
• These lists are of type ipfilter_list whose elements are ipfilter structures
• ipfilter structures hold the name of the filter (might be empty) as well as pointers to the input, output, and detach functions
• All three of these functions need to be in the kernel or in a known module if set

51. TrustedBSD [17, 18]
• The TrustedBSD framework provides hooks into a large number of functions in the kernel related to processes, memory, networking, and much more
• These hooks are meant to be used to enforce security policies & access control
• From my testing, it seems all Macs have "SandBox", "Quarantine", and "TMSafetyNet" loaded by default

52. Abusing TrustedBSD
• As you can imagine, having an "official" way to hook the kernel is an attractive feature for rootkits
• The author of the http://reverse.put.as blog was the first to think of this method and implemented a POC rootkit named rex that does it [10, 11]
• Works by adding malicious "trusted" policies that allow userland processes to call into the policies in order to gain root privileges

53. Detecting Rex
• All policies are stored in the global mac_policy_list
• Each element is of type mac_policy_list_element
• Name of the policy - <element>.mpc.mpc_name
• Function pointers - <element>.mpc.mpc_ops
• We verify that every function pointer is either in the kernel, a known kernel module, or NULL
  – This finds Rex as well as any other malicious policies
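The three detection slides (47 for I/O Kit notifiers, 50 for IP filters, 53 for TrustedBSD policies) end in the same verification step: every function pointer the walk recovers must fall inside the kernel image, inside a loaded kernel module, or be NULL. The following is an added example of that check, not code from the slides or from Volatility's mac_ip_filter; it generalizes the step across all three walks. The kernel text range, the module table (which a real plugin would take from the kmod list that mac_lsmod walks) and the SAMPLE_HOOKS entries are all constructed values for this example, not addresses from any real system.

```python
# Constructed address ranges for the sample. In a real plugin the kernel text
# range comes from the profile's symbols and the module ranges from the kmod list.
KERNEL_TEXT = (0xFFFFFF8000200000, 0xFFFFFF8000A00000)      # [start, end)
KNOWN_MODULES = {                                            # name -> (start, size)
    "com.apple.nke.applicationfirewall": (0xFFFFFF7F80E00000, 0x20000),
    "com.apple.driver.AppleUSBKeyboard": (0xFFFFFF7F81000000, 0x8000),
}


def classify_pointer(ptr, kernel_text=KERNEL_TEXT, modules=KNOWN_MODULES):
    """Where a recovered function pointer lives:
    'NULL', 'kernel', 'module:<bundle id>' or 'UNKNOWN' (in no known code image)."""
    if ptr == 0:
        return "NULL"
    if kernel_text[0] <= ptr < kernel_text[1]:
        return "kernel"
    for name, (start, size) in modules.items():
        if start <= ptr < start + size:
            return "module:" + name
    return "UNKNOWN"


def check_hooks(hooks, kernel_text=KERNEL_TEXT, modules=KNOWN_MODULES):
    """hooks: iterable of (owner, member, ptr) tuples, one per function pointer
    collected from the notifier / ipfilter / mac_policy walks. Returns the entries
    that point into no known image, i.e. what the slides' checks would report."""
    flagged = []
    for owner, member, ptr in hooks:
        if classify_pointer(ptr, kernel_text, modules) == "UNKNOWN":
            flagged.append((owner, member, ptr))
    return flagged


# Constructed sample of what the three walks might produce. The owner strings
# and member names are labels for the sample, not data from a real capture.
SAMPLE_HOOKS = [
    ("ipfilter 'com.apple.nke.applicationfirewall'", "ipf_input", 0xFFFFFF7F80E01234),
    ("ipfilter 'com.apple.nke.applicationfirewall'", "ipf_output", 0xFFFFFF7F80E01300),
    ("ipfilter ''", "ipf_input", 0xFFFFFF7F9A000000),        # unnamed filter, unknown image
    ("ipfilter ''", "ipf_detach", 0),                         # unset pointer is fine
    ("mac_policy 'Sandbox'", "mpo_proc_check_fork", 0xFFFFFF8000345678),
    ("mac_policy 'Sandbox'", "mpo_cred_label_init", 0),
    ("IOServiceNotifier gIOPublishNotification", "handler", 0xFFFFFF7F81002000),
    ("IOServiceNotifier gIOPublishNotification", "handler", 0xFFFFFF7F7F000000),  # outside every image
]


if __name__ == "__main__":
    for owner, member, ptr in SAMPLE_HOOKS:
        print("%-48s %-22s %#018x %s" % (owner, member, ptr, classify_pointer(ptr)))
    print("flagged:", check_hooks(SAMPLE_HOOKS))
```

Two practical notes on this check: the module table must come from the same memory image being analysed (an unlinked or hidden module would make its own hooks look "UNKNOWN", which is the desired outcome), and a pointer inside a known module is only as trustworthy as that module, so the dump-and-analyse step from slide 39 still applies to whatever owns the hook.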
55. Volafox Comparison
• Based on Volatility, but does not use the profile/object system
  – So it only supports a small number of OS versions and adding support for a new version is difficult
• Only a few plugins:
  – Process list, netstat, lsof, mount
  – Only rootkit detection is syscall hooking (static)
• SVN version supports 32 bit Mac Memory Reader but no 64 bit support

56. Conclusion
• Volatility now has proper Mac support
• Everything talked about today exists in the open source repository
  – Instructions on how to access can be found at [15]
• Much more new functionality will be added over the next couple months
  – Check [12 & 13] for updates

57. Questions? Comments?
• Speaker contact:
  – andrew@memoryanalysis.net
  – @attrc
• My Blog:
  – http://memoryforensics.blogspot.com/
• Volatility Blog:
  – http://volatility.tumblr.com/

58. References
[1] http://www.cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader
[2] https://developer.apple.com/library/mac/#documentation/devicedrivers/conceptual/IOKitFundamentals/TheRegistry/TheRegistry.html
[3] https://developer.apple.com/library/mac/#documentation/DeviceDrivers/Conceptual/IOKitFundamentals/Features/Features.html#//apple_ref/doc/uid/TP0000012-TP
[4] http://code.google.com/p/logkext/
[5] https://www.blackhat.com/presentations/bh-dc-10/Suiche_Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-wp.pdf
[6] http://www.phrack.org/issues.html?issue=66&id=16#article
[7] volafox - http://code.google.com/p/volafox/
[8] https://developer.apple.com/library/mac/#documentation/Darwin/Conceptual/NKEConceptual/ip_filter_nke/ip_filter_nke.html#//apple_ref/doc/uid/TP40001858-CH2
[9] http://www.ruxcon.org.au/assets/Presentations/2011/Defiling-Mac-OS-X-Ruxcon.pdf
[10] http://reverse.put.as/2011/09/18/abusing-os-x-trustedbsd-framework-to-install-r00t-backdoors/
[11] http://reverse.put.as/2011/09/26/fixes-for-the-trustedbsd-backdoor-rex-the-wonder-dog-v0-2/
[12] http://volatility.tumblr.com/
[13] http://memoryforensics.blogspot.com/
[14] www.trailofbits.com/resources/advanced_macosx_rootkits_paper.pdf
[15] http://code.google.com/p/volatility/wiki/MacMemoryForensics
[16] https://www.blackhat.com/presentations/bh-dc-10/Suiche_Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-slides.pdf
[17] http://securityevaluators.com/files/papers/apple-sandbox.pdf
[18] http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123