Memory Analysis Update: Tools & Techniques 2011 (SANS)

Andreas Schuster
http://computer.forensikblog.de/en/



Page 2

Research

Page 3

Research: Validation of a Memory Imager

- Inoue, Adelstein and Joyce, 2011
  Paper: http://www.dfrws.org/2011/proceedings/10-342.pdf
  Slides: http://www.dfrws.org/2011/proceedings/HINOUE-DFRWS2011-Visualizing.pdf
- How can you verify the correctness of a memory imager?
- Metrics: Speed, Completeness, Accuracy, Non-interference
- Approach: Dotplot
  - many physical memory pages per pixel
  - color-coded similarity: black (0%) to white (100%)
  - blue: all pages are zero
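As an added example (not code from the slides or the paper), a page-level dotplot in Python on two constructed toy images: pixel (i, j) compares block i of the reference with block j of the candidate, grey levels run from black (0% identical pages) to white (100%), and a block pair consisting only of zero pages is marked blue instead of white so that empty memory does not masquerade as a faithful copy. The page size, pages-per-pixel value and the sample data are assumptions.

```python
PAGE_SIZE = 4096
PAGES_PER_PIXEL = 2  # "many physical memory pages per pixel"; tiny here for the toy data

def split_pages(image):
    """Split a raw image into fixed-size pages (the last one may be short)."""
    return [image[o:o + PAGE_SIZE] for o in range(0, len(image), PAGE_SIZE)]

def block_similarity(ref_block, cand_block):
    """Compare two equally long page lists positionally.
    Returns (fraction of identical pages, True if every page is all-zero)."""
    pairs = list(zip(ref_block, cand_block))
    matches = sum(1 for r, c in pairs if r == c)
    all_zero = all(not any(r) and not any(c) for r, c in pairs)
    return matches / len(pairs), all_zero

def dotplot(reference, candidate, pages_per_pixel=PAGES_PER_PIXEL):
    """Return rows of pixels: grey level 0 (black, 0%) .. 255 (white, 100%),
    or the string 'blue' where both blocks contain only zero pages."""
    ref, cand = split_pages(reference), split_pages(candidate)
    if len(ref) != len(cand):
        raise ValueError("page counts differ: check completeness before accuracy")
    n = pages_per_pixel
    rows = []
    for i in range(0, len(ref), n):          # block i of the reference (y axis)
        row = []
        for j in range(0, len(cand), n):     # block j of the candidate (x axis)
            sim, zero = block_similarity(ref[i:i + n], cand[j:j + n])
            row.append("blue" if zero else round(sim * 255))
        rows.append(row)
    return rows

def accuracy(reference, candidate):
    """Fraction of pages reproduced byte-for-byte (one 'accuracy' figure)."""
    ref, cand = split_pages(reference), split_pages(candidate)
    return sum(1 for r, c in zip(ref, cand) if r == c) / len(ref)

def page(fill):
    return bytes([fill]) * PAGE_SIZE

# Constructed sample data (assumption): eight pages each. Pages 0-1 and 6-7 are
# zero in both; in the candidate, page 3 changed during acquisition (smear) and
# page 5 is a stale copy of page 4.
ZERO = page(0)
REFERENCE = ZERO * 2 + page(0x41) + page(0x42) + page(0x43) + page(0x44) + ZERO * 2
CANDIDATE = ZERO * 2 + page(0x41) + page(0x99) + page(0x43) + page(0x43) + ZERO * 2

if __name__ == "__main__":
    for row in dotplot(REFERENCE, CANDIDATE):   # a white diagonal means a faithful copy
        print(" ".join(f"{p:>4}" for p in row))
    print(f"accuracy: {accuracy(REFERENCE, CANDIDATE):.2f}")  # 0.75
```

On the sample data the plot shows blue corners (zero regions), two mid-grey pixels on the diagonal (one of two pages matching in each block) and black elsewhere.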

Page 4

Research: Validation of a Memory Imager

(Figure: dotplot of a memory image. Source: H. Inoue)

Page 5

Research: Microsoft Windows Command Line

- Stevens and Casey, 2010
  Paper: www.dfrws.org/2010/proceedings/2010-307.pdf
  Slides: http://www.dfrws.org/2010/proceedings/stevens.pdf
- DOSKEY data is not stored in the cmd.exe process, but in csrss.exe
- Developed a signature for the command history descriptor
- Able to find data from closed consoles
- Found that DOSKEY /REINSTALL clears the data and restores the descriptor to its default

Page 6

Research: Microsoft Windows File System Cache

- Butler and Murdock, 2011
  Paper: https://media.blackhat.com/bh-us-11/Butler/BH_US_11_ButlerMurdock_Physical_Memory_Forensics-WP.pdf
- Re-analysed Honeynet Challenge no. 3 and the solution by Smith et al.
  - Misattribution: data of the PDF exploit found in the virtual address space of AcroRd32.exe, but also in VMwareTray.exe
  - Missing code: reconstruction of executable files from memory did not yield optimal results
- Improved method, based on kernel file objects and the cache
  - yield for executable files improved by ~30%

Page 7

Research: Automatic Generation of Memory Analysis Plugins

- Brendan Dolan-Gavitt et al., 2011
  Paper: http://www.cc.gatech.edu/~giffin/papers/oakland11/DLZ+11.pdf
  Slides: http://amnesia.gtisc.gatech.edu/~moyix/OMFW_Virtuoso.pdf
- Learn about undocumented data structures through run-time analysis of live analysis tools and APIs
  - trace execution of a „training program“ in QEMU
  - remove unwanted data (interrupts)
  - translate x86 instructions to Python code
- Result is a Volatility plugin

Page 8

Volatility

Page 9

Volatility 2.0: Project Management

- Development team established:
  - AAron Walters („Labarum_x“)
  - Brendan Dolan-Gavitt („moyix“)
  - Michael Cohen („scudette“)
  - Jamie Levy („gleeda“)
  - Mike Auty („ikelos“)
  - Michael Hale Ligh
  - Andrew Case („attrc“)
- Project moved to Google Code (SVN repository, wiki, bug tracker): http://code.google.com/p/volatility/
- Support:
  - development and users mailing lists, see http://lists.volatilesystems.com/mailman/listinfo/
  - IRC: #volatility @ Freenode

Page 10

Volatility 2.0: Expanded Operating System Support

- Currently supported:
  - 32bit Windows XP Service Pack 2 and 3
  - 32bit Windows 2003 Server Service Pack 0, 1, 2
  - 32bit Windows Vista Service Pack 0, 1, 2
  - 32bit Windows 2008 Server Service Pack 1, 2
  - 32bit Windows 7 Service Pack 0, 1
- To do:
  - 64bit versions of Windows
  - Linux integration
  - Mac OS X and BSD?

Page 11

Volatility 2.0: New Functions

- More than 40 plugins; 3rd party plugins were incorporated into the distribution
- Housekeeping/internal use (inspectcache, testsuite)
- Enumerate handles to all kinds of kernel objects
- Vista (and later) network objects (netscan)
- Scanners for the KPCR and KDBG block
- Interactive shell (volshell)
- Patch memory images (patcher)

Page 12

Volatility 2.0: Caching

- Time-consuming, recurring tasks:
  - locating the KPCR
  - enumerating processes
  - mapping between virtual and physical addresses
- Data can be cached in a hierarchical registry
- Storage options:
  - directories and files
  - ZIP archive

Page 13

Inspired by Volatility: Linux

- Volatilitux
  http://code.google.com/p/volatilitux/
  architectures: ARM, x86 (with and without PAE)
- Commands: pslist, memmap, memdmp, filelist, filedmp

Page 14

Inspired by Volatility: Mac OS X

- Volafox, by [author name missing in source] and Korean DFRC
  http://code.google.com/p/volafox/
  Based on research by Matthieu Suiche
- Commands:
  - Machine Information
  - Mounted Filesystem
  - Process List
  - KEXT information
  - enumerate system calls and detect hooks
  - dump processes and kernel extensions

Page 15

Graphical User Interfaces

Page 16

User Interface: OSVAC

- Cyber Forensics India: OSVAC 1.0 (Open Source Volatility Addendum by C-DAC)
- http://www.cyberforensics.in/showdownloads.aspx?id=12
- Prerequisites:
  - Python 2.5
  - .NET Framework
- Incorporates Volatility 1.3

Page 17

User Interface: OSVAC

(Figure: excerpt from the OSVAC version 1.0 manual, C-DAC, Resource Centre for Cyber Forensics, Trivandrum, India, page 26)

4.2.1.1 Process List: Selecting Process List shows the list of running/killed/hidden processes that could be extracted from the dump, and selecting each process will show the details of files,

Figure 4.2.1.1.1: Here RouterNT.exe is selected from the main list to view the artifacts related to the process. On selection, the sub-details tabbed view shows the details of artifacts related to the process RouterNT.exe.

For viewing the artifacts related to the selected process, select the corresponding tab views. There are five tab views for showing the process-related artifacts, i.e. Files, DLLs, Socket(s), Connection(s), Registry. Files: shows the opened files related to the process.

Source: C-DAC

Page 18

User Interface: OSVAC

(Figure: excerpt from the OSVAC version 1.0 manual, C-DAC, Resource Centre for Cyber Forensics, Trivandrum, India, page 45)

Figure 4.2.1.8.3: Report with appended information before clearing

Source: C-DAC

Page 19

Guided Memory Analysis: MANDIANT Redline

- MANDIANT Redline, v1.0.1
- http://www.mandiant.com/products/free_software/redline/
- Method:
  1. Review processes with a high Malware Rating Index, known-bad mutant name, injected code, hijacked DLL
  2. Review network connections
  3. Review memory sections
  4. Review untrusted handles
  5. Review hooks
  6. Review drivers
- Nice GUI
- Detailed reports (e.g. driver stack)
- MRI scoring needs improvement

Page 20

Guided Memory Analysis: MANDIANT Redline

Page 21

Guided Memory Analysis: MANDIANT Redline

Page 22

Questions?