• Home

  • Documents

  • Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional...
36
Memory Forensics Dmitry Vostokov Software Diagnostics Institute Facebook LinkedIn Twitter Presented at VolgaCTF, Russia Inter-Regional Inter-University Open Computer Security Contest www.volgactf.ru

Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Embed Size (px)

Citation preview

Page 1: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Memory Forensics

Dmitry Vostokov Software Diagnostics Institute Facebook LinkedIn Twitter

Presented at VolgaCTF, Russia Inter-Regional Inter-University Open Computer Security Contest

www.volgactf.ru

http://www.facebook.com/DumpAnalysis
http://www.linkedin.com/in/vostokov
http://twitter.com/DumpAnalysis
http://www.volgactf.ru/
Page 2: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Forensics

A discipline studying past structure and behavior.

© 2014 Software Diagnostics Institute

Page 3: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Memory Forensics

A discipline studying past structure and behavior in acquired computer memory.

© 2014 Software Diagnostics Institute

Page 4: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

We Have A Problem Proliferation of computer

architectures, operating systems, and tools

Different memory analysis narratives

Need to measure analysis quality

© 2014 Software Diagnostics Institute

Page 5: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Solution

Empirical patterns

A pattern language

Pattern orientation

© 2014 Software Diagnostics Institute

Page 6: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Forensic Pattern

A common recurrent identifiable set of indicators (signs) together with a set of recommendations to apply in a specific context.

© 2014 Software Diagnostics Institute

Page 7: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Memory Forensics revised

A discipline studying past structure and behavior of software in acquired memory using pattern-oriented analysis methodology.

© 2014 Software Diagnostics Institute

Page 8: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Software Forensics

Software execution artefacts

Memory forensics

© 2014 Software Diagnostics Institute

Page 9: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Software Forensics

A discipline studying past structure and behavior of software in execution artifacts using systemic and pattern-oriented analysis methodologies.

© 2014 Software Diagnostics Institute

Page 10: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Structure and Behavior

Memory snapshots (dumps)

Traces and logs

Source code

Digital data (media)

© 2014 Software Diagnostics Institute

Page 11: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Diagnostics and Forensics

Diagnostics (present and past)

Forensics (past)

Prognostics (future)

© 2014 Software Diagnostics Institute

Page 12: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Software Diagnostics A discipline studying signs of software structure and behavior in software execution artifacts (such as memory dumps, software and network traces and logs) using systemic and pattern-oriented analysis methodologies.

© 2014 Software Diagnostics Institute

Page 13: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Forensic Analysis Patterns

Software Diagnostics Patterns

Software Forensic Analysis Patterns

© 2014 Software Diagnostics Institute

Memory Forensic Analysis Patterns

Page 14: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

A Pattern Language

The same detection and analysis language for different computer architectures, operating systems, and tools

The same memory analysis narratives

Measured analysis quality

Predicting unknown © 2014 Software Diagnostics Institute

Page 15: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Pattern Orientation 1. Pattern-driven Finding patterns in memory

Using checklists and pattern catalogs

2. Pattern-based Pattern catalogue evolution

Catalog packaging and delivery

© 2014 Software Diagnostics Institute

Page 16: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Structural Memory Patterns

… Memory Region Region Boundary Anchor Region Linked List Value References Regular Data String Value Small Value Data Structure …

Main Pattern Catalogues

Memory Analysis Patterns … Wait Chain Execution Residue Spiking Thread Local Buffer Overflow Shared Buffer Overwrite Dynamic Memory Corruption …

© 2014 Software Diagnostics Institute

Malware Analysis Patterns

… Raw Pointer String Hint Out-of-Module Pointer Hooksware Hidden Process Deviant Module Namespace …

Disassembly, Deconstruction, Reversing Patterns

Memory Acquisition Patterns

Page 17: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Pattern Classification

… Dynamic Memory Corruption Patterns Stack Overflow Patterns Stack Trace Patterns Symbol Patterns Exception Patterns Meta-Memory Dump Patterns Module Patterns Optimization Patterns Thread Patterns Process Patterns …

© 2014 Software Diagnostics Institute

Page 18: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Memory Acquisition Patterns http://www.dumpanalysis.org/memory-acquisition-patterns

Structural space patterns

… Process Memory Dump Kernel memory Dump Physical Memory Dump Fiber Bundle Dump …

© 2014 Software Diagnostics Institute

Acquisition strategy patterns

… External Dump Self Dump Conditional Dump Dump Sequence …

http://www.dumpanalysis.org/memory-acquisition-patterns
Page 19: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

ADDR Patterns http://www.dumpanalysis.org/addr-patterns

… Potential Functionality Function Skeleton Function Call Call Path Local Variable Static Variable Pointer Dereference Function Prologue Function Epilogue Variable Initialization

© 2014 Software Diagnostics Institute

Memory Copy Call Prologue Call Parameter Call Epilogue Call Result Control Path Function Parameter Structure Field Last Call …

http://www.dumpanalysis.org/addr-patterns
Page 20: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Pattern Implementation By OS vendor (Windows, Mac OS X, Linux, …)

By tool (WinDbg, Volatility, IDA, GDB, LLDB, …)

By CPU architecture (x86, x64, ARM, …)

By digital media (memory, volume, file, blob, …)

© 2014 Software Diagnostics Institute

Page 21: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Pattern-Driven Analysis

Memory Checklists Patterns Action

© 2014 Software Diagnostics Institute

Pattern Pattern Pattern Pattern Pattern

1. Tool-specific checklist: http://www.dumpanalysis.org/windows-memory-analysis-checklist

2. Pattern catalogue checklists: http://dumpanalysis.org

http://www.dumpanalysis.org/windows-memory-analysis-checklist
http://www.dumpanalysis.org/windows-memory-analysis-checklist
http://dumpanalysis.org/
Page 22: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Pattern-Based Analysis

Memory

New Pattern

Discovery

Pattern Catalog

+

Usage

© 2014 Software Diagnostics Institute

Page 23: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Systems Approach

Narratology Trace

Analysis Patterns

Memory Analysis

© 2014 Software Diagnostics Institute

Page 24: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Native Memory Forensics

Using native OS debuggers such as WinDbg from Debugging Tools for Windows or GDB (Linux) or GDB/LLDB (Mac OS X).

© 2014 Software Diagnostics Institute

Page 25: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Practical Examples

WinDbg session…

© 2014 Software Diagnostics Institute

Page 26: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Patterns for Example A Tampered Dump Exception Stack Trace Stored Exception Lateral Damage Execution Residue Hidden Exception NULL Data Pointer

© 2014 Software Diagnostics Institute

Page 27: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Patterns for Example B Heap Corruption Stack Trace Collection RIP Stack Trace Hooksware Patched Code Hidden Module Deviant Module String Hint Fake Module No Component Symbols Namespace

© 2014 Software Diagnostics Institute

Page 28: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Example C

Pattern correspondence Process Dump Physical (Complete) Dump Kernel Dump

© 2014 Software Diagnostics Institute

Page 29: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Further Reading (Patterns)

The Timeless Way of Building (by Christopher Alexander)

A Pattern Language: Towns, Buildings, Construction (by Christopher Alexander, et al.)

© 2014 Software Diagnostics Institute

Page 30: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Further Reading (MDA)

Cloud Memory Dump Analysis

Fundamentals of Physical Memory Analysis

Victimware

Pattern-Oriented Software Forensics

Debugging TV

© 2014 Software Diagnostics Institute

http://www.patterndiagnostics.com/CMDA-materials
http://www.patterndiagnostics.com/FPMA-materials
http://www.patterndiagnostics.com/Victimware-materials
http://www.patterndiagnostics.com/pattern-oriented-software-forensics-materials
http://www.patterndiagnostics.com/pattern-oriented-software-forensics-materials
http://www.patterndiagnostics.com/pattern-oriented-software-forensics-materials
http://www.debugging.tv/
Page 31: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Further Reading (SD)

Software Diagnostics Institute

Pattern-Driven Software Diagnostics

Systemic Software Diagnostics

Pattern-Based Software Diagnostics

Philosophy of Software Diagnostics

© 2014 Software Diagnostics Institute

http://www.dumpanalysis.org
http://www.patterndiagnostics.com/Introduction-Software-Diagnostics-materials
http://www.patterndiagnostics.com/Introduction-Software-Diagnostics-materials
http://www.patterndiagnostics.com/Introduction-Software-Diagnostics-materials
http://www.patterndiagnostics.com/Introduction-Software-Diagnostics-materials
http://www.patterndiagnostics.com/Introduction-Software-Diagnostics-materials
http://www.patterndiagnostics.com/systemic-diagnostics-materials
http://www.patterndiagnostics.com/systemic-diagnostics-materials
http://www.patterndiagnostics.com/systemic-diagnostics-materials
http://www.patterndiagnostics.com/pattern-based-diagnostics-materials
http://www.patterndiagnostics.com/pattern-based-diagnostics-materials
http://www.patterndiagnostics.com/pattern-based-diagnostics-materials
http://www.patterndiagnostics.com/pattern-based-diagnostics-materials
http://www.patterndiagnostics.com/pattern-based-diagnostics-materials
http://www.patterndiagnostics.com/philosophy-diagnostics-materials
http://www.patterndiagnostics.com/philosophy-diagnostics-materials
http://www.patterndiagnostics.com/philosophy-diagnostics-materials
Page 32: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Current Reference

© 2014 Software Diagnostics Institute

Memory Dump Analysis Anthology: 7 volumes + 3 colour volumes Volume 8 is planned for 2015/2016

Page 33: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Forthcoming Transcript

© 2014 Software Diagnostics Institute

Pattern-Oriented Memory Forensics: A Pattern Language Approach (ISBN: 9781908043764)

Page 34: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Forthcoming Reference

© 2014 Software Diagnostics Institute

A Pattern Language for Software Diagnostics, Forensics, and Prognostics: Memory, Traces, Deconstruction (10 volumes)

Page 35: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Q&A

Please send your feedback using the contact form on DumpAnalysis.org

© 2014 Software Diagnostics Institute

http://www.dumpanalysis.org/
Page 36: Memory Forensics - · PDF fileMemory Forensics . Dmitry Vostokov ... Inter-Regional Inter-University Open Computer Security Contest . Forensics . ... Pattern Classification

Thank you for attendance!

Facebook LinkedIn Twitter © 2014 Software Diagnostics Institute

http://www.facebook.com/DumpAnalysis
http://www.linkedin.com/in/vostokov
http://twitter.com/DumpAnalysis

Computer Forensics Network Protocols Overview for Network Forensics

Computer Forensics Network Protocols Overview for Network Forensics

Documents
COE589: Digital Forensics - ccse.kfupm.edu.saahmadsm/coe589-122/00_Overview_Logisti… · Digital Forensics computer forensics mobile forensics network forensics ... COE589 - Ahmad

COE589: Digital Forensics - ccse.kfupm.edu.saahmadsm/coe589-122/00_Overview_Logisti… · Digital Forensics computer forensics mobile forensics network forensics ... COE589 - Ahmad

Documents
COEN 252 Computer Forensics Challenges of Network Forensics

COEN 252 Computer Forensics Challenges of Network Forensics

Documents
Windows Memory Dump Analysis - Software Diagnostics …...Windows Memory Dump Analysis . Dmitry Vostokov . Software Diagnostics Services . Version 4.0

Windows Memory Dump Analysis - Software Diagnostics …...Windows Memory Dump Analysis . Dmitry Vostokov . Software Diagnostics Services . Version 4.0

Documents
Is Mobile Device Forensics Really Forensics?

Is Mobile Device Forensics Really Forensics?

Documents
© The Forensics Files Lincoln-Douglas Debate The Forensics Files The Forensics Files

© The Forensics Files Lincoln-Douglas Debate The Forensics Files The Forensics Files

Documents
Implementation of Forensic Analysis Procedures for ...Android Forensics, Instant Messenger Forensics, Viber Forensics, WhatsApp Forensics. 1. INTRODUCTION ... communication medium

Implementation of Forensic Analysis Procedures for ...Android Forensics, Instant Messenger Forensics, Viber Forensics, WhatsApp Forensics. 1. INTRODUCTION ... communication medium

Documents
Fundamental Limits in Multimedia Forensics and Anti-Forensics

Fundamental Limits in Multimedia Forensics and Anti-Forensics

Documents
Preventive Digital Forensics: Creating Preventive Digital Forensics

Preventive Digital Forensics: Creating Preventive Digital Forensics

Documents
Professionisti a tutela della verità - P&P Investigazioni...Digital & Mobile Forensics Digital Forensics Network Forensics Embedded & Software Forensics Metodologia d’Intervento

Professionisti a tutela della verità - P&P Investigazioni...Digital & Mobile Forensics Digital Forensics Network Forensics Embedded & Software Forensics Metodologia d’Intervento

Documents
Pattern-Driven Software DiagnosticsPattern-Driven Software Diagnostics . Dmitry Vostokov . Memory Dump Analysis Services . Version 1.0

Pattern-Driven Software DiagnosticsPattern-Driven Software Diagnostics . Dmitry Vostokov . Memory Dump Analysis Services . Version 1.0

Documents
Acquisizione Laboratorio Disk forensics Network forensics

Acquisizione Laboratorio Disk forensics Network forensics

Documents
Forensics & Anti- Forensics - Power Of Communitypowerofcommunity.net/poc2007/casper.pdf · Anti-Forensics • Wipe can reply all Host Forensics Tools • Counterfeit Evidence •

Forensics & Anti- Forensics - Power Of Communitypowerofcommunity.net/poc2007/casper.pdf · Anti-Forensics • Wipe can reply all Host Forensics Tools • Counterfeit Evidence •

Documents
Digital forensics track schroader-rob when forensics collide

Digital forensics track schroader-rob when forensics collide

Technology
Memory Forensics - publish.illinois.edupublish.illinois.edu/.../files/2014/03/acc-forensics.pdfWhat is Computer Forensics? Mobile Device Forensics Network Forensics Memory & Data Forensics

Memory Forensics - publish.illinois.edupublish.illinois.edu/.../files/2014/03/acc-forensics.pdfWhat is Computer Forensics? Mobile Device Forensics Network Forensics Memory & Data Forensics

Documents
Live Forensics Investigations Computer Forensics 2013

Live Forensics Investigations Computer Forensics 2013

Documents
Computer forensics - Jordan University of Science and ...tawalbeh/aabfs/presentations/computer_forensics.pdf · 29.08.2006 Computer forensics 2 Computer forensics Definitions: Forensics

Computer forensics - Jordan University of Science and ...tawalbeh/aabfs/presentations/computer_forensics.pdf · 29.08.2006 Computer forensics 2 Computer forensics Definitions: Forensics

Documents
Anti-Forensics and Anti-Anti-Forensics

Anti-Forensics and Anti-Anti-Forensics

Documents
Network Forensics PPrinciples of Network Forensics

Network Forensics PPrinciples of Network Forensics

Documents
Windows 8 Forensics & Anti Forensics

Windows 8 Forensics & Anti Forensics

Technology
History of Forensics CHS. Define Forensics Forensics is the application of science to law

History of Forensics CHS. Define Forensics Forensics is the application of science to law

Documents
Computer Forensics - Dipartimento Di Informaticaads/ads/Sicurezza_files/Presenta... · 2017-05-09 · Computer Forensics 3 Dalla digital forensics alla computer forensics Digital

Computer Forensics - Dipartimento Di Informaticaads/ads/Sicurezza_files/Presenta... · 2017-05-09 · Computer Forensics 3 Dalla digital forensics alla computer forensics Digital

Documents
Computer Forensics – Tracking the Cyber vandals Forensics

Computer Forensics – Tracking the Cyber vandals Forensics

Documents
Digital Evidence and Computer Forensics Oct 7-8 2013/Tab 02 Oct 7-8... · Digital Evidence and Computer Forensics COMPUTER FORENSICS FORENSICS FORENSICS

Digital Evidence and Computer Forensics Oct 7-8 2013/Tab 02 Oct 7-8... · Digital Evidence and Computer Forensics COMPUTER FORENSICS FORENSICS FORENSICS

Documents
iPhone Forensics Methodology and Tools · Forensics methodologies, iPhone forensics, forensics tools, digital forensics evidence handling, INTRODUCTION iPhone mobile phone is becoming

iPhone Forensics Methodology and Tools · Forensics methodologies, iPhone forensics, forensics tools, digital forensics evidence handling, INTRODUCTION iPhone mobile phone is becoming

Documents
Arrowhead Forensics - The Gold Standard in Forensics Crime

Arrowhead Forensics - The Gold Standard in Forensics Crime

Documents
FORENSICS JOURNAL - Stevenson Universitystevenson.edu/online/publications/forensics/documents/...FORENSICS JOURNAL 1 Welcome to the third edition of the Stevenson University Forensics

FORENSICS JOURNAL - Stevenson Universitystevenson.edu/online/publications/forensics/documents/...FORENSICS JOURNAL 1 Welcome to the third edition of the Stevenson University Forensics

Documents
Comp ter Forensics It’s NotComputer Forensics: It’s … ter Forensics It’s NotComputer Forensics: ... Computer Forensics Can be Useful with ... Solid state drives & deleted file

Comp ter Forensics It’s NotComputer Forensics: It’s … ter Forensics It’s NotComputer Forensics: ... Computer Forensics Can be Useful with ... Solid state drives & deleted file

Documents
COMPUTER FORENSICS - Boise Chapter€¦ · 3 Mobile device forensics 4 Other 5 References Computer forensics Main article: computer forensics ... 1.19 Computer Forensics Solution

COMPUTER FORENSICS - Boise Chapter€¦ · 3 Mobile device forensics 4 Other 5 References Computer forensics Main article: computer forensics ... 1.19 Computer Forensics Solution

Documents
Viktor Vostokov Tainite Tibetskata Medicina

Viktor Vostokov Tainite Tibetskata Medicina

Documents