Recent Advances in Memory Forensics ZISC 2010 September 13, 2010 Andreas Schuster

Recent Advances in Memory Forensics - …computer.forensikblog.de/files/...Recent_Advances_in_Memory_Foren… · tragedy in kmem_cache mining for live forensics investigation,


Page 1:

Recent Advances in

Memory Forensics

ZISC 2010

September 13, 2010

Andreas Schuster

Page 2:

The Most Important Advancement...

Page 3:

Memory Analysis has made its way into well-known digital forensic tools!

The Most Important Advancement ...

Page 4:

Takahiro Haruyama has ported Volatility to EnCase

The Most Important Advancement ...

Page 5:

Takahiro Haruyama, Blog post "PsEntropyPEB Matching Mode", August 5, 2010, http://cci.cocolog-nifty.com/blog/files/MemoryForensicToolkit_Ver1.83.zip

The Most Important Advancement ... References

Page 6:

Apple Mac OS X

Page 7:

Retrieval of symbols from binaries

Translation between virtual and physical addresses:

assume KPA = KVA

retrieve IdlePDPT, IdlePDPT64, IdlePML4, and IdlePTD at known address to reconstruct kernel address space

Apple Mac OS X: Getting started

Page 8:

Apple Mac OS X: Refresher on VA-to-PA translation

[Figure: Intel's overview of the IA-32 system-level registers and data structures. A segment selector and offset are resolved through the GDT/LDT segment descriptors (with the task register, TSS, call gates, interrupt and exception handlers and the IDT shown alongside) to a linear address; the linear address is split into page-directory index, page-table index and page offset; CR3 holds the page-directory base, the page-directory entry points to a page table, and the page-table entry yields the physical page. The page mapping example shown is for 4-KByte pages and a 32-bit physical address size.]

Image: Intel
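The two-level walk that the figure above summarises, written out as an added example (it is not code from the talk or from any forensic tool). It implements classic 32-bit, non-PAE IA-32 paging with 4-KByte pages plus the 4-MByte large-page case, over a small constructed "physical memory" image; the PAE/64-bit structures named on the Mac OS X slide (IdlePDPT, IdlePML4) are a different table format and are not handled here. The image contents, the CR3 value 0x1000 and the marker string are all constructed for the demo.

```python
"""Two-level (non-PAE, 32-bit) IA-32 page-table walk over a raw memory image.

Added example, not from the slide deck. Translates a linear (virtual)
address to a physical address the way the refresher figure shows, using
CR3 as the page-directory base. The image built below is constructed.
"""
import struct

PAGE_SIZE = 0x1000
LARGE_PAGE_SIZE = 0x400000   # 4 MiB page when the PDE's PS bit is set

PRESENT = 1 << 0             # bit 0 of a PDE/PTE
PAGE_SIZE_BIT = 1 << 7       # PS bit of a PDE


def read_u32(image, phys):
    """Read a little-endian 32-bit value at a physical offset of the image."""
    if phys < 0 or phys + 4 > len(image):
        raise ValueError(f"physical address {phys:#x} outside image")
    return struct.unpack_from("<I", image, phys)[0]


def v2p(image, cr3, va):
    """Translate a 32-bit linear address using the page directory at CR3.

    Returns the physical address, or None when the directory or table entry
    is not present (the cases a forensic tool reports as unreadable).
    """
    pd_base = cr3 & ~0xFFF      # low 12 bits of CR3 are flags, not address
    pde = read_u32(image, pd_base + ((va >> 22) & 0x3FF) * 4)
    if not pde & PRESENT:
        return None
    if pde & PAGE_SIZE_BIT:
        # 4 MiB page: bits 31:22 of the PDE are the page base, no page table.
        return (pde & 0xFFC00000) | (va & (LARGE_PAGE_SIZE - 1))
    pt_base = pde & ~0xFFF
    pte = read_u32(image, pt_base + ((va >> 12) & 0x3FF) * 4)
    if not pte & PRESENT:
        return None
    return (pte & ~0xFFF) | (va & (PAGE_SIZE - 1))


def read_virtual(image, cr3, va, length):
    """Read bytes at a virtual address; None if any page fails to translate."""
    out = bytearray()
    while length:
        pa = v2p(image, cr3, va)
        if pa is None:
            return None
        chunk = min(length, PAGE_SIZE - (va & 0xFFF))   # never cross a page
        out += image[pa:pa + chunk]
        va += chunk
        length -= chunk
    return bytes(out)


def build_sample_image():
    """Constructed 16 KiB 'physical memory' with one directory and one table."""
    image = bytearray(4 * PAGE_SIZE)
    cr3 = 0x1000   # constructed: page directory lives in physical page 1
    # PDE 0x200 (VA 0x80000000-0x803fffff) -> page table at physical 0x2000
    struct.pack_into("<I", image, cr3 + 0x200 * 4, 0x2000 | 0x3)
    # PTE 1 of that table (VA 0x80001000) -> physical page 0x3000
    struct.pack_into("<I", image, 0x2000 + 1 * 4, 0x3000 | 0x3)
    # PDE 0x300 (VA 0xc0000000) -> 4 MiB page at physical 0x00400000
    struct.pack_into("<I", image, cr3 + 0x300 * 4, 0x00400000 | 0x83)
    image[0x3234:0x3234 + 8] = b"_KPCR!!_"   # constructed marker to read back
    return image, cr3


if __name__ == "__main__":
    image, cr3 = build_sample_image()
    for va in (0x80001234, 0xC0123456, 0x80002000, 0x00000000):
        pa = v2p(image, cr3, va)
        print(f"VA {va:#010x} -> PA {pa:#010x}" if pa is not None
              else f"VA {va:#010x} -> not present")
    print(read_virtual(image, cr3, 0x80001234, 8))
```

On a real dump the only inputs that change are the image bytes and CR3; the Mac OS X slide's "assume KPA = KVA" shortcut is exactly what lets one read the kernel's page tables before any translation is possible.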

Page 9:

Machine information: CPUs, memory, kernel version

Kernel modules: unexpected/suspicious extensions?

System calls: hooks, redirection

BSD processes: parent-child relation, ownership, timestamp

Mounted file systems: type, mount point, media

Apple Mac OS X: In-depth analysis

Page 11:

Linux kmem_cache

Page 12:

Cache facility to support system memory allocator

Provides quick access to data structures of the same size

Example:

task_struct_cachep = kmem_cache_create("task_struct", sizeof(struct task_struct), ARCH_MIN_TASKALIGN, SLAB_PANIC, NULL);

Linux kmem_cache: Usage

Page 13:

Uniform access to in-memory data of terminated objects

Processes

File handles (meta-data)

Memory mappings (shared memory, file contents)

Filesystem inode cache

Sockets (meta-data)

Socket buffers (contents)

Netfilter NAT table

Linux kmem_cache: Forensic value

Page 14:

Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III, Treasure and tragedy in kmem_cache mining for live forensics investigation, Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010, pp. S41-S47, ISSN 1742-2876, DOI:10.1016/j.diin.2010.05.006

http://www.dfrws.org/2010/proceedings/2010-305.pdf (Paper)

http://www.dfrws.org/2010/proceedings/richard2.pdf (Presentation)

Linux kmem_cache: References

Page 15:

Robust Signatures

Page 16:

Robust Signatures: List walking

[Figure: a doubly linked list walked from PsActiveProcessHead; the flink/blink entries connect PsActiveProcessHead, smss, rk and explorer in a ring, so a walk from the head visits every process.]

Page 17:

Robust Signatures: List walking

[Figure: the same list after rk has been unlinked; the flink/blink entries of smss and explorer now point at each other, so a walk from PsActiveProcessHead visits smss and explorer only, while rk's own flink/blink still point into the list and the object remains in memory.]

Page 18:

Describe an object by a set of constraints:
  constants
  range/set of values
  complex conditions

Scan whole memory image:
  finds active and „visible“ objects
  finds active and hidden objects
  finds terminated objects

Is the signature based on essential data?

kd> dt 812927c0 nt!_DISPATCHER_HEADER
   +0x000 Type     : 0x3   // „process“
   +0x001 Absolute : 0
   +0x002 Size     : 0x1b
   +0x003 Inserted : 0

Robust Signatures: Power and weakness of scanners
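The two approaches of this section side by side, as an added example that is not code from the talk: a list walk from the head versus a signature scan for the DISPATCHER_HEADER values shown above (Type 0x3, Absolute 0, Size 0x1b, Inserted 0). The object layout is a deliberately simplified, constructed stand-in for nt!_EPROCESS (header, embedded LIST_ENTRY, name), addresses are assumed to equal offsets into the image, and the process names, offsets and the decoy record are all constructed.

```python
"""List walking versus signature scanning over a constructed memory image.

Added example, not the talk's code. The object layout is a simplified,
constructed stand-in for nt!_EPROCESS; addresses are assumed to be equal
to offsets in the image (identity mapping) to keep the demo self-contained.
"""
import struct

# Constructed layout of one 'process' object (NOT the real EPROCESS layout).
OFF_HEADER = 0x00   # Type, Absolute, Size, Inserted (one byte each)
OFF_LINKS = 0x04    # LIST_ENTRY {Flink, Blink}, points at other LIST_ENTRYs
OFF_NAME = 0x0C     # 16-byte, NUL-padded image name
OBJ_SIZE = 0x20

# Header values the kernel keeps in a process object (taken from the slide):
# Type 0x3 ("process"), Absolute 0, Size 0x1b (in dwords), Inserted 0.
PROCESS_HEADER = bytes([0x03, 0x00, 0x1B, 0x00])

LIST_HEAD = 0x0100  # stands in for nt!PsActiveProcessHead (a bare LIST_ENTRY)

VISIBLE, HIDDEN, UNLINKED = "active, visible", "active, hidden", "terminated or false positive"


def u32(image, addr):
    return struct.unpack_from("<I", image, addr)[0]


def name_at(image, obj):
    raw = image[obj + OFF_NAME:obj + OFF_NAME + 16]
    return bytes(raw).split(b"\x00", 1)[0].decode("ascii", "replace")


def walk_active_list(image, head=LIST_HEAD, limit=1000):
    """Follow Flink from the head: what a list-walking tool would report."""
    found = []
    link = u32(image, head)                 # head.Flink
    while link != head and len(found) < limit:
        if link < OFF_LINKS or link + 8 > len(image):
            break                           # dangling pointer: stop, don't read outside
        obj = link - OFF_LINKS              # CONTAINING_RECORD: LIST_ENTRY -> object
        found.append((obj, name_at(image, obj)))
        link = u32(image, obj + OFF_LINKS)
    return found


def scan_for_processes(image, align=8):
    """Signature scan: every aligned spot whose header bytes match a process."""
    hits = []
    for off in range(0, len(image) - OBJ_SIZE, align):
        if image[off:off + 4] == PROCESS_HEADER:
            hits.append((off, name_at(image, off)))
    return hits


def classify(image):
    """Label each scanner hit by comparing it with the list walk.

    A hit the walk did not reach but whose links still point into the image
    is flagged as hidden; a hit with null or wild links is either a freed,
    terminated object or a false positive of the (short) signature.
    """
    visible = {obj for obj, _ in walk_active_list(image)}
    report = {}
    for obj, name in scan_for_processes(image):
        if obj in visible:
            status = VISIBLE
        else:
            flink, blink = struct.unpack_from("<II", image, obj + OFF_LINKS)
            in_image = all(0 < p < len(image) for p in (flink, blink))
            status = HIDDEN if in_image else UNLINKED
        report[(obj, name)] = status
    return report


def build_sample_image():
    """Constructed image: three live processes (one unlinked), one freed, one decoy."""
    image = bytearray(0x6000)
    procs = {0x1000: "smss.exe", 0x2000: "rk.sys", 0x3000: "explorer.exe", 0x4000: "old.exe"}
    for obj, name in procs.items():
        image[obj:obj + 4] = PROCESS_HEADER
        image[obj + OFF_NAME:obj + OFF_NAME + len(name)] = name.encode()

    def set_links(at, flink, blink):
        struct.pack_into("<II", image, at, flink, blink)

    def links(obj):
        return obj + OFF_LINKS

    # Active list: head <-> smss <-> explorer. rk was unlinked (the hiding the
    # slide illustrates); its own Flink/Blink still point at its old neighbours.
    set_links(LIST_HEAD, links(0x1000), links(0x3000))
    set_links(links(0x1000), links(0x3000), LIST_HEAD)
    set_links(links(0x3000), LIST_HEAD, links(0x1000))
    set_links(links(0x2000), links(0x3000), links(0x1000))
    set_links(links(0x4000), 0, 0)      # old.exe: terminated, links cleared, header intact
    image[0x5000:0x5000 + 4] = PROCESS_HEADER   # decoy: header bytes match by chance
    set_links(links(0x5000), 0xDEADBEEF, 0xDEADBEEF)
    return image


if __name__ == "__main__":
    img = build_sample_image()
    print("list walk:", [n for _, n in walk_active_list(img)])
    for (obj, name), status in classify(img).items():
        print(f"{obj:#06x} {name or '<no name>':14} {status}")
```

The decoy at 0x5000 is the "weakness" half of the slide: four header bytes are a short signature, so a scan over a full image needs further constraints (value ranges, pointer sanity, the essential-field idea of the next slide) before a hit is trusted.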

Page 19:

Dolan-Gavitt (2009): Fuzzing of EPROCESS
  221 member fields in structure nt!_EPROCESS
  32 were never accessed (bad candidates)
  72 were accessed for every examined application (good candidates)
  fuzzing: manipulating a field, waiting for the process to crash
  the more crashes there are, the harder it is to tamper with the field

Robust Signatures: Fuzzing

Image: Dolan-Gavitt et al. (2009)

Page 20:

Dolan-Gavitt, B., Srivastava, A., Traynor, P., and Giffin, J. 2009. Robust signatures for kernel data structures. In Proceedings of the 16th ACM Conference on Computer and Communications Security (Chicago, Illinois, USA, November 09 - 13, 2009). CCS '09. ACM, New York, NY, 566-577. DOI:10.1145/1653662.1653730

Robust Signatures: References

Page 21:

The List of Lists

Page 22:

nt!_KPCR
   +0x000 NtTib                         : _NT_TIB
   +0x01c SelfPcr                       : Ptr32 _KPCR
   +0x020 Prcb                          : Ptr32 _KPRCB
   +0x024 Irql                          : UChar
   +0x028 IRR                           : Uint4B
   +0x02c IrrActive                     : Uint4B
   +0x030 IDR                           : Uint4B
   +0x034 KdVersionBlock                : Ptr32 Void
   +0x038 IDT                           : Ptr32 _KIDTENTRY
   +0x03c GDT                           : Ptr32 _KGDTENTRY
   +0x040 TSS                           : Ptr32 _KTSS
   +0x044 MajorVersion                  : Uint2B
   +0x046 MinorVersion                  : Uint2B
   +0x048 SetMember                     : Uint4B
   +0x04c StallScaleFactor              : Uint4B
   +0x050 DebugActive                   : UChar
   +0x051 Number                        : UChar
   +0x052 Spare0                        : UChar
   +0x053 SecondLevelCacheAssociativity : UChar
   +0x054 VdmAlert                      : Uint4B
   +0x058 KernelReserved                : [14] Uint4B
   +0x090 SecondLevelCacheSize          : Uint4B
   +0x094 HalReserved                   : [16] Uint4B
   +0x0d4 InterruptMode                 : Uint4B
   +0x0d8 Spare1                        : UChar
   +0x0dc KernelReserved2               : [17] Uint4B
   +0x120 PrcbData                      : _KPRCB

The List of Lists: Kernel Processor Control Region

Page 23:

nt!_KPRCB
   +0x000 MinorVersion                          : Uint2B
   +0x002 MajorVersion                          : Uint2B
   +0x004 CurrentThread                         : Ptr32 _KTHREAD
   +0x008 NextThread                            : Ptr32 _KTHREAD
   +0x00c IdleThread                            : Ptr32 _KTHREAD
   +0x010 Number                                : Char
   +0x011 Reserved                              : Char
   +0x012 BuildType                             : Uint2B
   +0x014 SetMember                             : Uint4B
   +0x018 CpuType                               : Char
   +0x019 CpuID                                 : Char
   +0x01a CpuStep                               : Uint2B
   +0x01c ProcessorState                        : _KPROCESSOR_STATE
   ...
   +0x8c0 CallDpc                               : _KDPC
   +0x8e0 ChainedInterruptList                  : Ptr32 Void
   +0x8e4 LookasideIrpFloat                     : Int4B
   +0x8e8 SpareFields0                          : [6] Uint4B
   +0x900 VendorString                          : [13] UChar
   +0x90d InitialApicId                         : UChar
   +0x90e LogicalProcessorsPerPhysicalProcessor : UChar
   +0x910 MHz                                   : Uint4B
   +0x914 FeatureBits                           : Uint4B
   +0x918 UpdateSignature                       : _LARGE_INTEGER
   +0x920 NpxSaveArea                           : _FX_SAVE_AREA
   +0xb30 PowerState                            : _PROCESSOR_POWER_STATE

The List of Lists: Kernel Processor Control Block

Page 24:

Windows XP (and earlier versions): KPCR is at a fixed kernel virtual address (0xffdff000)

Vista (and later versions): Address space layout randomization (ASLR)

Damien Aumaitre (2009): KPCR is self-referencing

kd> dt ffdff000 _KPCR
nt!_KPCR
   +0x000 NtTib   : _NT_TIB
   +0x01c SelfPcr : 0xffdff000 _KPCR
   +0x020 Prcb    : 0xffdff120 _KPRCB
   ...

The List of Lists: How to locate the KPCR?

Page 25:

Zhang et al. (2010)

proposed a KPCR signature

• [x + 0x1c] == x

• [x + 0x20] == x + 0x120

proposed combination of scanning for KPCR, followed by walking of thread/process lists

Schatz (2010) wrote a plug-in for Volatility to scan for KPCR structures and adapted other plug-ins to use values from the KPCR.

The List of Lists: Combination of scanning and list-walking
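The KPCR signature on this slide as a scanner over a raw 32-bit image, written as an added example (it is not the talk's code nor the Volatility plug-in it mentions). It checks [x + 0x1c] == x and [x + 0x20] == x + 0x120 at every 4-byte-aligned physical offset, and adds one consistency test that follows from 4-KByte paging: the page offset of the virtual address stored in SelfPcr must equal the page offset of the physical location where it was found. The kernel-address filter (2 GB split), the sample image contents and the decoy records are assumptions constructed for the demo.

```python
"""Locating the KPCR by its self-referencing signature in a raw 32-bit image.

Added example, not the talk's or any plug-in's code. Signature from the slide
(Zhang et al.): [x+0x1c] == x and [x+0x20] == x + 0x120. The image is
constructed; the fake KPCR sits in physical page 0x3000 and claims the
XP-style virtual address 0xffdff000.
"""
import struct

SELF_PCR = 0x1C            # nt!_KPCR.SelfPcr
PRCB = 0x20                # nt!_KPCR.Prcb
PRCB_DATA = 0x120          # nt!_KPCR.PrcbData, hence Prcb == &KPCR + 0x120
PRCB_CURRENT_THREAD = 0x4  # nt!_KPRCB.CurrentThread
KERNEL_BASE = 0x80000000   # assumption: 2 GB split, kernel addresses above this


def scan_kpcr(image, align=4):
    """Return (physical_offset, virtual_address) pairs matching the signature."""
    hits = []
    last = len(image) - (PRCB + 4)
    for p in range(0, last + 1, align):
        self_pcr, prcb = struct.unpack_from("<II", image, p + SELF_PCR)
        if self_pcr < KERNEL_BASE:
            continue   # extra filter (assumption), not part of the published signature
        if ((prcb - self_pcr) & 0xFFFFFFFF) != PRCB_DATA:
            continue   # Prcb must point at the embedded PrcbData
        if (self_pcr & 0xFFF) != (p & 0xFFF):
            continue   # with 4 KiB pages the offset inside the page is preserved
        hits.append((p, self_pcr))
    return hits


def prcb_current_thread(image, phys, virt):
    """Read Prcb.CurrentThread for a located KPCR without any page tables.

    Only possible while the field lies in the same physical page as the
    KPCR start; otherwise a real translation (CR3 walk) is required.
    """
    field_va = virt + PRCB_DATA + PRCB_CURRENT_THREAD
    if (field_va >> 12) != (virt >> 12):
        return None
    return struct.unpack_from("<I", image, phys + PRCB_DATA + PRCB_CURRENT_THREAD)[0]


def build_sample_image():
    """Constructed 20 KiB image: one genuine KPCR and three near misses."""
    image = bytearray(0x5000)

    def put(p, self_pcr, prcb):
        struct.pack_into("<II", image, p + SELF_PCR, self_pcr, prcb)

    put(0x1000, 0x00400000, 0x00400120)   # consistent, but a user-space address
    put(0x2010, 0xFFDFF000, 0xFFDFF120)   # consistent, but page offset mismatch
    put(0x4000, 0xFFDFF000, 0xFFDFF000)   # Prcb does not point at PrcbData
    put(0x3000, 0xFFDFF000, 0xFFDFF120)   # the genuine KPCR
    # constructed CurrentThread pointer inside the KPCR's PrcbData
    struct.pack_into("<I", image, 0x3000 + PRCB_DATA + PRCB_CURRENT_THREAD, 0x81234560)
    return image


if __name__ == "__main__":
    image = build_sample_image()
    for phys, virt in scan_kpcr(image):
        thread = prcb_current_thread(image, phys, virt)
        print(f"KPCR at physical {phys:#x}, virtual {virt:#x}, "
              f"Prcb.CurrentThread = {thread:#x}")
```

A hit yields a (physical, virtual) pair for free, which is why the slide pairs the scan with list walking: from CurrentThread the thread and process lists can be walked once a page-table walk is available, without relying on a fixed address that ASLR no longer guarantees.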

Page 26:

Damien Aumaitre, "A little journey inside Windows memory", Journal in Computer Virology, pp. 105-117, 2009, http://archive.hack.lu/2008/2008-hack.lu-aumaitre.pdf

Ruichao Zhang, Lianhai Wang, Shuhui Zhang, "Windows Memory Analysis Based on KPCR", International Symposium on Information Assurance and Security, pp. 677-680, 2009 Fifth International Conference on Information Assurance and Security, 2009

Bradley Schatz, Blog post "Finding Object Roots in Vista (KPCR)", July 7, 2010 http://blog.schatzforensic.com.au/2010/07/finding-object-roots-in-vista-kpcr/

The List of Lists: References

Page 27:

Questions and Answers

Page 28:

Thank You for Your Attention!

Andreas Schuster

[email protected]
http://computer.forensikblog.de/