Computer Forensics - 101
Source: Meetup, files.meetup.com/1305678/digital_forensics.pdf · 2016-03-15 · 34 pages (slide transcript)

Page 1: Computer Forensics - 101

Cosmin Anghel

Security Systems Sr Advisor @ Dell Secureworks

Page 2: What is Digital Forensics?

• Emerging discipline in computer security - “voodoo science”
• Investigation that takes place after an incident has happened
• Standards:
  – ISO/IEC FDIS 27037 - Information technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence
  – ISO/IEC 27041 - Guidance on assuring suitability and adequacy of investigation methods
  – ISO/IEC 27042 - Guidelines for the analysis and interpretation of digital evidence
  – ISO/IEC 27043 - Investigation principles and processes

Page 3: Types of investigations

• Determine the incident “characteristics” and help you to respond to: Who?/What?, When?, Why?, Where?, How?
• Internal investigation
  – Should be based on IR policy
  – May lead to criminal investigation
• Criminal investigation
• Support for “real world” investigations

Page 4: Who Uses Computer Forensics?

• Criminal Prosecutors
  – Rely on evidence obtained from a computer to prosecute suspects
• Civil Litigations
  – Any data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
• Private Corporations
  – Digital evidence from employee computers can be used in harassment, fraud, and embezzlement cases
• Law Enforcement Officials
  – Rely on computer forensics to back up search warrants and post-seizure handling
• Individual/Private Citizens
  – Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment

Page 5: Forensics Methodology

IDENTIFICATION
• Identification of System
• Securing the Scene
• System Description
• Remote or Local System Access (Memory / Drives)

INVESTIGATION and ANALYSIS
• Acquisition: recover as much evidence as possible without altering the crime scene
• Recovery: extract data from the acquired evidence
• Analysis: depending on the objectives of the investigation
• Presentation: a report or presentation may be required

Page 6: Be prepared

Pack everything imaginable and take at least two of everything!

Toolkits:
• Digital camera
• Network cross-over cables
• Portable field imaging computer
• Hub or switch
• Storage hard drives
• Tags, labels, bags, antistatic bags
• Field logbook or notebook
• Adapters: IDE to SATA, USB to SATA, etc.
• Tableau hardware write-blocking device
• Forensically sound bootable Linux distributions and network cables

Page 7: System Description

In general, describe the system you are analyzing:
• Where did you acquire the system?
• What is/was it used for?
• What is the configuration of the system (OS, network)?
• Include any other information you feel may be necessary

Page 8: Preservation

• Risk Assessment
• Securing the Scene: provide ongoing security and perimeter control throughout the search-and-seizure operation
• Seizing Computer Evidence
  – Physical Evidence
  – Volatile Digital Evidence: protecting and capturing the physical memory
• Bagging and Tagging

Page 9: Chain-of-custody and storage of the evidence

• Proper evidence handling means that evidence must be identified, documented, collected, and protected.
• Once the evidence item(s) have been collected, the identity of the person(s) locating and collecting the item should be logged along with the date and time of collection.
• Logging and tracking of the item(s) should be maintained: when the item(s) are transferred into the possession of another person, placed into evidence holding, removed from evidence holding, returned to the custodian, etc.
• Maintain a secure storage area.
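A custody log is only as good as the check that goes with each entry. The following is an added example (not from the slides or the presenter): a minimal chain-of-custody record in Python where every transfer, storage or return event re-hashes the evidence image and compares it with the SHA-256 fixed at collection time, so a copy that changed between two custodians is recorded as a mismatch in the log itself. The item identifiers, actors, timestamps and the byte string standing in for an acquired image are all constructed.

```python
"""Chain-of-custody log with integrity checks.

Added example (not from the slides): every custody event re-hashes the evidence
image and compares it with the reference digest taken at collection time, so a
transfer that changed the data is caught and recorded in the log itself.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_of(data: bytes) -> str:
    """SHA-256 of the evidence bytes (a real image file would be read in chunks)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: str      # ISO-8601 timestamp of the event
    actor: str     # person taking or handing over the item
    action: str    # collected / transferred / stored / removed / returned
    digest: str    # SHA-256 observed at this step
    intact: bool   # digest matched the reference digest


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    reference_digest: str
    events: list = field(default_factory=list)

    def log(self, when: str, actor: str, action: str, current: bytes) -> bool:
        """Record a custody step; returns False if the evidence no longer matches."""
        digest = sha256_of(current)
        intact = digest == self.reference_digest
        self.events.append(CustodyEvent(when, actor, action, digest, intact))
        return intact


def collect(item_id: str, description: str, when: str, collector: str, image: bytes) -> EvidenceItem:
    """Collection is the first custody event and fixes the reference digest."""
    item = EvidenceItem(item_id, description, sha256_of(image))
    item.log(when, collector, "collected", image)
    return item


def custody_report(item: EvidenceItem) -> str:
    """Human-readable log, one line per event, as it would go into the field notebook."""
    lines = [f"Item {item.item_id}: {item.description}",
             f"Reference SHA-256: {item.reference_digest}"]
    for e in item.events:
        lines.append(f"  {e.when}  {e.actor:<13} {e.action:<12} {'OK' if e.intact else 'MISMATCH'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed stand-in for an acquired image file.
    image = b"constructed memory image contents " * 64
    item = collect("EV-2016-001", "RAM image of workstation X (constructed)",
                   "2016-03-15T10:00:00Z", "examiner A", image)
    item.log("2016-03-15T12:30:00Z", "examiner B", "transferred", image)
    # A single altered byte on the copy handed over is detected at the next step.
    item.log("2016-03-15T18:00:00Z", "evidence room", "stored", image[:-1] + b"X")
    print(custody_report(item))
```

The reference digest is fixed once, at collection, and never updated; a later mismatch is a finding to be investigated, not a reason to re-baseline the item.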

Page 10: Scenarios

• Offline acquisition
  – Target systems are switched off
  – Hard drive and hibernation file (hiberfil.sys)
• Live acquisition*
  – Target system is turned on
  – Capture the contents of RAM
• Remote
  – Memory is collected remotely via dedicated channels or mechanisms.

Based on the incident type and the logistics you should choose the proper type of acquisition.

Page 11: FastBloc/Tableau Acquisitions (offline)

• Tableau features:
  – Write-blocked
  – Computer forensic software recognition
  – Plug and Play (no new drivers)
  – USB 2 support
  – Various models depending on interfaces

Page 12: LinEn Acquisitions (offline)

• The LinEn utility is a Linux version of the industry-standard DOS-based EnCase acquisition tool.
• Steps to acquire drives with LinEn:
  1. Make a bootable USB with LinEn (Linux distribution). You find LinEn in the installation folder of EnCase Examiner.
  2. Boot your target system from the USB.
  3. Check which devices are available: fdisk -l
  4. Mount your storage drive: mount /dev/xxx /mnt/ewf
  5. Launch LinEn: ./LinEn
  6. Select the options for acquisition.
• You also have the option to acquire over a network cable: connect your Linux imaging machine (lab or suspect) to a Windows machine running EnCase using a network crossover cable. In EnCase, in the “Add Evidence” menu, choose “Add Crossover Preview”.

Page 13: Memory Acquisition

1. Commercial solution: DumpIt - MoonSols.
2. Free tool: winpmem.exe [useful options]
   -o </path/to/file>, --output </path/to/file> - Output file to write to
   -c <zlib, snappy, none> - Type of compression to use
   -i </path/to/file/or/device> - File to image
• You can run it from a USB stick.

Page 14: Remote Acquisition

(Diagram: Incident Responder connected to the Enterprise Network)

Page 15: F-Response Tactical

• Read-only access to the remote system:
  – RAID disks
  – Physical drives
  – Logical volumes
  – Physical memory
• Single executable (“exe”) that requires no drivers or installation components
• Does not require a reboot.
• Two USB drives paired for life: plug the USB devices into the subject and examiner machines, execute, and they will find each other (if they are on the same network). After that the examiner will see all physical and logical drives and RAM on the subject machine.

Page 16: Memory Forensics - Why?

(Figure: memory hierarchy - CPU, Cache, RAM, Disk; Virtual Memory)

Everything in the OS traverses RAM:
• Running processes and the system objects/resources with which they interact.
• Portions of nonvolatile sources of evidence such as the registry, event log, and Master File Table.
• Active network connections
• Malware
• Remnants of previously executed console commands.
• Open files
• Loaded drivers
• Encryption keys and clear-text data that is otherwise encrypted on disk.
• User credentials (hashed, obfuscated, clear text)
• Important data structures within the kernel that provide insight into process accounting, behavior, and execution.

Page 17: Memory Forensics Advantages

• Best place to identify malicious software activity
  – Study the running system
  – Identify inconsistencies in the system
  – Bypass packers, binary obfuscation, rootkits
• Analyze recent activity on the system
  – Identify all recent activity in context
  – Profile user or attacker activities
• Collect evidence that cannot be found anywhere else
  – Memory-only malware
  – Chat threads
  – Internet activities

Page 18: Finding the First “HIT”

1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review network artifacts
4. Look for code injections
5. Search for rootkits
6. Dump suspicious processes and drivers

Page 19: Analyzing Processes

Image Name
• Legitimate process?
• Spelled correctly?
• Matches system context?

Full Path
• Appropriate path for system executables?
• Running from a user or temp directory?

Parent Process
• Is the parent process what you would expect?

Command Line
• Executable matches image name?
• Do arguments make sense?

Start Time
• Was the process started at boot?
• Processes started near the time of a known attack

Security IDs
• Do the security identifiers make sense?
• Why would a system process use a user account SID?
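The checklist above (and the getsids observation later in the deck) can be turned into a first-pass filter over a process listing. The following is an added example, not from the slides or from Volatility: a small Python triage routine over records shaped like pslist plus getsids output. The BASELINE table of expected parent, path and account for a handful of Windows processes is an assumed, simplified baseline (a real one would be built from known-good systems), and the process records, PIDs and SIDs are constructed; one entry is a look-alike name and one is a svchost.exe launched from a user's Temp directory by explorer.exe.

```python
"""Process triage heuristics for pslist/getsids-style output.

Added example, not from the slides. BASELINE (expected parent, path and account)
is an assumed, simplified picture of a few Windows processes; the process records
are constructed to resemble Volatility pslist + getsids output.
"""
from __future__ import annotations
import re

# name -> (expected parent image, expected on-disk path, should run as SYSTEM)
# None for the parent means "no expectation" (the real parent normally exits, as for explorer.exe).
BASELINE = {
    "services.exe": ("wininit.exe", r"c:\windows\system32\services.exe", True),
    "lsass.exe": ("wininit.exe", r"c:\windows\system32\lsass.exe", True),
    "svchost.exe": ("services.exe", r"c:\windows\system32\svchost.exe", True),
    "explorer.exe": (None, r"c:\windows\explorer.exe", False),
}
SYSTEM_SID = "S-1-5-18"
USER_ACCOUNT_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d{4,}$")   # domain/local accounts, RID >= 1000
USER_OR_TEMP_DIR = re.compile(r"\\users\\|\\documents and settings\\|\\temp\\|\\appdata\\", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike image names (svch0st, scvhost, ...)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(procs: list[dict]) -> dict[int, list[str]]:
    """Apply the slide's checklist to each process; returns pid -> list of findings."""
    by_pid = {p["pid"]: p for p in procs}
    findings = {}
    for p in procs:
        name, notes = p["name"].lower(), []
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else None
        if name in BASELINE:
            exp_parent, exp_path, is_system = BASELINE[name]
            if exp_parent and parent_name != exp_parent:
                notes.append(f"parent is {parent_name or 'missing'}, expected {exp_parent}")
            if p["path"].lower() != exp_path:
                notes.append(f"unexpected path {p['path']}")
            if is_system and SYSTEM_SID not in p["sids"]:
                notes.append("system process without the SYSTEM SID")
            if is_system and any(USER_ACCOUNT_SID.match(s) for s in p["sids"]):
                notes.append("system process carries a user-account SID")
        else:
            lookalike = [k for k in BASELINE if 0 < levenshtein(name, k) <= 2]
            if lookalike:
                notes.append(f"image name resembles {lookalike[0]} (misspelling?)")
        if USER_OR_TEMP_DIR.search(p["path"]):
            notes.append("running from a user or temp directory")
        if p["cmd"] and name not in p["cmd"].lower():
            notes.append("command line does not match the image name")
        if notes:
            findings[p["pid"]] = notes
    return findings


# Constructed process list (pid, ppid, image, path, command line, SIDs as getsids would show them).
PROCS = [
    {"pid": 392, "ppid": 0, "name": "wininit.exe", "path": r"C:\Windows\System32\wininit.exe",
     "cmd": "wininit.exe", "sids": ["S-1-5-18"]},
    {"pid": 480, "ppid": 392, "name": "services.exe", "path": r"C:\Windows\System32\services.exe",
     "cmd": r"C:\Windows\system32\services.exe", "sids": ["S-1-5-18"]},
    {"pid": 612, "ppid": 480, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\system32\svchost.exe -k netsvcs", "sids": ["S-1-5-18", "S-1-5-32-544"]},
    {"pid": 1400, "ppid": 1300, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\Explorer.EXE", "sids": ["S-1-5-21-1111-2222-3333-1001"]},
    {"pid": 1824, "ppid": 1400, "name": "svchost.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "cmd": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "sids": ["S-1-5-21-1111-2222-3333-1001"]},
    {"pid": 2048, "ppid": 1400, "name": "scvhost.exe", "path": r"C:\Windows\System32\scvhost.exe",
     "cmd": "scvhost.exe", "sids": ["S-1-5-21-1111-2222-3333-1001"]},
]

if __name__ == "__main__":
    for pid, notes in triage(PROCS).items():
        print(pid, "->", "; ".join(notes))
```

The start-time checks from the slide are deliberately left out: they need the attack timeline as input, and are best applied by sorting the same records on their create time once that window is known.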

Page 20: Rapid Memory Search

• You can find:
  – IP addresses/domain names
  – Malware file names
  – Usernames
  – Email addresses
• Step 1: Create ASCII and Unicode strings files
  srch_strings -t d -a memory.img > memory.asc
  srch_strings -t d -a -e l memory.img > memory.uni
• Step 2: Search for indicators
  grep -i string memory.asc
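To make the two steps concrete, here is an added Python example (not from the slides) that does what the srch_strings/grep pair does: it pulls printable ASCII runs and UTF-16LE runs (the `-e l` encoding, which is how Windows stores paths and command lines in memory) with their decimal offsets, then matches a watch-list case-insensitively. The byte string standing in for memory.img and the indicator list are constructed; the winppr32.exe name comes from the deck's own example of a suspicious process.

```python
"""ASCII and UTF-16LE string extraction with decimal offsets, then indicator search.

Added example, not from the slides: it reproduces in Python what the slide's
srch_strings -t d -a / -e l and grep -i pair does, over a constructed byte
string standing in for memory.img, so the result can be checked offline.
"""
from __future__ import annotations
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")             # srch_strings default: 4+ printable bytes
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # what -e l asks for: char, NUL, char, NUL, ...


def extract_strings(image: bytes) -> list[tuple[int, str, str]]:
    """Return (decimal offset, text, encoding) for every string, sorted by offset."""
    found = [(m.start(), m.group().decode("ascii"), "ascii") for m in ASCII_RUN.finditer(image)]
    found += [(m.start(), m.group().decode("utf-16-le"), "utf-16le") for m in UTF16LE_RUN.finditer(image)]
    return sorted(found)


def search(strings, indicators) -> list[tuple[str, int, str, str]]:
    """Case-insensitive substring match, like grep -i; returns (indicator, offset, text, encoding)."""
    hits = []
    for indicator in indicators:
        pattern = re.compile(re.escape(indicator), re.IGNORECASE)
        hits += [(indicator, off, text, enc) for off, text, enc in strings if pattern.search(text)]
    return hits


# Constructed stand-in for memory.img: fragments of an HTTP request, a UTF-16LE path
# and command line (as Windows keeps them), and an e-mail address between junk bytes.
SAMPLE_IMAGE = (
    b"\x00\x01\x02"
    + b"GET /update.php HTTP/1.1\r\nHost: evil-example.test\r\n"
    + b"\xff\xfe" + "C:\\Users\\bob\\AppData\\Local\\Temp\\winppr32.exe".encode("utf-16-le")
    + b"\x90" * 8 + b"bob@example.test" + b"\x00" * 4
    + "cmd.exe /c whoami".encode("utf-16-le")
)
INDICATORS = ["evil-example.test", "winppr32.exe", "bob@", "192.168."]   # constructed watch-list

if __name__ == "__main__":
    strings = extract_strings(SAMPLE_IMAGE)
    for indicator, offset, text, encoding in search(strings, INDICATORS):
        print(f"{indicator:<20} @ {offset:>8} [{encoding}] {text}")
```

Keeping the decimal offset (the `-t d` on the slide) matters: a hit at a given offset can be mapped back to the owning process or kernel structure with the memory-analysis tooling later in the deck, which a bare grep over the strings file cannot do.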

Page 21: Rootkit/Malware hunting - Volatility

• Volatility is one of the best frameworks for analysing memory images
• It is command-line based and is written completely in Python
• Has a lot of plugins: malfind, apihooks, orphanthreads, etc.
• Supports:

Page 22: Volatility Plugins (examples)

• apihooks - Find API hooks
• connections - Print list of open connections
• dlllist - Print list of loaded DLLs for each process
• dlldump - Dump a DLL from a process address space
• files - Print list of open files for each process
• getsids - Print the SIDs owning each process
• malfind - Find hidden and injected code
• procexedump - Dump a process to an executable file sample
• procmemdump - Dump a process to an executable memory sample
• pslist - Print all running processes by following the EPROCESS lists
• orphanthread - Locate hidden threads
• mutantscan - Scan for mutant objects (KMUTANT)
• pstree - Print process list as a tree
• sockets - Print list of open sockets

Complete list: https://code.google.com/p/volatility/wiki/Plugins

Page 23: How to use Volatility

• vol.py -f [image] [plugin] --profile=[PROFILE]
• You can set an environment variable to replace -f [image]:
  export VOLATILITY_LOCATION=file://<file path>
  vol.py pslist --profile=[PROFILE]

Page 24: Image identification

• imageinfo: recover metadata from a memory image
  vol.py -f memory.img imageinfo

Page 25: Identify suspect processes - psscan vs pslist

• psscan scans physical memory for EPROCESS pool allocations:
  – Hidden processes may be identified
  – Processes no longer running may be identified
• In the slide's example, pslist did not find the dllhost.exe process; psscan found it, most likely because it was terminated but lingering in unallocated memory space.
• What process is suspicious??? Winppr32.exe

Page 26: Rootkit Detection - psxview

• Performs a cross-view analysis using six different process listing plugins to visually identify hidden processes.
• It is important to know the output differences between each source:
  – An entry not found by pslist is often a hidden process
  – Terminated processes may only show in the psscan column
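The psscan-versus-pslist comparison on the previous slide and the six-column psxview table here are the same idea: list processes from independent sources and look at where they disagree. The following is an added example, not from the slides or from Volatility's own psxview code: a Python cross-view over six constructed sets of (pid, name) pairs standing in for pslist, psscan, thrdproc, pspcid, csrss and session, with a verdict column that applies the interpretation the slide gives (missing from pslist but still in the thread/handle views = hidden; only in psscan = terminated). The PIDs and names are constructed; winppr32.exe and dllhost.exe are the deck's own examples.

```python
"""Cross-view process listing in the spirit of psxview.

Added example, not from the slides: the six sources are constructed sets of
(pid, name) standing in for pslist, psscan, thrdproc, pspcid, csrss and session
output, and the verdict column encodes the slide's reading of the differences.
"""
from __future__ import annotations

SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session"]


def classify(seen: dict) -> str:
    """Turn one row of True/False columns into the analyst's verdict."""
    if seen["pslist"]:
        return "listed"          # present in the normal EPROCESS linked list
    still_active = any(seen[s] for s in ("thrdproc", "pspcid", "csrss", "session"))
    if seen["psscan"] and not still_active:
        return "terminated"      # only a stale EPROCESS in freed/unallocated pool remains
    if still_active:
        return "HIDDEN"          # unlinked from the list but still has threads and handles
    return "review"


def cross_view(observations: dict) -> list[dict]:
    """observations: source name -> set of (pid, name). Returns psxview-like rows."""
    every = set().union(*observations.values())
    rows = []
    for pid, name in sorted(every):
        seen = {src: (pid, name) in observations.get(src, set()) for src in SOURCES}
        rows.append({"pid": pid, "name": name, **seen, "verdict": classify(seen)})
    return rows


def render(rows: list[dict]) -> str:
    """Text table close to what psxview prints, plus the verdict column."""
    header = f"{'PID':>5} {'Name':<14}" + "".join(f"{s:>9}" for s in SOURCES) + "  verdict"
    body = [f"{r['pid']:>5} {r['name']:<14}" + "".join(f"{str(r[s]):>9}" for s in SOURCES)
            + f"  {r['verdict']}" for r in rows]
    return "\n".join([header] + body)


# Constructed observations. winppr32.exe has been unlinked from the active process
# list but still owns threads and a PspCid entry; dllhost.exe exited and only its
# stale EPROCESS is left for the pool scanner to find.
ACTIVE = {(4, "System"), (480, "services.exe"), (612, "svchost.exe"), (1400, "explorer.exe")}
HIDDEN = {(1824, "winppr32.exe")}
TERMINATED = {(2200, "dllhost.exe")}
OBSERVATIONS = {
    "pslist": ACTIVE,
    "psscan": ACTIVE | HIDDEN | TERMINATED,
    "thrdproc": ACTIVE | HIDDEN,
    "pspcid": ACTIVE | HIDDEN,
    "csrss": (ACTIVE | HIDDEN) - {(4, "System")},   # csrss never tracks System: a legitimate False
    "session": ACTIVE | HIDDEN,
}

if __name__ == "__main__":
    print(render(cross_view(OBSERVATIONS)))
```

The System row shows why the slide says to know each source's blind spots: its csrss column is False on every image, so a single False is only meaningful once you know which column it is in and which processes that column legitimately omits.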

Page 27: Analyzing Process Objects - dlllist

• Display the loaded DLLs and the command line used to start each process
• Show information for specific process IDs
• The command line displayed for the process provides the full path of where the executable was located and what parameters were used to load it
• The base offset provided can be used to extract a specific DLL with dlldump.

Hint??? Running path

Page 28: Analyzing Process Objects - getsids

• Display security identifiers (SIDs) for each process
• Can be useful to determine how a process was spawned and with what permissions.

The suspicious process has 2 user SIDs associated with it, and this tells us that the process was likely spawned from a user context and hence is unlikely to be a true system process.

Page 29: Analyzing Process Objects - malfind

• Scans process memory sections looking for indications of code injection and extracts them for further analysis.
• You may see multiple injected sections within the same process
• Dumped sections can be reverse engineered or sent to A/V

Six injected sections in this memory image
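What malfind actually looks for is simple enough to show in a few lines. The following is an added example, not from the slides and not Volatility's own implementation: a Python routine over constructed memory-region records (range, page protection, private versus file-backed, first bytes) that flags private regions which are both executable and writable, reports whether the region starts with a PE header, and prints the kind of hex preview malfind shows. The process name, addresses and region contents are constructed; the protection constant names are the Windows ones.

```python
"""malfind-style detection of injected code regions.

Added example, not from the slides or from Volatility itself: the regions are
constructed to resemble what malfind inspects (range, page protection, private
memory vs mapped file, first bytes), and the rule mirrors malfind's idea of
flagging private executable+writable memory and checking for an embedded PE.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Region:
    pid: int
    process: str
    start: int
    end: int
    protection: str   # e.g. PAGE_EXECUTE_READWRITE
    private: bool     # True for private (VadS) memory, False for a file-backed section
    mapped_file: str  # path of the backing file, "" for private memory
    head: bytes       # first bytes of the region


def hexdump(data: bytes) -> str:
    """One-line hex + ASCII rendering, like the preview malfind prints."""
    hexpart = " ".join(f"{b:02x}" for b in data)
    asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)
    return f"{hexpart}  {asc}"


def malfind_like(regions: list[Region]) -> list[dict]:
    """Flag private regions that are executable and writable; note whether they hold a PE image."""
    findings = []
    for r in regions:
        if r.private and r.protection == "PAGE_EXECUTE_READWRITE":
            findings.append({
                "pid": r.pid, "process": r.process,
                "range": f"0x{r.start:08x}-0x{r.end:08x}",
                "pe_header": r.head[:2] == b"MZ",   # an injected DLL/EXE shows up as a whole PE image
                "preview": hexdump(r.head[:16]),
            })
    return findings


# Constructed regions for one process. Legitimate code is file-backed and copy-on-write,
# heaps are RW but not executable; the last two are what injection leaves behind.
DOS_HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
REGIONS = [
    Region(1824, "winppr32.exe", 0x77E40000, 0x77F4FFFF, "PAGE_EXECUTE_WRITECOPY", False,
           r"\Windows\System32\ntdll.dll", DOS_HEADER),
    Region(1824, "winppr32.exe", 0x00190000, 0x0028FFFF, "PAGE_READWRITE", True, "", b"\x00" * 16),
    Region(1824, "winppr32.exe", 0x02A00000, 0x02A3FFFF, "PAGE_EXECUTE_READWRITE", True, "", DOS_HEADER),
    Region(1824, "winppr32.exe", 0x03F10000, 0x03F10FFF, "PAGE_EXECUTE_READWRITE", True, "",
           b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x33\xff\x00\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for f in malfind_like(REGIONS):
        print(f"{f['process']} pid {f['pid']} {f['range']} PE header: {f['pe_header']}")
        print("   " + f["preview"])
```

A hit is a lead, not a verdict: JIT compilers and some packers legitimately allocate private read-write-execute memory, which is why the slide has you dump the sections and examine them (or send them to A/V) rather than stop at the count.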

Page 30: Acquiring DLLs - dlldump

• Extract DLL files belonging to a specific process or group of processes
• Use -p (PID), -r (DLLs matching a REGEX name pattern) or -b (specific offset) to limit the number of DLLs extracted.
• Since many processes point to the same DLLs you may encounter multiple copies of the same DLL extracted.

Page 31: Acquiring Processes and Drivers - procdump

• Dump a process to an executable memory sample
• Why?
  – Anti-virus scanning engines
  – Malware analysis sandboxes
  – Dynamic malware analysis
  – Static malware debugging and disassembly

Page 32: Network Artifacts - connections & connscan

• Walk the linked list of TCP connections (connections plugin)
• Scan the memory image to find closed or unlinked TCP connection structures (connscan plugin)
• Run both plugins and compare results to identify active and closed connections
• Pay attention to the PID attached to the connection.
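The comparison and the "look at the PID" advice can be done in one pass. The following is an added example, not from the slides and not Volatility code: Python that merges constructed connections (linked-list) and connscan (carved) tables, tags each carved entry as active or closed/unlinked, joins it to a pslist-derived pid-to-name map, and flags entries whose PID has no listed process (a terminated or hidden owner) or whose remote end is outside RFC 1918 space. All addresses, ports and PIDs are constructed; the external endpoint uses a TEST-NET documentation address, and the RFC 1918 check is written by hand because `ipaddress.is_private` counts TEST-NET as private.

```python
"""Merge connections (linked list) and connscan (carved) output and tie entries to PIDs.

Added example, not from the slides: the tables are constructed to look like
Volatility's connections/connscan output plus a pslist-derived pid -> name map.
"""
from __future__ import annotations
import ipaddress

RFC1918_AND_LOOPBACK = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """Hand-rolled check: TEST-NET (used below as the constructed external host) is 'private' to ipaddress."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_AND_LOOPBACK)


def compare_connections(connections: list[dict], connscan: list[dict], processes: dict) -> list[dict]:
    """Tag each carved connection active (also in the linked list) or closed/unlinked,
    attach the owning process name, and flag unowned PIDs and external endpoints."""
    live = {(c["local"], c["remote"], c["pid"]) for c in connections}
    rows = []
    for c in connscan:
        owner = processes.get(c["pid"])
        flags = []
        if owner is None:
            flags.append("PID absent from pslist (terminated or hidden process?)")
        if not is_internal(c["remote"].rsplit(":", 1)[0]):
            flags.append("external endpoint")
        rows.append({"pid": c["pid"], "process": owner or "?", "local": c["local"], "remote": c["remote"],
                     "state": "active" if (c["local"], c["remote"], c["pid"]) in live else "closed/unlinked",
                     "flags": flags})
    return rows


# Constructed plugin output. 1824 (winppr32.exe) is hidden from pslist and 2200 (dllhost.exe) has exited.
CONNECTIONS = [
    {"local": "10.0.0.5:49152", "remote": "10.0.0.1:80", "pid": 612},
    {"local": "10.0.0.5:49201", "remote": "203.0.113.10:443", "pid": 1824},
]
CONNSCAN = CONNECTIONS + [
    {"local": "10.0.0.5:49155", "remote": "10.0.0.9:445", "pid": 2200},      # closed; owner already gone
    {"local": "10.0.0.5:49160", "remote": "203.0.113.10:443", "pid": 1824},  # earlier, now closed
]
PROCESSES = {4: "System", 480: "services.exe", 612: "svchost.exe", 1400: "explorer.exe"}   # from pslist

if __name__ == "__main__":
    for r in compare_connections(CONNECTIONS, CONNSCAN, PROCESSES):
        print(f"pid {r['pid']:>5} {r['process']:<12} {r['local']:<18} -> {r['remote']:<20} "
              f"{r['state']:<16} {'; '.join(r['flags'])}")
```

The two closed entries for the same external host and PID are the kind of repeat that is easy to miss in raw connscan output but stands out once the rows are joined to the process list: a PID that no listed process owns and that keeps reconnecting to the same external address is exactly the combination the slide is steering you towards.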

Page 33: DF Investigator Profile

• Understanding of relevant laws
• Knowledge of file systems, OS, and applications
  – Where are the logs, what is logged?
  – What are possible obfuscation techniques?
  – What programs and libraries are present on the system and how are they used?
• Know what tools exist and how to use them
• Be able to explain things in simple terms

Page 34: Thank you for your attention!

Cosmin Anghel

Books:
• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, by Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters
• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski, Andrew Honig
• Incident Response & Computer Forensics, by Jason T. Luttgens, Matthew Pepe, Kevin Mandia