Memory forensic analysis (aashish)

Post on 20-May-2015


Windows Memory Forensic Analysis

Aashish Kunte, ClubHack 2010

Security Incident

• A secured company’s network receives port 5548 traffic on the Null (SinkHole) router !

• The activity looks like a suspicious service scan !

• The source computer is a Windows web server ….

Security Incident Response

• A set of procedures to examine a computer security incident.

• The process involves figuring out what happened.

• Helps mitigate security risk through proactive measures and world-class defensive tactics.

Digital Forensics

• In-depth analysis & complex techniques

• The goal of computer forensics is to explain the current state of a digital artifact.

• The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events.

Technique

• Preparation

• Acquisition

• Enumeration

• Analysis

• Recovery

• Presentation

Windows Memory

• Live activities from the contents of RAM on a Windows machine.

• During a post-mortem analysis: specifically encrypted, compressed or hidden processes.

• RAM constitutes "electronically stored information" under Rule 34(a) of the Federal Rules of Civil Procedure.

What Information ???

• Processes

• Open Files & Registry Handles

• Network Information

• Passwords & Cryptographic Keys

• Unencrypted Content

• Hidden Data

• Malicious Code

• DLLs

Analysis

Sit Back …

… Relax !!

• How Volatile Memory Works ?

• Acquisition of Windows Memory

• How is Volatile Memory Organized ?

• Processes

• What is Process Memory ?

• Process Enumeration

• How to find Suspicious Files and Suspicious Keys ?

• Open Files

• Windows Registry

• Loaded DLLs

Video : HBGary Responder Pro & Digital DNA -identifying malware

• Network Information

• Why from Volatile Memory ?

• Open Sockets

• Open Ports

• Open TCP Connections

• What the heck is VAD Tree ?

• Passwords and Encryption Keys

• SSDT

Video : To find out Passwords and Encryption Keys from Windows Memory

Video : To Analyze SSDT using : Python and Volatility Framework

• Anti-Forensic Attack (DKOM)

• Static & Dynamic Analysis

• Reverse Engineering

• Files of Unknown Origin

Quick Bites

• Suspicious Log Entries

• Suspicious Processes and Services

• Suspicious Files and Registry Keys

• Suspicious Network Usage

• Suspicious Scheduled Tasks

• Suspicious Accounts

Tools

Basic Tools

• Memdump, KnTTools

• FATKit

• WMFT

• Procenum

• Idetect

• The Volatility Framework

• VAD Tools

Commercial Tools

• Memoryze

Future

Questions ???

ClubHack 2010