Memory forensic analysis (aashish)
Windows Memory Forensic Analysis
Aashish Kunte, ClubHack 2010
Security Incident
• A secured company's network sees port 5548 traffic arriving at the null (sinkhole) router!
• The activity looks like a suspicious service scan!
• The source computer is a Windows web server ...
Security Incident Response
• A set of procedures for examining a computer security incident.
• The process involves figuring out what happened.
• Helps mitigate security risk through proactive measures and defensive tactics.
Digital Forensics
• In-depth analysis and complex techniques
• The goal of computer forensics is to explain the current state of a digital artifact
• The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events
Technique
• Preparation
• Acquisition
• Enumeration
• Analysis
• Recovery
• Presentation
Windows Memory
• Live activity reconstructed from the contents of RAM on a Windows machine.
• During a post-mortem analysis: specifically encrypted, compressed or hidden processes.
• RAM constitutes "electronically stored information" under Rule 34(a) of the Federal Rules of Civil Procedure.
What Information???
• Processes
• Open Files & Registry Handles
• Network Information
• Passwords & Cryptographic Keys
• Unencrypted Content
• Hidden Data
• Malicious Code
• DLLs
Analysis
Sit Back …
… Relax !!
• How Does Volatile Memory Work?
• Acquisition of Windows Memory
• How Is Volatile Memory Organized?
• Processes
• What Is Process Memory?
• Process Enumeration
• How to Find Suspicious Files and Suspicious Registry Keys?
• Open Files
• Windows Registry
• Loaded DLLs
Video: HBGary Responder Pro & Digital DNA - identifying malware
• Network Information
• Why from Volatile Memory?
• Open Sockets
• Open Ports
• Open TCP Connections
• What the Heck Is a VAD Tree?
• Passwords and Encryption Keys
• SSDT
Video: Finding passwords and encryption keys in Windows memory
Video: Analyzing the SSDT using Python and the Volatility Framework
• Anti-Forensic Attack (DKOM)
• Static & Dynamic Analysis
• Reverse Engineering
• Files of Unknown Origin
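The agenda above names process enumeration and the DKOM anti-forensic attack but does not show the mechanics. The following is an added example, written for this page and not taken from the talk or from the Volatility project: it builds a constructed 4 KiB "memory image" with a hypothetical, much-simplified process record layout (a 'Proc' tag, a PID, a LIST_ENTRY like EPROCESS.ActiveProcessLinks, and a name), unlinks one record the way a DKOM rootkit does, and then enumerates processes two ways: a pslist-style walk of the linked list and a psscan-style tag carve of the whole image. Everything the two views disagree on is a hidden process. The addresses, tag and offsets are assumptions for the demonstration; only the cross-view technique is the real one.

```python
"""
Cross-view process enumeration on a constructed memory image.

View 1 (pslist-style): walk the ActiveProcessLinks doubly linked list that
hangs off PsActiveProcessHead; this is what tasklist and the kernel's own
process-query APIs see.
View 2 (psscan-style): scan every aligned offset for the pool tag that
marks a process block, whether or not it is still on the list.
A process in view 2 but not in view 1 has been unlinked by Direct Kernel
Object Manipulation (DKOM).

The record layout, addresses and pool tag below are hypothetical and much
simpler than a real EPROCESS; only the technique is faithful.
"""
import struct

IMAGE_SIZE = 0x1000   # constructed 4 KiB "memory image"
LIST_HEAD = 0x10      # hypothetical address of PsActiveProcessHead (a bare LIST_ENTRY)
TAG = b"Proc"         # hypothetical pool tag at the start of each record
PID_OFF = 4           # uint32 process id
LINKS_OFF = 8         # LIST_ENTRY {flink, blink}, like EPROCESS.ActiveProcessLinks
NAME_OFF = 16         # 16-byte NUL-padded image name
RECORD_SIZE = 32


def u32(image, addr):
    return struct.unpack_from("<I", image, addr)[0]


def put_u32(image, addr, value):
    struct.pack_into("<I", image, addr, value)


def read_name(image, addr):
    raw = bytes(image[addr + NAME_OFF:addr + NAME_OFF + 16])
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def build_image(processes):
    """processes: list of (addr, pid, name). Writes each record and links
    all of them into one circular list through LIST_HEAD."""
    image = bytearray(IMAGE_SIZE)
    for addr, pid, name in processes:
        image[addr:addr + 4] = TAG
        put_u32(image, addr + PID_OFF, pid)
        image[addr + NAME_OFF:addr + NAME_OFF + 16] = name.encode().ljust(16, b"\0")
    # Links point at the LIST_ENTRY *inside* the next record, not at the
    # record itself, exactly as the Windows list does.
    entries = [LIST_HEAD] + [addr + LINKS_OFF for addr, _, _ in processes]
    n = len(entries)
    for i, entry in enumerate(entries):
        put_u32(image, entry, entries[(i + 1) % n])      # flink
        put_u32(image, entry + 4, entries[(i - 1) % n])  # blink
    return image


def dkom_unlink(image, addr):
    """The rootkit side: splice one record out of the list. The victim is
    left pointing at itself so the kernel does not fault when it exits."""
    entry = addr + LINKS_OFF
    flink, blink = u32(image, entry), u32(image, entry + 4)
    put_u32(image, blink, flink)       # prev->flink = next
    put_u32(image, flink + 4, blink)   # next->blink = prev
    put_u32(image, entry, entry)
    put_u32(image, entry + 4, entry)


def pslist(image):
    """View 1: follow flink from the head until it wraps around. A visited
    set guards against a deliberately corrupted (cyclic) list."""
    found, seen = [], set()
    entry = u32(image, LIST_HEAD)
    while entry != LIST_HEAD and entry not in seen:
        seen.add(entry)
        addr = entry - LINKS_OFF            # CONTAINING_RECORD
        found.append((u32(image, addr + PID_OFF), read_name(image, addr)))
        entry = u32(image, entry)
    return found


def plausible(image, addr):
    """Sanity checks a real scanner applies so a stray 'Proc' string in
    file data is not reported as a process."""
    flink = u32(image, addr + LINKS_OFF)
    blink = u32(image, addr + LINKS_OFF + 4)

    def in_image(p):
        return 0 < p < IMAGE_SIZE

    return u32(image, addr + PID_OFF) != 0 and in_image(flink) and in_image(blink)


def psscan(image):
    """View 2: carve records by pool tag at every 16-byte aligned offset."""
    return [(u32(image, a + PID_OFF), read_name(image, a))
            for a in range(0, IMAGE_SIZE - RECORD_SIZE + 1, 16)
            if image[a:a + 4] == TAG and plausible(image, a)]


def hidden_processes(image):
    """Cross-view difference: carved but not linked."""
    return sorted(set(psscan(image)) - set(pslist(image)))


if __name__ == "__main__":
    # Constructed sample: a web server with an injected attacker process.
    img = build_image([(0x100, 4, "System"), (0x200, 624, "svchost.exe"),
                       (0x300, 1337, "evil.exe"), (0x400, 2200, "w3wp.exe")])
    print("hidden before DKOM:", hidden_processes(img))
    dkom_unlink(img, 0x300)
    print("pslist after DKOM:", pslist(img))
    print("hidden after DKOM:", hidden_processes(img))
```

After the unlink, the list walk reports only four processes minus the victim, while the carve still finds all four, so `hidden_processes` returns the attacker's process. The same diffing idea is what Volatility's psxview does across several views at once; the self-pointing links written by `dkom_unlink` are also a signal on their own, since a live process whose flink equals its own list entry address is never legitimate.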
Quick Bites
• Suspicious Log Entries
• Suspicious Processes and Services
• Suspicious Files and Registry Keys
• Suspicious Network Usage
• Suspicious Scheduled Tasks
• Suspicious Accounts
Tools
• Basic Tools
• Memdump, KnTTools
• FATKit
• WMFT
• Procenum
• Idetect
• The Volatility Framework
• VAD Tools
• Commercial Tools
• Memoryze
Future
Questions ???