Memory Forensics analysis
-
Upload
prasadcolleges -
Category
Documents
-
view
35 -
download
2
description
Transcript of Memory Forensics analysis
-
Presented by:-
Anishka Singh
-
Everything in OS traverse RAM:-
Network Sockets and URLs
Windows Registry keys
Hardware Configuration
Password,caches and clipboards
User generated contents
MALWARE
CPU
Cache
RAM
Virtual Memory
Disk
-
DIGITAL FORENSIC ANALYSIS
Goals of Digital Forensics
Identify Digital Evidence
Generally only a part of crime investigation
Examples
computer intrusion
unauthorized use of corporate computers
any physical crime whose suspect had a computer
Three major phases:
Acquisition
Analysis
Presentation
-
Acquisition Phase
Which data as digital evidence ????????
Goal is to save the state of digital system for analysis.
Similar to taking photographs, fingerprints, blood samples, from a crime scene.
The allocated and unallocated areas of a hard disk are copied known as image.
Tools are used to copy data from the suspect storage device to a trusted device.
Tools must modify the suspect device as little as possible and copy all data.
Capture the acquired data for identifying pieces of evidence.
-
Acquistion : MoonSols Kit for obtaining memory
image Advanced toolkit for Windows physical memory snapshot management.
Designed to deal with :- A) Microsoft Windows hibernation file (from Microsoft Windows XP to Microsoft Windows 7 both 32-bits and 64-bits (x64) Editions). B)Microsoft full memory crashdump (in both 32-bits and 64-bits (x64) Editions). C)Raw memory dump files (from memory acquisition tools like win32dd or win64dd, or Virtualization application like VMWare.
Contains new version of win32dd and win64dd.
-
C:\win32dd.exe /l /f mem1.vmem
-
Identify Context
Find KPCR
Parse Memory Structure
Executive Process Blocks
Process Environment Blocks
Track loaded DLLs
Virtual Address Descriptor
Process Memory Sections
Kernel Modules
Drivers
Scan For outliers
Unlinked Process DLLs,sockets and threads
Unmapped page with execute privelage
Hook Detection
Know Heuristics and signatures
-
Analysis of Memory through volatility
Open collection of tools. Python implemented under GNU General Public License for the extraction
of digital artifacts from volatile memory (RAM).
Extraction performed are independent of system being investigated but offer unprecedented visibilty into the runtime state of system.
Intended to introduce people:-
Techniques and complexities associated with extracting digital artifacts from volatile memory samples
Work into this exciting area of research.
-
Volatility Supports x86 Windows versions
Windows XP SP 2, 3
Windows 2003 Server SP 0, 1, 2
Windows Vista SP 0, 1, 2
Windows 2008 Server SP 1, 2
Windows 7 SP 0, 1
-
Running Process
Image Date and Time
Open Network Sockets & connections
DLLs Loaded For Process Open Registry Handles
Processs addressable Memory
OS Kernel Modules
Mapping Physical offset to virtual address
Virtual address Descriptor Information
Scanning Process , threads, modules
Extract Executables From Memory Samples
-
Static RAM analysis from an image or
against a live system Enumerate all running processes, including those hidden by
rootkits, and display associated DLLs, network sockets and handles in context.
Dump a process and associated DLLs for further analysis in third-party tools.
Memory string search allows you to identify hits in memory and automatically map them back to a given process, DLL or piece of unallocated space and dump the corresponding item.
Volatility provides VAD tree analysis and exposes registry artifacts in memory and will parse and display handle information from memory.
-
Image Name
Legitimate process? Spelled correctly? Matches system
context
Full Path
Appropriate path for system executable?
Running from
a user or temp directory
Parent Process
Is the parent
Process what you would expect?
Command Line
Executable
matches image
name?
Do arguments
make sense?
Start Time
Was the process
started at boot
(with other system
processes)?
Processes started
near time of known
attack.
Analyzing Processes
-
Volatility Commands
a)Spot hidden processes psxview
b)List all processes pslist, psscan
c)Show a registry key printkey -K key
d)Extract process image procexedump
e)Extract process memory memdump, vaddump
f)List open handles, files, DLLs
and mutant objects
handles, filescan, dlllist,
mutantscan
g)List services, drivers and
kernel modules
svcscan, driverscan, modules,
modscan
h)View network activities connscan, connections,
sockets, sockscan, netscan
i)View activity timeline timeliner, evtlogs
j)Find and extract malware malfind, apihooks
-
Imageinfo
Used for Knowing what type of system your image came from.
Output shows suggested profile that you should pass as the parameter to --profile=PROFILE.
$ volatility f imagename imageinfo For most accurate and fastest results supply the profile and KDBG to other Volatility commands.
-
Pslist
Use to list the processes of a system. Walks doubly-linked list pointed by PsActiveProcessHead. Does not detect hidden or unlinked processes.
Syntax:- $ volatility f --profile=profilename mem1.vmem pslist
-
Pstree
Used for viewing the process listing in tree form. Enumerates processes using the same technique
as pslist. Child process are indicated using indention and
periods. $ volatility profile=profilename f imagename pstree
-
Psscan
To enumerate processes using pool tag scanning, use this command.
Finds processes that are previously terminated (inactive) and hidden or unlinked by a rootkit.
$ volatility f imagename psscan
-
Connscan
Used for finding connection structures using pool tag scanning.
Finds artifacts from previous connections that have been terminated.
It may find false positives sometimes, you also get the benefit of detecting as much information as possible.
$ volatility f imagename connscan
-
Malfind
Used for:- Finding hidden or injected code/DLLs in user mode memory,
based on characteristics such as VAD tag and page permissions.
Locating sequence of bytes, regular expressions, ANSI strings, or Unicode strings in user mode or kernel memory.
$ volatility f imagename malfind D directoryname
-
Apihook
Used for finding API hooks in user mode or kernel mode. It finds IAT, EAT, Inline style hooks, and several special types of
hooks. For Inline hooks, it detects CALLs and JMPs to direct and
indirect locations, and it detects PUSH/RET instruction sequences.
Special types of hooks that it detects include syscall hooking in ntdll.dll and calls to unknown code pages in kernel memory.
$ volatility f imagename apihook
-
Dlllist
For displaying a process's loaded DLLs, use this command. It walks the doubly linked list of LDR_DATA_TABLE
_ENTRY structures pointed by PEB's InLoad Order Module
List. DLLs are automatically added to this list when a process calls
LoadLibrary and they aren't removed until FreeLibrary is called and the reference count reaches zero.
$ volatility f imageinfo dlllist
-
Dlldump
For extracting a DLL from a process's memory space and dump it to disk for analysis, use this command. We can: Dump all DLLs from all processes . Dump all DLLs from a specific process (with --pid=PID) . Dump all DLLs from a hidden/unlinked process (with --
offset=OFFSET) . Dump a PE from anywhere in process memory (with --
base=BASEADDR), this option is useful for extracting hidden DLLs.
$ volatility f imagename dlldump D directoryname
-
Handles
Used for displaying the open handles in a process. Process obtains a file handle by calling functions such as
CreateFile, and the handle will stay valid until CloseHandle is called. This concept applies for registry keys, mutexes, named pipes, events, window stations, desktops, threads, and all other types of objects.
$ volatility f imagename handles
-
Getsids
For viewing the SIDs (Security Identifiers) associated with a process, use this command.
It helps you to identify processes which have maliciously escalated privileges.
$ volatility f imageinfo getsids
-
Memmap
For a brief inspection of the addressable memory pages in a process use this command. $ volatility f imagename p PID memmap
-
Memdump
To extract all data from the various memory segments in
a process and dump them to a single file, use the
memdump command.
$ volatility --profile=Win7SP0x86 -f imagename p PID memdump D directoryname/
-
Procmemdump
o For dumping a process's executable (including the slack space), use the procmemdump command.
o Optionally, pass the --unsafe or -u flags to bypass certain sanity checks used when parsing the PE header.
o Some malware will intentionally forge size fields in the PE header so that memory dumping tools fail.
$ volatility --profile=Win7SP0x86 -f imagename -p PID procmemdump -D memory/
-
Procexedump
To dump a process's executable (not including the slack space), use the procexedump command. $ volatility --profile=Win7SP0x86 -f imagename -p PID procmemdump -D memory/
-
Vadinfo
The vadinfo command displays extended information about a process's VAD nodes. In particular, it shows: The address of the MMVAD structure in kernel memory. The starting and ending virtual addresses in process memory. The VAD Tag. The name of the memory mapped file (if one exists) . The memory protection constant (permissions). $ volatility --profile=Win7SP0x86 -f imagename -p PID vadinfo
-
Modules
To view the list of kernel drivers loaded on the system, use the modules command.
This walks the doubly-linked list of LDR_DATA_TABLE _ENTRY structures pointed to by
PsLoadedModuleList. It cannot find hidden/unlinked
kernel drivers.
$ volatility --profile=Win7SP0x86 -f imagename modules
-
modscan
For scanning physical memory for kernel modules, use this command.
It can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits.
$ volatility --profile=Win7SP0x86 -f win7.dmp modscan
-
Ssdt
To list the functions in the Native and GUI SSDTs, use the ssdt command. It displays the index, function name, and owning driver for each entry in the SSDT. Some important points:- Windows has 4 SSDTs by default (you can add more with
KeAddSystemServiceTable), but only 2 of them are used - one for Native functions in the NT module, and one for GUI functions in the win32k.sys module.
Multiple ways to locate the SSDTs in memory:- o Some tools do it by finding the exported KeServiceDescriptorTable
symbol in the NT module. o Volatility scans for ETHREAD objects and gathers all unique
ETHREAD.Tcb.ServiceTable pointers.It is more robust and complete, as it can detect when rootkits make copies of the existing SSDTs and assign them to particular threads.
$ volatility --profile=Win7SP0x86 -f imagename ssdt
-
Driverscan
For scaning DRIVER_OBJECTs in physical memory, use this command.
The DRIVER_OBJECT contains the 28 IRP (Major Function) tables.
$ volatility --profile=Win7SP0x86 -f imagename driverscan
-
To detect listening sockets for any protocol (TCP, UDP, RAW, etc), use the sockets command.
It walks a singly-linked list of socket structures which is pointed to by a non-exported symbol in the tcpip.sys module.
It works for Windows XP and Windows 2003 Server only.
$ volatility f imagename --profile=WinXPSP3x86 sockets
-
Volatility is the only memory forensics framework with the ability to carve registry data. Variour registry commands are:- a) Hivescan b) Hivelist c) Printkey
-
Hivescan
To find the physical addresses of CMHIVEs (registry hives) in memory, use the hivescan command. $ volatility --profile=Win7SP0x86 -f imagename hivescan
-
Hivelist
To locate the virtual addresses of registry hives in memory, and the full paths to the corresponding hive on disk, use this command. $ volatility --profile=Win7SP0x86 f imagename hivelist
-
Printkey
For displaying the subkeys, values, data, and data types contained within a specified registry key, use this command.
By default it will search all hives and print the key information (if found) for the requested key. Therefore, if the key is located in more than one hive, the information for the key will be printed for each hive that contains it.
$ volatility --profile=Win7SP0x86 -f imagename printkey -K "Microsoft\Security Center\Svc"
-
Idt
To print the system's IDT (Interrupt Descriptor Table), use the idt command.
It displays the purpose of the interrupts, along with the current address and owning module.
Some rootkits hook the IDT entry for KiSystemService, but point it at a routine inside the NT module (where
KiSystemService should point). However, at that
address, there is an Inline hook detected by Idt.
$ volatility idt -f imagename
-
Gdt
To print the system's GDT (Global Descriptor Table), use the gdt command.
It is useful for detecting rootkits like Alipop that install a call gate so that user mode programs can call directly into kernel mode (using a CALL FAR instruction).
$ volatility -f imagename gdt
-
Volatility is a very powerful tool, which is able to detect even the most advanced rootkits if its being used properly.
The analyst should have good windows knowledge to
combine the different functions in a smart way and draw the right conclusions
False positives could be caused by security software like HIPS, AV or personal firewalls, as they act in a very similar way malware does. The only way to be 100% sure if the code is malicious or not the investigator has to disassemble the dumped code .
Conclusion
-
Other tools Mandiant Redline:- Mandiant Redline is an interesting tool which can analyse all the processes running on your PC, and then attempt to highlight any which might be malicious.