You suck at Memory Analysis

Post on 05-Sep-2014

Of the current offensive and defensive technique arsenal, analysis of volatile memory is far from the most explored channel. It is much more common to hear about input validation attacks or attacks against protocols and cryptography, while keys, passphrases, credit card numbers and other precious artifacts are kept unsafely in memory. This kind of analysis is a mine waiting to be explored, since it draws on one of the most vulnerable and unavoidable resources of any system: memory. From Java to Stuxnet, as well as Windows, and without forgetting the Cloud, I will try to show some scenarios where these techniques can be applied and their impact as a threat, and bring an important and fun subject not just to those who work in forensics but also to penetration testers like myself. Finally, I will also try to show how this can be used for defensive technologies, as tools for monitoring and protection in networks with systems in production.

Transcript of You suck at Memory Analysis

You suck at Memory Analysis

give it up, it’s not worth it

Disclaimer

• Contents displayed such as thoughts and opinions are exclusively those of Francisco Gama Tabanez Ribeiro, the author, and do not reflect the viewpoint or policy of any of my employers.

• You are free to use these contents for your works as well as make derived works from it as long as you keep visible and explicit references to this website in proper place.

• Images and references to other works within this production remain the property of their respective holders. All licenses explicitly applied to individual resources shall override this one.

Who?

• Francisco da Gama Tabanez Ribeiro

• Penetration Testing @ Portugal Telecom

• Certificates that I don’t have:

MCITP, MCTS, MCPD, MCA, SSCP, CAP, CSSLP, RHCE, ISO27001, CISA, ITIL, CMIIB, CMIIC, CMIIS, CMIIA, CMIIP, JBCAA, CEH, CHFI, ECSA, CNDA, LPT, ECVP, ECSP, CCNA, CCDA, OSCE, CCNP and CCDP

Agenda

• Intro:

• Who? Why? How?

• 1) Memory Acquisition

• 2) Memory Analysis

• Windows:

• memory acquisition

• process reconstitution

• malware analysis

• Java:

• JMX

• Web

• Breaking safes (Truecrypt)

• Hardware:

• printers

• cold boot attack

• Conclusion: where next?

Some of the real experts here.

• Michael Cohen

• Brendan Dolan-Gavitt

• Jesse Kornblum

• Mark Russinovich

• Mike Auty

• Michael L. Hale

• Harlan Carvey

• Dmitry Vostokov

Dinner @ RIT’s meet-up

Why?

• OS & process behavioral tracing

• app debugging & profiling

• malware analysis (Rootkit Paradox)

• mining raw data artifacts

• low level monitoring

• plays well with Social Engineering

• supports the Cloud, VM’s & mobile’s

suggested reading: Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum

1) Memory Acquisition

Memory Acquisition Techniques(Software)

• Crash Dumps

• Hibernation files

• Virtual Machine Imaging/Suspend

• Physical memory device objects:

• Windows (\\Device\PhysicalMemory, \\Device\DebugMemory)

• Linux (/dev/mem, /proc/kcore, /dev/crash)

• Live kernel debug dumps (NtSystemDebugControl, NtQueryVirtualMemory)

• Inferential

Memory Acquisition Tools

• MoonSols tools, mdd, dd

• memdump, userdump

• nigilant32, KNTTools, WMFT

• Idetect, Second Look, Goldfish, fmem (Linux, Mac OS X)

suggested reading: Tools: Memory Imaging, Forensics WiKi

Memory Acquisition Gotchas

• memory images taken live may come “blurred”

• time required increases with memory size

• for faster scans, reduce kernel space size (/3G switch)

suggested reading: Acquisition and analysis of volatile memory from android devices, Digital Investigation

/3GB Startup Switch in 32-bit Win

[figure: two 32-bit address space layouts, 0x00000000 to 0xFFFFFFFF]

• Default: UserSpace below 0x80000000, KernelSpace from 0x80000000 up to 0xFFFFFFFF

• /3GB (set in the boot.ini file): UserSpace below 0xC0000000, KernelSpace from 0xC0000000 up to 0xFFFFFFFF

suggested reading: How to Set the /3GB Startup Switch in Windows, Technet, Microsoft

Memory Acquisition Techniques(Hardware)

• Firewire/DMA

• PCI Card (“Tribble”)

• Debug ports (JTAG)

• Inferential

suggested reading: Tools: Memory Imaging, Forensics WiKi

Piezo-Acoustic iPod Hack

• iPod 4G

• firmware dump by playing sounds

• ARM code that can read addresses 0 through 65535

• one sound to represent a 1 bit, another for a 0 bit

• 64 kb file at 5 bytes/sec

• sound recognition/ error detection & correction

• iPod-Linux project

2) Memory Analysis

How?

• Static

• Dynamic

Memory Analysis Tools

• Volatility

• Memoryze

• Windbg

• Redline

• Volafox

Volatility

• an advanced memory forensics framework

• extraction of digital artifacts from volatile memory (RAM) samples

• plugin based architecture

• major releases at present moment: 1.3, 2.0 & NG (Scudette’s branch)

• Python

suggested reading: Volatility, Memory Forensics, Volatile Systems

suggested reading: An advanced memory forensics framework, Volatility, Google Wiki pages

Windows - things you can analyze

• processes, threads, sockets, connections, modules

• files & DLLs loaded for each process

• the hive (registry handles)

• process' addressable memory & executables extraction

• OS kernel modules

• mapping physical offsets to virtual addresses (strings to process)

• security access tokens

• more, much more...

mimikatz - getting clear text passwords in Windows

[diagram: Client Application → SSPI → Digest SSP (TsPkg, Wdigest, LiveSSP) inside the Local Security Authority SubSystem (LSASS) → LSA Server Service → Server; mimikatz injects sekurlsa.dll into LSASS and uses LsaProtectMemory / LsaUnprotectMemory]

mimikatz - getting clear text passwords from Windows

• Traitement du Kiwi - injects sekurlsa.dll (LSASS)

• TsPkg & Wdigest store encrypted (not hashed) passwords

• used for Kerberos, NTLM/LM, HTTP Digest authentication

• function LsaUnprotectMemory retrieves clear text password

• pass the word > pass the hash

Windows - Process reconstitution

• OS walking (KPCR > PsActiveProcessHead > _LIST_ENTRY) > EProcess... (pslist)

• pool tags (psscan)

• others..

Windows - _EPROCESS structure

• image filename

• process id, parent process id

• create/exit times

• base priority

• exit status

• next/prev process block

• image base address

• ...

suggested reading: struct EPROCESS, NirSoft

Windows - process reconstitution

[diagram: PsActiveProcessHead pointing into a doubly linked chain of EPROCESS blocks; each EPROCESS carries a LIST_ENTRY whose Flink and Blink point to its neighbours]

DKOM (Direct Kernel Object Manipulation)

[diagram: the same chain with the middle EPROCESS unlinked; its neighbours’ Flink and Blink now point past it, so a walk from PsActiveProcessHead never reaches it]

detectable by Volatility psscan plugin
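An added illustration of the two views the slides contrast, written for this transcript rather than taken from Volatility or from the talk: a constructed toy image with a simplified process-block layout (the real _EPROCESS is larger and its field offsets differ) is walked by a pslist-style list traversal and carved by a psscan-style pool-tag scan, and a simulated DKOM unlink shows why only the cross-view comparison exposes the hidden entry.

```python
import struct

# Constructed, simplified process block (NOT the real Windows _EPROCESS layout):
# 4-byte pool tag "Proc", 4-byte PID, 16-byte image name, 4-byte Flink, 4-byte Blink.
TAG, FMT = b"Proc", "<4sI16sII"
SIZE = struct.calcsize(FMT)      # 32 bytes per block
FLINK_OFF, BLINK_OFF = 24, 28    # field offsets inside a block

def build_image(procs, base=0x1000):
    """Lay the fake blocks out in a bytearray joined in a circular list;
    returns (image, head) where head plays the role of PsActiveProcessHead."""
    n, img = len(procs), bytearray(base + SIZE * len(procs))
    for i, (pid, name) in enumerate(procs):
        flink, blink = base + ((i + 1) % n) * SIZE, base + ((i - 1) % n) * SIZE
        struct.pack_into(FMT, img, base + i * SIZE, TAG, pid, name.ljust(16, b"\0"), flink, blink)
    return img, base

def entry(img, off):
    _, pid, name, flink, blink = struct.unpack_from(FMT, img, off)
    return pid, name.rstrip(b"\0").decode(), flink, blink

def pslist(img, head):
    """Walk the Flink chain from the head, as Volatility's pslist does."""
    seen, off = [], head
    while True:
        pid, name, flink, _ = entry(img, off)
        seen.append((pid, name))
        off = flink
        if off == head or len(seen) > 4096:   # stop on wrap-around or a corrupted chain
            return seen

def psscan(img):
    """Carve every block by its pool tag, whether or not it is still linked."""
    found, off = [], img.find(TAG)
    while off != -1:
        pid, name, _, _ = entry(img, off)
        found.append((pid, name))
        off = img.find(TAG, off + SIZE)
    return found

def simulate_dkom_unlink(img, target):
    """Reproduce the DKOM effect in the fake image: both neighbours now point past target."""
    _, _, flink, blink = entry(img, target)
    struct.pack_into("<I", img, blink + FLINK_OFF, flink)   # prev.Flink = target.Flink
    struct.pack_into("<I", img, flink + BLINK_OFF, blink)   # next.Blink = target.Blink

def hidden_processes(img, head):
    """Cross-view check: whatever psscan carves that walking the list did not reach."""
    walked = pslist(img, head)
    return [p for p in psscan(img) if p not in walked]
```

The same cross-view idea is what makes psscan useful against DKOM on a real image: the list can be edited, but the pool allocation with its tag is still there.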

Process hollowing

• legitimate process loaded into memory to act as a code container

• host process is created into a suspended mode

• antivirus bypassing

• meterpreter ‘-m’ flag

• detectable with Volatility plugins pslist + procexecdump combined with fuzzy hashing (ssdeep)

suggested reading: Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7

Process hollowing

[diagram: a Process (suspended) whose image is replaced before it becomes a Process (running)]

Java Management Extensions (JMX)

• monitor and manage any Java based applications

• automatically exposed by JMX agents

• clients like Java Visual VM can connect to it locally and remotely

• supports MBeans

• tools: Java Visual VM, JConsole, MAT (Eclipse),

JmxCli

suggested reading: Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide

Java Management Extensions (JMX)

• no default port but... “statistical” guessing: 3333, 6161, 9999

• authentication? encryption? not by default!

• properties where you can fix that:

com.sun.management.jmxremote.port

com.sun.management.jmxremote.ssl

com.sun.management.jmxremote.authenticate

Java Management Extensions (JMX)

jbossify for JBoss

1) get it:

wget https://raw.github.com/blackthorne/Pentest-utils/master/jbossify.py

2) run jbossify:

$ python jbossify.py <host> <port> <instance_name> [<properties to extract>]

$ python jbossify.py --offline <instance_folder> [<properties to extract>] (for offline extraction)

<properties to extract> - can be 'conn', 'dd', 'sql' or 'all' (default is just conn)

conn -> ManagedConnectionFactoryProperties, dd -> deploymentDescriptor, sql -> SqlProperties

Connection Strings!

demo time!

So, Java uses Memory...tell me you were not aware of it?

Truecrypt

• Virtual Encrypted Disks

• Partitions & storage devices

• Parallelization & Pipelining

• Automatic, Real-time & Transparent

• Hardware accelerated

• Plausible Deniability

• Multiple platform

Meanwhile... in a memory chip close, close by...

demo time!

Truecrypt

DRIVER_OBJECT address

1) where?

2) size? DriverStart .. DriverStart + DriverSize

suggested reading: RAM is Key: Extracting Disk Encryption Keys From Volatile Memory, Brian Kaplan, Carnegie Mellon University

Truecrypt

3) what?

..on a little endian architecture..

$ xxd JOHN-2CF071298B-20120512-221220.raw | grep 123asd

88f3060: 0c00 0000 3132 3361 7364 4153 4421 4023  ....123asdASD!@#

that’s a 12 (the passphrase length) followed by the passphrase

Truecrypt

3) what?

{length, passphrase} tuples with fingerprint:

length [1..64]

passphrase ASCII printable [0x20..0x7E]

????0000 ????????..length 0x00..NULL’s

..on a little endian architecture..

suggested reading: Cryptoscan plugin, Jesse Kornblum

suggested reading: TrueDecrypt plugin, Francisco Ribeiro
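The fingerprint above as a scanner, added here as an example and not the code of the TrueDecrypt or Cryptoscan plugins: it looks for a little-endian length word in 1..64, that many printable bytes, and then NUL padding, assuming a 65-byte text field after the length word (an assumption about the buffer layout, not something the slide states), and runs over a constructed sample that embeds the slide’s “123asdASD!@#” bytes beside two decoys.

```python
import re
import struct

TEXT_FIELD = 65       # assumed NUL-padded text field after the length word (see lead-in)
# Zero-width lookahead so overlapping candidates are all examined: a little-endian
# 32-bit value in 1..64 is one byte in 0x01..0x40 followed by three NUL bytes.
LEN_RE = re.compile(rb"(?=[\x01-\x40]\x00\x00\x00)")

def is_printable(buf):
    """True when every byte is printable ASCII, 0x20..0x7E as the slide states."""
    return len(buf) > 0 and all(0x20 <= b <= 0x7E for b in buf)

def scan_passphrases(image):
    """Return (offset, passphrase) for each {length, passphrase} tuple in the image."""
    hits = []
    for m in LEN_RE.finditer(image):
        off = m.start()
        (length,) = struct.unpack_from("<I", image, off)
        text = image[off + 4 : off + 4 + length]
        pad = image[off + 4 + length : off + 4 + TEXT_FIELD]
        if len(text) != length or not is_printable(text):
            continue                      # a length word with no passphrase behind it
        if len(pad) != TEXT_FIELD - length or pad.strip(b"\x00"):
            continue                      # printable run not followed by the NUL padding
        hits.append((off, text.decode("ascii")))
    return hits

# Constructed sample "memory image": the slide's 12-byte example, two decoys that
# match only part of the fingerprint, and a maximum-length 64-byte passphrase.
SAMPLE = (
    b"\x00" * 16
    + struct.pack("<I", 12) + b"123asdASD!@#" + b"\x00" * (TEXT_FIELD - 12)
    + b"\x05\x00\x00\x00\x01\x02\x03\x04\x05" + b"\x00" * 60          # non-printable text
    + struct.pack("<I", 3) + b"abc" + b"\x00" * 10 + b"X" * 60        # padding is not NUL
    + struct.pack("<I", 64) + b"P" * 64 + b"\x00" * (TEXT_FIELD - 64)
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, passphrase in scan_passphrases(SAMPLE):
        print(f"0x{off:08x}: length {len(passphrase):2d}  {passphrase}")
```

On a real image the same fingerprint produces false positives from unrelated length-prefixed buffers, which is why the slides first narrow the search to the driver’s address range.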

Cold Boot attacks on encryption keys

• exploits data remanence in volatile memory

• retrieves encryption keys used to encrypt hard drives

• Truecrypt, bitlocker, Filevault

suggested reading: Lest we remember: Cold Boot Attacks on Encryption Keys, Princeton University

MultiFunction Printers?

...stores images of all scanned, copied, printed and e-mailed documents...

1) Open it (google: “<your_MFP_model> hardrive replacement” )

2) Analyze that

does your company handle this properly?

STUXNET

• source: US-Israel

• target: Iran nuclear program

• very sophisticated cyber warfare on SCADA

• infection by USB thumb drive

• exploits Siemens Simatic S7-300 PLC

• deceives monitoring, destroys centrifuge machines

• ~10,000 lines of code


suggested reading: Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)

demo time!

What about searching for what you don’t know?

Codetective

• an analysis tool to determine the crypto/encoding algorithm used according to traces of its representation

• can be used as a volatility plugin or as a generic tool

• filters (win, unix, web, db or other) and level of confidence

• supports:

shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM, MD4, MD5, Apr, SHA1, SHA256, base64, MySQL323, MYSQL4+, DES, RipeMD320, Whirlpool, SHA1, SHA224, SHA256, SHA384, SHA512, Blowfish, Java Session IDs, connection strings, Credit Cards, URLs

Codetective

• relevant options:

-a (analyze)

-u (show UUIDs)

-v (verbose mode)

-t (filters)

-p (search for Process ID)

-n (search for process name)

If neither -p nor -n is given, it will search in all processes.

• git clone git://github.com/blackthorne/Codetective.git codetective

suggested reading: codetective plugin, github @blackthorne, Francisco Ribeiro

demo time!

Where next?

• Networks (Remote live forensics)

• Mobiles

• Virtual Machines

• Cloud

GRR - remote live forensics

[screenshot: GRR web console showing hostname, pslist, volatility plugins, status, an age selector and raw disk views]

Memory Analysis on the Cloud

• with virtualization, multiple Virtual Machines share a single physical machine and expose their volatile memory in snapshot files (.vmem, ...) that are accessible from userland

• analyzing iOS iTunes memory allows you to retrieve iCloud credentials. Years ago that wasn’t that serious, but now it’s not just music, is it?

• What about Dropbox and Google accounts? How complex is your password? Does it really matter? Where is it stored?

My clipboard supports: • mixed case passwords • numbers • special characters and length > 20

Special thanks to:

• Michael Cohen

• Brendan Dolan-Gavitt

References:

• Tools: Memory Imaging, Forensics WiKi

• Acquisition and analysis of volatile memory from android devices, Digital Investigation

• struct EPROCESS, NirSoft

• How to Set the /3GB Startup Switch in Windows, Technet, Microsoft

• Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7

• Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide

• RAM is Key: Extracting Disk Encryption Keys From Volatile Memory, Brian Kaplan, Carnegie Mellon University

• Cryptoscan plugin, Jesse Kornblum

• TrueDecrypt plugin, Francisco Ribeiro

• Survey of Scanner and Printer Forensics, Purdue University

• Forensic analysis of digital copiers, Svein Yngvar Willassen

• Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)

• codetective plugin, github @blackthorne, Francisco Ribeiro

• Volatility - Memory Forensics, Volatile Systems

• Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum

• An advanced memory forensics framework - Volatility, Google Wiki pages

childish wont-let-go nickname: blackthorne

blackthorne (geek) bthorne_daily (social)

francisco@ironik.org (PGP key: 0xBDD20CF1)

http://www.digitalloft.org (homepage)

Thank you