Memory Forensics: The means for rapid triage and accomplishing assignments via active actor analysis
North Texas Cyber Security Group
Mark McCurdy & Jeff Beley
December 8, 2016
“The Fonz” for our younger audience members
Mark McCurdy
Computer Science: Texas A&M
Linux/Solaris IT, 16 years
Forensic Analyst: HP Enterprise DIS
Trail Runner, Bike rider, Child-like wonder for DFIR
Jeff Beley (at a last-minute customer engagement)
Forensic Analyst with FusionX
Nerd, DFIR addict, Linux aficionado
Digital Forensics as a whole is made up of many components

Hard skills
• Memory forensics
• Network forensics
• Filesystem forensics
• Malware triage
• Log analysis
• Intelligence analysis
• Attacker methodology
• SW Development

Soft skills
• Investigative process
• Operational security
• Communication / Report Writing
• Team cooperation
Memory forensics is the process of acquiring and analyzing physical memory (RAM) in order to find artifacts and evidence.
• Analysis does not depend on OS
• Unconstrained analysis (entire state of OS/historical)
• Removes a possible active adversary
• Contains data not on disk
• Bypasses packers and rootkits (hiding tools)
• Allows for fast triage. Pulling the disk may not be necessary.
• All-in-one shop for whole system analysis. One executable. One image. No hunting for files in the OS
• Memory dumps are small and easier to transport compared to a disk image.
• Shutting off a system can be a beacon of acknowledgement to an advanced actor.
What are typical goals for analyzing memory?
1. Fast triage of a not-well-known problem
2. Determine user activity (acceptable use policy)
• Browser activity
• Executed applications
• Activity on removable storage
3. Find malware
• Find malware payloads
• Determine the persistence method
• Find malicious actor activity
• Look for callouts to Command and Control (CC, C2)
What exists in memory?
Current technology allows retrieving a list of running processes from memory and…
• Processes running, closed, and hidden
• Binaries executed
• Documents opened
• Files currently mapped in memory
• DLLs used
• Devices attached (USB and other)
• Services running and hidden services
• Registry keys with an undelete possibility
• Software installed
• Reboot times
• Network connections and opened sockets
• Browser histories
• Passwords: cleartext and hashes
Don’t notify the customer yet! It might be a fake
• Sometimes a segment of memory is in flux at the time of collection. This can cause oddities in the analysis results.
• Dates and times might lie (tools and maliciousness)
• False positives can and do exist
• Anti-virus programs in memory look bad because they contain what bad looks like.
• Administrator or forensic tools might look like hacker tools
What is our confidence in memory artifacts?
1. Artifacts pulled from the Windows kernel structures have a high level of confidence. These actions do not step outside the bounds of what is addressed in memory.
2. Scanned memory carves the image looking for signatures that indicate both current and historic indicators. Confidence is lower. A process ID of a historic process could have been used in a more recent running process.
3. Extracting strings from memory is unreliable, but with context it often exposes IPs, hostnames, and words. Those strings aren’t always a smoking gun but can be a bridge to more solid evidence. Note: malware names or malicious internet IPs in strings pulled from an antivirus process will return a false positive in most situations.
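As an added example (not from the talk and not Volatility's own code), the script below applies this confidence ranking to two constructed, simplified listings in the shape of pslist (kernel structure walk) and psscan (pool scan) output: a scan hit that the kernel's process list also reports is high confidence, one with an exit time is historic, one with neither needs corroboration, and a PID seen with two different creation times is flagged as reused so the historic object is not attributed to the live process. The listing format, process names, offsets and timestamps are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample output (not real Volatility output), simplified to the
# columns this check needs: offset name pid ppid created [exited].
PSLIST = """\
0xfffffa80004b09e0 System         4    0 2016-12-08 14:00:01
0xfffffa8001c2a060 explorer.exe 1504 1472 2016-12-08 14:01:10
0xfffffa8002311b30 svchost.exe  2288  604 2016-12-08 14:30:47
"""
PSSCAN = """\
0x0000000003f0d9e0 System         4    0 2016-12-08 14:00:01
0x0000000017d2a060 explorer.exe 1504 1472 2016-12-08 14:01:10
0x000000001e311b30 svchost.exe  2288  604 2016-12-08 14:30:47
0x000000001a8c4b30 notepad.exe  2288 1504 2016-12-08 14:05:33 2016-12-08 14:12:02
0x0000000021f01060 sample.exe   3916 1504 2016-12-08 14:31:05
"""

def parse(text):
    """Turn the simplified listing into dicts; a row with 8 fields carries an exit time."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 6:
            continue
        rows.append({"offset": p[0], "name": p[1], "pid": int(p[2]), "ppid": int(p[3]),
                     "created": p[4] + " " + p[5],
                     "exited": p[6] + " " + p[7] if len(p) >= 8 else None})
    return rows

def triage(pslist_text, psscan_text):
    """Classify each psscan hit by whether the kernel's process list (pslist) agrees.
    Matching on (pid, created) instead of PID alone keeps a historic PID distinct from its current owner."""
    listed = {(r["pid"], r["created"]) for r in parse(pslist_text)}
    scanned = parse(psscan_text)
    created_by_pid = defaultdict(set)          # PID -> distinct creation times seen by the scan
    for r in scanned:
        created_by_pid[r["pid"]].add(r["created"])
    verdicts = {}
    for r in scanned:
        if (r["pid"], r["created"]) in listed:
            v = "confirmed: pslist and psscan agree (high confidence)"
        elif r["exited"]:
            v = "terminated: historic object, exit time set"
        else:
            v = "scan-only: not in pslist, possible unlinked process, corroborate"
        if len(created_by_pid[r["pid"]]) > 1:
            v += "; PID reused across objects"
        verdicts[(r["name"], r["pid"], r["created"])] = v
    return verdicts
```

Calling triage(PSLIST, PSSCAN) flags notepad.exe (PID 2288, exited) as historic and svchost.exe (PID 2288, live) as confirmed, both marked as sharing a reused PID, while sample.exe appears only in the scan and is left for corroboration.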
How does the request for analysis reach a Digital Forensic Incident Response (DFIR) Team?
• A call came in from the SOC based on alerts or from active hunting activities
• Strange behavior noticed by the customer
• References to this host were found in an existing investigation
• Suspicion of an employee doing bad things
As a first responder, what do you do?
a. Call the CISO?
b. Pull the power cord?
c. Pull the network cable?
d. Image the disks?
e. Pull memory?
Incident Response (IR) Extras
Follow the order of volatility when on a live system
• Registers, cache, routing table, process table, memory, temporary file systems, disk, archival media

References
• RFC3227
• ISO/IEC 27037:2012
Artifacts that exist on the disk are complementary to a memory pull. They are often under 1GB.
• Registries: system, software, security, and per user NTUSER hives
• Master File Table (MFT) and USN journal for each partition
• Event logs whose usefulness is dictated by their retention
• AV logs and other locally stored logs for applications
Let’s ride deeper into a typical IR order of operations
1. Adhere to forensically sound evidence taking and don’t assume this presentation is complete.
2. Live system triage or interaction means more noise and more overwritten data. Pull memory before triage if you know the system is infected.
3. For physical servers and optionally for VM guests, run a memory acquisition tool. Pull straight to a USB drive or across the network to avoid writing to the system disk.
4. VMware guest acquisition technique:
   1. Ask for downtime
   2. Suspend the VM, pull VMSS/VMEM
   3. If the system must be brought back online, clone it.
5. Encrypt the data if an insecure transport is used to reach the forensic lab
Acquiring memory
Memory collection can require planning. Changes in OS releases make this a moving target.
• Newer versions of Windows (8+ and 2012+) utilize memory encryption and obfuscation as a security measure. Great for the end-user, but it impacts our work.
• Windows 10 Memory compression and Virtual Secure Mode (VSM)
• Each Linux kernel version requires a kernel-specific module and profile to be generated in order for acquisition and analysis to occur.
Tool                          Vendor                              OS
FTK Imager                    Access Data                         Windows
Dumpit                        Comae                               Windows
Fastdump                      HBGary                              Windows
LiME                          504ensicsLabs                       Linux
Threat Protection of Linux    Forcepoint (formerly Secondlook)    Linux
Let’s get to the meat of memory forensics: the tools
The two main tools for performing memory forensics:
1. Volatility by the Volatility Foundation
• First to market
• Community involvement
• Authors wrote the 800 page “Art of Memory Forensics”
2. Rekall by Google
• Will have an end-point agent in 1.6 to allow for centralized querying and retrieval of in-memory artifacts
• Integrated into GRR Rapid Response (GRR) for threat hunting
We will focus on Volatility. It gets the most community exposure.
Category            Memory mapped modules                                Scanning modules      Dumping modules
PROCESSES           pslist, pstree, psxview                              psscan                procdump
NETWORK             connections, sockets                                 netscan, sockscan
SERVICES            servicediff, tasks, joblinks                         svcscan
FILES               mftparser                                            filescan              dumpfiles
DLL                 dlllist, ldrmodules                                                        dlldump
DRIVERS                                                                  modscan, driverscan   moddump
VAD'S               vadwalk, vadtree                                                           vaddump
COMMANDS            cmdhistory, consoles                                 cmdscan
SYSTEM              devicetree
HANDLES             handles                                              mutantscan (mutex)
SIDS                getsids, getservicesids
REGISTRY            printkey                                                                   dumpregistry
REGISTRY ARTIFACTS  amcache, shimcache, shellbags, userassist, iehistory lsasecrets            hashdump
EVENT LOGS          evtlogs, shutdowntime
PATTERN SCAN        strings, yarascan                                    yarascan
FIND EVIL           malfind                                              malfind -D
ALL ARTIFACTS       timeliner

COMMUNITY EXTRA EXAMPLES
shimcachemem, prefetchparser, uninstallinfo, firefoxhistory, chromehistory, hollowfind

Volatility modules eye chart sorted by functionality
Demonstration!
1. Detonate Locky ransomware in a VM
2. Suspend the VM and pull the memory
3. Find the indicators of compromise
Insert cliché demo god reference here: