CHAD TILBURY 0 Former: Special Agent with US Air

Force Office of Special Investigations

0 Current: Incident Response and Computer Forensics Consultant

0 Over 12 years in the trenches

0 SANS Digital Forensics and Incident Response Instructor & Author chad@forensicmethods.com

http://ForensicMethods.com

@chadtilbury

The Year of Memory Forensics?

64 bit support

Volatile Registry Analysis

Memory Timelining

Mac OS X Analysis

Linux Analysis

Live Memory Analysis

Whitelisting

Old School vs. New School

vs.

Mac and Linux Memory Forensics

Mac Memory Reader

0 Runs on Mac OS X 10.4-10.8, PowerPC, Intel, x86, x64

0 Generates a Mach-O file or raw dump of memory (-P)

0 Optional image hashing (-H)

0 Load kernel extension to fake /dev/mem only (-k)

0 Simple and effective!

“There are currently very few tools to analyze physical memory dumps from Mac OS X machines. Hex editors, string extraction tools, search tools, and file carvers are all useful for extracting data.”

-Mac Memory Reader help file

“There are currently very few tools to analyze physical memory dumps from Mac OS X machines. Hex editors, string extraction tools, search tools, and file carvers are all useful for extracting data.”

-Mac Memory Reader help file

Mac Memoryze

0 Dump memory 0 sudo macmemoryze dump –f mem.dmp

0 Analysis (just the basics): 0 proclist

0 proclist –w (similar to lsof)

0 proclist –c (carve for processes)

0 kextlist

0 kextlist –c (carve for kernel extensions)

0 Enumerate System Call Table and Mach Trap Table

0 Live analysis capable (do not include –f option)

Mac Memoryze Proclist

Volatility + Mac = System Information 0 mac_print_boot_cmdline 0 mac_dmesg 0 mac_version 0 mac_vfs_events 0 mac_machine_info 0 mac_mount 0 mac_list_sessions 0 mac_list_zones 0 mac_ls_logins 0 mac_volshell

Malware 0 mac_trustedbsd 0 mac_check_syscalls 0 mac_check_sysctl 0 mac_check_trap_table 0 mac_psxview 0 mac_yarascan 0 mac_notifiers 0 mac_ip_filters

Process / Module Information 0 mac_pslist 0 mac_pstree 0 mac_proc_maps 0 mac_psaux 0 mac_lsmod 0 mac_lsof 0 mac_dead_procs 0 mac_pgrp_hash_table 0 mac_pid_hash_table 0 mac_dump_maps 0 mac_tasks Networking 0 mac_ifconfig 0 mac_netstat 0 mac_route 0 mac_arp

https://code.google.com/p/volatility/wiki/MacMemoryForensics

Volatility + Mac

Linux Memory Acquisition 0 Old School:

0 dd if=/dev/kmem

0 Fmem kernel module

0 Redhat Crash Dump Utilities

0 New School

http://code.google.com/p/lime-forensics/

Volatility + Linux =

System Information 0 linux_dmesg 0 linux_bash 0 linux_cpuinfo 0 linux_dentry_cache 0 linux_tmpfs 0 linux_find_file 0 linux_memmap 0 linux_mount 0 linux_mount_cache 0 linux_slabinfo 0 linux_iomem 0 linux_vma_cache 0 linux_volshell

Process / Module Info 0 linux_proc_maps 0 linux_dump_map 0 linux_psaux 0 linux_pslist 0 linux_pslist_cache 0 linux_pstree 0 linux_psxview 0 linux_pidhashtable 0 linux_lsmod 0 linux_moddump 0 linux_lsof

Malware 0 linux_yarascan 0 linux_check_syscall 0 linux_check_idt 0 linux_check_afinfo 0 linux_check_creds 0 linux_check_evt_arm 0 linux_check_fop 0 linux_check_tty 0 linux_check_modules 0 linux_keyboard_notifier

Networking 0 linux_arp 0 linux_ifconfig 0 linux_netstat 0 linux_route_cache 0 linux_pkt_queues 0 linux_sk_buff_cache

https://code.google.com/p/volatility/wiki/LinuxMemoryForensics

linux_yarascan

linux_bash

Memory Timelining

What is Timeliner?

0 Set of Volatility plugins to collect time information from memory artifacts

0 Many memory artifacts have embedded timestamps: 0 Processes 0 Threads 0 Portable Executable Files

0 Process EXEs, DLLs, and Drivers 0 Network Sockets 0 Registry Keys 0 Event Logs

0 Timeliner consolidates artifacts into a delimited file that can be easily converted to a timeline 0 Volatility 2.3 now capable of body file format! 0 David Nides submitted recent patch for Log2Timeline format

Memory Timelining timeliner

• Timeliner collects timestamps from memory artifacts and outputs them in a timeline format

Purpose

• Send output to a delimited file (--output-file=file_name) v2.1 • Create output in body file format (--output=body) v2.3 • Log2Timeline output format (pending) v2.4??

Important Parameters

• Compatible with XP and Win7: automatically adjusts helper plugins • Output can voluminous; best practice is to use “--output-file” • The output is not currently compatible with other timeline formats • Timeliner can take hours to run – be patient! • The “-h” help information currently lists many incorrect options

Investigative Notes

Example Output: Timeliner Processes

Column Header Column Header

1 Creation Time 5 Parent Process ID

2 Artifact Type (PROCESS) 6 Exit Time

3 Process Name 7 EPROCESS Offset

4 Process ID

Timeliner Example

Redline Time Wrinkles™

Live Response &

Live Memory Analysis

Old School Batch Scripts

Mandiant Redline “Collector”

Redline Portable Collector

Live Memory Analysis Who Cares?

0 Digital Signature Checks 0 Digital signatures stripped when loaded into memory

0 Verification done using file certificates stored on-disk

0 MD5 Whitelisting 0 MD5 hashes of on-disk copies of memory mapped files

0 Must have access to file system

0 MemD5 Whitelisting 0 Hashing of in memory copy of binaries

0 Requires access to Page File

Narrowing Your Focus with Live Analysis

0 ID “known good hashes” from live memory analysis

0 Redline Options Whitelist Management

Whitelist Filtering

169 vs. 12 Items

Live Memory Analysis with Volatility

0 Winpmem

0 Raw, crash dump, and output to stdout

0 Direct analysis of running kernel (-l switch)

0 Optional write support!

0 https://code.google.com/p/volatility/downloads/list

0 Volatility Technology Preview Branch

0 https://code.google.com/p/volatility/wiki/TechPreviewBranch

0 Includes interactive shell (similar to volshell) -> the future of Volatility?

Live Analysis with winpmem

Live Response with Volatility

Good Day or Bad Day?

Old School doskey

Memory Carving

Typed Commands: cmdscan & consoles

• Scan csrss.exe (XP) and conhost.exe (Win7) for Command_History and Console_Information residue

Purpose

• None

Important Parameters

• Gathering command history and console output can give insight into user / attacker activities

•cmdscan provides information from the command history buffer

•consoles prints commands (inputs) + screen buffer (outputs)

• Plugins can identify data from active and closed sessions

Investigative Notes

Typed Commands: cmdscan & consoles

cmd

sca

n

Old School pclip

Find pcclip.exe at http://unxutils.sourceforge.net/ (or just get infected with Zeus)

Clipboard Contents: clipboard

• Extract contents of windows clipboard

Purpose

• Verbose mode (-v) shows hex view of data (necessary if binary data stored in clipboard)

Important Parameters

• Recovers clipboard data for each Windows Station (i.e. console, RDP, Fast User Switching, etc.)

• Works on both XP/2003 and Windows 7/2008 systems • In some cases, the clipboard only holds a pointer to the

“clipped” content – (i.e. the full path for a copied file)

Investigative Notes

Clipboard Contents: clipboard

Vo

lati

lity

Additional References

0 http://gleeda.blogspot.com/2011/04/volatility-14-userassist-plugin.html

0 http://gleeda.blogspot.com/2012/09/week-3-of-month-of-volatility-plugins.html

0 http://volatility-labs.blogspot.com/2013/05/movp-ii-23-creating-timelines-with.html

0 http://cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader

0 https://www.mandiant.com/blog/unibody-memory-analysis-introducing-mac-memoryze/

0 http://memoryforensics.blogspot.com/2013/06/final-week-of-month-of-volatility.html

0 http://volatility-labs.blogspot.com/2013/05/movp-ii-32-linuxandroid-memory.html

0 http://holisticinfosec.blogspot.com/2013/03/toolsmith-redline-apt1-and-you-were-all.html

0 http://media.blackhat.com/bh-us-11/Butler/

BH_US_11_ButlerMurdock_Physical_Memory_Forensics-WP.pdf

0 DFIROnline Memory Forensics with Michael Cohen :

http://www.youtube.com/watch?v=9aC7yIYwvAY

0 http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html

0 http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html

Thank You!

chad@forensicmethods.com

computer-forensics.sans.org/blog ForensicMethods.com

@chadtilbury