Memory forensics

  • View

  • Download

Embed Size (px)

Text of Memory forensics

PowerPoint Presentation

Memory ForensicsThe TheoryForensicsForensicscience is the scientific method of gathering and examining information about the past.Computer ForensicsIs to examine digital media in a forensically sound manner with the aim of IdentifyingPreserving RecoveringAnalyzing And presenting Facts and Opinions about the digital informationAnalysis ProcessPreparationAcquisitionIdentificationExtractionAnalysisReporting

Analysis TypesAnalysis TypesRelevent 6Forensic TechniquesCross-drive AnalysisLive AnalysisFile RecoveryStochastic Analysis Stegnograpy

SourcesPhysical DisksPacket CaptureSwap/PagefileHibernation FileFirmwareVolatile Memory

SourcesPhysical DisksPacket CaptureSwap/PagefileHibernation FileFirmwareVolatile MemoryInterested in9MemoryStorageVolatileTemporary DataFast Access


Memory AcquisitionAcquisition of Volatile Memory Contents (RAM) bit-by-bit to a Non-Volatile Storage (Image File).Hardware Based ToolsWindowsSCOPE CaptureGUARD PCIeGoldfish (Firewire/ Mac)Software Based ToolsMemoryzeKntDDFTKImagerLiMEOSXPMem Requires Kernel Mode/Physical AccessReal(Physical) MemoryActual RAM HardwareSharedDevicesKernelDriversProcessesSystem wide address spaceDefined by H/W capabilityManaged by OS Memory ManagerVirtual Memory An abstraction of Real Memory Per-process Isolation Shared if required Shared by processCodeData Per-process address spaceUser ModeKernel ModeManaged by ProcessVirtual Real MappingConversion of Virtual Address to Read AddressRAMSwap/PagefilePage : Fixed size allocation unitVirtual MemoryReal MemoryPage TableA table to convert virtual page to real pagePage DirectoryA list of page tablesLevel2 Pages

32bit Address Space

Forensic Tools0th GenerationBefore 2004stringsgrep1st Generation2004-2005Tools for structured analysisParsing OS structuresCrash dump analysisForensic Tools2nd Generation2005-2010Generic, automated toolsMultiple OS supportVolatalityRekall3rd Generation2010 & LaterEmphasis on VisualizationCloud/VM basedMoonSols LiveCloudKdMicrosoft LiveKdVolatilityA advanced memory forensics framework.Written in python.Follows modular plug-in architecture.Supports many systems and architectures.Open source.Current release 2.4.1Community plugins to automate volatility. Dump formatsAlso known as AddressSpaces in volatilityDefine organization of memory content from H/W perspectiveVirtual Real MappingLocation of PDESupportedintel (x86)amd64(x64)Crashbmp (Window Kernel Crash Dump)elfcoredump(Linux Core Dump)MachO (Mac OSX)vmem (VMWare/Vbox)

ProfilesOrganization/Location of memory content from Operating System perspective.Locations of important ObjectsKDBG_KPROCESS_EPROCESSPTESSDTIDT

KDBGKernel Debugger Block (Windows)Setup at system startup to support kernel level debugging.Contains pointers toPsActiveProcessHead All ProcessesPsLoadedModuleList All DriversHelps in identifying physical address of ntoskrnl.exe

DEMO : pslist, modules, kdbgscan_EPROCESSExecutive Process StructureLinks toPEB (User Mode Structure)_KPROCESS (Kernel Mode Structure)KDBG->PsActiveProcessHead points to a list (LIST_ENTRY) of _EPROCESS structurespslist traversed this list to discover all processes.DEMO: pslist22PEBProcess Environment BlockUser mode part of _EPROCESSExclusive process access.Pointers forLdrInInitializationOrderModuleListInLoadOrderModuleListInMemoryOrderModuleList

DEMO: dlllist p traversed these lists to discover loaded modules.HookingUser ModeIAT Inline EventVirtual MethodKernel ModeIATSSDTIRPSSDTSystem Service Dispatcher TableHandling System CallsSysemCallA request to kernel for executing privileged code.EAX System Call NumberSSDT Pointers to System Call handler routinesSystemCall Index in the tableMalware hooks(Overwrites) handler to hide itself.FilesRegistry Keys _KTHREAD/_ETHREAD points to SSTDEMO: ssdt, theads KeServiceDescriptorTableKeServiceDescriptorTableShadow

25IDTInterrupt Descriptor TableList of interrupt handlersInterrupt number indexUser Callable interruptsInt3Int4Malwares hook(overwrite) to handle interrupts themselvesIntercept debugger breakpointsDEMO: idtAnti ForensicsUnlinking PEB->Ldr.* listsHide selected DLL from Loaded Modules List.ldrmodules indicates dlls missing from lists Unlinking _EPROCESS listUnlink _EPROCESS to hide selected process from taskmanager.Defeated by correlating from Active Threads list.Unlinking PsLoadedModuleListCan hide Drivers from showing up in listDEMO: ldrmodules, psxview27ChallengesMalwares running is kernel mode can interfere with dumping processOmit selected pagesOmit selected structuresCorrupt outputFootprints of dumping process.Unavailability of Swap/Pagefile.THATSITFORNOW