
  • Memory Forensics

    Kevin Larson

  • What is Computer Forensics?

    • Mobile Device Forensics
    • Network Forensics
    • Memory & Data Forensics
      • Offline: hard drives, memory snapshot analysis
      • Online: live memory techniques

  • Why do We Care about Forensics?

    • Administrative & Engineering
      • Just to know an attack or compromise occurred
      • Understand how it happened
      • Know what needs to be fixed or cleaned
      • Understand how to prevent it in the future
    • Legal
      • Proof and accountability

  • Recent Attacks on SCADA and the Power Grid

    "The discovery is a rootkit called Rootkit.TmpHider that came with a trojan that infects systems via USB drives. ... the driver files that make up the rootkit have a legitimate digital signature from ... an embedded device maker Realtek. Worse, it appears to (be) targeted at SCADA control systems." -Greg Feezel

    "A German power utility specialising in renewable energy was hit by a serious cyber-attack two weeks ago that lasted five days, knocking its internet communications systems offline, in the first confirmed digital assault against a European grid operator."

    "Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings - OASyS SCADA - a product that helps energy firms mesh older IT assets with more advanced "smart grid" technologies."-

  • Forensics in SCADA

    • Continuous operation hinders most traditional techniques
    • Embedded systems and remote locations often limit physical access to machines
    • "It is still unclear how to acquire live data on a SCADA system in a way that minimizes risk to the systems services." -Ahmed et al

  • Forensics in the cloud

    • Vast quantities of machines make manual inspection infeasible
    • Redundancy allows for flexibility in the inspection process

  • Memory & Data Forensics

    • Offline forensics
      • Hard drives
      • Memory snapshot analysis
    • Shortcomings
      • Slow
      • Misses volatile data
      • Incompatible with critical systems

  • Memory & Data Forensics

    • Online forensics: extract data from a running computer
      • Faster
      • Some data only available online
    • Shortcomings
      • Still imposes overhead
      • Quality concerns - blurriness
      • Many techniques subject to attack

  • Data Storage

    In order of increasing speed:
    • Magnetic tape and peripherals
      • Floppies, CDs, magnetic tape, etc.
    • Hard drives
      • Magnetic disks
      • Solid state
    • Memory
      • Faster
      • Volatile - loses contents if powered off
      • However, this doesn't happen immediately!

  • Memory

    Information available only in memory (DRAM in this case):
    • Encryption keys
      • Without them, data on encrypted hard drives is useless
    • Passwords
    • Malicious programs

  • Memory Remanence

    • RAM still contains data after being powered off
      • Capacitors take long enough to discharge that data can often be recovered
    • Limited lifespan, which depends on many factors
      • Temperature
      • Type of RAM
      • Manufacturer (design/construction)
    • Limitations
      • Potentially short lifespans
      • Certain hardware overwrites some/all memory

  • Memory Remanence

    There are many ways to manipulate remanence:
    • Cooling memory
      • Cheap and easy - canned air
      • Can extend lifespan by a significant factor
    • Circumvent incompatible hardware
      • Move RAM chips to other systems

  • Remanence Attacks

    • Pioneered by Halderman et al [5]
    • Thoroughly investigated remanence
      • Tested many systems/DRAM for compatibility
      • Measured lifespan in various environments
    • Found vulnerabilities
      • Extracted various keys
      • Modeled decay and reconstructed partial keys

  • Remanence Attacks

    Privilege escalation through remanence:
    • Restart machine
    • Find critical system elements
    • Jump start and enjoy full privileges

  • Forenscope

    • Built off Bootjacker - take control of machine
    • Forensics platform
      • Use privilege to investigate
      • Doesn't rely on existing system
      • Multiple forensic payloads
      • Can be interactive

  • Forenscope

    • Leverages memory remanence to build a forensics platform
    • Freshly rebooted machine
      • No persistent infections
      • Full copy of memory
    • High quality
      • Extremely low taint
      • Minimal blurriness

  • Forenscope

    • Extremely low taint
    • Conventional tools have memory footprints
      • Reside in extended memory, where most important data resides
      • Are large
        • Clobber potentially valuable information
        • Leave a trace of their own
    • Forenscope resides in conventional memory (lowest 640kb)
      • Virtually unused in modern systems
      • Still only taints a small percent

  • Image Quality Comparison

    Difference from actual memory contents

    Tool                              Conventional Memory   Extended Memory
    Forenscope                        0.125%                0%
    dd                                0%                    21.665%
    dd to FS mounted with sync flag   0%                    21.44%
    dd with O_DIRECT                  0%                    1.46%

  • System Restoration

    • Hardware systems have initialization functions
      • Re-initialize hardware
    • We have memory!
      • Restore registers from stack
      • Kernel structures accessible
        • Page tables
        • Stack

  • Forenscope

    Conventional tools often rely on potentially compromised components:
    • FU rootkit
      • Manipulates kernel structures and corrupts process lists
    • Virtualization rootkits
      • Operate outside the scope of the running system

  • Forenscope

    • Critical systems cannot afford downtime
    • Forenscope
      • Extremely fast
        • Can operate as quickly as system restarts
        • ~15 seconds on many systems
      • Customizable - invoke many different payloads
        • Copy memory
        • Rootkits
        • Interactive platform

  • Forenscope & SCADA

    SCADA poses unique challenges for which Forenscope excels:
    • Take control of systems in unknown state
    • Minimally intrusive system
    • Customizable payloads unique to tasks
    • Interactive modes can allow for interactive remote forensics

  • Forenscope & The Cloud

    The cloud poses unique challenges for Forenscope:
    • Customizable payloads unique to tasks
    • Interactive modes can allow for interactive remote forensics

  • Shortcomings

    • Forenscope provides high quality images or a platform to do forensics
    • Much effort is still manual
      • Interfaces, protocols, and abstractions have to be extracted

  • Other ways to capture memory

    • Firewire
      • Inception
      • libforensic1394
      • Forenscope-like agent
    • Virtualized environment
      • LibVMI and other introspection
      • Direct capture

  • Valgrind

    • x86 memory debugging tool
      • Virtual CPU
      • Memory instrumentation
    • Variety of different tools
      • Cachegrind/Callgrind - simulate cache and call graph
      • Helgrind/DRD - race detection for multithreaded programs
      • Massif - heap profiler

  • Cafegrind

    • Extension of the Massif tool in Valgrind
    • Collects statistics of memory usage in the heap
      • Longevity of every allocated object
      • Number of reads and writes
    • Freed memory is not necessarily lost
      • Tracks period between free and clobber

  • Cafegrind

    Type inference:

        #include <stdlib.h>
        struct ds { int f1d1; };   /* definition assumed; the slide leaves it out */
        struct ds *mydata;
        mydata = (struct ds *) malloc(sizeof(struct ds));   /* declared type of mydata tells Cafegrind the block's type */
        mydata->f1d1 = 100;

    Maintains this information for all dynamically allocated objects
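The following replay, added here as an illustration and not Cafegrind's own code, shows the statistics the two Cafegrind slides describe (object longevity, read/write counts, and the interval between free and clobber) computed over a constructed malloc/free/load/store trace modelled on the mydata snippet; the event index stands in for time, and the block's type is simply carried along as the inferred type name.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class HeapObject:
    """One heap block, tagged with the type Cafegrind infers from the debug info of the receiving pointer."""
    addr: int
    size: int
    type_name: str
    alloc_t: int
    free_t: Optional[int] = None
    clobber_t: Optional[int] = None   # first store into the block after free()
    reads: int = 0
    writes: int = 0
    def contains(self, a):
        return self.addr <= a < self.addr + self.size
    def longevity(self):
        return None if self.free_t is None else self.free_t - self.alloc_t
    def free_to_clobber(self):
        return None if self.clobber_t is None else self.clobber_t - self.free_t
def replay(trace):
    """Replay malloc/free/load/store events as the instrumentation sees them; event index = timestamp."""
    objects = []
    for t, (ev, *args) in enumerate(trace):
        if ev == "malloc":
            objects.append(HeapObject(args[0], args[1], args[2], t))
        elif ev == "free":
            next(o for o in reversed(objects) if o.free_t is None and o.addr == args[0]).free_t = t
        else:
            for o in objects:
                if not o.contains(args[0]):
                    continue
                if o.free_t is None:               # live object: ordinary access
                    o.reads += (ev == "load")
                    o.writes += (ev == "store")
                elif ev == "store" and o.clobber_t is None:
                    o.clobber_t = t                # freed bytes survived until this write
    return objects
SAMPLE_TRACE = [                             # constructed trace modelled on the mydata snippet
    ("malloc", 0x1000, 24, "struct ds"),     # t=0  mydata = malloc(sizeof(struct ds))
    ("store", 0x1000),                       # t=1  mydata->f1d1 = 100
    ("load", 0x1000), ("load", 0x1008),      # t=2,3
    ("free", 0x1000),                        # t=4  block freed, contents still in memory
    ("malloc", 0x2000, 64, "char[64]"), ("store", 0x2000),   # t=5,6  unrelated object
    ("malloc", 0x1000, 16, "int[4]"),        # t=7  allocator reuses the freed chunk
    ("store", 0x1008),                       # t=8  old struct ds clobbered 4 ticks after free
]
def report(trace=SAMPLE_TRACE):
    """(type, longevity, reads, writes, free-to-clobber) per object, as Cafegrind collects them."""
    return [(o.type_name, o.longevity(), o.reads, o.writes, o.free_to_clobber()) for o in replay(trace)]
```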

  • Requirements

    • Requires programs and libraries to be C/C++ and compiled with -g and -O0
    • Lots of RAM and/or swap space
      • Used 40GB SSD for swap
    • Hard disk space
      • Generates data on the order of GB per minute of

  • Coverage

    Percent of loads/stores inferred

    Application   Store Coverage   Load Coverage   Overall
    Firefox       70.48%           88.11%          83.51%
    KWrite        85.8%            94.27%          92.66%
    Links         99.09%           99.99%          99.6%
    Tor           85.95%           96.43%          95.02%

  • Example

    Cafegrind and Konqueror web browser

  • Volatility

    • The Volatility Framework is an open collection of tools
    • Used for the extraction of digital artifacts from volatile memory samples
    • Support for samples from Windows, Linux, and Mac OS X systems
      • Profiles for a wide variety of versions
      • Functionality to create profiles for any Linux system

  • Volatility Capabilities

    • General info (date, time, CPU count)
    • Running processes
      • IDs
      • Memory mappings
    • Network sockets and connections
    • File handles
    • Kernel modules and objects (keys, mutexes, etc.)
    • Virtual and physical mappings

  • Beyond Volatility

    • Volatility can provide basic process info
      • Process IDs
      • Memory offsets to the stack and heap
      • Misc other metadata
    • Cafegrind proved there was a wealth of information in the heap!

  • Exploring the Heap

    • Leveraged virtual machine environment to provide memory images
    • We no longer have debug symbols
    • What is left?

  • Pointers

    • Typically pretty easy to identify
    • Point to all sorts of things
      • Data
      • Functions
      • Other pointers
      • Structs (a combination of the above)

  • A Quick Look at Initd

    • Initd application
      • First process started by kernel
      • Everything else is a child of initd
      • Handles orphaned processes

  • Some of the numbers

    Used Volatility to extract all pages identified for the heap of initd:
    • 85 pages (348kb)
    • 21643 pointers (173kb, or 49.7%)
      • 17852 pointers have cycles
      • 1622 point to invalid pages or are not aligned
      • 3549 are involved in longer chains of pointers
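A small scanner, added here as an example and not part of the talk, that reproduces this kind of breakdown on a constructed heap image: every aligned 8-byte word whose value falls inside the heap's address span is treated as a pointer candidate, and each candidate is then placed in exactly one bucket (invalid or unaligned target, part of a cycle, part of a longer chain, or a simple one-hop pointer). The 4 KB page size, 64-bit pointer width, and the exclusive bucket definitions are assumptions, not the talk's own method.

```python
import struct
from collections import Counter
PAGE = 4096  # page size assumed for the survey (85 pages = 348 KB)
WORD = 8     # 64-bit pointers assumed (21643 pointers = 173 KB)
def build_sample_heap():
    """Constructed heap image: three 4 KB pages keyed by virtual address; 0x3000 is unmapped."""
    pages = {0x1000: bytearray(PAGE), 0x2000: bytearray(PAGE), 0x4000: bytearray(PAGE)}
    def put(addr, value):
        struct.pack_into("<Q", pages[addr & ~(PAGE - 1)], addr % PAGE, value)
    put(0x1000, 0x2000); put(0x2000, 0x4010); put(0x4010, 0x1000)      # three-slot cycle
    put(0x1008, 0x2100); put(0x2100, 0x2200); put(0x2200, 0x41414141)  # chain ending in data
    put(0x1010, 0x2003); put(0x1018, 0x3010)   # unaligned target; target in a page not in the image
    put(0x1020, 0x1020); put(0x4000, 0x4008)   # self-loop; ordinary pointer to a zeroed data word
    return pages
def valid_target(pages, addr):
    """A usable target is word-aligned and lands in a page we actually have."""
    return addr % WORD == 0 and (addr & ~(PAGE - 1)) in pages
def scan_pointers(pages):
    """Slot address -> value for every aligned word whose value lies in the heap's address span."""
    lo, hi = min(pages), max(pages) + PAGE
    ptrs = {}
    for base, data in pages.items():
        for off in range(0, PAGE, WORD):
            v = struct.unpack_from("<Q", data, off)[0]
            if lo <= v < hi:
                ptrs[base + off] = v
    return ptrs
def chain_from(pages, ptrs, slot):
    """Follow pointers from slot through valid targets; return (slots visited, cycle hit?)."""
    seen, cur = [], slot
    while cur in ptrs:
        if cur in seen:
            return len(seen), True
        seen.append(cur)
        if not valid_target(pages, ptrs[cur]):
            break
        cur = ptrs[cur]
    return len(seen), False
def bucket(pages, ptrs, slot):
    """Each pointer lands in one bucket, mirroring the initd breakdown in the slide above."""
    if not valid_target(pages, ptrs[slot]):
        return "bad_target"
    length, cyclic = chain_from(pages, ptrs, slot)
    return "cyclic" if cyclic else "chained" if length > 1 else "simple"
def summarize(pages):
    ptrs = scan_pointers(pages)
    stats = {"pages": len(pages), "pointers": len(ptrs), "pointer_bytes": len(ptrs) * WORD}
    stats.update(Counter(bucket(pages, ptrs, s) for s in ptrs))
    return stats
```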

  • Initd Visualization

  • Rsyslogd Visualization

  • Questions