Memory Forensics With Volatility

  • View

  • Download

Embed Size (px)


A presentation which was given at the Digital Forensics and Research Workshop 2012 in D.C.

Text of Memory Forensics With Volatility

Memory Forensics With VolatilityMichael CohenSoftware Engineer - Google Inc.

AcknowledgementsMany great researchers in the memory forensics field (and Volatility Contributors): Aaron Walters. Brendan Dolan-Gavitt. Andreas Schuster. Michael Hale Ligh. Andrew Case. Jamie Levy. Mike Auty. ... and many others!

ReferencesMalware Analyst's Cookbook Michael Hale Ligh, Steven Adair, Blake Hartstein, Matthew Richard

Module 1 - Introduction Why memory forensics? What can Volatility do for me? Symbols and debugging information. How does Volatility support multiple operating systems and versions.

Memory imaging Linux. Windows.

Memory Forensics - Why? Live response. Can quickly triage a system.

Capture of memory freezes system state. As memory is volatile we can minimize interference with memory. Analysis does not use the system APIs.

Memory analysis technology evolves with time. We used to only have grep :-) NIST reference image: xp-laptop-2005-06-25.img: Registry dump Passwords Screenshots

The Volatility Memory Forensics Framework. Current release on google code: Supports 64 bit windows up to windows 7.

Volatility technology preview (TP): Major refactoring/code rewriting - lots of new features. Ease of use as a library. Interface uses IPython - interactive console. Memory acquisition drivers included.

We will be using both but mainly Volatility TP. Check with the volatility site for an upcoming release.

A short Volatility Demo

Types and debugging Information. Operating systems are generally written in Ctypedef unsigned char uchar; enum { It is generally not possible to predict the memory layout of a C struct without knowing OPT1, external factors: Alignment OPT2 Endianess Bit size } options; Compiler Optimizations etc

struct foobar { enum options flags; short int bar; uchar *foo; }

Unless packed structs.

Types and debugging Information DWARF.$ readelf --debug-dump=info module.ko: Abbrev Number: 28 (DW_TAG_structure_type) DW_AT_name DW_AT_byte_size DW_AT_decl_file DW_AT_decl_line DW_AT_sibling DW_AT_name DW_AT_decl_file DW_AT_decl_line DW_AT_type : (indirect string, offset: 0x7d7e): task_struct : 5864 : 17 : 7 : : (indirect string, offset: 0x254): state : 18 : 1221 : (DW_OP_plus_uconst: 0)

: Abbrev Number: 32 (DW_TAG_member)

DW_AT_data_member_location: 2 byte block: 23 0 DW_AT_name DW_AT_decl_file DW_AT_decl_line DW_AT_type

: Abbrev Number: 32 (DW_TAG_member) : (indirect string, offset: 0xb200): stack : 18 : 1222 : (DW_OP_plus_uconst: 8)

DW_AT_data_member_location: 2 byte block: 23 8

Types and debugging Information PDB.

Types and debugging Information The Volatility Type system - Profiles. A compilation unit is a self consistent unit of compiledcode which uses the same memory layout for structs. For example, a .obj file or a dll. It is important to note that the same struct may have different layout in different dlls. For example: 32 bit processes running on a 64bit operating system have different definitions for integers. Microsoft exports _EPROCESS in the kernel and in userspace but these are different. VTypes is a special language for specifying memory layout of structs and other objects using python data structures.

User Space/Kernel Space

Types and debugging Information The Volatility Type system - Profiles.Struct Name'_EPROCESS' : [ 0x4d0, {

Struct Size Member Offset Member Type

'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x168, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x170, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x178, ['_EX_RUNDOWN_REF']],

'UniqueProcessId' : [ 0x180, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x188, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0x198, ['array', 2, ['unsigned 'CommitCharge' : [ 0x1b8, ['unsigned long long']],

'ProcessQuotaPeak' : [ 0x1a8, ['array', 2, ['unsigned long long']]], 'QuotaBlock' : [ 0x1c0, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0x1c8, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0x1d0, ['unsigned long long']], 'VirtualSize' : [ 0x1d8, ['unsigned long long']], 'SessionProcessLinks' : [ 0x1e0, ['_LIST_ENTRY']], 'DebugPort' : [ 0x1f0, ['pointer64', ['void']]], .....

Special support for array and pointers long long']]], (legacy).

Types and debugging Information The Volatility Type system - Profiles. VTypes are autogenerated from debugging symbols: Linux: a special module is compiled with debugging symbols and the DWARF information is extracted. Uses pyelftools or dwarfdump. Windows: the pdb files are downloaded from the microsoft symbol server and parsed. Uses pdbdump by Brendan Dolan-Gavit.

VTypes are not enough though! Debug information fails to convey semantic meaning. PDB files may be incomplete or not exist - then we need to reverse engineer the struct members.

Types and debugging Information The Volatility Type system - Profiles. The volatility object system is built on the vtypesdefinition language to present an object oriented, automatic parsing system. Everything is an object extending obj.BaseObject() Definitions are layered: Object classes Overlays VType definition.

Types and debugging Information The Volatility Type system - Profiles. An Overlay is a partial vtype structure with "holes"signified by None which overlays on top of the original VType definition. This is used to "correct" the original vtype, while allowing some aspect of the previous definitions to come through.'_EPROCESS' : [ 0x4d0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x168, '_LARGE_INTEGER']], 'ExitTime' : [ 0x170, ['_LARGE_INTEGER']], ..... }], '_EPROCESS' : [ None, { 'CreateTime' : [ None, ['WinTimeStamp', {}]]], 'ExitTime' : [ None, ['WinTimeStamp', {}]], ..... }],



Types and debugging Information The Volatility Type system - Profiles. The overlay can apply to wide range of operatingsystem versions The exact offsets are controlled by the debugging symbols, but the semantic meaning is given by the overlay.'_EPROCESS' : [ 0x4d0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x168, '_LARGE_INTEGER']], 'ExitTime' : [ 0x170, ['_LARGE_INTEGER']], ..... }], '_EPROCESS' : [ None, { 'CreateTime' : [ None, ['WinTimeStamp', {}]]], 'ExitTime' : [ None, ['WinTimeStamp', {}]], ..... }],



Types and debugging Information The Volatility Type system - Profiles. Behaviors can be attached to objects via definingspecialized classes. The VType system instantiates a named class with the given arguments when a struct member is dereferenced. The class instance can provide extra methods.'_EPROCESS' : [ 0x4d0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x168, '_LARGE_INTEGER']], 'ExitTime' : [ 0x170, ['_LARGE_INTEGER']], ..... }], '_EPROCESS' : [ None, { 'CreateTime' : [ None, ['WinTimeStamp', {}]]], 'ExitTime' : [ None, ['WinTimeStamp', {}]], ..... }],



Types and debugging Information The Volatility Type system - Profiles.This is an object representing the _EPROCESS struct. In [1]: task = session.profile._EPROCESS(0xFA8000ACAB30) Out[1]: [_EPROCESS _EPROCESS] @ 0xFA8000ACAB30 There is a CreateTime member which is an instance of the WinTimeStamp class. In [2]: type(task.CreateTime) Out[2]: volatility.plugins.overlays.basic.WinTimeStamp The WinTimeStamp class knows how to print itself nicely. In [3]: print task.CreateTime 2012-02-22 11:28:59 The WinTimeStamp class offers more functionality related to timestamp conversions. In [4]: print task.CreateTime.as_windows_timestamp() 129743837397084000

Types and debugging Information The Volatility Type system - Profiles. A Profile is an internally consistent collection of vtypesand definitions. Strictly a profile represents a single compilation unit. Volatility 2.0 has one global profile Can not represent multiple, contradictory compilation units (e.g. 32bit process on 64bit OS).

Volatility TP has domain specific profiles. A profile therefore represents an internal implementation of a specialized parser. For example the registry parser consists of vtypes, overlays and classes together forming an API for handling the windows registry.

Supporting multiple operating system versions. For windows we have pre-computed profiles from different versions of ntoskrnl.exe. Must specify the correct profile to use using the session.profile variable. (or --profile command line).

For linux we must generate vtypes to specific kernel version we are analysing. This is because the struct layouts vary depending on kernel configuration. (There are #ifdefs in the middle of the structs). We generate a profile_file which is a zip containing: A special module.ko built with symbols.

Memory Imaging.Take a permanent copy of physical memory: Lots of techniques to do this: Hardware based Firewire. Cold Boot attack. Tribble Software base Hibernation Crash dumps Inserting a special driver. Debugger APIs.

Hibernation When a system hibernates it copies its memory state to disk. Volatility can analyse this image. Pros Easy to obtain image. No prior preparation needed. Cons Prior to hibernation, an ACPI pnp event is transmitted to all drivers: Network sockets are removed. Malware may cleanup.

Windows only copies in use pages to the hibernation file.

Crashdump - Windows BSOD. A crashdump is a standard mechanism for windows debugging. Pros: The system s