EMPOWERING INVESTIGATORS VOLATILE SYSTEMS Upping the ‘Anti’: Using Memory Analysis to Fight Malware SANS Incident Response and Forensics Summit October 13, 2008 AAron Walters

Page 1

EMPOWERING INVESTIGATORS

VOLATILE SYSTEMS

Upping the ‘Anti’:

Using Memory Analysis to Fight Malware

SANS Incident Response and Forensics Summit

October 13, 2008

AAron Walters

Page 2

About Volatile Systems

• We provide the solutions and knowledge to address volatile memory analysis needs:
  – Software customizations, integrity assessments, incident response, malware analysis, training

• Proven technology
  – 5 yrs of published university research
  – Technology licensed (commercial, government, etc.)
  – Volatility (contributors: experts/organizations)
  – LEO/investigators worldwide

• Field-experienced analysts
  – Focused on volatile memory analysis (5 yrs)
  – Universities, government, military, LE, commercial
  – Thousands of memory images/malware

Page 3

State of Malware

• Volume of new malware increasing (2007)
  – Symantec: 2/3 of malware (711,912)
  – F-Secure: 1/2 of malware (20 yrs)

• A/V detection ineffective (Bailey, 2007)
  – 6 weeks' worth of malware / 5 A/V vendors
  – 1 month later → 56% detected
  – ~6 months later → 66% detected

[Chart: Malware Detected by Year (Source: Security Fix); x-axis 1985–2007, y-axis 0 to 6,000,000]

Page 4

Malware Trends

• Targeted attacks
  – Financially/politically motivated
  – Zero-day vulnerabilities (documents)

• Proliferation of stealth technology (memory)
  – Kernel rootkits (Storm)
  – Code injection (DLLs, etc.)

• Commercialization of malware
  – Quality assurance
  – Performance guarantees

• Evolving malware
  – Refining methods → successes/failures
  – Tactics escalation

• Upping the “Anti”
  – Anti-detection, anti-debugging, anti-forensics

Page 5

Incidents: Defense Industry

• Attacks
  – Government contractors
  – Upper management
  – Sophisticated spear phishing

• Agent
  – Undetected (AV/anti-rootkit)
  – Quickly evolving variants (weeks)
  – Small system footprint

• Command and control
  – Messages: steganography/encoded
  – Channel: protocols/ports/servers

• Lay dormant ......

Page 6

Incidents: Financial Industry

• Attacks
  – Targeting online money
  – Bank accounts, online payment, CCNs
  – Multi-platform (Windows, Linux)

• Clients
  – Undetected (AV/anti-rootkits)
  – Stealth technology (e.g. rootkits, packers)
  – Exfiltrating data
    • Usernames, passwords, etc. (browser)
    • Process memory (e.g. Canvas)

• Servers
  – Hijacking servers
  – User-mode rootkits (e.g. code injection)
  – Hiding artifacts in memory

Page 7

Now what?

• Detection is just the beginning!

• Actionable data

  – Identify other systems involved (triage)
  – Determine how they gained entry
  – Elucidate intent
  – Evaluate capabilities
  – Assess damage
  – Quantify current state / measure improvement

• Across the enterprise!

Page 8

Opaque Enterprise

• Opaque components of information infrastructure
  – What is running? (patches, malware, etc.)

Page 9

Consistent Picture

Page 10

Digital Crime Scene

Page 11

Runtime State

• Order of Volatility (RFC 3227)
  – Data life expectancy

• Volatile state/active objects
  – Ceases to exist when power is removed
  – Valuable data (context)
  – Volatile media “trusted” (passwords, keys, malware)

• Goals (Carrier, 2003):
  – Minimize obtrusiveness
  – Minimize trust
  – Understand effects

Page 12

Live Response

• Quickly collect information from a live machine

• Response toolkits & agents
  – Antivirus/rootkit detectors
  – SysAdmin tools (WFT, COFEE) / APIs (Guidance)

• Limitations
  – Depends on the OS (trust, information)
  – Obtrusive (substantial and complex: >30% (Walters, 2007))
  – Unverifiable (3rd party)
  – Unable to clarify or expand (pigeonholed)
  – Best evidence? (relative)

Page 13

Volatile Memory Analysis

• Entire contents of physical memory (RAM)
  – Direct analysis of raw bit “image”
  – Artifact persistence/unallocated memory (Chow, 2005)

• Advantages:
  – Analysis does not depend on the OS (trust)
  – Reduces and simplifies obtrusiveness (acquisition)
  – Removes the active adversary (freeze state)
  – Verifiable (3rd party: data and tools)
  – Unconstrained analysis (raw data)

• Challenges
  – Acquisition/temporal proximity

Page 14

In the beginning…..

• Old school memory analysis
  – dd, crash dumps, kcores, swap
  – Printable character sequences
  – strings, less, grep, hexedit, text editor

• Investigative leads
  – Passwords, email addresses, IP addresses, commands, domain names, file names, URLs

• Large quantity of data
  – 2GB memory → 818MB

• Context-free data
  – Spatial proximity (paging, unallocated, etc.)
  – A raw strings hit vs. the same hit mapped to its owning process and virtual address:
    259621376:Netcat network data redirector.
    259621376 [2936:412200 ] Netcat network data redirector.
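The two Netcat lines above show the jump from a raw strings hit to the same hit attributed to a process and a virtual address. The following added example (not Volatility's strings module, and not code from the slides) shows how that mapping is done: invert per-process page tables into a physical-to-virtual index, then carry the in-page offset across unchanged. The page mappings, pids and strings lines are constructed for the demonstration; only the first output line reproduces the slide's values.

```python
"""Map physical offsets from `strings` output back to the processes that own
them. Added example, not Volatility's strings module; the page mappings and
strings lines below are constructed for illustration."""

PAGE_SHIFT = 12
PAGE_MASK = (1 << PAGE_SHIFT) - 1

# Constructed per-process page mappings: pid -> {virtual page: physical page}.
# In a real image these come from walking each process's page tables; pid 0
# stands in for the kernel mapping here.
PROCESS_PAGE_TABLES = {
    2936: {0x00412000: 0x0F798000, 0x7C901000: 0x01A3F000},
    1612: {0x7C901000: 0x01A3F000},   # same physical page: a shared DLL page
    0:    {0x80400000: 0x00400000},   # kernel mapping
}

# Constructed `strings -t d` style output: decimal physical offset, colon, text.
STRINGS_OUTPUT = [
    "259621376:Netcat network data redirector.",
    "27521312:ntdll.dll",
    "4096:leftover in an unmapped page",
]


def build_reverse_map(tables):
    """Invert the per-process tables into physical page -> [(pid, virtual page)]."""
    reverse = {}
    for pid, pages in tables.items():
        for vpage, ppage in pages.items():
            reverse.setdefault(ppage, []).append((pid, vpage))
    return reverse


def resolve_physical(offset, reverse):
    """Every (pid, virtual address) at which the physical offset is mapped.

    Mapping is page-granular, so the low 12 bits of the physical offset are
    the same low 12 bits of the virtual address.
    """
    ppage, delta = offset & ~PAGE_MASK, offset & PAGE_MASK
    return [(pid, vpage | delta) for pid, vpage in reverse.get(ppage, [])]


def annotate_strings(lines, tables):
    """Rewrite each strings line as 'offset [pid:vaddr ...] text'."""
    reverse = build_reverse_map(tables)
    annotated = []
    for line in lines:
        offset, _, text = line.partition(":")
        owners = resolve_physical(int(offset), reverse)
        if owners:
            tags = " ".join(f"{pid}:{vaddr:x}" for pid, vaddr in owners)
            annotated.append(f"{offset} [{tags} ] {text}")
        else:
            # No process (or kernel) mapping covers this page in the tables
            annotated.append(f"{offset} [FREE MEMORY] {text}")
    return annotated


if __name__ == "__main__":
    for line in annotate_strings(STRINGS_OUTPUT, PROCESS_PAGE_TABLES):
        print(line)
```

A page shared between processes (the ntdll page here) is reported once per owner, which is why strings-to-process output can list several pid:vaddr pairs for one hit; a hit in a page no table covers is the "unallocated memory" case the slide mentions.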

Page 15

Memory Analysis Types

[Diagram: Memory Analysis Types (Physical Memory Analysis, Virtual Memory Analysis, Application Analysis) mapped against the Physical Address Space, Kernel Address Space, Application/User Address Space, Swap and Context]

Page 16

VOLATILITY

Page 17

Volatility

• Volatile memory forensics framework
  – Completely open source (Python)
  – Cross-platform analysis: Windows, Linux
  – No MS DLLs! (Windows, Linux, OS X, etc.)
  – 32-bit XP SP2/SP3* (PAE/NOPAE)
  – Extendable to other hardware/operating systems

• Command-line tools

• Places you can find Volatility
  – PyFlag, DFlabs PTK, VolShell, PlainSight, SIFT, Helix

• Powerful modular architecture!
  – Practitioners, trainers, researchers

Page 18

Community: Order of Volatility

• Code contributors:
  – Michael Cohen
  – David Collett
  – Brendan Dolan-Gavitt
  – Blake Matheny
  – Andreas Schuster

• Research collaborators:
  – Jide Abu
  – Jose Nazario
  – Doug White
  – Matthieu Suiche

• Testing/bugs:
  – Joseph Ayo Akinyele
  – Tommaso Assandri
  – Harlan Carvey
  – Eoghan Casey
  – Jim Clausing
  – Jon Evans
  – Robert Guess
  – Jesse Kornblum
  – Jamie Levy
  – Eugene Libster
  – Erik Ligda
  – Tony Martin
  – Golden G. Richard III
  – Sam F. Stover

Credits

Page 19

Volatility

• Types of information (live response)
  – Running processes
  – Strings to process mappings
  – Open network connections
  – Process to files (DLLs)
  – Process to port mappings
  – System time

• Techniques
  – Data structure traversal (list walking, table crawling, tree climbing)
  – Fixed offsets (symbols)
  – Linear scanning
  – Object-oriented scanning framework (Schuster, Cohen)
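List walking and linear scanning give two independent views of the same image, and comparing them is how a process that has been unlinked from the active list is caught. This added example (not Volatility's pslist/psscan, and not code from the slides) builds a small synthetic image with a constructed 32-byte process-block layout, hides one block by relinking its neighbours around it, and then reports what the scan finds that the walk does not. The block layout, the "Proc" tag, the offsets and the process names are all assumptions made for the demonstration.

```python
"""Cross-view process detection on a synthetic memory image: walk the active
process list, then linearly scan for process blocks, and report blocks the
list no longer reaches. Added example, not Volatility's pslist/psscan; the
32-byte block layout and the image contents are constructed."""
import struct

BLOCK_FMT = "<4sIII16s"                    # tag, pid, flink, blink, name
BLOCK_SIZE = struct.calcsize(BLOCK_FMT)   # 32 bytes
TAG = b"Proc"                             # constructed pool-tag analogue


def pack_block(pid, name, flink, blink):
    return struct.pack(BLOCK_FMT, TAG, pid, flink, blink,
                       name.encode().ljust(16, b"\0"))


def unpack_block(image, off):
    tag, pid, flink, blink, name = struct.unpack_from(BLOCK_FMT, image, off)
    return {"offset": off, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode(errors="replace")}


def build_image():
    """A 4 KiB image holding four linked process blocks, then hide one."""
    image = bytearray(0x1000)
    procs = [(0x100, 4, "System"), (0x200, 1234, "explorer.exe"),
             (0x300, 880, "svchost.exe"), (0x400, 6660, "evil.exe")]
    n = len(procs)
    for i, (off, pid, name) in enumerate(procs):
        flink, blink = procs[(i + 1) % n][0], procs[(i - 1) % n][0]
        image[off:off + BLOCK_SIZE] = pack_block(pid, name, flink, blink)
    # DKOM-style hiding: the neighbours are relinked around evil.exe, but its
    # block stays in memory with its own pointers intact.
    struct.pack_into("<I", image, 0x300 + 8, 0x100)    # svchost.flink -> System
    struct.pack_into("<I", image, 0x100 + 12, 0x300)   # System.blink -> svchost
    # A stale block whose pointers cannot land inside the image: a scanner
    # needs sanity checks or it reports junk like this as a process.
    image[0x800:0x800 + BLOCK_SIZE] = pack_block(999, "old.exe", 0xDEADBEEF, 0xDEADBEEF)
    return image, 0x100                                 # image, list head


def walk_list(image, head):
    """Follow flink pointers from the head until the list wraps or breaks."""
    found, off = {}, head
    while off not in found and off + BLOCK_SIZE <= len(image):
        blk = unpack_block(image, off)
        found[off] = blk
        off = blk["flink"]
    return list(found.values())


def scan_blocks(image):
    """Linear scan for the tag on 4-byte alignment, keeping plausible blocks."""
    limit = len(image) - BLOCK_SIZE
    hits = []
    for off in range(0, limit + 1, 4):
        if image[off:off + 4] != TAG:
            continue
        blk = unpack_block(image, off)
        # Constraint: list pointers must point at something inside the image
        if not blk["name"] or not all(0 <= p <= limit for p in (blk["flink"], blk["blink"])):
            continue
        hits.append(blk)
    return hits


def hidden_processes(image, head):
    """Blocks the scanner finds that the list walk never reaches."""
    listed = {b["offset"] for b in walk_list(image, head)}
    return [b for b in scan_blocks(image) if b["offset"] not in listed]


if __name__ == "__main__":
    img, head = build_image()
    print("list walk:", [(b["pid"], b["name"]) for b in walk_list(img, head)])
    print("scan:     ", [(b["pid"], b["name"]) for b in scan_blocks(img)])
    print("hidden:   ", [(b["pid"], b["name"]) for b in hidden_processes(img, head)])
```

The walk depends on the pointers the adversary controls; the scan depends only on the block's own signature and the sanity constraints applied to it. That is why the scanner's constraints matter as much as its signature: loosen them and stale or fabricated blocks show up as processes, tighten them and a real block that fails one check disappears from the cross-view comparison.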

Page 20

Volatility 1.3: Highlights

• Data view modules (> 13 new modules!)
  – raw2dmp
  – regobjkeys
  – procdump

• Dynamic plugin support
  – VolShell (Dolan-Gavitt)
  – ssdt (Dolan-Gavitt), getsids (Dolan-Gavitt)
  – 11 Linux modules

• Address spaces
  – PrivacyPreservingAddressSpace (experimental): only stores necessary data
  – WindowsCrashDumpSpace32 (Schuster): Microsoft’s crash dump format (full dumps)
  – HiberfilSpace32 (Suiche, Dolan-Gavitt)

Page 21

Volatility 1.3: Hibernation File

• Microsoft’s hibernation file format (hiberfil.sys)
  – SandMan project (Matthieu Suiche): http://sandman.msuiche.net
  – Microsoft Interoperability Initiative: [MS-DRSR] DecompressWin2k3()

• Compressed chunks of physical memory (Xpress)
  – xpress.py (Dolan-Gavitt)
  – Maps physical address to decompressed offset

• Limitations

[Diagram: address spaces involved: PrivacyAddrSpaceStore, HiberfilSpace32, IA32PagedMemoryPae, FileAddressSpace]

Page 22

Integrating Memory

• DFRWS 2008 Forensics Challenge
  – Evidence fusion: memory, hard disk, network
  – PyFlag/Volatility (Cohen, Collett, Walters)

• Role of memory forensics
  – Carving memory image: exfiltration script
  – Encryption keys: SSL decryption
  – Volatile targeting: network traffic/open files
  – Attribution: user activity (strings)
  – Temporal information: time zone/timestamps

Page 23

Temporal Reconstruction

• It’s about time…… (timeline)

• "the most potentially valuable forensic tool in your digital detective toolkit" (Farmer, 2000)

• Temporal relationships between artifacts
  – Volatile time: absolute vs. relative
  – Temporally link disparate events

• Visualization
  – Presentation
  – Instantaneous events, duration events
  – Knowledge discovery

Page 24

Temporal Reconstruction

Page 25

Component Age Diagrams

• Visualize anomalies in component timestamps (Vostokov, 2008)

[Chart: component age diagram; x-axis Modules, y-axis Date from 12/6/1999 to 2/22/2008]

Page 26

Integrity Matters

• Evaluate the runtime state of a machine (audit)
  – Trusted, suspicious, compromised

• Deriving trust (Petroni, 2008)
  – Immutability (roots of trust)
  – Kernel/user text (executable instructions)
  – Control flow integrity
  – Static function tables (IDT, SSDT, IAT, etc.)
  – Dynamic data structures (heap, stack, etc.)

• Semantic integrity
  – Semantic relationships in dynamic data
  – Policy enforcement (ports, registry, exe versions, etc.)

• Statistics/clustering
  – Measured integrity
  – Cluster machines

Page 27

Deriving Trust: Stack

[Diagram: stack walk of a process; stack region 0x22c000–0x230000 with sp marked, frame addresses 0x22c6e4, 0x22c83c, 0x22c844, 0x22ca1c, pointers 0xb0618a and 0xb00000, module bases 0xb00000 and 0x10000000, modules ext783937.dll and metsrv.dll]
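One concrete form of the control-flow checks listed under Integrity Matters, and of the stack walk sketched above, is to ask whether each function-table entry and each return address on the stack falls inside a file-backed module the analyst trusts. This added example (not from the slides and not Volatility code) does that over a constructed module map, import table and stack; all addresses, module names, the unbacked region and the "IAT"/"frame" labels are assumptions made for the demonstration.

```python
"""Check control-flow pointers recovered from memory (function-table entries,
stack return addresses) against the map of loaded modules. Added example, not
from the slides; the module map, table and stack values are constructed."""
from bisect import bisect_right

# Constructed module map: (base, size, name, file_backed).
MODULES = [
    (0x00400000, 0x00020000, "victim.exe", True),
    (0x7C900000, 0x000B0000, "ntdll.dll", True),
    (0x7C800000, 0x000F6000, "kernel32.dll", True),
    (0x00B00000, 0x00030000, "<unbacked RWX region>", False),
]
TRUSTED = {"victim.exe", "ntdll.dll", "kernel32.dll"}

# Constructed IAT entries and stack return addresses for the victim process.
IAT = [("CreateFileA", 0x7C801A28), ("ReadFile", 0x7C801812),
       ("InternetConnectA", 0x00B0618A)]
STACK_RETURNS = [0x7C90E4F4, 0x00401234, 0x00B0618A, 0x7C80B713]


def build_index(modules):
    """Sort modules by base so each lookup is a bisect, not a linear scan."""
    mods = sorted(modules)
    return [m[0] for m in mods], mods


def module_for(addr, index):
    """The module whose [base, base+size) range contains addr, or None."""
    bases, mods = index
    i = bisect_right(bases, addr) - 1
    if i >= 0 and addr < mods[i][0] + mods[i][1]:
        return mods[i]
    return None


def check_pointers(label, pointers, index, trusted):
    """Findings for pointers outside file-backed, trusted modules."""
    findings = []
    for slot, addr in pointers:
        mod = module_for(addr, index)
        if mod is None:
            findings.append((label, slot, addr, "no module at address"))
        elif not mod[3]:
            findings.append((label, slot, addr, f"unbacked region {mod[2]}"))
        elif mod[2] not in trusted:
            findings.append((label, slot, addr, f"untrusted module {mod[2]}"))
    return findings


def audit(modules=MODULES, trusted=TRUSTED):
    """Run the table check and the stack check; return all findings in order."""
    index = build_index(modules)
    frames = [(f"frame{i}", a) for i, a in enumerate(STACK_RETURNS)]
    return (check_pointers("IAT", IAT, index, trusted)
            + check_pointers("stack", frames, index, trusted))


if __name__ == "__main__":
    for f in audit():
        print("%-5s %-16s 0x%08x %s" % f)
```

The same lookup serves the SSDT, IDT and any other static table: the question is always "which module owns this target, and is that module one I expected to own it". Hooks that redirect into injected, unbacked memory fail the file-backed test; hooks that redirect into a legitimately loaded but unexpected module fail the allow-list test.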

Page 28

Delta Detective™

• Automated malware analysis (real systems)
  – State changes in memory (semantic model)
  – Objects (committed/free)
  – Data structures (e.g., VAD tree, loaded DLLs)
  – Control flow changes (hooking, text changes)

• Semantic Diff™
  – Persistent changes to volatile storage
  – Automatically generate a malware profile

• Malware library (global collection)
  – Volatile Intelligence Network
  – Crawling, spam traps, honeypots (updated daily)
  – Threat reports/profiles

Page 29

Automated Malware Analysis

[Diagram: automated analysis pipeline: Malware Database → Malware Cluster (Acquire RAM + Swap, Malware Installed, Acquire RAM + Swap) → Delta Detective → Report Database]

Page 30

Objects: Set Difference

After \ Before = { x : x ∈ After and x ∉ Before }
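Applied to whole snapshots, the set difference above becomes a semantic diff: flatten each snapshot into (kind, identity) tuples, take After \ Before and Before \ After, and discard anything that also differs between two clean runs of the same machine. This added example (not Delta Detective or Semantic Diff code, and not from the slides) does exactly that; the object kinds, their identity fields and every snapshot value are constructed for the demonstration.

```python
"""Semantic diff of object snapshots taken before and after a sample runs,
with background noise learned from two clean snapshots filtered out. Added
example in the spirit of the set-difference slide, not Delta Detective code;
all snapshot contents are constructed."""

# Which fields identify an object of each kind when comparing snapshots.
IDENTITY = {
    "process": ("pid", "name"),
    "dll": ("pid", "path"),
    "connection": ("pid", "local", "remote"),
    "ssdt": ("index", "target"),
}

BEFORE = {
    "process": [{"pid": 4, "name": "System"}, {"pid": 1234, "name": "explorer.exe"},
                {"pid": 880, "name": "svchost.exe"}],
    "dll": [{"pid": 1234, "path": r"C:\WINDOWS\system32\ntdll.dll"}],
    "connection": [{"pid": 880, "local": "10.0.0.5:1035", "remote": "10.0.0.1:53"}],
    "ssdt": [{"index": 0x42, "target": 0x8057A1F0}],
}
# A second clean snapshot: the DNS lookup has finished, nothing else changed.
CLEAN_RERUN = {**BEFORE, "connection": []}
# After the sample ran: new process, injected DLL, beacon, hooked SSDT entry.
AFTER = {
    "process": BEFORE["process"] + [{"pid": 6660, "name": "evil.exe"}],
    "dll": BEFORE["dll"] + [{"pid": 1234, "path": r"C:\WINDOWS\Temp\injected.dll"}],
    "connection": [{"pid": 1234, "local": "10.0.0.5:1041", "remote": "203.0.113.7:443"}],
    "ssdt": [{"index": 0x42, "target": 0xF8A1C000}],
}


def object_set(snapshot):
    """Flatten a snapshot into hashable (kind, identity...) tuples."""
    objs = set()
    for kind, items in snapshot.items():
        fields = IDENTITY[kind]
        for item in items:
            objs.add((kind,) + tuple(item[f] for f in fields))
    return objs


def semantic_diff(before, after):
    """After \\ Before (added) and Before \\ After (removed)."""
    b, a = object_set(before), object_set(after)
    return {"added": sorted(a - b), "removed": sorted(b - a)}


def background_noise(clean_a, clean_b):
    """Objects that differ between two clean snapshots: not caused by malware."""
    return object_set(clean_a) ^ object_set(clean_b)


def group_by_kind(items):
    grouped = {}
    for kind, *fields in items:
        grouped.setdefault(kind, []).append(tuple(fields))
    return grouped


def malware_profile(before, after, noise=frozenset()):
    """The diff with background noise removed, grouped by object kind."""
    diff = semantic_diff(before, after)
    return {
        "installed": group_by_kind(x for x in diff["added"] if x not in noise),
        "removed": group_by_kind(x for x in diff["removed"] if x not in noise),
    }


if __name__ == "__main__":
    noise = background_noise(BEFORE, CLEAN_RERUN)
    for section, groups in malware_profile(BEFORE, AFTER, noise).items():
        print(section)
        for kind, objs in groups.items():
            print(f"  {kind}: {objs}")
```

A hooked table entry shows up as one removed tuple and one added tuple with the same index, which is the signal to look for; the identity fields decide what counts as "the same object", so choosing them (pid plus name, not the block address that ASLR or reallocation will change) is most of the design.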

Page 31

Data Structures (VAD)

Page 32

Control Flow Changes

Page 33

Extracting Malware

[Diagram: PE layout of a module as it appears on Disk, in Memory and when Extracted: Header, text, idata, edata and reloc sections]

Page 34

Extend Your Arsenal (F-Response 2.03)

Page 35

What is F-Response?

• F-Response is a small, largely self-contained application that provides read-only, authenticated network access to a remote computer’s physical disk and physical memory.

• Minimal system impact (obtrusiveness)

• F-Response 1.18 (physical disk only)
  – Windows (2000, XP, 2003, Vista, 2008)
  – Linux, OS X Intel (10.4, 10.5)

• F-Response 2.03 (physical disk + physical memory) - Beta
  – Windows (2000, XP, 2003, Vista, 2008)

Page 36

How does F-Response work?

• F-Response is based on the well-documented iSCSI standard to create a secure, read-only connection between the examiner’s computer and the computer under inspection.

• F-Response makes the storage devices and physical memory on the computer under examination completely accessible to the examiner’s computer, where they appear as local, raw, physical storage devices.

Page 37

F-Response in Deployment

Page 38

F-Response & Volatility

• Joint project between F-Response and Volatility to extend the framework with real-time remote access capability.

• Months of development and testing.

• Both products will continue to work separately; however, the two combined give you....

VOLTAGE

Page 39

Voltage

• Real-time read-only access to runtime state
  – Physical memory
  – pagefile.sys

• Combine detection with response
  – Temporal proximity
  – Acquisition capabilities

• Continuous independent monitoring
  – Visibility into the enterprise
  – Verify the state of systems

Page 40

Voltage Demo

Page 41

Conclusions

• Volatile state is a critical component of the digital crime scene

• Memory analysis “Ups the Anti”

• Columbia Pictures et al. v. Justin Bunnell
  – RAM is Electronically Stored Information according to the Federal Rules of Evidence

Download Volatility 1.3: http://www.volatilesystems.com/

Join the community!

Page 42

For more information

• Web: http://www.f-response.com

• Email: [email protected]

• Phone: 1-800-317-5497

Page 43

Questions?

Feedback, questions, comments...awalters [at] volatilesystems [dot] com

Page 44

Resources

• Acquisition
  – Open source:
    • mdd: https://sourceforge.net/projects/mdd/
    • win32dd: http://win32dd.msuiche.net/
  – Commercial:
    • F-Response 2.0: http://www.f-response.com/
    • Kntdd: http://gmgsystemsinc.com/knttools/

• Conferences
  – Open Memory Forensics Workshop (OMFW)
  – Digital Forensics Research Workshop (DFRWS)

• Mailing lists
  – www.volatilesystems.com/mailman/listinfo

• Research references
  – www.4tphi.net/fatkit

Page 45

Resources (Cont.)

• Blogs
  – http://volatility.tumblr.com/
  – http://volatilesystems.blogspot.com/
  – http://moyix.blogspot.com
  – http://computer.forensikblog.de/en/
  – http://windowsir.blogspot.com/
  – http://jessekornblum.livejournal.com/

• Books
  – Malware Forensics (Aquilina, Casey, and Malin)
  – Windows Forensic Analysis (Harlan Carvey)
  – Forensic Discovery (Farmer and Venema)