Page 1: Memory Forensics

Today's menu

Memory Forensics

Varun Nair

@w3bgiant

Page 2: Memory Forensics

#whoami

• Security enthusiast.
• For food and shelter, I work with ZEE TV.
• For a living, I learn 4N6, malware and reverse engineering.
• Recent developments:
  • Chapter lead at Null, Mumbai chapter.

Page 3: Memory Forensics

If you listen!!!!!

• Forensics Fundamentals
• Action Plan
• Order of Volatility
• Methodologies
  • Dead Forensics
  • Live Forensics
• Demo

Page 4: Memory Forensics

ELSE!!!!

Page 5: Memory Forensics

Forensics Fundamentals

• Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.

• "Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what happened in the past on a system [or a network]"
  - Dan Farmer / Wietse Venema

Page 6: Memory Forensics

Action Plan - First Response

[Flowchart] Arrive on crime scene, then check the machine state:
• Machine state = ON  -> LIVE FORENSICS
• Machine state = OFF -> DEAD FORENSICS

Page 7: Memory Forensics

Order of Volatility (most volatile first)

MOST volatile
• CPU, cache and register content
• Routing table, ARP cache, process table, kernel statistics
• Memory
• Temporary file system / swap space
• Data on hard disk
• Remotely logged data
• Raw disk blocks
LEAST volatile

Page 8: Memory Forensics

Forensics Methodologies

• "LIVE" Forensics
• "DEAD" Forensics

Page 9: Memory Forensics

DEAD FORENSICS

• Dead analysis is the more common way to acquire data.
• A dead acquisition copies the data without the assistance of the suspect's (operating) system.
• Analysing a "dead" system that has had its power cord pulled.

Page 10: Memory Forensics

DEAD FORENSICS

• During data acquisition an exact (typically bitwise) copy of the storage media is created.
• Least chance of modifying data on disk, but "live" data is lost forever.

Page 11: Memory Forensics

LIVE FORENSICS

• Focuses on extracting and examining the volatile forensic data that would be lost on power off.
• A live acquisition copies the data using the suspect's (operating) system.
• Live forensics is not a "pure" forensic response, as it will have minor impacts on the underlying machine's operating state.
  - The key is that the impacts are known.

Page 12: Memory Forensics

LIVE FORENSICS

• Often used in incident handling to determine if an event has occurred.
• May or may not precede a full traditional forensic analysis.
• If you work on a suspect's system you should boot/use trusted tools (e.g. CD, USB stick).

Page 13: Memory Forensics

LIVE FORENSICS

THE IMAGE WILL HAVE NO AUTHENTICITY

A live capture cannot be repeated for verification: no two images of a running system will have the "same hash value".

Page 14: Memory Forensics

Forensic Response Principles

- Maintain forensic integrity
- Require minimal user interaction
- Gather all pertinent information to determine if an incident occurred, for later analysis
- Enforce sound data and evidence collection

Page 15: Memory Forensics

Methodology

ACQUIRE
• Capture RAM memory

CONTEXT
• Find memory offsets and establish contexts

ANALYSE
• Analyse data and recover evidence

Page 16: Memory Forensics

In MEMORY data??

• Currently running processes and terminated processes.
• Open TCP/UDP ports / raw sockets / active connections.
• Caches
  - Web addresses, typed commands, passwords, clipboards, SAM databases, edited files.
• Memory mapped files
  - Executables, shared objects (modules/drivers), text files.
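The ACQUIRE / CONTEXT / ANALYSE methodology and the "web addresses in caches" item above, worked through as an added example (this is not the presenter's code and not part of DumpIt or Volatility): the dump is a constructed byte string standing in for a raw RAM capture, the image is hashed once at acquisition so later work can be tied to exactly that image, URL strings are carved together with their byte offsets, and a later re-hash is checked against the recorded value before analysis.

```python
import hashlib
import re

# Constructed stand-in for a raw RAM capture (not a real DumpIt image):
# artefact strings scattered between filler bytes, as they sit in memory.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"http://intranet.example.test/login\x00"
    + b"\xff" * 32
    + b"C:\\Users\\analyst\\notes.txt\x00"
    + b"\x00" * 48
    + b"https://update.example.test/patch.msi\x00"
    + b"\x90" * 16
)

# Printable, non-space run after a scheme; a NUL or filler byte ends the match.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def acquire(image: bytes) -> dict:
    """ACQUIRE: record size and SHA-256 of the captured image. A second
    capture of the same live machine would never reproduce this hash."""
    return {"size": len(image), "sha256": hashlib.sha256(image).hexdigest()}


def verify(image: bytes, recorded_sha256: str) -> bool:
    """Re-hash before analysis; a mismatch means the evidence changed."""
    return hashlib.sha256(image).hexdigest() == recorded_sha256


def find_offsets(image: bytes, pattern=URL_RE) -> list:
    """CONTEXT: each hit is returned with its byte offset, the context an
    examiner needs to revisit the finding in a hex viewer such as WinHex."""
    return [(m.start(), m.group().decode("ascii", "replace"))
            for m in pattern.finditer(image)]


def analyse(image: bytes, recorded_sha256: str) -> dict:
    """ANALYSE: refuse a tampered image, otherwise recover URL evidence
    and summarise the hosts the system had contacted."""
    if not verify(image, recorded_sha256):
        raise ValueError("image hash does not match acquisition record")
    hits = find_offsets(image)
    return {"urls": hits,
            "hosts": sorted({u.split("/")[2] for _, u in hits})}


if __name__ == "__main__":
    record = acquire(SAMPLE_DUMP)
    print(record)
    print(analyse(SAMPLE_DUMP, record["sha256"]))
```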

Page 17: Memory Forensics

DEMO

• Collecting memory dumps: DumpIt by MoonSols
• Analysing memory dumps: WinHex and Volatility Framework 2.3

Page 18: Memory Forensics

Any other questions?

