Memory Forensics

  • View

  • Download

Embed Size (px)


null Mumbai Chapter Meet - December 2013

Text of Memory Forensics

  • 1. Memory ForensicsVarun Nair @w3bgiant

2. #whoami O Security enthusiast. O For food and shelter, I work with ZEE TV O For living, I learn 4N6, Malwares and ReverseEngineering O Recent developments: O Chapter lead at Null, Mumbai chapter. 3. If you listen!!!!! O Forensics Fundamentals O Action Plan O Order of Volatility O Methodologies O Dead ForensicsO Live Forensics O Demo 4. ELSE!!!! 5. Forensics Fundamentals O Digital forensics (sometimes known as digital forensicscience) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.O "Gathering and analysing data in a manner as free fromdistortion or bias as possible to reconstruct data or what happened in the past on a system [or a network] -Dan Farmer / Wietse Venema 6. Action Plan- First Response Arrive on Crime sceneMachine state = OFFDEAD FORENSICSMachine state = ONLIVE FORENSICS 7. Order of Volatility MOST .. LEAST CPU, cache and register content Routing table, ARP cache, process table, kernel statistics Memory Temporary file system / swap space Data on hard disk Remotely logged data Raw Disk Blocks 8. Forensics Methodologies O LIVE ForensicsO DEAD Forensics 9. DEAD FORENSICS O The dead analysis is more common to acquire data. O A dead acquisition copies the data without theassistance of the suspects (operating) system. O Analysing a dead system that has had its powercord pulled. 10. DEAD FORENSICS O During data acquisition an exact (typically bitwise)copy of storage media is created. O Least chance of modifying data on disk, but livedata is lost forever. 11. LIVE FORENSICS O Focuses on extracting and examination of thevolatile forensic data that would be lost on power off O A live acquisition copies the data using thesuspects (operating) system O Live forensics is not a pure forensic response asit will have minor impacts to the underlying machines operating state The key is the impacts are known 12. LIVE FORENSICS O Often used in incident handling to determine if anevent has occurred O May or may not proceed a full traditional forensicanalysis O If you work on a suspects system you shouldboot/use trusted tools (e.g. CD, USB stick): 13. LIVE FORENSICSTHE IMAGE WILL HAVE NO AUTHENTICITY No two images can have the same hash value 14. Forensic Response Principles Maintain forensic integrity Require minimal user interaction Gather all pertinent information to determine if an incident occurred for later analysis - Enforce sound data and evidence collection 15. Methodology ACQUIRECONTEXTANALYSECapture RAM MemoryFind Memory Offsets and establish contextsAnalyse data and recover evidence 16. In MEMORY data?? O Current running processes and terminatedprocesses. O Open TCP/UDP ports/raw sockets/active connections. O Caches O -Web addresses, typed commands, passwords,clipboards, SAM databases, edited files. O Memory mapped files O -Executable, shared, objects(modules/drivers), textfiles. 17. DEMO O Collecting Memory dumps:DUMPIT by MOONSOLSO Analysing Memory dumps:WinHex and Volatility Framework 2.3 18.