Memory forensics with volatility


DESCRIPTION

Draft of the manuscript "Memory analysis cases using Volatility" for the February and March 2014 issues of Monthly Ahn.

Text of Memory forensics with volatility

  • 1. Memory Forensics with Volatility. ASEC (AhnLab Security Emergency Response Center), Senior Advanced Threat Researcher, CISSP, CHFI
  • 2. Contents
    01 Memory Forensics
    02 Windows Memory
    03 Windows Memory Dump and Analysis
    04 What is Volatility
    05 Installing Volatility on Windows and BackTrack
    06 Memory Analysis using Volatility
    07 Case Study and Hands-on Lab
    08 Conclusion
  • 3. 01 Memory Forensics
  • 4. Memory Forensics: the computer's CPU works on data held in memory, so memory forensics is the analysis of the data found in memory. Data recoverable from memory:
    1) Processes and threads
    2) Modules and libraries loaded by each process
    3) Open files and network sockets
    4) Various other data structures
    AhnLab, Inc. All rights reserved.
  • 5. 02 Windows Memory
  • 6. 32-bit Windows virtual memory: every 32-bit Windows process gets a 4 GB virtual address space, split into 2 GB of user mode and 2 GB of kernel mode. Layout of Process A:
    0x00000000 ~ 0x0000FFFF   64 KB
    0x00010000 ~ 0x7FFEFFFF   User mode, 2 GB
    0x7FFF0000 ~ 0x7FFFFFFF   64 KB
    0x80000000 ~ 0xFFFFFFFF   Kernel mode, 2 GB
  • 7. Virtual memory vs. physical memory: a process addresses memory through virtual addresses, which are mapped onto physical memory; pages that are not resident are paged out to disk. Figure: Process A's virtual address space (same layout as slide 6) holding pages A, B, C and D; A, B and C are also present in physical memory, while the paged-out page lives only in the page file. A memory dump captures physical memory, and that dump is what memory forensics analyzes.
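To show the virtual-to-physical mapping this slide describes, here is an added Python example (not from the slides and not Volatility's own code) that walks a 32-bit non-PAE x86 page directory and page table over a constructed "physical memory" buffer; this is the translation a memory-forensics tool must perform to read a process's virtual addresses out of a physical dump. The DTB value and page layout are constructed, and PAE and x64 paging are not covered.

```python
import struct

PAGE_SIZE = 0x1000
PRESENT = 0x1        # bit 0 of a PDE/PTE: page is resident in physical memory
LARGE_PAGE = 0x80    # bit 7 (PS) of a PDE: 4 MB page, no page table level

def build_sample_memory():
    """Build a tiny constructed 'physical memory dump' (not a real dump):
    page directory at 0x1000, one page table at 0x2000, a data page at 0x3000
    mapped at virtual 0x00400000, and a not-present PTE for virtual 0x00401000."""
    mem = bytearray(0x5000)
    dtb = 0x1000                                   # assumed directory table base
    pt = 0x2000
    # PDE index 1 covers virtual 0x00400000-0x007FFFFF -> page table at 0x2000
    struct.pack_into("<I", mem, dtb + 1 * 4, pt | PRESENT)
    # PTE index 0 of that table -> physical page 0x3000, present
    struct.pack_into("<I", mem, pt + 0 * 4, 0x3000 | PRESENT)
    # PTE index 1 -> present bit clear: this page is only in the page file
    struct.pack_into("<I", mem, pt + 1 * 4, 0x4000)
    mem[0x3000:0x3004] = b"MZ\x90\x00"             # sample bytes in the mapped page
    return bytes(mem), dtb

def vtop(mem, dtb, vaddr):
    """Translate a 32-bit non-PAE virtual address to a physical offset.
    Returns None when the page is not present (paged out, so absent from the dump)."""
    pde = struct.unpack_from("<I", mem, dtb + ((vaddr >> 22) & 0x3FF) * 4)[0]
    if not pde & PRESENT:
        return None
    if pde & LARGE_PAGE:                           # 4 MB page: PDE bits 31..22 = frame
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte_off = (pde & 0xFFFFF000) + ((vaddr >> 12) & 0x3FF) * 4
    pte = struct.unpack_from("<I", mem, pte_off)[0]
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)

def read_virtual(mem, dtb, vaddr, length):
    """Read bytes at a virtual address across page boundaries;
    None if any page of the range is not resident."""
    out = bytearray()
    while length:
        paddr = vtop(mem, dtb, vaddr)
        if paddr is None:
            return None
        chunk = min(length, PAGE_SIZE - (vaddr & 0xFFF))
        out += mem[paddr:paddr + chunk]
        vaddr += chunk
        length -= chunk
    return bytes(out)
```

A read that touches a paged-out page returns None rather than garbage, which is exactly the gap an analyst sees when a dump was taken without the page file.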
  • 8. 03 Windows Memory Dump and Analysis
  • 9. win32dd.exe / win64dd.exe (memory dump)
    2007: Matthieu Suiche, 32/64-bit
    2008: MoonSols (http://www.moonsols.com), MoonSols Windows Memory Toolkit (http://www.moonsols.com/resources/)
  • 10. DumpIt.exe (memory dump)
    2007: Matthieu Suiche, win32dd.exe / win64dd.exe, 32/64-bit
    2010: MoonSols (http://www.moonsols.com), MoonSols DumpIt (http://www.moonsols.com/resources/)
    Running dumpit.exe produces the memory dump.
  • 11. FTK Imager Lite (memory dump): from AccessData (http://www.accessdata.com/), vendor of the digital forensics suite FTK (Forensic Toolkit) (http://www.accessdata.com/support/product-downloads). Functions: Capture Memory, Create Disk Image, Image Mounting. AccessData version 3.1.1.8, about 75 MB, runs from a USB drive.
  • 12. Volatility (memory dump analysis): a Python-based memory forensics framework from Volatile Systems (https://www.volatilesystems.com/). The Volatility Framework is open source (https://code.google.com/p/volatility/) and extensible through plugins; it ships with the pentest distributions BackTrack and Kali Linux.
  • 13. Mandiant Redline memory dump (1): Mandiant Redline (https://www.mandiant.com/resources/download/redline) is a Windows GUI tool for memory analysis and memory dumping; it requires .NET Framework 4.0 (http://www.microsoft.com/kokr/download/details.aspx?id=24872).
  • 14. Mandiant Redline memory dump (2): related to MIR (Mandiant Intelligent Response); timeline view of memory.
  • 15. VMware memory dump (1): Brett Shavers, 2008, computer forensics paper "Virtual Forensics: A Discussion of Virtual Machines Related to Forensics Analysis" (http://www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf). VMware file types:
    1) .LOG   virtual machine log
    2) .VMDK  guest OS virtual hard drive
    3) .VMEM  guest OS virtual paging file
    4) .VMSN  VMware snapshot of the guest OS
    5) .VMSD  VMware snapshot metadata
    6) .NVRAM guest OS BIOS
    7) .VMX   guest OS configuration
    8) .VMSS  guest OS suspend state
    For memory forensics of a VMware guest OS, the file of interest is .VMEM.
  • 16. VMware memory dump (2): to perform memory forensics on a guest OS, suspend the guest; the suspended guest's virtual paging file, .VMEM, is then analyzed as the memory image.
  • 17. VMware memory dump (3): LiveView (http://liveview.sourceforge.net/), Carnegie Mellon, 2009, boots a disk image as a VMware guest OS, so a disk image can be turned into a running guest for memory forensics and live response. LiveView requirements:
    1) VMware Workstation 5.5 (http://www.vmware.com/products/workstation/workstation-evaluation)
    2) Virtual Disk Development Kit 5.5 (http://www.vmware.com/support/developer/vddk/)
    3) Java Runtime Environment (http://www.java.com/getjava/)
  • 18. 04 What is Volatility
  • 19. Volatility project history
    2006: AAron Walters, FATKit project and Volatools project. "FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory" (http://www.4tphi.net/fatkit/papers/dfrwswip.pdf); "Volatools: Integrating Volatile Memory Forensics into the Digital Investigation Process" (http://www.blackhat.com/presentations/bh-dc-07/Walters/Paper/bh-dc-07-Walters-WP.pdf)
    2007: AAron Walters, Volatile Systems (https://www.volatilesystems.com/); Volatility Framework released as open source (https://code.google.com/p/volatility/)
    2008: Open Memory Forensics Workshop (https://www.volatilesystems.com/default/omfw); AAron Walters presents Volatility 1.3 (https://www.volatilesystems.com/volatility/omfw/Walters_OMFW_2008.pdf); Volatile Systems maintains the Volatility Framework and its plugins
  • 20. Volatility Framework & Plugins (1): Volatility Framework 2.2 (https://code.google.com/p/volatility/wiki/Release22) analyzes memory dumps from:
    1) Windows (x86): Windows XP Service Pack 2 and 3; Windows 2003 Server Service Pack 0, 1, 2; Windows Vista Service Pack 0, 1, 2; Windows 2008 Server Service Pack 1, 2; Windows 7 Service Pack 0, 1
    2) Windows (x64): Windows XP Service Pack 1 and 2; Windows 2003 Server Service Pack 1 and 2; Windows Vista Service Pack 0, 1, 2; Windows 2008 Server Service Pack 1 and 2; Windows 2008 R2 Server Service Pack 0 and 1; Windows 7 Service Pack 0 and 1
    3) Linux: 32-bit Linux kernels 2.6.11 to 3.5; 64-bit Linux kernels 2.6.11 to 3.5
    Note: Volatility Framework 2.3 Beta (https://code.google.com/p/volatility/wiki/Release23) adds the Linux distributions OpenSuSE, Ubuntu, Debian, CentOS, Fedora and Mandriva, and Mac OS X: 32-bit 10.5.x, 10.6.x Snow Leopard, 10.7.x Lion; 64-bit 10.6.x Snow Leopard, 10.7.x Lion, 10.8.x Mountain Lion
  • 21. Volatility Framework & Plugins (2): the Volatility Framework 2.2 CommandReference22 (https://code.google.com/p/volatility/wiki/CommandReference22) groups the plugins into 5 categories.
    1) Windows Core
       Image Identification: imageinfo, kdbgscan, kpcrscan
       Processes and DLLs: pslist, pstree, psscan, psdispscan, dlllist, dlldump, handles, getsids, cmdscan, consoles, envars, verinfo, enumfunc
       Process Memory: memmap, memdump, procmemdump, procexedump, vadinfo, vadwalk, vadtree, vaddump, evtlogs
       Kernel Memory and Objects: modules, modscan, moddump, ssdt, driverscan, filescan, mutantscan, symlinkscan, thrdscan
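Two of the process plugins listed above, pslist (walks the kernel's EPROCESS linked list) and psscan (scans physical memory for process pool tags), give different views of the same dump, and comparing them is a standard way to surface processes that have been unlinked from the list or have already exited. The following is an added Python example, not part of the slides or of Volatility itself; the pslist and psscan tables are constructed sample text laid out like Volatility 2.2's output, with made-up processes and offsets.

```python
import re

# Constructed sample output in the layout of Volatility 2.2's pslist and psscan
# (made-up processes; not taken from a real memory dump).
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2014-02-10 09:12:01
0x8227bda0 csrss.exe               584    368      9      326      0      0 2014-02-10 09:12:03
0x82295020 winlogon.exe            608    368     23      519      0      0 2014-02-10 09:12:03
0x81e2ab28 explorer.exe           1464   1428     17      415      0      0 2014-02-10 09:12:40
"""

PSSCAN = """\
Offset(P)  Name             PID   PPID PDB        Time created
---------- ---------------- ------ ------ ---------- --------------------
0x023c89c8 System                4      0 0x00039000
0x022f1020 smss.exe            368      4 0x0a1f4000 2014-02-10 09:12:01
0x0227bda0 csrss.exe           584    368 0x0b2c6000 2014-02-10 09:12:03
0x02295020 winlogon.exe        608    368 0x0b2e2000 2014-02-10 09:12:03
0x01e2ab28 explorer.exe       1464   1428 0x0c5b1000 2014-02-10 09:12:40
0x01f03020 svch0st.exe        1892    608 0x0d471000 2014-02-10 11:47:22
"""

# A data row starts with a hex offset, then name, PID and PPID; header and
# separator lines do not match and are skipped.
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)", re.I)

def parse(output):
    """Return {pid: (name, ppid)} from a pslist or psscan text table."""
    procs = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(3))] = (m.group(2), int(m.group(4)))
    return procs

def hidden_processes(pslist_out, psscan_out):
    """PIDs found by pool-tag scanning (psscan) but absent from the linked
    list (pslist): either unlinked from the list or already terminated."""
    listed, scanned = parse(pslist_out), parse(psscan_out)
    return sorted(pid for pid in scanned if pid not in listed)

def orphan_processes(pslist_out):
    """Processes whose parent PID is not in the list (parent exited or hidden)."""
    procs = parse(pslist_out)
    return sorted(pid for pid, (_, ppid) in procs.items()
                  if ppid != 0 and ppid not in procs)
```

An entry that psscan reports but pslist does not is not automatically malicious: a process that exited shortly before the dump looks the same, so the psscan "Time exited" column and the parent chain should be checked before drawing conclusions.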