
Volatile Memory Forensics

By
Chirath De Alwis
What is volatile memory forensics?
Identification, preservation, extraction, analysis and representation of volatile memory artifacts

In the simplest terms: “forensic investigation in volatile memory”


Why volatile memory forensics?
• Everything in the OS travels through memory

• Best way to detect & analyze memory-resident malware (e.g. the Slammer worm)

• Data that is encrypted at the transport layer is available in plain text

• Private browsing data is only available in volatile memory


History of File-less Malware

• 2001-2003: Code Red and SQL Slammer
• 2012: A bot that installed the Lurk Trojan
• 2014: Powerliks
• 2014-2015: Duqu 2.0, Angler, Phase Bot
• 2016: PowerSniff, PowerWare, Kovter
• 2017: POSHSPY, August


Why volatile memory forensics?

(Diagram: memory hierarchy, CPU cache → RAM → hard disk)


Recent usage
WannaCry "does not erase the prime numbers from memory before freeing the associated memory," says Guinet (May 2017).

Based on this finding, Guinet released a WannaCry ransomware decryption tool named WannaKey.

Complete article: http://thehackernews.com/2017/05/wannacry-ransomware-decryption-tool.html


Process Management - Processes
• A process is an instance of a program executing in memory

• Multiprogramming allows many processes to appear to execute simultaneously

• A new process is created with its own ID (process ID) and address space

• Memory analysis involves enumerating the processes that were executing on a system and analyzing the data stored within their address spaces, including passwords, URLs, encryption keys, e‑mail, and chat logs
Process Management – Processes

A high-level diagram showing basic process resources


Process Management - Processes
• _EPROCESS is the name of the structure that Windows uses to represent a
process

• Each process has one or more threads that execute code

• Each process has a table of handles (or file descriptors) to kernel objects
such as files and network sockets
Process Management - Processes
• The process address space contains:
  • the process executable
  • its list of loaded modules (DLLs or shared libraries)
  • stacks
  • heaps
  • allocated memory regions containing everything from user input to application-specific data structures
Process Management - Threads
• A thread is the basic unit of CPU utilization and execution

• Often characterized by a thread ID, CPU register set, and execution stack(s), which help define a thread’s execution context

• A process with multiple threads can appear to be simultaneously performing multiple tasks

• Thread data structures often contain timestamps and starting addresses


Process Management - Handles
• Reference to an open instance of a kernel object, such as a file, registry key, mutex,
process, or thread

• Before a process can access an object, it first opens a handle to the object

• When a process is finished using an object, it should close the handle by calling the
appropriate function
Process Management – VAD Tree
• Windows records each process's memory allocations in a Virtual Address Descriptor (VAD) tree

• It describes the memory ranges used by currently-running processes

• Most information about a process's memory can be retrieved by walking its VAD tree

• It is possible to recover all of the memory-mapped files associated with specific processes
Acquisition
• Converting volatile memory into a non-volatile state for future analysis

(Diagram: acquisition is divided into hardware-based and software-based approaches)
• Hardware-based acquisition

  • Involves suspending the computer’s processor and using direct memory access (DMA) to obtain a copy of memory

  • Does not rely on the OS or software

  • More reliable

  • Expensive
Acquisition
• Software-based acquisition

  • Needs trusted software

  • Some tools are available in the OS (e.g. memdump or dd on Unix systems)

  • Needs a running OS

  • Execution can overwrite some data


Memory Dump Formats
• RAW memory dump

• Widely used

• Does not contain any headers, metadata, or magic values for file type
identification

• Typically includes padding for any memory ranges that were intentionally
skipped (i.e., device memory) or that could not be read by the acquisition tool
Memory Dump Formats
• Windows crash dump

  • When the Windows OS crashes (Blue Screen of Death or BSOD) it dumps all the memory information into a file on disk

  • The default location of the dump file is %SystemRoot%\memory.dmp, or C:\Windows\memory.dmp if C: is the system drive

  • Designed for debugging purposes


Memory Dump Formats
• Windows crash dump

  • There are four types:

  • Complete memory dump – records all the contents of system memory when your computer stops unexpectedly

  • Kernel memory dump – records only the kernel memory

  • Small memory dump – records the smallest set of useful information that may help identify why your computer stopped unexpectedly
Memory Dump Formats
• Windows hibernation file

  • File name is “hiberfil.sys”

  • Contains a compressed copy of memory that the system dumps to disk during the hibernation process

  • Needs to be converted into a normal memory dump format before analysis
Memory Dump Formats
• Expert Witness Format (EWF)

  • EnCase proprietary format

  • Need to be familiar with:
    • EWFAddressSpace
    • Mounting with EnCase
    • Mounting with FTK
Memory Dump Formats
• HPAK Format

  • Developed by HBGary

  • Allows a target system’s physical memory and page file(s) to be embedded in the same output file

  • Proprietary format
Memory Dump Formats
• Virtual machine memory

  • Depends on the virtual machine you use

• Process dump

  • Small in size

  • Contains only the memory related to one process
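The practical consequence of the formats listed above is that an analyst must recognise which one a file is before choosing an address space or converter: a raw dump carries no magic value, while crash dumps, hibernation files and EWF images do. The following added example (not code from the slides or from any tool mentioned in them) classifies a dump by its leading bytes. The signature values are real on-disk magics as known to the editor, not taken from the slides: "PAGEDUMP"/"PAGEDU64" for Windows crash dumps, "hibr"/"HIBR" for hibernation files, and EVF\x09\x0d\x0a\xff\x00 for EWF (E01) segments. The sample files are constructed in a temporary directory.

```python
from __future__ import annotations

import os
import tempfile

# Magic values found at offset 0 of non-raw dump formats (editor's knowledge,
# not from the slides). A raw dump has no header, so anything unmatched is
# treated as raw or unknown.
MAGICS = [
    (b"PAGEDUMP", "windows-crash-dump-32"),
    (b"PAGEDU64", "windows-crash-dump-64"),
    (b"hibr", "windows-hibernation"),           # signature is zeroed after a resume
    (b"HIBR", "windows-hibernation"),
    (b"EVF\x09\x0d\x0a\xff\x00", "ewf-e01"),
]


def identify_dump(header: bytes) -> str:
    """Classify a dump from its first bytes; raw dumps have no magic value."""
    for magic, name in MAGICS:
        if header.startswith(magic):
            return name
    return "raw-or-unknown"


def identify_file(path: str) -> str:
    """Read only the first 16 bytes; dumps are large and need not be loaded."""
    with open(path, "rb") as f:
        return identify_dump(f.read(16))


def demo() -> dict[str, str]:
    """Write constructed sample headers to temp files and classify each one."""
    samples = {                                   # constructed, not real evidence
        "crash.dmp": b"PAGEDU64" + b"\x00" * 8,
        "hiberfil.sys": b"hibr" + b"\x00" * 12,
        "evidence.E01": b"EVF\x09\x0d\x0a\xff\x00" + b"\x00" * 8,
        "mem.raw": b"\x00" * 16,
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(content)
            results[name] = identify_file(path)
    return results


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name:14s} -> {kind}")
```

Because a raw dump is identified only by the absence of a signature, the "raw-or-unknown" result is a prompt to confirm the acquisition tool and image size before analysis, not a guarantee that the file is a raw image.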


Analysis
Current Analysis Techniques
• String search
  • Looks for specific strings/keywords
Current Analysis Techniques
• File signature search

  • Specific patterns of values that are unique to the particular type of file in question

  • Content between a header and its corresponding footer belongs to that particular file

  • Helps to carve files from memory
Current Analysis Techniques
• File signature search example (JPEG): Header FFD8, Footer FFD9
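The two techniques above (string search and header/footer carving) are simple enough to implement directly. The following is an added example written for this page, not code from the slides or from any tool they name; it runs both over a constructed byte buffer that stands in for a memory image and contains a made-up URL and a small JPEG-like blob delimited by the FFD8/FFD9 values cited above. The signature table is structured so that further header/footer pairs can be added in the same shape.

```python
from __future__ import annotations

import re

# Constructed stand-in for a memory dump: padding, an ASCII string of the kind
# an investigator looks for, a JPEG-like blob between FFD8 and FFD9, padding.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"http://example.invalid/login?user=alice"      # constructed URL
    + b"\x00" * 8
    + b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
    + b"\x00" * 16
)

# (header, footer) pairs; the JPEG values are the ones given in the slides.
SIGNATURES = {
    "jpeg": (b"\xff\xd8", b"\xff\xd9"),
}


def string_search(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def carve(data: bytes, header: bytes, footer: bytes) -> list[bytes]:
    """Carve every header..footer region (footer included) from data."""
    carved = []
    pos = 0
    while True:
        start = data.find(header, pos)
        if start == -1:
            break
        end = data.find(footer, start + len(header))
        if end == -1:
            break          # header with no footer: object truncated or paged out
        carved.append(data[start:end + len(footer)])
        pos = end + len(footer)
    return carved


def carve_all(data: bytes) -> dict[str, list[bytes]]:
    """Run every signature in SIGNATURES over the buffer."""
    return {name: carve(data, h, f) for name, (h, f) in SIGNATURES.items()}


if __name__ == "__main__":
    print("strings:", string_search(SAMPLE_DUMP))
    for kind, blobs in carve_all(SAMPLE_DUMP).items():
        print(kind, [len(b) for b in blobs], "byte(s) carved")
```

Two-byte signatures such as FFD8 produce false positives in a real image, and a JPEG with an embedded thumbnail contains nested FFD8/FFD9 pairs, so carved output should be validated (for example by checking that the bytes after FFD8 form a valid marker segment) before it is relied on.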
Current Analysis Techniques
• Recovering memory-mapped files

  • Can be recovered by walking the VAD tree and pulling the objects of interest
Challenges in Memory Forensics
• Volatility

• Address space randomization

• OS changes (internal structure, memory utilization and management differences across OS versions)

• Cloud and VM infrastructure

• Dependencies in file carving


Current Tools
• Volatility

• Redline

• Rekall

• WindowsSCOPE
Sample Analysis
# vol.py -f APT.img --profile=WinXPSP3x86 pstree
• iexplore.exe (PID 796) was spawned from svchost.exe (PID 884)

• iexplore.exe should be launched from explorer.exe

# vol.py -f APT.img --profile=WinXPSP3x86 connscan
• PID 796 (iexplore.exe) is connecting to a remote system on port 89

• Usually HTTP traffic is directed to port 80 or 443 only

# vol.py -f APT.img --profile=WinXPSP3x86 dlllist -p 796
• In the dlllist output for PID 796 (iexplore.exe) you will notice a rogue DLL whose name is hard to spot

• Irykmmww.d1l is oddly named because the extension is spelled with a 1 (one) as the second letter where an l (lower case L) should be

• So PID 796 looks like malware; in any case it is clear that it was not started normally
# vol.py -f APT.img --profile=WinXPSP3x86 svcscan
• When we run the svcscan (Service Scan) plugin for Volatility, we notice a driver running on the system called irykmmww, which has the same name as the rogue DLL spotted earlier

• To figure out what this driver is doing, we should check for driver hooking with the apihooks and ssdt plugins
# vol.py -f APT.img --profile=WinXPSP3x86 ssdt | grep -v ntoskrnl | grep -v win32k
• The System Service Descriptor Table (SSDT) is an internal dispatch table within Microsoft Windows

• Hooking SSDT calls is a technique often used in both Windows rootkits and antivirus software

• Finally, we can tell that the driver irykmmww.sys is a rootkit loaded in the system
Course Work
• Briefly describe Hooking SSDT calls

Refer to the following URLs:

https://resources.infosecinstitute.com/hooking-system-service-dispatch-table-ssdt/
https://www.adlice.com/kernelmode-rootkits-part-1-ssdt-hooks/
https://archive.org/details/RootkitsDay1Part6
Study Materials
• Volatility Foundation
URL: http://www.volatilityfoundation.org/

• Forensic Focus
URL: http://www.forensicfocus.com/

• eForensics Magazine
URL: https://eforensicsmag.com/
