Chad Tilbury - SANS.org: The Year of Memory Forensics? (transcript)
CHAD TILBURY
• Former: Special Agent with US Air Force Office of Special Investigations
• Current: Incident Response and Computer Forensics Consultant
• Over 12 years in the trenches
• SANS Digital Forensics and Incident Response Instructor & Author
http://ForensicMethods.com
@chadtilbury
The Year of Memory Forensics?
• 64 bit support
• Volatile Registry Analysis
• Memory Timelining
• Mac OS X Analysis
• Linux Analysis
• Live Memory Analysis
• Whitelisting
• Old School vs. New School
Mac and Linux Memory Forensics

Mac Memory Reader
• Runs on Mac OS X 10.4-10.8, PowerPC and Intel (x86, x64)
• Generates a Mach-O file or a raw dump of memory (-P)
• Optional image hashing (-H)
• Load the kernel extension that provides /dev/mem, without acquiring an image (-k)
• Simple and effective!
“There are currently very few tools to analyze physical memory dumps from Mac OS X machines. Hex editors, string extraction tools, search tools, and file carvers are all useful for extracting data.”
-Mac Memory Reader help file
Mac Memoryze
• Dump memory: sudo macmemoryze dump -f mem.dmp
• Analysis (just the basics):
  • proclist
  • proclist -w (similar to lsof)
  • proclist -c (carve for processes)
  • kextlist
  • kextlist -c (carve for kernel extensions)
  • Enumerate the System Call Table and Mach Trap Table
• Live analysis capable (omit the -f option)
Mac Memoryze Proclist
Volatility + Mac =

System Information: mac_print_boot_cmdline, mac_dmesg, mac_version, mac_vfs_events, mac_machine_info, mac_mount, mac_list_sessions, mac_list_zones, mac_ls_logins, mac_volshell

Malware: mac_trustedbsd, mac_check_syscalls, mac_check_sysctl, mac_check_trap_table, mac_psxview, mac_yarascan, mac_notifiers, mac_ip_filters

Process / Module Information: mac_pslist, mac_pstree, mac_proc_maps, mac_psaux, mac_lsmod, mac_lsof, mac_dead_procs, mac_pgrp_hash_table, mac_pid_hash_table, mac_dump_maps, mac_tasks

Networking: mac_ifconfig, mac_netstat, mac_route, mac_arp

https://code.google.com/p/volatility/wiki/MacMemoryForensics
Volatility + Mac
Linux Memory Acquisition
• Old School:
  • dd if=/dev/kmem
  • Fmem kernel module
  • Red Hat Crash Dump Utilities
• New School: LiME (Linux Memory Extractor) loadable kernel module
  http://code.google.com/p/lime-forensics/
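The "new school" acquisition above produces a dump that is not a flat image: with format=lime, LiME writes one 32-byte header per System RAM range (little-endian magic 0x4C694D45, i.e. the bytes "EMiL" on disk, version 1, inclusive start and end physical address, 8 reserved bytes) followed by exactly end - start + 1 bytes of memory, and skips MMIO and reserved holes entirely. The following parser is an added example written for this page, not code from the talk or from the LiME project; it walks those headers, validates them, and translates physical addresses to file offsets, which is the step an analysis tool needs before it can read anything. The dump it operates on is constructed in memory so it runs offline.

```python
"""Walk a LiME-format (format=lime) dump and map physical addresses to file offsets.

Added example; not code from the talk or from LiME. The header layout follows
LiME's lime_mem_range_header (32 bytes, little-endian); the sample dump is constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

LIME_MAGIC = 0x4C694D45                      # "LiME" as a uint32; file bytes read "EMiL"
HEADER_FMT = "<IIQQ8s"                       # magic, version, s_addr, e_addr, reserved
HEADER_SIZE = struct.calcsize(HEADER_FMT)    # 32 bytes


@dataclass
class MemRange:
    start: int        # first physical address in the range
    end: int          # last physical address in the range (inclusive, as LiME records it)
    file_offset: int  # offset of the range's first byte inside the dump file

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_lime(dump: bytes) -> List[MemRange]:
    """Return every captured range, validating each header and body length."""
    ranges: List[MemRange] = []
    off = 0
    while off < len(dump):
        if len(dump) - off < HEADER_SIZE:
            raise ValueError(f"truncated LiME header at offset {off:#x}")
        magic, version, s_addr, e_addr, _reserved = struct.unpack_from(HEADER_FMT, dump, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {off:#x} (not a format=lime dump?)")
        if version != 1:
            raise ValueError(f"unsupported LiME header version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end {e_addr:#x} precedes start {s_addr:#x}")
        body = off + HEADER_SIZE
        size = e_addr - s_addr + 1
        if body + size > len(dump):
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} is truncated")
        ranges.append(MemRange(s_addr, e_addr, body))
        off = body + size
    return ranges


def find_range(ranges: List[MemRange], paddr: int) -> Optional[MemRange]:
    """Range containing paddr, or None if it lies in a hole LiME did not capture."""
    for r in ranges:
        if r.start <= paddr <= r.end:
            return r
    return None


def phys_to_offset(ranges: List[MemRange], paddr: int) -> Optional[int]:
    """File offset holding physical address paddr, or None for uncaptured addresses."""
    r = find_range(ranges, paddr)
    return None if r is None else r.file_offset + (paddr - r.start)


def read_phys(dump: bytes, ranges: List[MemRange], paddr: int, length: int) -> bytes:
    """Read `length` bytes of physical memory, crossing range boundaries but never holes."""
    out = bytearray()
    while len(out) < length:
        cur = paddr + len(out)
        r = find_range(ranges, cur)
        if r is None:
            raise ValueError(f"physical address {cur:#x} was not captured")
        take = min(length - len(out), r.end - cur + 1)
        fo = r.file_offset + (cur - r.start)
        out += dump[fo:fo + take]
    return bytes(out)


def build_sample_dump() -> bytes:
    """Constructed sample: two System RAM ranges separated by an uncaptured hole."""
    def chunk(s: int, e: int, body: bytes) -> bytes:
        assert len(body) == e - s + 1
        return struct.pack(HEADER_FMT, LIME_MAGIC, 1, s, e, b"\0" * 8) + body

    low = chunk(0x1000, 0x1FFF, bytes(range(256)) * 16)          # 4 KiB counting pattern
    high = chunk(0x3000, 0x30FF, b"KERNEL".ljust(256, b"\0"))   # 256 bytes with a marker
    return low + high


SAMPLE_DUMP = build_sample_dump()

if __name__ == "__main__":
    rs = parse_lime(SAMPLE_DUMP)
    for r in rs:
        print(f"{r.start:#012x}-{r.end:#012x}  {r.size:>6} bytes  @ file offset {r.file_offset:#x}")
    print(read_phys(SAMPLE_DUMP, rs, 0x3000, 6))
```

Running it lists the two ranges and reads the marker string back through the address translation. The hole between 0x2000 and 0x2FFF is the point to remember: a tool that treats a format=lime file as a flat raw image will compute wrong offsets for every range after the first, which is exactly why Volatility's Linux address spaces carry a dedicated LiME layer.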
Volatility + Linux =

System Information: linux_dmesg, linux_bash, linux_cpuinfo, linux_dentry_cache, linux_tmpfs, linux_find_file, linux_memmap, linux_mount, linux_mount_cache, linux_slabinfo, linux_iomem, linux_vma_cache, linux_volshell

Process / Module Info: linux_proc_maps, linux_dump_map, linux_psaux, linux_pslist, linux_pslist_cache, linux_pstree, linux_psxview, linux_pidhashtable, linux_lsmod, linux_moddump, linux_lsof

Malware: linux_yarascan, linux_check_syscall, linux_check_idt, linux_check_afinfo, linux_check_creds, linux_check_evt_arm, linux_check_fop, linux_check_tty, linux_check_modules, linux_keyboard_notifier

Networking: linux_arp, linux_ifconfig, linux_netstat, linux_route_cache, linux_pkt_queues, linux_sk_buff_cache

https://code.google.com/p/volatility/wiki/LinuxMemoryForensics
linux_yarascan
linux_bash
Memory Timelining

What is Timeliner?
• Set of Volatility plugins to collect time information from memory artifacts
• Many memory artifacts have embedded timestamps:
  • Processes
  • Threads
  • Portable Executable files (process EXEs, DLLs, and drivers)
  • Network sockets
  • Registry keys
  • Event logs
• Timeliner consolidates artifacts into a delimited file that can be easily converted to a timeline
• Volatility 2.3 is now capable of body file format!
• David Nides submitted a recent patch for Log2Timeline format
Memory Timelining: timeliner

Purpose
• Timeliner collects timestamps from memory artifacts and outputs them in a timeline format

Important Parameters
• Send output to a delimited file (--output-file=file_name) v2.1
• Create output in body file format (--output=body) v2.3
• Log2Timeline output format (pending) v2.4??

Investigative Notes
• Compatible with XP and Win7: automatically adjusts helper plugins
• Output can be voluminous; best practice is to use "--output-file"
• The output is not currently compatible with other timeline formats
• Timeliner can take hours to run; be patient!
• The "-h" help information currently lists many incorrect options
Example Output: Timeliner Processes

Column 1: Creation Time
Column 2: Artifact Type (PROCESS)
Column 3: Process Name
Column 4: Process ID
Column 5: Parent Process ID
Column 6: Exit Time
Column 7: EPROCESS Offset
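Before Volatility 2.3 added --output=body, the delimited file above had to be converted by hand before mactime or another timeline tool would accept it. The script below is an added example for this page, not code from the talk or from Volatility, showing that conversion for the seven-column PROCESS record just described. Two things in it are assumptions rather than facts from the slides: the '|' field delimiter (FIELD_SEP) and the "YYYY-MM-DD HH:MM:SS UTC+0000" timestamp style handled by parse_ts(); adjust both to whatever your Volatility version writes. The target layout is SleuthKit's body-file format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, epoch seconds). The sample rows are constructed and are not from any real case.

```python
"""Convert Volatility timeliner PROCESS records into SleuthKit body-file lines.

Added example; not code from the talk or from Volatility. FIELD_SEP and the
timestamp style are assumptions about timeliner's delimited output. Sample rows
are constructed.
"""
from datetime import datetime, timezone
from typing import List, Optional

FIELD_SEP = "|"                    # assumed delimiter of the --output-file records
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(text: str) -> int:
    """Epoch seconds for a timeliner timestamp; 0 (which mactime ignores) when absent."""
    text = text.strip()
    if not text or text in ("-", "0"):
        return 0
    # Only the leading date/time is parsed; the trailing "UTC+0000" is dropped.
    dt = datetime.strptime(text[:19], TS_FMT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def process_record_to_body(line: str) -> Optional[str]:
    """Body-file line for one PROCESS record, or None for any other artifact type."""
    fields = [f.strip() for f in line.split(FIELD_SEP)]
    # Accept the bare "PROCESS" of the slide table as well as a bracketed "[PROCESS]".
    if len(fields) != 7 or fields[1].strip("[]") != "PROCESS":
        return None
    created, _kind, name, pid, ppid, exited, offset = fields
    crtime = parse_ts(created)
    mtime = parse_ts(exited)          # exit time goes in mtime so both events show in mactime
    inode = int(offset, 16)           # the EPROCESS offset serves as a unique "inode"
    label = f"{name} (PID {pid}, PPID {ppid})"
    # MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
    return f"0|{label}|{inode}|---------------|0|0|0|0|{mtime}|0|{crtime}"


def build_timeline(records: List[str]) -> List[str]:
    """Body-file lines for every PROCESS record, ordered by creation time."""
    body = [b for b in (process_record_to_body(r) for r in records) if b is not None]
    return sorted(body, key=lambda b: int(b.split("|")[10]))


# Constructed sample rows in the slide's column order (not real case data).
SAMPLE_ROWS = [
    "2013-04-01 18:05:40 UTC+0000|[PROCESS]|rund1l32.exe|2288|1032|2013-04-01 18:07:01 UTC+0000|0x81f2a020",
    "2013-04-01 18:03:12 UTC+0000|[PROCESS]|svchost.exe|1032|668|-|0x823c89c8",
    "2013-04-01 18:05:41 UTC+0000|[SOCKET]|2288|4444|TCP|0.0.0.0|0x81d3f5a8",   # other type: skipped
]

if __name__ == "__main__":
    for line in build_timeline(SAMPLE_ROWS):
        print(line)
```

Write the result to a file and feed it to mactime (mactime -b body.txt -d) to get a sorted, human-readable timeline; the look-alike name "rund1l32.exe" in the sample is the kind of entry that stands out once processes are laid out by creation time next to their parent.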
Timeliner Example
Redline Time Wrinkles™
Live Response &
Live Memory Analysis
Old School Batch Scripts
Mandiant Redline “Collector”
Redline Portable Collector
Live Memory Analysis: Who Cares?
• Digital Signature Checks
  • Digital signatures are not carried into memory when a binary is loaded
  • Verification is done using the file certificates stored on disk
• MD5 Whitelisting
  • MD5 hashes of the on-disk copies of memory-mapped files
  • Must have access to the file system
• MemD5 Whitelisting
  • Hashing of the in-memory copy of binaries
  • Requires access to the page file
Narrowing Your Focus with Live Analysis
• Identify "known good" hashes from live memory analysis
• Redline Options: Whitelist Management

Whitelist Filtering: 169 vs. 12 items
Live Memory Analysis with Volatility
• Winpmem
  • Output formats: raw, crash dump, or to stdout
  • Direct analysis of the running kernel (-l switch)
  • Optional write support!
  • https://code.google.com/p/volatility/downloads/list
• Volatility Technology Preview Branch
  • https://code.google.com/p/volatility/wiki/TechPreviewBranch
  • Includes an interactive shell (similar to volshell): the future of Volatility?
Live Analysis with winpmem
Live Response with Volatility
Good Day or Bad Day?
Old School doskey
Memory Carving
Typed Commands: cmdscan & consoles

Purpose
• Scan csrss.exe (XP) and conhost.exe (Win7) for COMMAND_HISTORY and CONSOLE_INFORMATION residue

Important Parameters
• None

Investigative Notes
• Gathering command history and console output can give insight into user / attacker activities
• cmdscan provides information from the command history buffer
• consoles prints commands (inputs) + screen buffer (outputs)
• Plugins can identify data from active and closed sessions
Typed Commands: cmdscan & consoles
Old School pclip
Find pclip.exe at http://unxutils.sourceforge.net/ (or just get infected with Zeus)
Clipboard Contents: clipboard

Purpose
• Extract contents of the Windows clipboard

Important Parameters
• Verbose mode (-v) shows a hex view of the data (necessary if binary data is stored in the clipboard)

Investigative Notes
• Recovers clipboard data for each window station (i.e. console, RDP, Fast User Switching, etc.)
• Works on both XP/2003 and Windows 7/2008 systems
• In some cases the clipboard only holds a pointer to the "clipped" content (e.g. the full path of a copied file)
Clipboard Contents: clipboard
Additional References
• http://gleeda.blogspot.com/2011/04/volatility-14-userassist-plugin.html
• http://gleeda.blogspot.com/2012/09/week-3-of-month-of-volatility-plugins.html
• http://volatility-labs.blogspot.com/2013/05/movp-ii-23-creating-timelines-with.html
• http://cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader
• https://www.mandiant.com/blog/unibody-memory-analysis-introducing-mac-memoryze/
• http://memoryforensics.blogspot.com/2013/06/final-week-of-month-of-volatility.html
• http://volatility-labs.blogspot.com/2013/05/movp-ii-32-linuxandroid-memory.html
• http://holisticinfosec.blogspot.com/2013/03/toolsmith-redline-apt1-and-you-were-all.html
• http://media.blackhat.com/bh-us-11/Butler/BH_US_11_ButlerMurdock_Physical_Memory_Forensics-WP.pdf
• DFIROnline Memory Forensics with Michael Cohen: http://www.youtube.com/watch?v=9aC7yIYwvAY
• http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html
• http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html