Presentation is loading. Please wait.

Presentation is loading. Please wait.

Live Memory Forensics Joe Riggins HBGary Sr. Director of Incidence Response.

Similar presentations


Presentation on theme: "Live Memory Forensics Joe Riggins HBGary Sr. Director of Incidence Response."— Presentation transcript:

1 Live Memory Forensics Joe Riggins HBGary Sr. Director of Incidence Response

2 Introduction Welcome to the Live Memory Forensics class! This is an introduction to live memory forensics It is designed for the investigator who has digital forensic experience, and who has intermediate ability with the Microsoft Windows operating system Copyright 2010

3 Your Instructor is Joe Riggins, Senior Director of Incidence Response for HBGary. Copyright 2010 Introductions

4 Agenda Module 1 – Live Memory Basics Module 2 – Windows Memory Model Module 3 – Live Memory Acquisition Module 4 – Introduction to FastDump Pro Lab 1 – Creating a Memory Dump File using FDPro Module 5 – Webmail Investigation Lab 2 – Creating a New Physical Memory Snapshot Project Lab 3 – Webmail Investigation

5 LIVE MEMORY BASICS Section 1 © 2010 V1.0

6 What is live memory? How to recognize it? How does it work? How is it organized? © 2010 Live Memory Basics

7 What is Live Memory? Live memory is the random access memory ( % of the time) used by the CPU to store data and programs that it manipulates. There are different types of memory… © 2010 The Basics

8 Types of Memory used? RAM (random-access memory): This is the main memory. RAM is volatile memory, which means that it requires power and refresh to maintain its contents. ROM (read-only memory): Systems usually contain some read-only memory that holds instructions for booting up the computer. ROM memory cannot be changed, it is non-volatile. PROM (programmable read-only memory): A PROM is essentially a ROM memory chip which you program out of the factory once. Like ROMs, PROMs are non-volatile. © 2010 The Basics

9 Types of Memory used? EPROM (erasable programmable read-only memory): An EPROM is a special type of PROM that can be erased by exposing it to ultraviolet light. EEPROM (electrically erasable programmable read-only memory): An EEPROM is a special type of PROM that can be erased by a special electrical charge. CMOS (Complimentary Metal Oxide Semiconductor) CMOS usually refers to the non-volatile RAM (NVRAM). © 2010 The Basics

10 Random access memory (RAM) memory is made of a transistor and a capacitor. A good jury description would be a bucket that holds water (the charge). However the bucket has a small hole and constantly loses water. To keep the bucket full, every so often you have to keep pouring water into the bucket, this is called “Refresh”. © 2010 The Basics of RAM

11 The faster the memory loses charge, and the faster it can be recharged, determines the memory speed. © 2010 The Basics of RAM

12 What does RAM look like? © 2010

13 Memory is written one byte at time Power is applied to the two connections, and charges the memory cell © 2010 How RAM works

14 Byte value = © 2010 How RAM works

15 Byte value = © 2010 How RAM works

16 Byte value = © 2010 How RAM works

17 Byte value = © 2010 How RAM works

18 The CPU reads and writes to RAM (technically, the CPU reads and writes to Cache, that then reads and writes to RAM) Every memory location has a unique address This leads us into the murky world of how Microsoft Windows manages memory (more on this later…) © 2010 How RAM works

19 WINDOWS MEMORY MODEL Section 2 © 2010

20 Physical Memory refers to the hardware view of memory Only one view of physical memory Virtual Memory refers to virtualized OS views of memory There can be many different virtual memory spaces Physical Memory vs. Virtual Memory

21 Memory Virtual Memory Physical Memory Memory (RAM) Operating System

22 Why have Virtual Memory? Can provide process memory isolation (security) Allows more “logical” memory by increasing the addressable space (each 32-bit process gets its own 4GB of virtual memory). When combined with paging, can increase the total available memory (more on this later).

23 Total Logical Memory Sum of all virtual memory 2 GB Memory (RAM) 4GB Physical Memory Virtual Memory 6 x 4GB = 24 GB of Logical Memory OS

24 Virtual Memory Layout The upper 2GB * of every Virtual Memory space is reserved for the Windows Kernel to use. It is not accessible to user mode processes. * Note: except with the rarely used /3GB switch 0 GB 4 GB 2 GB Kernel Memory User Memory

25 How 2GB becomes 24GB (or more) The OS utilizes CPU features to create page directories and page tables which can be used to divide physical memory among multiple virtual memory spaces

26 Physical   Virtual Physical Memory Virtual Memory for Process A Virtual Memory for Process B Virtual Memory for Process C Page Directories and Page Tables 0 GB 2 GB 0 GB4 GB 0 GB 4 GB

27 Paging to the hard disk drive (SLOW!) Pagefile.sys What happens when all Physical Memory is used?

28 Paging to Disk When Physical Memory is getting full, the least used pages of memory are written to disk When those pages are needed again, they are read back into Physical Memory and some other pages are written to disk. This is called Swapping. Swapping reduces system performance.

29 Physical  Virtual

30 Memory Dump To get a complete collection of memory you need to collect two pieces: Physical Memory The on-disk pagefile

31 Virtual Memory Allocation Programs can allocate virtual memory dynamically The size can range from a single byte to several GBs (or 8192 GBs in x64 OS versions)

32 How is this tracked? The Windows kernel uses a data structure known as Virtual Address Descriptors (VADs) to track virtual memory allocations Responder™ combines this information with page table data for each process, and displays it in the Memory Map detail panel

33 Memory Block Individual Pages for this Block Block Length Unreferenced Pages Memory Map

34 MEMORY ACQUISITION Section 3 © 2010

35 RAM collection software relies on the host OS Can be subverted Some software more invasive than others Usually load about 10 modules from the operating system © 2010 Basic Acquisition

36 Goal – Be minimally invasive to suspect machine 1.DO NOT acquire RAM to the local system hard drive Invasive – possibly destroy important data 2.Use external thumb drive – (USB Mass Storage Device) 3.Image the RAM to sterile media Freshly wiped drive preferably with all zeros. Reformat the drive to NTFS FAT32 file system has 2GB file size limitation FDPro cannot split up the file into chunks Generate MD-5 hash at time of collection – save with memory image Used to verify integrity of file to that point in time. © 2010 Memory Acquisition Methodology

37 Software creates a “smear” image Not a “true” duplicate image This process is not reproducible In order to create a “true” image Hardware is required Virtualization can “pause” the processor Crash Dump Hibernation file (hiberfil.sys) © 2010 Acquiring Memory

38 Software used to dump physical RAM HBGary FastDump™ and FastDump™ Pro Fastdump (free) Windows 2000 – 2008 Server, Windows 7 32-bit 6GB maximum file size FastDump™ Pro Windows 2000 – 2008 Server, Windows and 64-bit 64GB+ tested maximum file size © 2010 Acquiring Memory

39 When collecting the tools to image live memory, you need to anticipate the likely possibilities of what you will encounter on the source end. 1.Will your imaging tool run on the source computer (the computer where you want to image the live memory)? 2.Will the destination storage device be recognized by the source computer? Can you save the image on a storage device? © 2010 Preparing to Image

40 Is there a way to run FastDump Pro? USB 1.1, 2.0 or 3.0 port Place FastDump Pro on a USB storage device such as a thumb drive, or external USB hard drive. CD/DVD-ROM drive Place FastDump Pro on a CD/DVD-ROM. It does not have to be bootable. © 2010

41 Preparing to Image Is there a way to run FastDump Pro? FireWire port – 400/800 Place FastDump Pro on a external FireWire hard drive PCMCIA or CardBus port Place FastDump Pro on a CardBus flash card or hard drive. There are several cards that use a Compact Flash media card for storage. © 2010

42 Preparing to Image Does it have a way to attach a storage device for memory dumping? The amount of storage should be 10-15% larger than the biggest amount of memory you expect the computer to have. In today’s world (the year 2012) 8GBs is safe. Keep in mind you should have something that has more than 8GBs to call on when needed. Speed can also be an issue Thumb drives can be slow © 2010

43 Preparing to Image Windows does not create files larger than 4GBs on Windows 2000 or Windows XP operating systems using FAT32. FAT32 has a limit of 4GBs for a single file Format your destination drive with NTFS if possible. Carry a second drive with FAT32 formatting © 2010

44 Preparing to Image Buy a moderately fast USB 4-8GB thumb drive. It should conform to the USB Mass Storage specification. Format it with NTFS and place FDPro.exe on it. © 2010

45 FASTDUMP PRO Section 4 © 2010

46 FastDump Pro™ (FDPro™) is a command-line based memory dumping utility that comes packaged with both the Responder™ Professional and the Responder™ Field products. A copy of FDPro.exe is located in the FastDump folder in the directory where Responder™ is installed on the local hard drive. © 2010 FastDump™ Pro

47 FDPro™ supports: all versions of the Windows™ operating systems and service packs (2000, XP, 2003, Vista, 2008 Server, 7) 32- and 64-bit, including systems with more than 4GBs of RAM (up to 64GBs of RAM). acquisition of the Windows™ pagefile included with the acquisition of RAM. a variety of memory probing features that can assist with malware analysis. © 2010 FastDump™ Pro

48 To peform a RAM dump: Command: fdpro.exe c:\memdump.bin Action: FDPro.exe acquires the local system physical memory to the file c:\memdump.bin in literal/standard.bin format using the default 1MB read/write sizes. Command: fdpro.exe c:\memdump.bin –strict Action: FDPro.exe acquires the local system physical memory to the file c:\memdump.bin in literal/standard.bin format using the strict 4kb read/write sizes. © 2010 FastDump™ Pro

49 To perform a RAM and Pagefile dump: Command: fdpro.exe c:\memdump.hpak Action: FDPro.exe acquires the local system memory into the HPAK archive file c:\memdump.hpak using the default 1MB read/write sizes Command: fdpro.exe c:\memdump.hpak –strict Action: FDPro.exe acquires the local system memory into the HPAK archive file c:\memdump.hpak using the strict 4kb read/write sizes © 2010 FastDump™ Pro

50 The goal of Process Probe is to force all executable code into RAM for one or all processes on the system. This includes code that is swapped out to the Pagefile.sys, and code still contained in the executable on disk but not in use. This code is called into RAM prior to the acquisition of physical memory. Goal of Process Probe

51 Because Process Probe provides the investigator with a more accurate and complete picture of the executable code and the data. The process probe feature allows the investigator to control what memory is “paged-in” to RAM from SWAP and the File System before FDPro performs RAM acquisition. The Probe feature even forces code from the file system into RAM for a specific process. Why Process Probe?

52 User Process Probe during any LIVE network intrusion investigation, malware analysis case, or computer forensic investigation where the running applications on the computer could play a role. Applications include: Instant messengers IP telephony Internet browsers Malware Encryption applications Databases Media players Encrypted data Passwords Unencrypted chat sessions Documents s Internet searches Internet postings Password protected websites

53 Probe Smart When using the –probe smart feature, FDPro.exe walks the entire process list and makes sure all code is called into RAM, resulting in the ability to recover almost 100% of the user-land process memory by causing these pages to be activated and paged-in on the fly.

54 Forensic best practices dictate that an investigator or analyst should always acquire RAM and Pagefile without running the - Probe Feature. After freezing the current state of RAM, the investigator/analyst should run FDPro again using the -probe Feature. Even when grabbing the pagefile, the -probe feature forces unused code from the file system into RAM. Process Probe Best Practices

55 Example steps: 1.Arrive at server or workstation suspected in the computer incident or forensic investigation 2.Collect RAM to “freeze the runtime state of the machine”. This is a full RAM image with Pagefile If you’re doing any sort of malware analysis, Reverse Engineering, or know for a fact that you will never have to use the RAM acquisition in litigation, then you can go ahead and probe –smart on your very first image to save you time. Note: This technique instruments a larger footprint in RAM than only performing a memory acquisition.

56 Process Probe Commands To probe processes into memory and RAM: Command: fdpro.exe c:\memdump.bin –probe all Action: fdpro.exe probes all processes into memory before acquiring the local system memory into the file c:\memdump.bin Command: fdpro.exe c:\memdump.bin –probe smart Action: fdpro.exe probes only user processes into memory before acquiring the local system memory into the file c:\memdump.bin Command: fdpro.exe c:\memdump.bin –probe pid 123 Action: fdpro.exe probes process with PID 123 into memory before acquiring the local system memory into the file c:\memdump.bin © 2010

57 FastDump to Local VMware Drive Take a snapshot to the local hard drive C:\fdpro.exe c:\RAMdump.bin Copy (using drag-and-drop) from VMware Field option – take snapshot to USB drive Add USB controller via Hardware Panel if needed No perturbation of the local hard drive

58 Complete Lab Exercises 1 & 2 30 minutes to complete lab exercises © 2010 Lab Exercise

59 WEB MAIL INVESTIGATION Section 5 © 2010

60 Goal: Identify artifacts that lead you to other pieces of information Finding bread crumbs, then following the bread crumbs… Investigating Applications

61 © 2010 Analyzing Applications Try to find objects and artifacts that tell you: Who, What, Where, When, Why, How

62 Investigation Preparation Who? Names of People addresses What? Project Names Filenames File format(s) Usernames Passwords When? Dates Times Where? Domains URLs How? Carefully create a search term list Spending time up front can save lots of time on the back end

63 © 2010 Analyzing Applications Approach: Knowledge is helpful… Google: “skype” What is it? How is it used? How does it work? Why is my suspect using it? Is there data in memory that might not be available by performing disk based forensics?

64 © 2010 Analyzing Applications Create a list of things you know Names involved in the investigation Domain names Project names Filenames Websites Applications in question Office applications Internet browser Encryption Chat

65 © 2010 Web Mail Start with the browsers… Internet Explorer Firefox Opera Google Chrome

66 © 2010 Web Mail Then go to browser artifacts Web sites visited Files downloaded Dates and timestamps

67 © 2010 Web Mail Things to consider Web server applications act differently Gmail stores passwords differently than hushmail.

68 Search terms that can be @hushmail.com Attachment &passwd= &login= messageID= © 2010 Web Mail

69 More… Mail applications Chat Applications Names of Webmail Services addresses Passwords Content of s Dates & Time Stamps Web Sites Visited – History Attachments Webmail Considerations

70 First Steps - Browse and collect Browse the list of processes and applications running… Do I see internet browsers? Yes. Do I see any instant messenger applications? Do I see any other applications that might be useful for my investigation? Add Artifacts to your Report Export to excel Right click send to report Initial Triage

71 Focus: Intellectual Property Investigation Type: Private data sent via Description: Search for indications of files, addresses, and other related info to the data theft. © 2010 Web Mail

72 Beginning a search based on suspicion Press release from competitor having similar data Searching for private content What do we search for? Understanding search hits Process name/module/unidentified Adding webmail data/artifacts to the report © 2010 The Scenario

73 Beginning a search based on suspicion Press release from competitor having similar data FIRST - Search for content we know We know we are looking for “Pluripotent” Searching for addresses to corroborate suspicion Search terms gmailchat= Understanding search hits Process name/module/unidentified SECOND - Search for content we learn Adding webmail data/artifacts to the report © 2010 Searching

74 Complete Lab Exercise 3 30 minutes to complete lab exercises © 2010 Lab Exercise


Download ppt "Live Memory Forensics Joe Riggins HBGary Sr. Director of Incidence Response."

Similar presentations


Ads by Google