Joe Riggins HBGary Sr. Director of Incident Response

Presentation on theme: "Joe Riggins HBGary Sr. Director of Incident Response"— Presentation transcript:

1 Live Memory Forensics
Joe Riggins, HBGary Sr. Director of Incident Response

2 Introduction Welcome to the Live Memory Forensics class!
This is an introduction to live memory forensics. It is designed for the investigator who has digital forensic experience and intermediate ability with the Microsoft Windows operating system. Copyright 2010

3 Introductions Your instructor is Joe Riggins, Senior Director of Incident Response for HBGary. Copyright 2010

4 Agenda
Module 1 – Live Memory Basics
Module 2 – Windows Memory Model
Module 3 – Live Memory Acquisition
Module 4 – Introduction to FastDump Pro
Lab 1 – Creating a Memory Dump File using FDPro
Module 5 – Webmail Investigation
Lab 2 – Creating a New Physical Memory Snapshot Project
Lab 3 – Webmail Investigation

5 Section 1 Live Memory Basics © 2010 V1.0

6 Live Memory Basics What is live memory? How do you recognize it?
How does it work? How is it organized? Recognize memory chips… different types… © 2010

7 The Basics What is Live Memory?
Live memory is the random access memory ( % of the time) used by the CPU to store data and programs that it manipulates. There are different types of memory… Memory is fast, the hard disk is slow. RAM is a volatile location to store and cache data so it doesn’t have to be read from or written to the disk; it holds the running state of the computer. Without RAM, the machine would run as fast as a computer from 1982… © 2010

8 The Basics Types of Memory used?
RAM (random-access memory): This is the main memory. RAM is volatile memory, which means that it requires power and refresh to maintain its contents.
ROM (read-only memory): Systems usually contain some read-only memory that holds instructions for booting up the computer. ROM memory cannot be changed; it is non-volatile.
PROM (programmable read-only memory): A PROM is essentially a ROM memory chip which you program once, after it leaves the factory. Like ROMs, PROMs are non-volatile.
RAM – main memory – the operating state. ROM – BIOS, set at the factory and can’t be changed; holds the instructions that make the video card run… PROM – older tech… you can only write to it once, and it is very difficult to erase. © 2010

9 The Basics Types of Memory used?
EPROM (erasable programmable read-only memory): An EPROM is a special type of PROM that can be erased by exposing it to ultraviolet light.
EEPROM (electrically erasable programmable read-only memory): An EEPROM is a special type of PROM that can be erased by a special electrical charge.
CMOS (Complementary Metal Oxide Semiconductor): CMOS usually refers to the non-volatile RAM (NVRAM).
EPROM is the most common – erased with very intense ultraviolet light, which takes a long time. EEPROM – put current through it to erase. The BIOS initializes the system: turn the PC on and the boot screen says Dell, Gateway, etc. while it activates the components of the system. Malware can put itself in the BIOS. CMOS – requires a battery; it needs an electric charge or it loses its state. It keeps the settings the motherboard uses. © 2010

10 The Basics of RAM Random access memory (RAM) is made of a transistor and a capacitor. A good jury description would be a bucket that holds water (the charge). However, the bucket has a small hole and constantly loses water. To keep the bucket full, every so often you have to keep pouring water into the bucket; this is called “Refresh”: constantly filling it with a charge. Overclocking sites… the faster you refresh, the faster the memory runs. © 2010

11 The Basics of RAM How fast the memory loses charge, and how fast it can be recharged, determines the memory speed. You can get errors in memory if you overclock it. © 2010

12 What does RAM look like? © 2010

13 How RAM works Memory is written one byte at a time.
Power is applied to the two connections and charges the memory cell. © 2010

14 How RAM works Byte value = 10010101 (shown as a grid of eight cells, one per bit: 1 0 0 1 0 1 0 1)
A grid of information that gets electrically set © 2010

15–17 How RAM works Byte value = [figure: bit grids for further byte values] © 2010

18 How RAM works The CPU reads and writes to RAM (technically, the CPU reads and writes to cache, which then reads and writes to RAM). Every memory location has a unique address. This leads us into the murky world of how Microsoft Windows manages memory (more on this later…). Cache is even faster, but much more expensive, so there is only a small amount of cache close to the CPU. © 2010

19 Section 2 Windows Memory Model © 2010

20 Physical Memory vs. Virtual Memory
Physical Memory refers to the hardware view of memory; there is only one view of physical memory. Virtual Memory refers to virtualized OS views of memory; there can be many different virtual memory spaces. Phys mem – a limited amount of memory on the chip. The system can’t run on a low amount of phys mem.

21 Memory [figure: Virtual Memory, Physical Memory (RAM), Operating System]

22 Why have Virtual Memory?
Can provide process memory isolation (security). Allows more “logical” memory by increasing the addressable space (each 32-bit process gets its own 4GB of virtual memory). When combined with paging, can increase the total available memory (more on this later). Each process has its own VM space. Crashes… without isolation, one program can bring down the whole machine.

23 Total Logical Memory Sum of all virtual memory [figure: 2 GB of physical memory (RAM); six 4GB virtual memory spaces, 6 x 4GB = 24 GB of logical memory; OS] Not all of the 4GB range is used. Some

24 Virtual Memory Layout [figure: 0 GB – 2 GB User Memory, 2 GB – 4 GB Kernel Memory] The upper 2GB* of every Virtual Memory space is reserved for the Windows Kernel to use. It is not accessible to user mode processes. * Note: except with the rarely used /3GB switch. The kernel is global to all processes and doesn’t need to change in virtual memory. Each process is allocated 2GB of VM.

25 How 2GB becomes 24GB (or more)
The OS utilizes CPU features to create page directories and page tables which can be used to divide physical memory among multiple virtual memory spaces

26 Physical → Virtual [figure: Physical Memory is mapped through Page Directories and Page Tables into the Virtual Memory for Process A, Process B and Process C, each spanning 0 GB – 2 GB – 4 GB] This process has all of these pages.
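The page-directory and page-table mechanism of slides 22 to 26, as an added Python illustration that is not part of the course material: two-level 32-bit translation over constructed tables, showing the same virtual address landing on different physical frames in two processes, a page that is allocated but not present, the kernel half of slide 24, and the logical-memory arithmetic of slide 23.

```python
"""Two-level x86 paging (32-bit, 4KB pages, no PAE) as a worked example of how
page directories and page tables hand each process its own 4GB virtual space
out of a smaller pool of physical frames. Added illustration for this course
page; the table contents below are constructed, not taken from any dump."""

PAGE_MASK = 0xFFF
PRESENT = 0x1               # bit 0 of a PDE/PTE: the page is in RAM right now
KERNEL_BASE = 0x80000000    # upper 2GB of every space belongs to the kernel

def split_vaddr(vaddr):
    """32-bit virtual address -> (page-directory index, page-table index, offset)."""
    return (vaddr >> 22) & 0x3FF, (vaddr >> 12) & 0x3FF, vaddr & PAGE_MASK

def is_kernel_space(vaddr):
    """User-mode code cannot touch the kernel half (ignoring the /3GB switch)."""
    return vaddr >= KERNEL_BASE

class Process:
    """One process: a page directory {PD index: page table}, where a page table
    is {PT index: PTE} and a PTE is (physical frame base | flag bits)."""
    def __init__(self, name, page_dir):
        self.name = name
        self.page_dir = page_dir

    def translate(self, vaddr):
        """Virtual -> physical address, or None if the page is not resident."""
        pdi, pti, off = split_vaddr(vaddr)
        table = self.page_dir.get(pdi)
        if table is None:
            return None                 # no page table: region never allocated
        pte = table.get(pti, 0)
        if not pte & PRESENT:
            return None                 # allocated but paged out (or never touched)
        return (pte & ~PAGE_MASK) | off

# Constructed layouts: both processes use virtual 0x00400000-0x00401FFF, but the
# page tables send them to different physical frames; B's second page is on disk.
proc_a = Process("A", {1: {0: 0x00123000 | PRESENT, 1: 0x00124000 | PRESENT}})
proc_b = Process("B", {1: {0: 0x00456000 | PRESENT, 1: 0x00457000}})

def logical_memory_gb(process_count, space_gb=4):
    """Slide 23's arithmetic: six 4GB spaces give 24GB of logical memory."""
    return process_count * space_gb
```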

27 What happens when all Physical Memory is used?
Paging to the hard disk drive (SLOW!) – Pagefile.sys

28 Paging to Disk When Physical Memory is getting full, the least used pages of memory are written to disk. When those pages are needed again, they are read back into Physical Memory and some other pages are written to disk. This is called Swapping. Swapping reduces system performance. Windows tracks the least used pages… there are 2 operations on the hard drive when a page is read back from disk.

29 Physical → Virtual [figure]

30 Memory Dump To get a complete collection of memory you need to collect two pieces: Physical Memory and the on-disk pagefile. FDPro is the only tool that allows you to collect the pagefile. Memory is highly volatile…

31 Virtual Memory Allocation
Programs can allocate virtual memory dynamically. The size can range from a single byte to several GBs (or 8192 GBs in x64 OS versions). 32-bit user-mode apps allocate within 2GBs.

32 How is this tracked? The Windows kernel uses a data structure known as Virtual Address Descriptors (VADs) to track virtual memory allocations. Responder™ combines this information with page table data for each process, and displays it in the Memory Map detail panel.

33 Memory Map [figure labels: Memory Block; Individual Pages for this Block; Block Length; Unreferenced Pages] Unidentified – allocated memory for which we don’t have a name

34 Section 3 Memory Acquisition © 2010

35 Basic Acquisition RAM collection software relies on the host OS
It can be subverted. Some software is more invasive than others; it usually loads about 10 modules from the operating system. © 2010

36 Memory Acquisition Methodology
Goal – Be minimally invasive to the suspect machine
DO NOT acquire RAM to the local system hard drive – invasive; possibly destroys important data
Use an external thumb drive (USB Mass Storage Device)
Image the RAM to sterile media – a freshly wiped drive, preferably with all zeros
Reformat the drive to NTFS – the FAT32 file system has a 2GB file size limitation, and FDPro cannot split up the file into chunks
Generate an MD5 hash at the time of collection – save it with the memory image; it is used to verify the integrity of the file to that point in time. © 2010
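The methodology checks on this slide as an added Python example, not FDPro or HBGary code: a preflight of the destination media against the course's rules, and a hash record written beside the image at collection time and verified later. The 4GB FAT32 limit and the 10-15% headroom figure come from the later “Preparing to Image” slides; file names and sample bytes are constructed.

```python
"""Acquisition preflight and integrity record for a memory image: never image to
the suspect's own disk, prefer NTFS over FAT32, hash at collection time and keep
the hash with the image. Added example; limits are the course's, files constructed."""
import hashlib, json, os, tempfile, time

FAT32_MAX_FILE = 4 * 1024 ** 3   # single-file ceiling quoted on slide 43
HEADROOM = 1.15                  # destination 10-15% larger than the image

def preflight(fs_type, free_bytes, ram_bytes, pagefile_bytes=0, is_local_disk=False):
    """Return a list of problems with the planned destination; [] means go."""
    problems = []
    image_size = ram_bytes + pagefile_bytes
    if is_local_disk:
        problems.append("destination is the suspect system's own disk; use external media")
    if fs_type.upper() == "FAT32" and image_size > FAT32_MAX_FILE:
        problems.append("FAT32 cannot hold a %d-byte image as one file; use NTFS" % image_size)
    if free_bytes < image_size * HEADROOM:
        problems.append("need %d bytes free, only %d available"
                        % (int(image_size * HEADROOM), free_bytes))
    return problems

def hash_file(path, algo="md5", chunk=1024 * 1024):
    """Stream the image through the hash; images are far too big to read whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_hash(image_path):
    """Write <image>.hash.json beside the image at collection time: MD5 as the
    course requires, plus SHA-256 because MD5 collisions are cheap today."""
    rec = {"image": os.path.basename(image_path),
           "md5": hash_file(image_path),
           "sha256": hash_file(image_path, "sha256"),
           "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    with open(image_path + ".hash.json", "w") as f:
        json.dump(rec, f, indent=2)
    return rec

def verify(image_path):
    """Re-hash the image and compare with the record saved at collection."""
    with open(image_path + ".hash.json") as f:
        rec = json.load(f)
    return (hash_file(image_path) == rec["md5"]
            and hash_file(image_path, "sha256") == rec["sha256"])

def demo(tmpdir=None):
    """Constructed image: record, verify, then flip one byte and verify again."""
    path = os.path.join(tmpdir or tempfile.mkdtemp(), "memdump.bin")
    with open(path, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed sample memory image")
    rec = record_hash(path)
    ok_before = verify(path)
    with open(path, "r+b") as f:
        f.seek(4096)
        f.write(b"X")            # a single altered byte must fail verification
    return rec["md5"], ok_before, verify(path)
```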

37 Acquiring Memory Software creates a “smear” image
Not a “true” duplicate image; this process is not reproducible. In order to create a “true” image, hardware is required. Alternatives: virtualization can “pause” the processor; a crash dump; the hibernation file (hiberfil.sys). © 2010

38 Acquiring Memory Software used to dump physical RAM
HBGary FastDump™ and FastDump™ Pro
FastDump (free): Windows 2000 – 2008 Server, Windows 7 32-bit; 6GB maximum file size
FastDump™ Pro: 32- and 64-bit; 64GB+ tested maximum file size © 2010

39 Preparing to Image When collecting the tools to image live memory, you need to anticipate the likely possibilities of what you will encounter on the source end. Will your imaging tool run on the source computer (the computer where you want to image the live memory)? Will the destination storage device be recognized by the source computer? Can you save the image on a storage device? © 2010

40 Preparing to Image Is there a way to run FastDump Pro?
USB 1.1, 2.0 or 3.0 port – Place FastDump Pro on a USB storage device such as a thumb drive or external USB hard drive.
CD/DVD-ROM drive – Place FastDump Pro on a CD/DVD-ROM. It does not have to be bootable.
1. The USB drive needs to be as large as the memory you are saving. If you are going to save the swap cache or hibernation file you will need more storage. Figure 4-8 GB for live memory and for the other files. This may be a little overkill, but better safe than sorry.
2. Use your favorite CD-ROM software to create a CD-ROM (or DVD-ROM). Do not use CD or DVD read/write disks (CD-RW or DVD-RW). Also, with DVD use DVD-R and not DVD+R disks. DVD-R is far more compatible and works best for digital data.
3. A 1.44 Megabyte floppy will work in 2.88 MByte floppy drives and in 120 MByte SuperFloppy drives, BUT NOT in older 720 KB drives, which you should never see today.
4. SATA can be used on some systems, but this causes a larger footprint in memory. So if you have to, you can use a SATA drive formatted with FAT32 with FDPro on it. The FAT32 partition will use less memory than an NTFS formatted drive would. © 2010

41 Preparing to Image Is there a way to run FastDump Pro?
FireWire port – 400/800: Place FastDump Pro on an external FireWire hard drive.
PCMCIA or CardBus port: Place FastDump Pro on a CardBus flash card or hard drive. There are several cards that use a CompactFlash media card for storage.
1. Just for the sake of that “rare but can happen” incident, try to use an external USB drive that has both USB 2 and FireWire (and throw in SATA if you want) connections.
2. There are any number of CardBus adapters for CompactFlash memory to CardBus slots available. Then use a CompactFlash memory card of 2-4 GB. © 2010

42 Preparing to Image Does it have a way to attach a storage device for memory dumping? The amount of storage should be 10-15% larger than the biggest amount of memory you expect the computer to have. In today’s world (the year 2012) 8GBs is safe. Keep in mind you should have something with more than 8GBs to call on when needed. Speed can also be an issue: thumb drives can be slow. Have more free space on the storage drive than the memory size. © 2010

43 Preparing to Image Windows does not create files larger than 4GBs on Windows 2000 or Windows XP operating systems using FAT32; FAT32 has a limit of 4GBs for a single file. Format your destination drive with NTFS if possible. Carry a second drive with FAT32 formatting. © 2010

44 Preparing to Image Buy a moderately fast USB 4-8GB thumb drive. It should conform to the USB Mass Storage specification. Format it with NTFS and place FDPro.exe on it. © 2010

45 Section 4 FastDump Pro © 2010

46 FastDump™ Pro FastDump Pro™ (FDPro™) is a command-line based memory dumping utility that comes packaged with both the Responder™ Professional and the Responder™ Field products. A copy of FDPro.exe is located in the FastDump folder in the directory where Responder™ is installed on the local hard drive. © 2010

47 FastDump™ Pro FDPro™ supports:
all versions of the Windows™ operating systems and service packs (2000, XP, 2003, Vista, 2008 Server, 7), 32- and 64-bit, including systems with more than 4GBs of RAM (up to 64GBs of RAM);
acquisition of the Windows™ pagefile included with the acquisition of RAM;
a variety of memory probing features that can assist with malware analysis. © 2010

48 FastDump™ Pro To perform a RAM dump:
Command: fdpro.exe c:\memdump.bin
Action: FDPro.exe acquires the local system physical memory to the file c:\memdump.bin in literal/standard .bin format using the default 1MB read/write sizes.
Command: fdpro.exe c:\memdump.bin -strict
Action: FDPro.exe acquires the local system physical memory to the file c:\memdump.bin in literal/standard .bin format using the strict 4kb read/write sizes. © 2010

49 FastDump™ Pro To perform a RAM and Pagefile dump:
Command: fdpro.exe c:\memdump.hpak
Action: FDPro.exe acquires the local system memory into the HPAK archive file c:\memdump.hpak using the default 1MB read/write sizes.
Command: fdpro.exe c:\memdump.hpak -strict
Action: FDPro.exe acquires the local system memory into the HPAK archive file c:\memdump.hpak using the strict 4kb read/write sizes. © 2010

50 Goal of Process Probe The goal of Process Probe is to force all executable code into RAM for one or all processes on the system. This includes code that is swapped out to Pagefile.sys, and code still contained in the executable on disk but not in use. This code is called into RAM prior to the acquisition of physical memory.

51 Why Process Probe? Because Process Probe provides the investigator with a more accurate and complete picture of the executable code and the data. The Process Probe feature allows the investigator to control what memory is “paged-in” to RAM from swap and the file system before FDPro performs RAM acquisition. The probe feature even forces code from the file system into RAM for a specific process.

52 Why Process Probe? Use Process Probe during any LIVE network intrusion investigation, malware analysis case, or computer forensic investigation where the running applications on the computer could play a role. Applications include: instant messengers, IP telephony, Internet browsers, malware, encryption applications, databases, media players. Artifacts include: encrypted data, passwords, unencrypted chat sessions, documents, emails, Internet searches, Internet postings, password protected websites.

53 Probe Smart When using the -probe smart feature, FDPro.exe walks the entire process list and makes sure all code is called into RAM, resulting in the ability to recover almost 100% of the user-land process memory by causing these pages to be activated and paged-in on the fly.

54 Process Probe Best Practices
Forensic best practices dictate that an investigator or analyst should always acquire RAM and the pagefile without running the -probe feature. After freezing the current state of RAM, the investigator/analyst should run FDPro again using the -probe feature. Even when grabbing the pagefile, the -probe feature forces unused code from the file system into RAM.

55 Process Probe Best Practices
Example steps:
1. Arrive at the server or workstation suspected in the computer incident or forensic investigation.
2. Collect RAM to “freeze the runtime state of the machine”. This is a full RAM image with pagefile.
If you’re doing any sort of malware analysis or reverse engineering, or know for a fact that you will never have to use the RAM acquisition in litigation, then you can go ahead and -probe smart on your very first image to save time. Note: This technique leaves a larger footprint in RAM than only performing a memory acquisition.

56 Process Probe Commands
To probe processes into memory and RAM:
Command: fdpro.exe c:\memdump.bin -probe all
Action: fdpro.exe probes all processes into memory before acquiring the local system memory into the file c:\memdump.bin
Command: fdpro.exe c:\memdump.bin -probe smart
Action: fdpro.exe probes only user processes into memory before acquiring the local system memory into the file c:\memdump.bin
Command: fdpro.exe c:\memdump.bin -probe pid 123
Action: fdpro.exe probes the process with PID 123 into memory before acquiring the local system memory into the file c:\memdump.bin © 2010

57 FastDump to Local VMware Drive
Take a snapshot to the local hard drive: C:\fdpro.exe c:\RAMdump.bin
Copy (using drag-and-drop) from VMware
Field option – take the snapshot to a USB drive; add a USB controller via the Hardware panel if needed. No perturbation of the local hard drive.

58 Lab Exercise Complete Lab Exercises 1 & 2
30 minutes to complete lab exercises © 2010

59 Section 5 Web Mail Investigation © 2010

60 Investigating Applications
Goal: Identify artifacts that lead you to other pieces of information Finding bread crumbs, then following the bread crumbs…

61 Analyzing Applications
Try to find objects and artifacts that tell you: Who, What, Where, When, Why, How © 2010

62 Investigation Preparation
Who? Names of people, email addresses
What? Project names, filenames, file format(s), usernames, passwords
When? Dates, times
Where? Domains, URLs
How? Carefully create a search term list. Spending time up front can save lots of time on the back end.

63 Analyzing Applications
Approach: Knowledge is helpful… Google: “skype” What is it? How is it used? How does it work? Why is my suspect using it? Is there data in memory that might not be available by performing disk based forensics? © 2010

64 Analyzing Applications
Create a list of things you know: names involved in the investigation, domain names, project names, filenames, websites. Applications in question: office applications, Internet browser, encryption, chat. © 2010

65 Web Mail Start with the browsers… Internet Explorer, Firefox, Opera, Google Chrome © 2010

66 Web Mail Then go to browser artifacts: web sites visited, files downloaded, dates and timestamps © 2010

67 Web Mail Things to consider: Web server applications act differently. Gmail stores passwords differently than Hushmail. © 2010

68 Web Mail Search terms that can be used: Attachment, &passwd=, &login=, messageID= © 2010

69 Webmail Considerations
More… Mail applications, chat applications, names of webmail services, email addresses, passwords, content of emails, dates & time stamps, web sites visited – history, attachments

70 Initial Triage First Steps - Browse and collect
Browse the list of processes and applications running… Do I see Internet browsers? Yes. Do I see any instant messenger applications? Do I see any other applications that might be useful for my investigation? Add artifacts to your report: export to Excel, or right-click and send to report.

71 Web Mail Focus: Intellectual Property Investigation
Type: Private data sent via email. Description: Search for indications of files, email addresses, and other info related to the data theft. © 2010

72 The Scenario Beginning a search based on suspicion: a press release from a competitor having similar data. Searching for private content: what do we search for? Understanding search hits: process name/module/unidentified. Adding webmail data/artifacts to the report. © 2010

73 Searching Beginning a search based on suspicion: a press release from a competitor having similar data.
FIRST – Search for content we know. We know we are looking for “Pluripotent”. Searching for email addresses to corroborate the suspicion; search term: gmailchat=. Understanding search hits: process name/module/unidentified.
SECOND – Search for content we learn. Adding webmail data/artifacts to the report. © 2010
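A string sweep for the search terms on this slide and on slide 68, as an added Python example that is not Responder's search feature: it scans a raw image for the terms in both ASCII and UTF-16LE, reports each hit with its offset, encoding and surrounding context, and masks any passwd= value so the report records where a credential sat rather than what it was. The image bytes are constructed.

```python
"""Keyword sweep over a raw memory image for the webmail search terms on slides
68 and 73 (&login=, &passwd=, messageID=, gmailchat=, and a project word such
as "Pluripotent"). Added example, not Responder code: Windows keeps many strings
as UTF-16, so each term is matched as ASCII and as UTF-16LE. Sample bytes are
constructed."""
import re

DEFAULT_TERMS = ["&login=", "&passwd=", "messageID=", "gmailchat=", "Pluripotent"]

def build_pattern(terms):
    """One regex matching every term as ASCII or UTF-16LE, case-insensitive."""
    alts = []
    for t in terms:
        alts.append(re.escape(t.encode("ascii")))
        alts.append(re.escape(t.encode("utf-16-le")))
    return re.compile(b"|".join(alts), re.IGNORECASE)

def mask_secret(text):
    """Record where a passwd= field sits, never what it contained."""
    return re.sub(r"(passwd=)[^&\s\x00]*", r"\1***", text, flags=re.IGNORECASE)

def sweep(image, terms=DEFAULT_TERMS, context=64):
    """Return [(offset, encoding, term, context)] for every hit, in image order.
    context is even so UTF-16 slices stay aligned with the matched string."""
    hits = []
    for m in build_pattern(terms).finditer(image):
        raw = m.group(0)
        enc = "utf-16le" if b"\x00" in raw else "ascii"
        codec = "utf-16-le" if enc == "utf-16le" else "latin-1"
        start = max(0, m.start() - context)
        end = min(len(image), m.end() + context)
        ctx = image[start:end].decode(codec, errors="replace")
        hits.append((m.start(), enc, raw.decode(codec), mask_secret(ctx)))
    return hits

# Constructed sample: an ASCII login POST fragment, a UTF-16LE cookie fragment
# holding a gmailchat= value, and a document title, separated by filler bytes.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"POST /login HTTP/1.1 ... user=sample.user&login=sample.user&passwd=samplepass&x=1"
    + b"\xcc" * 40
    + "Cookie: gmailchat=sample.user@example.test/123456".encode("utf-16-le")
    + b"\xff" * 17
    + b"Project Pluripotent Q3 results.docx"
    + b"\x00" * 32
)
```

Each hit's offset can be mapped back to a process, module or unidentified region with the memory map, which is the "understanding search hits" step on the slide.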

74 Lab Exercise Complete Lab Exercise 3
30 minutes to complete lab exercises © 2010
