Live Memory Forensics. Joe Riggins, HBGary Sr. Director of Incident Response (presentation transcript)
Introduction: Welcome to the Live Memory Forensics class! This is an introduction to live memory forensics. It is designed for the investigator who has digital forensic experience and intermediate ability with the Microsoft Windows operating system. Copyright 2010
Introductions: Your instructor is Joe Riggins, Senior Director of Incident Response for HBGary.
Agenda
Module 1 – Live Memory Basics
Module 2 – Windows Memory Model
Module 3 – Live Memory Acquisition
Module 4 – Introduction to FastDump Pro
Lab 1 – Creating a Memory Dump File using FDPro
Module 5 – Webmail Investigation
Lab 2 – Creating a New Physical Memory Snapshot Project
Lab 3 – Webmail Investigation
Physical Memory vs. Virtual Memory: Physical memory refers to the hardware view of memory; there is only one view of physical memory. Virtual memory refers to the virtualized views of memory that the OS presents; there can be many different virtual memory spaces.
[Figure: Virtual Memory, mapped by the Operating System onto Physical Memory (RAM)]
Why have Virtual Memory? It can provide process memory isolation (security). It allows more "logical" memory by increasing the addressable space (each 32-bit process gets its own 4GB of virtual memory). When combined with paging, it can increase the total available memory (more on this later).
Total Logical Memory: the sum of all virtual memory. [Figure: 2 GB of physical memory (RAM) behind six 4GB virtual memory spaces: 6 x 4GB = 24 GB of logical memory]
Virtual Memory Layout: The upper 2GB * of every virtual memory space is reserved for the Windows kernel to use. It is not accessible to user mode processes. * Note: except with the rarely used /3GB switch. [Figure: 0 GB to 2 GB User Memory, 2 GB to 4 GB Kernel Memory]
How 2GB becomes 24GB (or more): The OS utilizes CPU features to create page directories and page tables, which are used to divide physical memory among multiple virtual memory spaces.
[Figure: Physical Memory (0 GB to 2 GB) mapped through Page Directories and Page Tables into the Virtual Memory (0 GB to 4 GB) of Process A, Process B and Process C]
What happens when all Physical Memory is used? Paging to the hard disk drive (SLOW!): Pagefile.sys
Paging to Disk: When physical memory is getting full, the least used pages of memory are written to disk. When those pages are needed again, they are read back into physical memory and some other pages are written to disk. This is called swapping. Swapping reduces system performance.
Memory Dump: To get a complete collection of memory you need to collect two pieces: physical memory and the on-disk pagefile.
Virtual Memory Allocation: Programs can allocate virtual memory dynamically. The size can range from a single byte to several GBs (or 8192 GBs in x64 OS versions).
How is this tracked? The Windows kernel uses a data structure known as Virtual Address Descriptors (VADs) to track virtual memory allocations. Responder™ combines this information with page table data for each process and displays it in the Memory Map detail panel.
[Figure: Memory Map panel showing a Memory Block, its Block Length, the Individual Pages for this Block, and Unreferenced Pages]
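As an added example, not part of the course and not Responder or FDPro code, the following Python models what the page directories and page tables above do to a 32-bit address and what a memory-map view needs from them. It constructs a tiny "physical memory dump" and "pagefile" (sample data, not real evidence), walks page directory and page table entries to translate a virtual address, falls back to the pagefile for a page that was swapped out, and classifies every page of one VAD-style allocation as in RAM, in the pagefile, or unreferenced (nowhere in the acquired evidence). The present bit and the 10/10/12 split follow the x86 non-PAE layout; the position of the pagefile page number in a non-present entry is a simplifying assumption, as are all function names.

```python
"""Toy two-level (x86 non-PAE, 4 KB pages) virtual-to-physical translation over a
constructed physical memory dump and a constructed pagefile.  Added example,
not HBGary code."""
import struct

PAGE_SIZE = 0x1000
PRESENT = 0x1            # bit 0 of a PDE/PTE: the entry maps a frame that is in RAM
FRAME_MASK = 0xFFFFF000  # bits 12-31 of a present entry: physical frame address


def build_evidence():
    """Constructed sample evidence (not real data): a 4-frame 'RAM dump' and an
    8-page 'pagefile'.  Frame 0 holds the page directory (CR3 = 0), frame 1 the
    page table covering virtual 0x00400000-0x007FFFFF, frames 2 and 3 hold data."""
    dump = bytearray(4 * PAGE_SIZE)
    pagefile = bytearray(8 * PAGE_SIZE)
    # PDE[1] -> page table in frame 1
    struct.pack_into("<I", dump, 0 * PAGE_SIZE + 1 * 4, (1 << 12) | PRESENT)
    pt = 1 * PAGE_SIZE
    struct.pack_into("<I", dump, pt + 1 * 4, (2 << 12) | PRESENT)  # VA 0x00401000: in RAM, frame 2
    struct.pack_into("<I", dump, pt + 2 * 4, (3 << 12) | PRESENT)  # VA 0x00402000: in RAM, frame 3
    struct.pack_into("<I", dump, pt + 3 * 4, (5 << 12))            # VA 0x00403000: swapped out, pagefile page 5
    # The PTE for VA 0x00404000 stays 0: the page is inside the allocation but was
    # never faulted in, so its content exists only in the executable on disk and
    # neither the RAM image nor the pagefile can reproduce it.
    dump[2 * PAGE_SIZE:2 * PAGE_SIZE + 4] = b"MZ\x90\x00"   # constructed PE-header-like bytes
    dump[3 * PAGE_SIZE:3 * PAGE_SIZE + 4] = b"DATA"
    pagefile[5 * PAGE_SIZE:5 * PAGE_SIZE + 4] = b"SWAP"
    return dump, pagefile


def translate(dump, cr3, va):
    """Walk page directory -> page table for one 32-bit virtual address.

    Returns ("ram", byte offset into the dump), ("pagefile", byte offset into the
    pagefile) or ("unreferenced", None) when no copy exists in the evidence."""
    pdi = (va >> 22) & 0x3FF   # top 10 bits index the page directory
    pti = (va >> 12) & 0x3FF   # next 10 bits index the page table
    off = va & 0xFFF           # low 12 bits are the byte offset inside the page
    pde = struct.unpack_from("<I", dump, cr3 + pdi * 4)[0]
    if not pde & PRESENT:
        return ("unreferenced", None)
    pte = struct.unpack_from("<I", dump, (pde & FRAME_MASK) + pti * 4)[0]
    if pte & PRESENT:
        return ("ram", (pte & FRAME_MASK) | off)
    if pte == 0:
        return ("unreferenced", None)
    # Assumption for this toy: a non-present, non-zero PTE keeps the pagefile page
    # number in bits 12-31 (modelled on the x86 non-PAE software PTE layout).
    return ("pagefile", ((pte >> 12) * PAGE_SIZE) | off)


def read_virtual(dump, pagefile, cr3, va, length):
    """Read `length` bytes at a virtual address (within one page); None if unrecoverable."""
    assert (va & 0xFFF) + length <= PAGE_SIZE, "toy reader does not span pages"
    where, off = translate(dump, cr3, va)
    if where == "ram":
        return bytes(dump[off:off + length])
    if where == "pagefile":
        return bytes(pagefile[off:off + length])
    return None


def memory_map(dump, cr3, start, end):
    """Classify every page of one allocation (a VAD range [start, end)) the way a
    memory-map panel does: in RAM, only in the pagefile, or unreferenced."""
    return {va: translate(dump, cr3, va)[0] for va in range(start, end, PAGE_SIZE)}


if __name__ == "__main__":
    dump, pagefile = build_evidence()
    for va, state in memory_map(dump, 0, 0x00401000, 0x00405000).items():
        print(f"{va:#010x} {state}")
    print(read_virtual(dump, pagefile, 0, 0x00401000, 4))
```

The "unreferenced" page at 0x00404000 is exactly the kind of code the slides say is "still contained in the executable on disk but not in use": an acquisition of RAM plus pagefile has no copy of it, which is the gap the course's Process Probe discussion addresses.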
Goal of Process Probe: The goal of Process Probe is to force all executable code into RAM for one or all processes on the system. This includes code that is swapped out to Pagefile.sys and code still contained in the executable on disk but not in use. This code is called into RAM prior to the acquisition of physical memory.
Why Process Probe? Because Process Probe provides the investigator with a more accurate and complete picture of the executable code and the data. The Process Probe feature allows the investigator to control what memory is "paged in" to RAM from swap and the file system before FDPro performs RAM acquisition. The Probe feature even forces code from the file system into RAM for a specific process.
Use Process Probe during any LIVE network intrusion investigation, malware analysis case, or computer forensic investigation where the running applications on the computer could play a role. Applications include: instant messengers, IP telephony, Internet browsers, malware, encryption applications, databases, media players. Data of interest includes: encrypted data, passwords, unencrypted chat sessions, documents, emails, Internet searches, Internet postings, password protected websites.
Probe Smart: When using the -probe smart feature, FDPro.exe walks the entire process list and makes sure all code is called into RAM, resulting in the ability to recover almost 100% of the user-land process memory by causing these pages to be activated and paged in on the fly.
Process Probe Best Practices: Forensic best practices dictate that an investigator or analyst should always acquire RAM and the pagefile first without running the -probe feature. After freezing the current state of RAM, the investigator/analyst should run FDPro again using the -probe feature. Even when grabbing the pagefile, the -probe feature forces unused code from the file system into RAM.
Example steps:
1. Arrive at the server or workstation suspected in the computer incident or forensic investigation.
2. Collect RAM to "freeze the runtime state of the machine". This is a full RAM image with pagefile.
If you're doing any sort of malware analysis or reverse engineering, or know for a fact that you will never have to use the RAM acquisition in litigation, then you can go ahead and use -probe smart on your very first image to save time. Note: this technique leaves a larger footprint in RAM than performing a memory acquisition alone.
FastDump to Local VMware Drive: Take a snapshot to the local hard drive: C:\fdpro.exe c:\RAMdump.bin. Copy (using drag-and-drop) from VMware. Field option: take the snapshot to a USB drive (add a USB controller via the Hardware panel if needed); no perturbation of the local hard drive.
Investigation Preparation
Who? Names of people, email addresses
What? Project names, filenames, file format(s), usernames, passwords
When? Dates, times
Where? Domains, URLs
How? Carefully create a search term list. Spending time up front can save lots of time on the back end.
Webmail Considerations (more): mail applications, chat applications, names of webmail services, email addresses, passwords, content of emails, dates & time stamps, web sites visited (history), attachments.
Initial Triage. First steps - browse and collect: Browse the list of processes and applications running. Do I see Internet browsers? Yes. Do I see any instant messenger applications? Do I see any other applications that might be useful for my investigation? Add artifacts to your report: export to Excel, or right click and Send to Report.
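As an added example (not the course's or HBGary's code), the Python below carries the search-term list from the Investigation Preparation slide and the webmail artifacts listed above across a raw memory dump. It extracts printable runs in both ASCII and UTF-16LE (the encoding Windows uses for most in-memory strings, so an address typed into a browser form or a webmail page title usually appears that way), matches the investigator's terms case-insensitively, and tags email addresses and URLs with regular expressions, reporting the byte offset of every hit so it can be added to the report. The dump contents, the term list and all function names are constructed for this example.

```python
"""Search-term and artifact sweep over a raw memory dump, in ASCII and UTF-16LE.
Added example, not HBGary code; the dump below is constructed sample data."""
import re

MIN_LEN = 6  # shortest printable run worth reporting (chosen for this example)

# Printable runs: plain ASCII, and UTF-16LE (each printable byte followed by a NUL)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Artifact patterns applied to each decoded string
ARTIFACT_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
}


def build_sample_dump():
    """Constructed dump: non-printable filler around an ASCII mail header,
    a UTF-16LE webmail URL and a UTF-16LE project name."""
    filler = b"\x00\xff" * 64
    parts = [
        filler,
        b"From: alice.doe@example.com\r\nSubject: Q3 numbers\r\n",
        filler,
        "https://mail.example.com/inbox".encode("utf-16-le"),
        filler,
        "Project Bluebird".encode("utf-16-le"),
        filler,
    ]
    return b"".join(parts)


def extract_strings(dump):
    """Yield (offset, encoding, bytes-per-char, decoded text) for every printable run."""
    for m in ASCII_RUN.finditer(dump):
        yield m.start(), "ascii", 1, m.group().decode("ascii")
    for m in UTF16_RUN.finditer(dump):
        yield m.start(), "utf-16le", 2, m.group().decode("utf-16-le")


def sweep(dump, terms):
    """Return hits for the investigator's terms (case-insensitive) and for
    email/URL artifacts, each with the dump offset of the match."""
    hits = []
    for off, enc, width, text in extract_strings(dump):
        folded = text.lower()
        for term in terms:
            idx = folded.find(term.lower())
            while idx != -1:  # report every occurrence inside this run
                hits.append({"offset": off + idx * width, "encoding": enc,
                             "kind": "term", "value": term, "context": text})
                idx = folded.find(term.lower(), idx + 1)
        for kind, pattern in ARTIFACT_PATTERNS.items():
            for m in pattern.finditer(text):
                hits.append({"offset": off + m.start() * width, "encoding": enc,
                             "kind": kind, "value": m.group(), "context": text})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in sweep(build_sample_dump(), ["Bluebird", "alice.doe@example.com"]):
        print(f"{hit['offset']:#08x} {hit['encoding']:8} {hit['kind']:5} {hit['value']!r}")
```

Running the same sweep against each process's exported memory rather than the whole dump ties a hit to a process, which is what the triage questions above (which browser, which messenger) are really asking.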