Download presentation
Published byPierce Fearon Modified over 9 years ago
1
Joe Riggins HBGary Sr. Director of Incidence Response
Live Memory Forensics Joe Riggins HBGary Sr. Director of Incidence Response
2
Introduction Welcome to the Live Memory Forensics class!
This is an introduction to live memory forensics It is designed for the investigator who has digital forensic experience, and who has intermediate ability with the Microsoft Windows operating system Copyright 2010
3
Introductions Your Instructor is Joe Riggins, Senior Director of Incidence Response for HBGary. Copyright 2010
4
Agenda Module 1 – Live Memory Basics Module 2 – Windows Memory Model
Module 3 – Live Memory Acquisition Module 4 – Introduction to FastDump Pro Lab 1 – Creating a Memory Dump File using FDPro Module 5 – Webmail Investigation Lab 2 – Creating a New Physical Memory Snapshot Project Lab 3 – Webmail Investigation
5
Section 1 Live Memory Basics © 2010 V1.0
6
Live Memory Basics What is live memory? How to recognize it?
How does it work? How is it organized? Recognize memory chips… different types… © 2010
7
The Basics What is Live Memory?
Live memory is the random access memory ( % of the time) used by the CPU to store data and programs that it manipulates. There are different types of memory… Memory is fast, hd is slow. Volatile location to store and cache data so it doesn’t have to be read/written to the disk. The running state of the computer. If no RAM, it would run as fast a computer from 1982… © 2010
8
The Basics Types of Memory used?
RAM (random-access memory): This is the main memory. RAM is volatile memory, which means that it requires power and refresh to maintain its contents. ROM (read-only memory): Systems usually contain some read-only memory that holds instructions for booting up the computer. ROM memory cannot be changed, it is non-volatile. PROM (programmable read-only memory): A PROM is essentially a ROM memory chip which you program out of the factory once. Like ROMs, PROMs are non-volatile. RAM – main memory – operating state ROM – BIOS set at factory and can’t be changed. Instructions make video card run… PROM – older tech… only write to it once. Very difficult to erase © 2010
9
The Basics Types of Memory used?
EPROM (erasable programmable read-only memory): An EPROM is a special type of PROM that can be erased by exposing it to ultraviolet light. EEPROM (electrically erasable programmable read-only memory): An EEPROM is a special type of PROM that can be erased by a special electrical charge. CMOS (Complimentary Metal Oxide Semiconductor) CMOS usually refers to the non-volatile RAM (NVRAM). EPROM most common – very intense ultraviolet light. Long time to erase. EEPROM – put current thru it to erase. BIOS initializes the system. Turn pc on booting window says dell, gateway, etc… activating components of the system. Malware puts themselves in BIOS. CMOS – requires a battery. Need electric charge, or it loses its state. Keeps setting the motherboard uses. © 2010
10
The Basics of RAM Random access memory (RAM) memory is made of a transistor and a capacitor. A good jury description would be a bucket that holds water (the charge). However the bucket has a small hole and constantly loses water. To keep the bucket full, every so often you have to keep pouring water into the bucket, this is called “Refresh”. Constantly fill it with a charge. Overclocking site… faster you refresh, the faster it runs the memory © 2010
11
The Basics of RAM The faster the memory loses charge, and the faster it can be recharged, determines the memory speed. Can get errors in memory if overclocking it © 2010
12
What does RAM look like? © 2010
13
How RAM works Memory is written one byte at time
Power is applied to the two connections, and charges the memory cell © 2010
14
How RAM works Byte value = 10010101 1 0 0 1 0 1 0 1
Grid of information that gets electrically set © 2010
15
How RAM works Byte value = © 2010
16
How RAM works Byte value = © 2010
17
How RAM works Byte value = © 2010
18
How RAM works The CPU reads and writes to RAM (technically, the CPU reads and writes to Cache, that then reads and writes to RAM) Every memory location has a unique address This leads us into the murky world of how Microsoft Windows manages memory (more on this later…) Cache is even faster, but much more expensive. Small amount of cache close on CPU. © 2010
19
Section 2 Windows Memory Model © 2010
20
Physical Memory vs. Virtual Memory
Physical Memory refers to the hardware view of memory Only one view of physical memory Virtual Memory refers to virtualized OS views of memory There can be many different virtual memory spaces Phys mem – limited amount of memory on chip. System can’t run on low amount of phys mem
21
Memory Virtual Memory Physical Memory Memory (RAM) Operating System
22
Why have Virtual Memory?
Can provide process memory isolation (security) Allows more “logical” memory by increasing the addressable space (each 32-bit process gets its own 4GB of virtual memory). When combined with paging, can increase the total available memory (more on this later). Each process has it’s own vm space. Crashes… 1 program can bring down whole machine.
23
Total Logical Memory Sum of all virtual memory Physical Memory OS
2 GB Memory (RAM) 4GB Physical Memory Virtual Memory 6 x 4GB = 24 GB of Logical Memory OS Not all 4GB range used. Some
24
Virtual Memory Layout 0 GB 4 GB 2 GB Kernel Memory User Memory The upper 2GB* of every Virtual Memory space is reserved for the Windows Kernel to use. It is not accessible to user mode processes. * Note: except with the rarely used /3GB switch Kernel is global to all processes and doesn’t need to change in virtual memory Each process is allocated 2GB of vm
25
How 2GB becomes 24GB (or more)
The OS utilizes CPU features to create page directories and page tables which can be used to divide physical memory among multiple virtual memory spaces
26
Physical Virtual Virtual Memory for Process A
Physical Memory Virtual Memory for Process A Virtual Memory for Process B Virtual Memory for Process C Page Directories and Page Tables 0 GB 2 GB 4 GB This process has all of these pages.
27
What happens when all Physical Memory is used?
Paging to the hard disk drive (SLOW!) Pagefile.sys
28
Paging to Disk When Physical Memory is getting full, the least used pages of memory are written to disk When those pages are needed again, they are read back into Physical Memory and some other pages are written to disk. This is called Swapping. Swapping reduces system performance. Windows tracks least used pages… 2 operations on hard drive when read from disk
29
Physical Virtual
30
Memory Dump To get a complete collection of memory you need to collect two pieces: Physical Memory The on-disk pagefile Only tool that allows you to collect pagefile. Memory is highly volatile…
31
Virtual Memory Allocation
Programs can allocate virtual memory dynamically The size can range from a single byte to several GBs (or 8192 GBs in x64 OS versions) 32-bit user-mode apps allocate 2GBs
32
How is this tracked? The Windows kernel uses a data structure known as Virtual Address Descriptors (VADs) to track virtual memory allocations Responder™ combines this information with page table data for each process, and displays it in the Memory Map detail panel
33
Memory Map Memory Block Individual Pages for this Block Block Length
Unreferenced Pages Unidentified – allocated memory we don’t have a name
34
Section 3 Memory Acquisition © 2010
35
Basic Acquisition RAM collection software relies on the host OS
Can be subverted Some software more invasive than others Usually load about 10 modules from the operating system © 2010
36
Memory Acquisition Methodology
Goal – Be minimally invasive to suspect machine DO NOT acquire RAM to the local system hard drive Invasive – possibly destroy important data Use external thumb drive – (USB Mass Storage Device) Image the RAM to sterile media Freshly wiped drive preferably with all zeros. Reformat the drive to NTFS FAT32 file system has 2GB file size limitation FDPro cannot split up the file into chunks Generate MD-5 hash at time of collection – save with memory image Used to verify integrity of file to that point in time. © 2010
37
Acquiring Memory Software creates a “smear” image
Not a “true” duplicate image This process is not reproducible In order to create a “true” image Hardware is required Virtualization can “pause” the processor Crash Dump Hibernation file (hiberfil.sys) © 2010
38
Acquiring Memory Software used to dump physical RAM
HBGary FastDump™ and FastDump™ Pro Fastdump (free) Windows 2000 – 2008 Server, Windows 7 32-bit 6GB maximum file size FastDump™ Pro 32- and 64-bit 64GB+ tested maximum file size © 2010
39
Preparing to Image When collecting the tools to image live memory, you need to anticipate the likely possibilities of what you will encounter on the source end. Will your imaging tool run on the source computer (the computer where you want to image the live memory)? Will the destination storage device be recognized by the source computer? Can you save the image on a storage device? © 2010
40
Preparing to Image Is there a way to run FastDump Pro?
USB 1.1, 2.0 or 3.0 port Place FastDump Pro on a USB storage device such as a thumb drive, or external USB hard drive. CD/DVD-ROM drive Place FastDump Pro on a CD/DVD-ROM. It does not have to be bootable. 1. The USB drive needs to be as large as the memory you are saving. If you are going to save the Swap cache or hiperbin file you will need more storage. Figure 4-8 Gigs for live memory and for the other files. This may be a little overkill but better safe than sorry. 2. Use your favorite CD ROM software to create a CD-ROM (or DVD-ROM). Do not use CD or DVD Read/Write disks (CD-RW or DVD-RW) Also with DVD use a DVD-R and not DVD+R disks. The DVD-R are way more compatible and work best for digiutal data. 3. A 1.44 Megabyte floppy will work in 2.88MByte floppy drives and in 120MByte SuperFloppy drives BUT NOT in older 720 which you should not ever see today. 4. SATA can be used on some systems but this causes a larger footprint in memory. So if you have to you can use a SATA drive formatted with FAT32 with FDPro on it. The FAT32 partition will use less memory than a NTFS formatted drive would. © 2010
41
Preparing to Image Is there a way to run FastDump Pro?
FireWire port – 400/800 Place FastDump Pro on a external FireWire hard drive PCMCIA or CardBus port Place FastDump Pro on a CardBus flash card or hard drive. There are several cards that use a Compact Flash media card for storage. 1. Just for sake of that “rare but can happen incident”, try to use a external USB drive that has both USB2 and FireWire (and throw in SATA if you want) connections 2. There are any number of Cardbus adapters for Compac Flash Memory to Cardbus slots available. Then use a Compac Flash Memory of 2-4 Gigs © 2010
42
Preparing to Image Does it have a way to attach a storage device for memory dumping? The amount of storage should be 10-15% larger than the biggest amount of memory you expect the computer to have. In today’s world (the year 2012) 8GBs is safe. Keep in mind you should have something that has more than 8GBs to call on when needed. Speed can also be an issue Thumb drives can be slow Have more free space on the storage drive than the memory size. © 2010
43
Preparing to Image Windows does not create files larger than 4GBs on Windows 2000 or Windows XP operating systems using FAT32. FAT32 has a limit of 4GBs for a single file Format your destination drive with NTFS if possible. Carry a second drive with FAT32 formatting © 2010
44
Preparing to Image Buy a moderately fast USB 4-8GB thumb drive. It should conform to the USB Mass Storage specification. Format it with NTFS and place FDPro.exe on it. © 2010
45
Section 4 FastDump Pro © 2010
46
FastDump™ Pro FastDump Pro™ (FDPro™) is a command-line based memory dumping utility that comes packaged with both the Responder™ Professional and the Responder™ Field products. A copy of FDPro.exe is located in the FastDump folder in the directory where Responder™ is installed on the local hard drive. © 2010
47
FastDump™ Pro FDPro™ supports:
all versions of the Windows™ operating systems and service packs (2000, XP, 2003, Vista, 2008 Server, 7) 32- and 64-bit, including systems with more than 4GBs of RAM (up to 64GBs of RAM). acquisition of the Windows™ pagefile included with the acquisition of RAM. a variety of memory probing features that can assist with malware analysis. © 2010
48
FastDump™ Pro To peform a RAM dump: Command: fdpro.exe c:\memdump.bin
Action: FDPro.exe acquires the local system physical memory to the file c:\memdump.bin in literal/standard .bin format using the default 1MB read/write sizes. Command: fdpro.exe c:\memdump.bin –strict Action: FDPro.exe acquires the local system physical memory to the file c:\memdump.bin in literal/standard .bin format using the strict 4kb read/write sizes. © 2010
49
FastDump™ Pro To perform a RAM and Pagefile dump:
Command: fdpro.exe c:\memdump.hpak Action: FDPro.exe acquires the local system memory into the HPAK archive file c:\memdump.hpak using the default 1MB read/write sizes Command: fdpro.exe c:\memdump.hpak –strict Action: FDPro.exe acquires the local system memory into the HPAK archive file c:\memdump.hpak using the strict 4kb read/write sizes © 2010
50
Goal of Process Probe The goal of Process Probe is to force all executable code into RAM for one or all processes on the system. This includes code that is swapped out to the Pagefile.sys, and code still contained in the executable on disk but not in use. This code is called into RAM prior to the acquisition of physical memory.
51
Why Process Probe? Because Process Probe provides the investigator with a more accurate and complete picture of the executable code and the data. The process probe feature allows the investigator to control what memory is “paged-in” to RAM from SWAP and the File System before FDPro performs RAM acquisition. The Probe feature even forces code from the file system into RAM for a specific process.
52
Why Process Probe? User Process Probe during any LIVE network intrusion investigation, malware analysis case, or computer forensic investigation where the running applications on the computer could play a role . Applications include: Instant messengers IP telephony Internet browsers Malware Encryption applications Databases Media players Encrypted data Passwords Unencrypted chat sessions Documents s Internet searches Internet postings Password protected websites
53
Probe Smart When using the –probe smart feature, FDPro.exe walks the entire process list and makes sure all code is called into RAM, resulting in the ability to recover almost 100% of the user-land process memory by causing these pages to be activated and paged-in on the fly.
54
Process Probe Best Practices
Forensic best practices dictate that an investigator or analyst should always acquire RAM and Pagefile without running the -Probe Feature. After freezing the current state of RAM, the investigator/analyst should run FDPro again using the -probe Feature. Even when grabbing the pagefile, the -probe feature forces unused code from the file system into RAM.
55
Process Probe Best Practices
Example steps: Arrive at server or workstation suspected in the computer incident or forensic investigation Collect RAM to “freeze the runtime state of the machine”. This is a full RAM image with Pagefile If you’re doing any sort of malware analysis, Reverse Engineering, or know for a fact that you will never have to use the RAM acquisition in litigation, then you can go ahead and probe –smart on your very first image to save you time. Note: This technique instruments a larger footprint in RAM than only performing a memory acquisition.
56
Process Probe Commands
To probe processes into memory and RAM: Command: fdpro.exe c:\memdump.bin –probe all Action: fdpro.exe probes all processes into memory before acquiring the local system memory into the file c:\memdump.bin Command: fdpro.exe c:\memdump.bin –probe smart Action: fdpro.exe probes only user processes into memory before acquiring the local system memory into the file c:\memdump.bin Command: fdpro.exe c:\memdump.bin –probe pid 123 Action: fdpro.exe probes process with PID 123 into memory before acquiring the local system memory into the file c:\memdump.bin © 2010
57
FastDump to Local VMware Drive
Take a snapshot to the local hard drive C:\fdpro.exe c:\RAMdump.bin Copy (using drag-and-drop) from VMware Field option – take snapshot to USB drive Add USB controller via Hardware Panel if needed No perturbation of the local hard drive
58
Lab Exercise Complete Lab Exercises 1 & 2
30 minutes to complete lab exercises © 2010
59
Web Mail Investigation
Section 5 Web Mail Investigation © 2010
60
Investigating Applications
Goal: Identify artifacts that lead you to other pieces of information Finding bread crumbs, then following the bread crumbs…
61
Analyzing Applications
Try to find objects and artifacts that tell you: Who, What, Where, When, Why, How © 2010
62
Investigation Preparation
Who? Names of People addresses What? Project Names Filenames File format(s) Usernames Passwords When? Dates Times Where? Domains URLs How? Carefully create a search term list Spending time up front can save lots of time on the back end
63
Analyzing Applications
Approach: Knowledge is helpful… Google: “skype” What is it? How is it used? How does it work? Why is my suspect using it? Is there data in memory that might not be available by performing disk based forensics? © 2010
64
Analyzing Applications
Create a list of things you know Names involved in the investigation Domain names Project names Filenames Websites Applications in question Office applications Internet browser Encryption Chat © 2010
65
Web Mail Start with the browsers… Internet Explorer Firefox Opera
Google Chrome © 2010
66
Web Mail Then go to browser artifacts Web sites visited
Files downloaded Dates and timestamps © 2010
67
Web Mail Things to consider Web server applications act differently
Gmail stores passwords differently than hushmail. © 2010
68
Web Mail Search terms that can be used gmail.com @hotmail.com
@yahoo.com @hushmail.com Attachment &passwd= &login= messageID= © 2010
69
Webmail Considerations
More… Mail applications Chat Applications Names of Webmail Services addresses Passwords Content of s Dates & Time Stamps Web Sites Visited – History Attachments
70
Initial Triage First Steps - Browse and collect
Browse the list of processes and applications running… Do I see internet browsers? Yes. Do I see any instant messenger applications? Do I see any other applications that might be useful for my investigation? Add Artifacts to your Report Export to excel Right click send to report
71
Web Mail Focus: Intellectual Property Investigation
Type: Private data sent via Description: Search for indications of files, addresses, and other related info to the data theft. © 2010
72
The Scenario Beginning a search based on suspicion
Press release from competitor having similar data Searching for private content What do we search for? Understanding search hits Process name/module/unidentified Adding webmail data/artifacts to the report © 2010
73
Searching Beginning a search based on suspicion
Press release from competitor having similar data FIRST - Search for content we know We know we are looking for “Pluripotent” Searching for addresses to corroborate suspicion Search terms gmailchat= Understanding search hits Process name/module/unidentified SECOND - Search for content we learn Adding webmail data/artifacts to the report © 2010
74
Lab Exercise Complete Lab Exercise 3
30 minutes to complete lab exercises © 2010
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.