Presentation transcript: Live Memory Forensics
1 – Live Memory Forensics
Joe Riggins, HBGary Sr. Director of Incident Response
2 – Introduction
Welcome to the Live Memory Forensics class! This is an introduction to live memory forensics. It is designed for the investigator who has digital forensic experience and intermediate ability with the Microsoft Windows operating system.
Copyright 2010
3 – Introductions
Your instructor is Joe Riggins, Senior Director of Incident Response for HBGary.
4 – Agenda
Module 1 – Live Memory Basics
Module 2 – Windows Memory Model
Module 3 – Live Memory Acquisition
Module 4 – Introduction to FastDump Pro
Lab 1 – Creating a Memory Dump File using FDPro
Module 5 – Webmail Investigation
Lab 2 – Creating a New Physical Memory Snapshot Project
Lab 3 – Webmail Investigation
20 – Physical Memory vs. Virtual Memory
Physical memory refers to the hardware view of memory: there is only one view of physical memory, and the amount installed (RAM) is limited; the system cannot run with too little of it.
Virtual memory refers to the operating system's virtualized views of memory; there can be many different virtual memory spaces, one per process.
21 – Memory
(Diagram: Virtual Memory, Physical Memory, Memory (RAM), Operating System.)
22 – Why have Virtual Memory?
Provides process memory isolation (security): each process has its own virtual memory space, so one misbehaving program cannot overwrite another program's memory or bring down the whole machine when it crashes.
Allows more "logical" memory by increasing the addressable space (each 32-bit process gets its own 4 GB of virtual memory).
When combined with paging, can increase the total available memory (more on this later).
23 – Total Logical Memory
Total logical memory is the sum of all virtual memory. In the slide's example, 4 GB of physical memory (RAM) is shared by the OS and six processes, each with its own 4 GB virtual space: 6 x 4 GB = 24 GB of logical memory. Not all of each 4 GB range is actually used.
24 – Virtual Memory Layout
0 GB to 2 GB: user memory. 2 GB to 4 GB: kernel memory.
The upper 2 GB* of every virtual memory space is reserved for the Windows kernel and is not accessible to user-mode processes. The kernel mapping is global: it is the same in every process, so it does not have to change when the CPU switches from one process's virtual memory to another's. Each process gets the lower 2 GB of virtual memory for its own use.
* Note: except with the rarely used /3GB switch.
25 – How 2 GB becomes 24 GB (or more)
The OS uses CPU features to create page directories and page tables, which divide physical memory among multiple virtual memory spaces.
26 – Physical to Virtual
(Diagram: one physical memory; virtual memory for Process A, Process B and Process C, each laid out 0 GB to 2 GB user and 2 GB to 4 GB kernel; page directories and page tables map each virtual space onto physical pages. Speaker note: "This process has all of these pages.")
27 – What happens when all Physical Memory is used?
Paging to the hard disk drive (SLOW!): pagefile.sys
28 – Paging to Disk
When physical memory is getting full, the least-used pages of memory are written to disk (Windows tracks which pages are least used). When those pages are needed again, they are read back into physical memory and some other pages are written out to make room. This is called swapping.
Swapping reduces system performance: bringing a page back in can cost two disk operations, the write of the evicted page and the read of the wanted one.
30 – Memory Dump
To get a complete collection of memory you need to collect two pieces: physical memory, and the on-disk pagefile. A page that has been swapped out exists only in the pagefile, so a RAM image alone misses it. FDPro collects the pagefile along with RAM. Memory is highly volatile.
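The following is an added example, not HBGary or FDPro code, that simulates the page-directory and page-table walk slides 22 through 30 describe for 32-bit (non-PAE) x86: two processes mapping the same virtual address to different physical pages (isolation), one page sitting in the pagefile (recoverable only if the pagefile was acquired), and one address that was never committed. The RAM, page tables and pagefile contents are constructed; the process names, addresses and page numbers are arbitrary. The software PTE layout used for pagefile-backed pages (PageFileLow in bits 1 to 4, PageFileHigh in bits 12 to 31) is the Windows x86 non-PAE format; transition and prototype PTE states are deliberately left out.

```python
"""
Simulated x86 32-bit non-PAE virtual-to-physical translation: one physical
RAM carved into many 4 GB virtual spaces through page directories and page
tables, with pagefile-backed pages resolved from the pagefile image.
Added illustration; RAM, page tables and pagefile contents are constructed.
"""
import struct

PAGE_SIZE = 0x1000
PTE_VALID = 1 << 0           # hardware "present" bit (bit 0)

# Windows x86 non-PAE software PTE for a page written to a pagefile
# (MMPTE_SOFTWARE): Valid:1 PageFileLow:4 Protection:5 Prototype:1
# Transition:1 PageFileHigh:20.  PageFileHigh is the page index inside
# the pagefile numbered by PageFileLow.
PF_LOW_SHIFT, PF_LOW_MASK = 1, 0xF
PF_HIGH_SHIFT = 12


class Process:
    """One virtual address space, identified by its page-directory base
    (the value the CPU holds in CR3 while this process runs)."""
    def __init__(self, name, cr3):
        self.name, self.cr3 = name, cr3


def split_va(va):
    """32-bit VA = 10-bit directory index, 10-bit table index, 12-bit offset."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF


def _u32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]


def resolve(ram, proc, va):
    """Walk proc's page directory and page table for va.
    Returns ('ram', physical_offset), ('pagefile', pagefile_offset) or
    ('unmapped', None).  A RAM image alone cannot satisfy the 'pagefile'
    case, which is why the pagefile is acquired as well."""
    pdi, pti, off = split_va(va)
    pde = _u32(ram, proc.cr3 + pdi * 4)
    if not pde & PTE_VALID:
        return "unmapped", None
    pte = _u32(ram, (pde & ~0xFFF) + pti * 4)
    if pte & PTE_VALID:
        return "ram", (pte & ~0xFFF) | off
    pf_page = pte >> PF_HIGH_SHIFT
    if pf_page == 0:                 # never committed / demand-zero
        return "unmapped", None
    return "pagefile", pf_page * PAGE_SIZE + off


def read_bytes(ram, pagefile, proc, va, length):
    """Read `length` bytes (within one page) at va from whichever backing
    store holds them, or None if the address is not mapped."""
    where, off = resolve(ram, proc, va)
    if where == "ram":
        return bytes(ram[off:off + length])
    if where == "pagefile":
        return bytes(pagefile[off:off + length])
    return None


def build_lab():
    """Constructed 64 KB 'RAM' and 32 KB 'pagefile'.  Two processes map the
    same VA 0x00401000 to different physical pages; process A also has a
    page sitting in the pagefile and one it reserved but never touched."""
    ram = bytearray(16 * PAGE_SIZE)
    pagefile = bytearray(8 * PAGE_SIZE)
    a, b = Process("A", cr3=0x0000), Process("B", cr3=0x2000)
    # VAs 0x00400000-0x007FFFFF use PDE index 1.  Process A: page table at 0x1000.
    struct.pack_into("<I", ram, a.cr3 + 1 * 4, 0x1000 | PTE_VALID)
    struct.pack_into("<I", ram, 0x1000 + 1 * 4, 0x5000 | PTE_VALID)  # 0x401000 resident
    struct.pack_into("<I", ram, 0x1000 + 2 * 4, 3 << PF_HIGH_SHIFT)  # 0x402000 in pagefile 0, page 3
    # 0x403000: PTE stays 0 (reserved but never committed)
    # Process B: page table at 0x3000, same VA backed by a different frame.
    struct.pack_into("<I", ram, b.cr3 + 1 * 4, 0x3000 | PTE_VALID)
    struct.pack_into("<I", ram, 0x3000 + 1 * 4, 0x6000 | PTE_VALID)
    for buf, off, text in ((ram, 0x5000, b"process A private data"),
                           (ram, 0x6000, b"process B private data"),
                           (pagefile, 0x3000, b"paged-out page of A")):
        buf[off:off + len(text)] = text
    return ram, pagefile, a, b


if __name__ == "__main__":
    ram, pf, a, b = build_lab()
    for proc in (a, b):
        for va in (0x00401000, 0x00402000, 0x00403000, 0x80000000):
            print(proc.name, hex(va), resolve(ram, proc, va),
                  read_bytes(ram, pf, proc, va, 22))
```

Running it shows the kernel half (0x80000000) unmapped for both processes because neither constructed page directory has entries above index 511, the same virtual address resolving to different data in A and B, and A's 0x00402000 content coming back from the pagefile image rather than from RAM.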
31 – Virtual Memory Allocation
Programs can allocate virtual memory dynamically. An allocation can range from a single byte to several GB (up to 8192 GB of user address space on x64 OS versions); a 32-bit user-mode application can allocate at most 2 GB in total.
32 – How is this tracked?
The Windows kernel uses a data structure known as the Virtual Address Descriptor (VAD) tree to track virtual memory allocations. Responder™ combines this information with the page table data for each process and displays it in the Memory Map detail panel.
33 – Memory Map
Columns: Memory Block, Individual Pages for this Block, Block Length, Unreferenced Pages.
"Unidentified" marks allocated memory for which we do not have a name.
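Added example, not HBGary or Responder code: a toy VAD tree and the memory-map rows you get by combining it with the page-table state, as slides 32 and 33 describe. Windows keeps the real VAD tree as a balanced binary tree keyed by virtual page number (VPN); a plain binary search tree stands in for it here. Every VAD entry, the set of resident pages, and the module names (calc.exe, ntdll.dll) are constructed, and "unreferenced" is taken to mean a page inside an allocation that has no valid page-table entry in the image, which is an assumption about the panel's meaning.

```python
"""
Toy Virtual Address Descriptor (VAD) tree plus a memory-map view built by
joining each allocation with the pages that are actually resident.
Added illustration; tree contents and the resident-page set are constructed.
"""
from dataclasses import dataclass
from typing import Optional

PAGE_SIZE = 0x1000


@dataclass
class Vad:
    start_vpn: int            # first page of the allocation
    end_vpn: int              # last page (inclusive), as in the kernel's VAD
    name: str = ""            # backing file/module; "" means Unidentified
    left: Optional["Vad"] = None
    right: Optional["Vad"] = None


def insert(root, node):
    """Insert by start VPN; VAD ranges never overlap, so start VPN orders them."""
    if root is None:
        return node
    if node.start_vpn < root.start_vpn:
        root.left = insert(root.left, node)
    else:
        root.right = insert(root.right, node)
    return root


def walk(root):
    """In-order traversal yields allocations in ascending address order."""
    if root is not None:
        yield from walk(root.left)
        yield root
        yield from walk(root.right)


def find_vad(root, va):
    """Descend the tree to the VAD covering va, or None (unallocated gap)."""
    vpn = va >> 12
    node = root
    while node is not None:
        if vpn < node.start_vpn:
            node = node.left
        elif vpn > node.end_vpn:
            node = node.right
        else:
            return node
    return None


def memory_map(root, resident_vpns):
    """One row per VAD: block start, length, name, page count, and how many
    of its pages have no valid page-table entry in the image (unreferenced)."""
    rows = []
    for vad in walk(root):
        pages = vad.end_vpn - vad.start_vpn + 1
        resident = sum(1 for vpn in range(vad.start_vpn, vad.end_vpn + 1)
                       if vpn in resident_vpns)
        rows.append({
            "start": vad.start_vpn * PAGE_SIZE,
            "length": pages * PAGE_SIZE,
            "name": vad.name or "Unidentified",
            "pages": pages,
            "unreferenced": pages - resident,
        })
    return rows


def build_lab():
    """Constructed process: an image, a DLL and an anonymous heap, plus the
    VPNs that happen to be resident at acquisition time."""
    root = None
    for vad in (Vad(0x01000, 0x0100F, "calc.exe"),    # 16 pages
                Vad(0x7C900, 0x7C907, "ntdll.dll"),   # 8 pages
                Vad(0x00090, 0x0009F)):               # 16-page heap, no name
        root = insert(root, vad)
    resident = (set(range(0x01000, 0x01010)) | set(range(0x7C900, 0x7C906))
                | set(range(0x00090, 0x00094)))
    return root, resident


if __name__ == "__main__":
    root, resident = build_lab()
    for row in memory_map(root, resident):
        print(f"{row['start']:#010x} {row['length']:#8x} {row['name']:<14} "
              f"pages={row['pages']:3d} unreferenced={row['unreferenced']}")
```

The heap block comes out with 12 of 16 pages unreferenced: that is exactly the kind of block a probe (next module) would try to bring back into RAM before a second acquisition.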
50 – Goal of Process Probe
The goal of Process Probe is to force all executable code into RAM for one or all processes on the system. This includes code that has been swapped out to pagefile.sys and code still contained in the executable on disk that has not been used yet. This code is pulled into RAM prior to the acquisition of physical memory.
51 – Why Process Probe?
Because Process Probe gives the investigator a more accurate and complete picture of the executable code and its data. The probe feature lets the investigator control what memory is "paged in" to RAM from swap and from the file system before FDPro performs the RAM acquisition; it even forces code from the file system into RAM for a specific process.
52 – Why Process Probe?
Use Process Probe during any live network-intrusion investigation, malware-analysis case or computer-forensic investigation where the applications running on the computer could play a role. Applications include: instant messengers, IP telephony, Internet browsers, malware, encryption applications, databases, media players. Artifacts they leave in memory include: encrypted data, passwords, unencrypted chat sessions, documents, emails, Internet searches, Internet postings, password-protected websites.
53 – Probe Smart
With the -probe smart option, FDPro.exe walks the entire process list and makes sure all code is called into RAM, causing the missing pages to be activated and paged in on the fly; the result is the ability to recover almost 100% of user-land process memory.
54 – Process Probe Best Practices
Forensic best practice is to always acquire RAM and the pagefile first, without the -probe option, to freeze the current state of RAM. Only after that should the investigator/analyst run FDPro again with -probe. The reason: even when the pagefile is grabbed as well, -probe forces unused code from the file system into RAM, so it changes the very memory being acquired.
55 – Process Probe Best Practices
Example steps:
1. Arrive at the server or workstation suspected in the computer incident or forensic investigation.
2. Collect RAM to "freeze the runtime state of the machine": a full RAM image with pagefile.
3. Run FDPro again with -probe to capture the code that had been paged out or never loaded.
Shortcut: if you are doing malware analysis or reverse engineering, or know for a fact that you will never have to use the RAM acquisition in litigation, you can run -probe smart on your very first image to save time.
Note: probing leaves a larger footprint in RAM than a plain memory acquisition.
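As an added example (not HBGary's tooling), the runbook wrapper below encodes the ordering of slides 54 and 55: a plain RAM-plus-pagefile image first, then a second image with -probe smart, with the litigation shortcut collapsing the plan to a single probed image. The only FDPro invocations assumed are the two forms the transcript shows (fdpro.exe followed by the output path, and the -probe smart option, taken to be two separate arguments); every other path, filename and the log format are placeholders. Each image is hashed right after acquisition so the first, un-probed image can later be shown unchanged.

```python
"""
Acquisition runbook wrapper: frozen image first, probed image second, with
a SHA-256 and a JSON-lines log entry per step.  Added illustration; FDPro
syntax beyond 'fdpro.exe <output>' and '-probe smart' is not assumed, and
the paths in __main__ are placeholders.
"""
import hashlib
import json
import subprocess
import time
from pathlib import Path


def fdpro_command(fdpro, output, probe=None):
    """Argument vector for one FDPro run.  probe='smart' adds the option
    from the slides; probe=None runs a plain acquisition."""
    cmd = [str(fdpro), str(output)]
    if probe:
        cmd += ["-probe", probe]
    return cmd


def acquisition_plan(fdpro, case_dir, for_litigation=True):
    """Ordered list of (label, command).  When the image may be needed in
    court the un-probed image comes first; for malware analysis or RE the
    slides allow going straight to a probed image."""
    case_dir = Path(case_dir)
    plan = []
    if for_litigation:
        plan.append(("ram-frozen",
                     fdpro_command(fdpro, case_dir / "ram_frozen.bin")))
    plan.append(("ram-probed",
                 fdpro_command(fdpro, case_dir / "ram_probed.bin", probe="smart")))
    return plan


def sha256_file(path, chunk=1 << 20):
    """Stream the image through SHA-256 (dumps are GBs; do not read whole)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def run_plan(plan, log_path):
    """Execute each step in order, hash its output, append one JSON line
    per step, and stop at the first failure so a broken frozen image is
    never silently followed by a probed one."""
    with open(log_path, "a") as log:
        for label, cmd in plan:
            started = time.time()
            rc = subprocess.run(cmd).returncode
            output = Path(cmd[1])
            record = {
                "step": label, "cmd": cmd, "rc": rc,
                "started": started, "finished": time.time(),
                "sha256": sha256_file(output) if rc == 0 and output.exists() else None,
            }
            log.write(json.dumps(record) + "\n")
            if rc != 0:
                break


if __name__ == "__main__":
    import sys
    # Placeholder locations: tool and case folder on external media so the
    # suspect's local disk is not written to.
    plan = acquisition_plan("E:/tools/fdpro.exe", "E:/case001",
                            for_litigation="--no-litigation" not in sys.argv)
    for label, cmd in plan:
        print(label, " ".join(cmd))
    if "--run" in sys.argv:
        run_plan(plan, "E:/case001/acquisition.log")
```

Without --run the script only prints the plan, which is a useful pre-flight check on the collection box; the hash of the frozen image is what goes into the chain-of-custody record, since the probed image is by design a perturbed copy of the system.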
57 – FastDump to Local VMware Drive
Take a snapshot to the local hard drive:
C:\fdpro.exe c:\RAMdump.bin
Then copy the dump file out of the VMware guest (drag-and-drop).
Field option: take the snapshot to a USB drive instead (add a USB controller via the Hardware panel if needed). Writing to USB avoids perturbing the local hard drive.
62 – Investigation Preparation
Who? Names of people, email addresses.
What? Project names, filenames, file format(s), usernames, passwords.
When? Dates, times.
Where? Domains, URLs.
How? Carefully create a search-term list from the answers above. Spending time up front can save lots of time on the back end.
69 – Webmail Considerations
More things to look for: mail applications, chat applications, names of webmail services, email addresses, passwords, content of emails, dates and time stamps, web sites visited (history), attachments.
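Added example, not part of the original course or of Responder: a sweep of a memory image for the search-term list from Investigation Preparation together with generic email-address and URL patterns for the webmail artifacts listed above. Windows applications keep most strings in memory as UTF-16LE, so each term is searched in both 8-bit and UTF-16LE form, case-insensitively. The dump is constructed inline and every name, address, project name and URL in it is fictitious.

```python
"""
Search-term sweep over a memory image: exact terms in UTF-8 and UTF-16LE
plus email and URL regexes.  Added illustration; SAMPLE_DUMP is constructed.
"""
import re

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[^\s\"'<>]{4,}")


def term_patterns(terms):
    """(term, encoding, compiled regex) for each term in both encodings.
    re.IGNORECASE on a bytes pattern folds ASCII letters, which also covers
    the low byte of each UTF-16LE code unit for Latin text."""
    out = []
    for term in terms:
        for enc in ("utf-8", "utf-16le"):
            out.append((term, enc,
                        re.compile(re.escape(term.encode(enc)), re.IGNORECASE)))
    return out


def scan(dump, terms):
    """Return hits sorted by offset as (offset, kind, value, encoding):
    kind is 'term', 'email' or 'url'; value is the term or matched text."""
    hits = []
    for term, enc, rx in term_patterns(terms):
        hits += [(m.start(), "term", term, enc) for m in rx.finditer(dump)]
    for kind, rx in (("email", EMAIL_RE), ("url", URL_RE)):
        hits += [(m.start(), kind, m.group().decode("ascii"), "utf-8")
                 for m in rx.finditer(dump)]
    return sorted(hits)


def report(dump, hits, context=16):
    """One line per hit with a little surrounding raw context for the report."""
    lines = []
    for off, kind, value, enc in hits:
        snippet = dump[max(0, off - context): off + context + len(value)]
        lines.append(f"{off:#010x} {kind:5} {enc:8} {value!r} ... {snippet!r}")
    return lines


# Constructed 'memory': a PE header fragment, an ASCII mail header, a
# UTF-16LE project name, a webmail URL and a differently-cased ASCII copy.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"MZ\x90\x00" + bytes(range(32))
    + b"From: alice@example.com\r\n"
    + "Project Nightfall".encode("utf-16le")
    + b"\x00" * 8
    + b"https://mail.example.com/inbox?id=42 "
    + b"PROJECT nightfall\x00"
)

if __name__ == "__main__":
    for line in report(SAMPLE_DUMP, scan(SAMPLE_DUMP, ["Project Nightfall", "alice"])):
        print(line)
```

The UTF-16LE copy of the project name is the one an ASCII-only strings pass would miss entirely, which is the practical reason to search both encodings of every term on the list.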
70 – Initial Triage
First steps: browse and collect. Browse the list of running processes and applications:
Do I see Internet browsers? Yes.
Do I see any instant-messenger applications?
Do I see any other applications that might be useful for my investigation?
Add artifacts to your report: export to Excel, or right-click and choose Send to Report.