Memory Forensics
Key component in DFIR
– Consider a second hobby (knitting)
– Get a rocking chair
– You still want to do this? Fine.....
Stuff to keep in mind
– If the machine is x64 use the right imager
– If you BSOD the machine you destroyed the info
Get memory image
F-Response – I have yet to play with this
– If you have... I dislike you
– Uses iSCSI protocol – blocks write operations
– Allows you to use other tools to get image
– What other tools? Glad you asked...
Win32dd/Moonsols
– Started life as Win32dd
– Hashes – MD5, SHA-1 and SHA-256
– You can set up a listener on your system – default is port 1337
– Will convert memory to MS crashdump
Mandiant Memoryze
– Will acquire and analyze
– You can analyze a saved image
– Also requires Audit Viewer
– Mandiant has a newer product...
Redline
– By Mandiant
– Free to use: www.mandiant.com/resources/downloads
– Pretty slick / Sloooooooooooooooow at times
And a bunch more
– WinPmem – this is very good: Windows XP to Windows 8, both 32 and 64 bit
– Dumpit – eh, not bad, we like ^^ better
Volatility
We like this...
– Written in Python
– Has API so you can make stuff with it
– Has plugins that are pretty cool
– Works fairly fast
– Not as nice as Redline but a lot of options
Volatility – Install
– Stand alone exe for Windows – you're not left out
– Easy install for Linux
Download and install:
– Distorm3 – https://code.google.com/p/distorm
– Yara – https://code.google.com/p/yara-project/
– PyCrypto – https://www.dlitz.net/software/pycrypto/
– PIL – http://www.pythonware.com/products/pil/
Volatility – Using
When in doubt, --help it out:
python vol.py -h
Mmmmkey so?!?
Volatility – Do eeeet
What OS was the image from:
python vol.py -f <image> imageinfo
– It will do a best guess; you should know already
– Some tools only work on Vista/2003
– You can get modules from the community
– Use verbose and an output file: -v --output-file=$path
Volatility – Still waiting to do eeet
To save typing, assume all commands are prefaced with:
python vol.py -f <image> --profile=.............
Volatility – XP/2003/Vista
Network connections:
– connections (standard netstat -an info)
– connscan (looks for _TCPT_OBJECTS)
Look to see what is running:
– pslist – typical tasklist – not cool like tasklist /SVC
– Name, Pid, Ppid, Threads, handles, time
psscan
– Finds _EPROCESS structures a different way than pslist
– Can find stuff that has been unlinked from the doubly linked list
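The pslist-vs-psscan point above, as an added example that is not part of these slides: a small Python script that parses Volatility 2.x `pslist` and `psscan` text output (the sample output below is constructed, not from a real image) and reports what psscan carved out that the list walk never showed, keeping processes that merely exited apart from still-running candidates for hidden ones. It is the same cross-view idea psxview applies across more sources.

```python
import re

# Leading columns shared by pslist and psscan rows: offset, name, pid, ppid
ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
# Start/created and exit timestamps as Volatility 2 prints them
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

# Constructed sample output (Volatility 2.x text format), not from a real image
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     58      379 ------      0
0x822f1020 smss.exe                544      4      3       19 ------      0 2010-08-11 06:06:53 UTC+0000
0x81e4a688 explorer.exe           1724   1692     17      415      0      0 2010-08-11 06:09:29 UTC+0000
"""
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x00000000022f1020 smss.exe            544      4 0x04e1e000 2010-08-11 06:06:53 UTC+0000
0x0000000001e4a688 explorer.exe       1724   1692 0x04e1e280 2010-08-11 06:09:29 UTC+0000
0x0000000001f2c020 cmd.exe            2028   1724 0x04e1e300 2010-08-11 06:12:01 UTC+0000 2010-08-11 06:12:40 UTC+0000
0x0000000001fd8b40 hidden.exe         1316    668 0x04e1e360 2010-08-11 06:10:12 UTC+0000
"""

def parse_table(text):
    """Map (pid, name) -> {'ppid': int, 'exited': bool}; header and rule lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        name, pid, ppid = m.groups()
        # a second timestamp on the row is the exit time: the process already died
        exited = len(TIMESTAMP.findall(line)) == 2
        procs[(int(pid), name)] = {"ppid": int(ppid), "exited": exited}
    return procs

def cross_view(pslist_text, psscan_text):
    """Processes psscan carved out that pslist's walk of the linked list did not show."""
    listed, scanned = parse_table(pslist_text), parse_table(psscan_text)
    hidden, terminated = [], []
    for key, info in sorted(scanned.items()):
        if key in listed:
            continue
        # exited ones are usually just dead; still-running but unlinked ones need a look
        (terminated if info["exited"] else hidden).append(key)
    return {"hidden": hidden, "terminated": terminated}
```

Call `cross_view(PSLIST, PSSCAN)` with the real plugin output saved via `--output-file`; PID reuse and terminated-process residue are why the exit time is checked before calling anything hidden.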
dlllist
If you see a process you want to know more about, take the PID:
dlllist -p 420
Will show you Base Addy, size, path:
Base       Size     Path
0x1000000  0x6000   C:\WINDOWS\system32\svchost.exe
0x7c900000 0xb0000  C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf4000  C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000  C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x91000  C:\WINDOWS\system32\RPCRT4.dll
0x5cb70000 0x26000  C:\WINDOWS\system32\ShimEng.dll
0x6f880000 0x1ca000 C:\WINDOWS\AppPatch\AcGenral.DLL
0x77d40000 0x90000  C:\WINDOWS\system32\USER32.dll
0x77f10000 0x46000  C:\WINDOWS\system32\GDI32.dll
0x76b40000 0x2d000  C:\WINDOWS\system32\WINMM.dll
0x774e0000 0x13c000 C:\WINDOWS\system32\ole32.dll
Win7/2008
Ton more stuff we can do:
malfind – "The second memory segment (starting at 0x015D0000) was detected because it contained an executable that isn't listed in the PEB's module lists. If you want to save extracted copies of the memory segments identified by malfind, just supply an output directory with -D or --dump-dir=DIR. In this case, an unpacked copy of the Zeus binary that was injected into explorer.exe would be written to disk." ---- From WIKI ------
While there, read up on – yarascan, svcscan, ldrmodules, apihooks, psxview
Way more stuff
– https://code.google.com/p/volatility/
– http://www.mandiant.com/resources/downloads/
L2Read
– Malware Analyst's Cookbook: Tools and Techniques for Fighting Malicious Code
– Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
– A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security
– Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7, Third Edition
Well screw it... L2listen
Forensics:
– SANS – sans.org – d'uh, you know they got some good stuff
Security in general:
– Exotic Liability – can be spotty, f'ing good in general
– Pauldotcom – not so much forensics but good in general