
Memory Forensics Key component in DFIR Consider a second hobby (knitting) Get a rocking chair You still want to do this? Fine.....

Presentation transcript:


3 Memory Forensics Key component in DFIR Consider a second hobby (knitting) Get a rocking chair You still want to do this? Fine.....

4 Stuff to keep in mind
If the machine is x64, use the right imager
– If you BSOD the machine, you destroyed the info

5 Get memory image
F-Response
– I have yet to play with this
– If you have... I dislike you
– Uses iSCSI protocol – blocks write operations
– Allows you to use other tools to get the image
– What other tools? Glad you asked...

6 Win32dd/Moonsols
Started life as Win32dd
Hashes – MD5, SHA-1 and SHA-256
You can set up a listener on your system – default is port 1337
Will convert memory to an MS crashdump

7 Mandiant Memoryze – will acquire and analyze
You can analyze a saved image
Also requires Audit Viewer
Mandiant has a newer product...

8 Redline
By Mandiant
Free to use
Pretty slick / Sloooooooooooooooow at times

9 And a bunch more
WinPmem – this is very good: Windows XP to Windows 8, both 32 and 64 bit
Dumpit – eh, not bad; we like ^^ better

10 Volatility
We like this... Written in Python
– Has an API so you can make stuff with it
– Has plugins that are pretty cool
– Works fairly fast
– Not as nice as Redline but a lot of options

11 Volatility – Install
Stand-alone exe for Windows – you're not left out
Easy install for Linux. Download and install:
– Distorm3 – https://code.google.com/p/distorm
– Yara – https://code.google.com/p/yara-project/
– PyCrypto – https://www.dlitz.net/software/pycrypto/
– PIL –

12 Volatility – Install
sudo python setup.py install
Flipping hard huh?

13 Volatility – Using
When in doubt, --help it out: python vol.py -h
Mmmmkey so?!?

14 Volatility – Do eeeet
What OS was the image from: python vol.py -f <image> imageinfo
– It will make a best guess; you should know already
– Some tools only work on Vista/2003
– You can get modules from the community
– Use verbose and an output file: -v --output-file=$path

15 Volatility – Still waiting to do eeet
To save typing, assume all commands are prefaced with:
– python vol.py -f <image> --profile=<profile>

16 Volatility – XP/2003/Vista
Network connections:
– connections (standard netstat -an info)
– connscan (looks for _TCPT_OBJECTS)
Look to see what is running:
– pslist – typical tasklist – not cool like tasklist /SVC – shows name, PID, PPID, threads, handles, time

17 Volatility
Look for:
– svchost and != svchosts/svch0st/scvhost
– lsass != lssas etc
– csrss != cssrs etc

18 Wanna see something dirty?
(Process listing output: entries for jqs.exe at 0x01795c18, two nc.exe processes, and hot_pics.exe at 0x0185a2d0; the remaining offsets and columns are garbled in this transcript)

19 psscan
Finds _EPROCESS structures a different way
Can find processes that are not in the doubly linked list or have been unlinked
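The two checks from the last slides (look-alike names such as svch0st/lssas/cssrs, and processes that psscan finds but pslist does not) as an added example that is not part of the original deck or of Volatility itself. It assumes Volatility 2 style text output where the first four columns are offset, name, PID and PPID, and the sample listings are constructed:

```python
KNOWN = {"system", "smss.exe", "csrss.exe", "winlogon.exe",  # legitimate names,
         "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}  # exact spelling expected

def parse_listing(text):
    """Return {pid: (name, ppid, offset)} from pslist/psscan text; uses the first 4 columns."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue  # skip header / separator lines
        offset, name, pid, ppid = parts[:4]
        procs[int(pid)] = (name, int(ppid), offset)
    return procs

def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name, max_edits=2):
    """Known name this one imitates (1-2 edits away), or None for exact or unrelated names."""
    n = name.lower()
    if n in KNOWN:
        return None
    best = min(KNOWN, key=lambda k: edit_distance(n, k))
    return best if edit_distance(n, best) <= max_edits else None

def triage(pslist_text, psscan_text):
    """Cross-check the two listings: look-alike names, and psscan-only (unlinked) PIDs."""
    listed, scanned = parse_listing(pslist_text), parse_listing(psscan_text)
    findings = {"lookalike": [], "hidden": []}
    for pid, (name, _, _) in sorted(scanned.items()):
        target = lookalike(name)
        if target:
            findings["lookalike"].append((pid, name, target))
        if pid not in listed:  # psscan saw it, pslist did not
            findings["hidden"].append((pid, name))
    return findings

# Constructed sample output (not from a real image); the extra columns are ignored
PSLIST = """Offset(V)  Name         PID  PPID Thds Hnds
0x81e6ab28 lsass.exe     676  628   19  365
0x81c8d3e0 svch0st.exe  1036  628    3   45
"""
PSSCAN = PSLIST + "0x0185a2d0 hot_pics.exe 1812 1036    1    9\n"
```

A process name that matches a known name only approximately, or a PID present in psscan but absent from pslist, is a lead to follow up with dlllist and the other plugins, not a verdict on its own.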

20 dlllist
If you see a process you want to know more about, take the PID: dlllist -p 420
Will show you base address, size and path (base addresses are truncated in this transcript):
Base Size Path
0x... 0x6000 C:\WINDOWS\system32\svchost.exe
0x7c... 0xb0000 C:\WINDOWS\system32\ntdll.dll
0x7c... 0xf4000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77e... 0x91000 C:\WINDOWS\system32\RPCRT4.dll
0x5cb... 0x26000 C:\WINDOWS\system32\ShimEng.dll
0x6f... 0x1ca000 C:\WINDOWS\AppPatch\AcGenral.DLL
0x77d... 0x90000 C:\WINDOWS\system32\USER32.dll
0x77f... 0x46000 C:\WINDOWS\system32\GDI32.dll
0x76b... 0x2d000 C:\WINDOWS\system32\WINMM.dll
0x774e0000 0x13c000 C:\WINDOWS\system32\ole32.dll

21 Win7/2008
Ton more stuff we can do:
malfind – from the wiki: "The second memory segment (starting at 0x015D0000) was detected because it contained an executable that isn't listed in the PEB's module lists. If you want to save extracted copies of the memory segments identified by malfind, just supply an output directory with -D or --dump-dir=DIR. In this case, an unpacked copy of the Zeus binary that was injected into explorer.exe would be written to disk"
While there, read up on: yarascan, svcscan, ldrmodules, apihooks, psxview

22 Way more stuff https://code.google.com/p/volatility/

23 L2Read
– Malware Analyst's Cookbook: Tools and Techniques for Fighting Malicious Code
– Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
– A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security
– Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7, Third Edition

24 Well screw it... L2listen
Forensics – SANS – sans.org d'uh you know they got some good stuff
Security in general:
– Exotic Liability – can be spotty, f'ing good in general
– Pauldotcom – not so much forensics but in general


