Memory Forensics
– Key component in DFIR
– Consider a second hobby (knitting)
– Get a rocking chair
– You still want to do this? Fine.....
Stuff to keep in mind
– If the machine is x64, use the right imager
– If you BSOD the machine, you've destroyed the info
Get memory image
F-Response
– I have yet to play with this
– If you have... I dislike you
– Uses the iSCSI protocol – blocks write operations
– Allows you to use other tools to get the image
– What other tools? Glad you asked...
Win32dd/Moonsols
– Started life as Win32dd
– Hashes – MD5, SHA-1 and SHA-256
– You can set up a listener on your system – default is port 1337
– Will convert memory to an MS crashdump
Mandiant Memoryze
– Will acquire and analyze
– You can analyze a saved image
– Also requires Audit Viewer
– Mandiant has a newer product...
Redline
– By Mandiant
– Free to use
– Pretty slick / Sloooooooooooooooow at times
And a bunch more
– WinPmem – this is very good: Windows XP to Windows 8, both 32 and 64 bit
– Dumpit – eh, not bad, we like ^^ better
Volatility
We like this...
– Written in Python
– Has an API so you can make stuff with it
– Has plugins that are pretty cool
– Works fairly fast
– Not as nice as Redline but a lot of options
Volatility – Install
– Standalone exe for Windows – you're not left out
– Easy install for Linux; download and install:
  Distorm3 – https://code.google.com/p/distorm
  Yara – https://code.google.com/p/yara-project/
  PyCrypto – https://www.dlitz.net/software/pycrypto/
  PIL –
Volatility – Using
– When in doubt, --help it out: python vol.py -h
– Mmmmkey so?!?
Volatility – Do eeeet
– What OS was the image from: python vol.py -f <image> imageinfo
– It will do a best guess; you should know already
– Some plugins only work on Vista/2003
– You can get modules from the community
– Use verbose and an output file: -v --output-file=$path
Volatility – Still waiting to do eeet
To save typing, assume all commands are prefaced with: python vol.py -f <image> --profile=<profile>
Volatility – XP/2003/Vista
Network connections:
– connections (standard netstat -an info)
– connscan (pool-tag scans for _TCPT_OBJECT structures)
Look to see what is running:
– pslist – typical tasklist – not cool like tasklist /SVC
– Name, PID, PPID, threads, handles, time
Wanna see something dirty? (process listing; most columns lost in extraction)
0x01795c18 jqs.exe …
… nc.exe …
… nc.exe …
0x0185a2d0 hot_pics.exe …
psscan
– Scans memory for _EPROCESS structures instead of walking the process list like pslist
– Can find processes that have been unlinked from the doubly linked list (hidden)
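The pslist-vs-psscan point above, as an added example that is not from the slides: it parses Volatility 2 text output for both plugins and reports PIDs that psscan found but pslist did not, separating genuinely hidden (still running) processes from terminated ones whose _EPROCESS block just lingered in pool memory. The two output samples are constructed, not from a real image.

```python
import re

# Constructed sample output in Volatility 2 column layout (not from a real image).
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x820df020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x81e4a990 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:43:32 UTC+0000
0x81e6a1d0 jqs.exe                1412    668      5      148      0      0 2012-07-22 02:43:30 UTC+0000
"""
PSSCAN = """\
Offset(P)  Name                PID   PPID PDB        Time created                Time exited
---------- ---------------- ------ ------ ---------- --------------------------- ---------------------------
0x023c89c8 System                4      0 0x00319000
0x020df020 smss.exe            368      4 0x0a32a000 2012-07-22 02:42:31 UTC+0000
0x01e4a990 explorer.exe       1484   1464 0x0a43c000 2012-07-22 02:43:32 UTC+0000
0x01e6a1d0 jqs.exe            1412    668 0x0a6a9000 2012-07-22 02:43:30 UTC+0000
0x0185a2d0 hot_pics.exe       2024   1484 0x0a5f2000 2012-07-22 02:45:02 UTC+0000
0x01f0b3a0 cmd.exe            1900   1484 0x0a7a0000 2012-07-22 02:44:10 UTC+0000 2012-07-22 02:44:40 UTC+0000
"""

# Data rows start with an offset; header and rule lines do not match.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)(.*)$")
TIMESTAMP = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4}")


def parse_rows(text):
    """Yield (name, pid, ppid, remaining_columns) for each data row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group(2), int(m.group(3)), int(m.group(4)), m.group(5)


def find_hidden(pslist_text, psscan_text):
    """Processes psscan saw that pslist did not. Offsets differ (virtual vs
    physical), so match on PID plus name. Both plugins truncate names, so
    compare the first 16 characters only."""
    listed = {pid: name for name, pid, _, _ in parse_rows(pslist_text)}
    result = {"hidden": [], "exited": []}
    for name, pid, ppid, rest in parse_rows(psscan_text):
        if pid in listed and listed[pid][:16] == name[:16]:
            continue
        # After PPID psscan prints PDB, Time created and, if terminated, Time exited.
        # Two timestamps means the process exited normally: not a rootkit hide.
        bucket = "exited" if len(TIMESTAMP.findall(rest)) >= 2 else "hidden"
        result[bucket].append((name, pid, ppid))
    return result
```

A PID that lands in "hidden" is the one to chase with dlllist, malfind and psxview; "exited" entries are normal churn.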
dlllist
– If you see a process you want to know more about, take the PID: dlllist -p 420
– Will show you base address, size, path (base addresses partly lost in extraction):
Base       Size     Path
0x…        0x6000   C:\WINDOWS\system32\svchost.exe
0x7c…      0xb0000  C:\WINDOWS\system32\ntdll.dll
0x7c…      0xf4000  C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000  C:\WINDOWS\system32\ADVAPI32.dll
0x77e…     0x91000  C:\WINDOWS\system32\RPCRT4.dll
0x5cb…     0x26000  C:\WINDOWS\system32\ShimEng.dll
0x6f…      0x1ca000 C:\WINDOWS\AppPatch\AcGenral.DLL
0x77d…     0x90000  C:\WINDOWS\system32\USER32.dll
0x77f…     0x46000  C:\WINDOWS\system32\GDI32.dll
0x76b…     0x2d000  C:\WINDOWS\system32\WINMM.dll
0x774e0000 0x13c000 C:\WINDOWS\system32\ole32.dll
Win7/2008
Ton more stuff we can do:
– malfind – from the wiki: "The second memory segment (starting at 0x015D0000) was detected because it contained an executable that isn't listed in the PEB's module lists. If you want to save extracted copies of the memory segments identified by malfind, just supply an output directory with -D or --dump-dir=DIR. In this case, an unpacked copy of the Zeus binary that was injected into explorer.exe would be written to disk."
– While you're there, read up on: yarascan, svcscan, ldrmodules, apihooks, psxview
Way more stuff
https://code.google.com/p/volatility/
L2Read
– Malware Analyst's Cookbook: Tools and Techniques for Fighting Malicious Code
– Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
– A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security
– Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7, Third Edition
Well screw it... L2listen
Forensics:
– SANS – sans.org – d'uh, you know they got some good stuff
Security in general:
– Exotic Liability – can be spotty, f'ing good in general
– Pauldotcom – not so much forensics, but good in general