Memory Forensics
Key component in DFIR
Consider a second hobby (knitting)
Get a rocking chair
You still want to do this? Fine.....

4 Stuff to keep in mind
– If the machine is x64 use the right imager (a 32-bit acquisition driver will not load on a 64-bit kernel, and the wrong one can crash the box)
– If you BSOD the machine you destroyed the info

5 Get memory image
F-Response
– I have yet to play with this – If you have... I dislike you
– Uses the iSCSI protocol – presents physical memory as a read-only target (blocks write operations)
– Allows you to use other tools to get the image
– What other tools? Glad you asked...

6 Win32dd / MoonSols
– Started life as Win32dd (now win32dd/win64dd in the MoonSols Windows Memory Toolkit)
– Hashes the image – MD5, SHA-1 and SHA-256
– You can set up a listener on your system and push the image over the network – default is port 1337
– Will convert memory to an MS crashdump (so WinDbg can open it)

7 Mandiant Memoryze
– Will acquire and analyze
– You can analyze a saved image
– Also requires Audit Viewer (to view the results)
– Mandiant has a newer product...

8 Redline
– By Mandiant
– Free to use
– Pretty slick / Sloooooooooooooooow at times

9 And a bunch more
– WinPmem – this is very good: Windows XP to Windows 8, both 32 and 64 bit
– DumpIt – eh, not bad; we like WinPmem better

10 Volatility
We like this...
– Written in Python
– Has an API so you can make stuff with it
– Has plugins that are pretty cool
– Works fairly fast
– Not as nice as Redline but a lot of options

11 Volatility – Install
– Stand-alone exe for Windows – you're not left out
– Easy install for Linux. Download and install the dependencies first: distorm3, yara (yara-python), pycrypto, PIL

12 Volatility – Install
sudo python setup.py install
Flipping hard, huh?

13 Volatility – Using
When in doubt, --help it out:
python vol.py -h
Mmmmkey so?!?

14 Volatility – Do eeeet
What OS was the image from:
python vol.py -f <image> imageinfo
– It will do a best guess; you should know already
– Some tools only work on certain OS versions (e.g. Vista/2003), so the profile matters
– You can get modules from the community
– Use verbose and an output file: -v --output-file=$path

15 Volatility – Still waiting to do eeet
To save typing, assume all commands are prefaced with:
python vol.py -f <image> --profile=.............
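Putting slides 13 to 15 together, here is an added example script (not from the slides or the Volatility project) that runs imageinfo, takes the first suggested profile unless you pass one, and then runs a fixed plugin set with -v and --output-file. Assumptions: Volatility 2.x invoked as "python vol.py" (override with the VOL environment variable), the plugin list and the output-file naming are our choice, and the imageinfo text inside is a constructed sample of the "Suggested Profile(s)" line used only to exercise the parser.

```python
"""Run a Volatility 2 triage pass: imageinfo, pick a profile, then run plugins to files."""
import os
import re
import subprocess
import sys

# How to invoke Volatility 2.x (assumption: override with VOL="/path/to/vol.py" if needed).
VOL = os.environ.get("VOL", "python vol.py").split()
# Our XP/2003 triage set (assumption); add or remove plugins to taste.
PLUGINS = ["pslist", "psscan", "connections", "connscan", "dlllist"]

# Constructed sample of what imageinfo prints (not captured from a real image); only tests the parser.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search...

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
"""


def suggested_profiles(imageinfo_output):
    """Profiles imageinfo suggests, in the order it lists them (empty if the line is missing)."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not m:
        return []
    names = re.sub(r"\(Instantiated with [^)]*\)", "", m.group(1))
    return [p.strip() for p in names.split(",") if p.strip()]


def build_command(image, plugin, profile=None, outdir=None, verbose=False):
    """argv for one run, in the slides' shape: vol.py -f <image> --profile=<p> [-v] <plugin> --output-file=..."""
    argv = VOL + ["-f", image]
    if profile:
        argv.append("--profile=" + profile)
    if verbose:
        argv.append("-v")
    argv.append(plugin)
    if outdir:
        argv.append("--output-file=" + os.path.join(outdir, plugin + ".txt"))
    return argv


def run_triage(image, outdir, profile=None):
    """imageinfo first, then every plugin in PLUGINS; returns the profile that was used."""
    os.makedirs(outdir, exist_ok=True)
    if profile is None:
        info = subprocess.run(build_command(image, "imageinfo"),
                              capture_output=True, text=True, check=True).stdout
        with open(os.path.join(outdir, "imageinfo.txt"), "w") as fh:
            fh.write(info)
        profiles = suggested_profiles(info)
        if not profiles:
            raise SystemExit("imageinfo suggested no profile; pass one explicitly")
        profile = profiles[0]  # best guess only: you should know the OS and override if it is wrong
    for plugin in PLUGINS:
        subprocess.run(build_command(image, plugin, profile, outdir, verbose=True), check=True)
    return profile


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: triage.py <image> <outdir> [profile]")
    print("profile used:", run_triage(*sys.argv[1:4]))
```

Run it as "python triage.py mem.raw out WinXPSP2x86" when you already know the OS; leave the profile off and it trusts imageinfo's first guess, which is exactly the thing the slide warns you to double-check.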

16 Volatility – XP/2003/Vista
Network connections:
– connections (standard netstat -an info; walks the live connection list)
– connscan (scans physical memory for _TCPT_OBJECT structures, so it can also turn up closed or unlinked connections)
– Both are XP/2003 only; on Vista and later use netscan
Look to see what is running:
– pslist – typical tasklist – not cool like tasklist /SVC
– Shows Name, PID, PPID, Threads, Handles, Time

17 Volatility
Look for lookalike names:
– svchost != svchosts / svch0st / scvhost
– lsass != lssas etc
– csrss != cssrs etc
And check the parent while you are there (svchost.exe should be a child of services.exe, lsass.exe of winlogon.exe on XP)

18 Wanna see something dirty?
psscan output (columns: offset, name, PID, PPID, page directory base, time created):
0x01795c18 jqs.exe      1720  676  0x098c01a0 2010-02-03 20
0x01797020 nc.exe       1508 1124  0x098c0200 2010-02-03 20
0x01842900 nc.exe       1888 1124  0x098c03c0 2010-02-03 20
0x0185a2d0 hot_pics.exe 1124  380  0x098c03a0 2010-02-03 20
Two copies of nc.exe (netcat) whose parent (PPID 1124) is hot_pics.exe. Dirty.

19 psscan
– Scans physical memory for _EPROCESS pool allocations instead of walking the kernel's doubly linked process list
– Can find processes that were unlinked from the list (DKOM hiding) or have already exited
– Diff it against pslist: anything in psscan but not in pslist needs an explanation
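Slides 17 to 19 describe three checks you end up doing by eye; this added example (not from the slides or the Volatility project) does them over pslist/psscan text: lookalike names by edit distance against a baseline of XP system processes, parent/child relationships that should not happen, and processes psscan finds that pslist does not. The two listings are constructed in psscan column order (offset, name, PID, PPID) and are not from a real image; the baseline and expected-parent tables are our XP/2003 assumptions.

```python
"""Triage Volatility pslist/psscan output: lookalike names, odd parents, hidden processes."""
import re

# Constructed listings (not a real image). The hot_pics.exe / nc.exe rows echo the slide above.
PSLIST = """\
Offset(V)  Name          PID   PPID
0x817a0020 System        4     0
0x8172a3d8 smss.exe      380   4
0x817b6da0 csrss.exe     604   380
0x8178ab18 winlogon.exe  632   380
0x8177e4a0 services.exe  676   632
0x8176e478 lsass.exe     688   632
0x81745020 svchost.exe   876   676
0x8172f4d8 explorer.exe  1500  1464
0x0185a2d0 hot_pics.exe  1124  380
0x01797020 nc.exe        1508  1124
0x01842900 nc.exe        1888  1124
0x0174c020 scvhost.exe   1960  1500
"""
# psscan sees one more _EPROCESS that the linked-list walk in pslist missed (constructed).
PSSCAN = PSLIST + "0x0171b020 lssas.exe     2044  676\n"

ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")

# XP/2003 baseline (assumption): names that belong, who should spawn them, and who spawns only them.
KNOWN = {"system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
         "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
EXPECTED_PARENT = {"csrss.exe": {"smss.exe"}, "winlogon.exe": {"smss.exe"},
                   "services.exe": {"winlogon.exe"}, "lsass.exe": {"winlogon.exe"},
                   "svchost.exe": {"services.exe"}, "spoolsv.exe": {"services.exe"}}
ALLOWED_CHILDREN = {"system": {"smss.exe"}, "smss.exe": {"csrss.exe", "winlogon.exe"}}


def parse_listing(text):
    """Map PID -> {name, ppid, offset} from pslist/psscan style rows; header lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            offset, name, pid, ppid = m.groups()
            procs[int(pid)] = {"name": name, "ppid": int(ppid), "offset": offset}
    return procs


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 between an unknown name and a system name means lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(pslist_text, psscan_text):
    """Return (pid, name, reason) tuples worth a second look."""
    listed = parse_listing(pslist_text)
    scanned = parse_listing(psscan_text)
    findings = []
    for pid, proc in scanned.items():
        name = proc["name"].lower()
        parent = scanned.get(proc["ppid"])
        pname = parent["name"].lower() if parent else "<none>"
        if name not in KNOWN:
            close = sorted(k for k in KNOWN if edit_distance(name, k) <= 2)
            if close:
                findings.append((pid, proc["name"], "lookalike of %s" % close[0]))
            elif pname not in KNOWN:
                findings.append((pid, proc["name"], "unknown binary spawned by unknown parent %s" % pname))
        if name in EXPECTED_PARENT and pname not in EXPECTED_PARENT[name]:
            findings.append((pid, proc["name"], "parent is %s, expected %s"
                             % (pname, "/".join(sorted(EXPECTED_PARENT[name])))))
        if pname in ALLOWED_CHILDREN and name not in ALLOWED_CHILDREN[pname]:
            findings.append((pid, proc["name"], "%s should not spawn this" % pname))
        if pid not in listed:
            findings.append((pid, proc["name"], "in psscan but not pslist (unlinked or exited)"))
    return findings


if __name__ == "__main__":
    for pid, name, why in triage(PSLIST, PSSCAN):
        print("%5d %-14s %s" % (pid, name, why))
```

On the constructed data this flags hot_pics.exe (smss.exe spawned it), both nc.exe instances (unknown binary under an unknown parent), scvhost.exe (two edits away from svchost.exe) and lssas.exe twice (lookalike, and present in psscan but missing from pslist). Feed it the real plugin output files instead of the constants and the same rules apply.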

20 dlllist
If you see a process you want to know more about, take the PID:
dlllist -p 420
Will show you base address, size, path:
Base       Size     Path
0x1000000  0x6000   C:\WINDOWS\system32\svchost.exe
0x7c900000 0xb0000  C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf4000  C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000  C:\WINDOWS\system32\ADVAPI32.dll
0x77e70000 0x91000  C:\WINDOWS\system32\RPCRT4.dll
0x5cb70000 0x26000  C:\WINDOWS\system32\ShimEng.dll
0x6f880000 0x1ca000 C:\WINDOWS\AppPatch\AcGenral.DLL
0x77d40000 0x90000  C:\WINDOWS\system32\USER32.dll
0x77f10000 0x46000  C:\WINDOWS\system32\GDI32.dll
0x76b40000 0x2d000  C:\WINDOWS\system32\WINMM.dll
0x774e0000 0x13c000 C:\WINDOWS\system32\ole32.dll
Caveat: dlllist walks the PEB's load-order list, so a DLL that unlinked itself will not show up; compare with ldrmodules.
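An added example (not from the slides or the Volatility project) that reads dlllist output and flags two things the listing shows but does not judge for you: a module loaded from outside the usual system directories, and a module carrying the name of a system DLL but living somewhere else. The listing is constructed: the first rows copy the shape of the slide's output, the last two are made up to trigger the checks, and the trusted-directory baseline is our assumption.

```python
"""Flag modules in dlllist output that live outside trusted directories or shadow a system DLL name."""
import re

# Constructed dlllist-style output for one process (Base, Size, Path); not from a real image.
SAMPLE = r"""
Base       Size     Path
0x1000000  0x6000   C:\WINDOWS\system32\svchost.exe
0x7c900000 0xb0000  C:\WINDOWS\system32\ntdll.dll
0x7c800000 0xf4000  C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x9b000  C:\WINDOWS\system32\ADVAPI32.dll
0x6f880000 0x1ca000 C:\WINDOWS\AppPatch\AcGenral.DLL
0x10000000 0x2c000  C:\DOCUME~1\user\LOCALS~1\Temp\msupd.dll
0x3a000000 0x2f000  C:\Temp\kernel32.dll
"""

DLL_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")

# Where a module is allowed to live on an XP box (assumption; extend for your environment). Lowercase.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\apppatch",
                "c:\\windows\\winsxs", "c:\\program files")


def parse_dlllist(text):
    """List of {base, size, path} from dlllist rows; the header and blank lines are skipped."""
    mods = []
    for line in text.splitlines():
        m = DLL_ROW.match(line.strip())
        if m:
            base, size, path = m.groups()
            mods.append({"base": int(base, 16), "size": int(size, 16), "path": path})
    return mods


def trusted(directory):
    """True if the directory is one of TRUSTED_DIRS or below one (exact match on the path component)."""
    d = directory.lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def find_suspicious(mods):
    """(path, reason) for modules outside the trusted dirs or reusing an already-seen file name."""
    findings = []
    first_seen = {}
    for m in mods:
        directory, _, filename = m["path"].rpartition("\\")
        key = filename.lower()
        if not trusted(directory):
            findings.append((m["path"], "loaded from outside the trusted directories"))
        if key in first_seen and first_seen[key].lower() != m["path"].lower():
            findings.append((m["path"], "same file name as %s" % first_seen[key]))
        first_seen.setdefault(key, m["path"])
    return findings


if __name__ == "__main__":
    for path, why in find_suspicious(parse_dlllist(SAMPLE)):
        print("%-50s %s" % (path, why))
```

The temp-directory DLL is the classic dropper pattern; the second kernel32.dll is flagged twice, once for its location and once because a name collision with a system DLL is how a malicious module hides in a list you only skim.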

21 Win7/2008
Ton more stuff we can do:
malfind – from the Volatility wiki: "The second memory segment (starting at 0x015D0000) was detected because it contained an executable that isn't listed in the PEB's module lists. If you want to save extracted copies of the memory segments identified by malfind, just supply an output directory with -D or --dump-dir=DIR. In this case, an unpacked copy of the Zeus binary that was injected into explorer.exe would be written to disk."
While there, read up on: yarascan, svcscan, ldrmodules, apihooks, psxview
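What the wiki paragraph describes, as an added example. This is not Volatility's malfind (which walks the real VAD tree and reads the pages through the process address space); it applies the same heuristic to a constructed list of VAD regions: keep regions that are private (VadS/VadF), PAGE_EXECUTE_READWRITE and not all zeros, then record whether each starts with an MZ header and whether the loader knows about it through the PEB module list. The VAD records and PEB bases are made up; the 0x015D0000 region mirrors the injected Zeus example in the quote.

```python
"""Simplified malfind: executable+writable private memory the loader does not know about."""

# Constructed VAD entries for one process: (start, end, protection, pool tag, first 16 bytes).
# Real data would come from the VAD tree plus a read of each region (not from a real image here).
MZ_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
VADS = [
    (0x01000000, 0x0103FFFF, "PAGE_EXECUTE_WRITECOPY", "Vad",  MZ_HEAD),        # explorer.exe image
    (0x7C900000, 0x7C9AFFFF, "PAGE_EXECUTE_WRITECOPY", "Vad",  MZ_HEAD),        # ntdll.dll image
    (0x00140000, 0x0023FFFF, "PAGE_READWRITE",         "VadS", b"\x00" * 16),   # heap, not executable
    (0x015D0000, 0x015FFFFF, "PAGE_EXECUTE_READWRITE", "VadS", MZ_HEAD),        # injected PE
    (0x02000000, 0x0200FFFF, "PAGE_EXECUTE_READWRITE", "VadS",
     b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\xe8\x00\x00\x00\x00\x5b\x81"),     # code, no MZ
    (0x02100000, 0x0210FFFF, "PAGE_EXECUTE_READWRITE", "VadS", b"\x00" * 16),   # RWX but untouched
]
# Module bases recorded in the PEB's load-order list (explorer.exe and ntdll.dll here).
PEB_MODULE_BASES = {0x01000000, 0x7C900000}


def is_private(tag):
    """VadS/VadF tags are private allocations; 'Vad' regions back mapped files and images."""
    return tag in ("VadS", "VadF")


def malfind(vads, peb_bases):
    """Regions that are private, PAGE_EXECUTE_READWRITE and non-empty, with MZ and PEB checks."""
    hits = []
    for start, end, protection, tag, head in vads:
        if protection != "PAGE_EXECUTE_READWRITE" or not is_private(tag):
            continue  # image mappings and plain heap/stack are not what we are after
        if head.count(b"\x00") == len(head):
            continue  # committed but never written; all-zero pages are noise
        hits.append({
            "start": start,
            "end": end,
            "has_mz": head.startswith(b"MZ"),   # a whole PE dropped into the process
            "in_peb": start in peb_bases,       # False means the loader never saw it
        })
    return hits


if __name__ == "__main__":
    for hit in malfind(VADS, PEB_MODULE_BASES):
        print("0x%08x-0x%08x MZ=%s in PEB module list=%s"
              % (hit["start"], hit["end"], hit["has_mz"], hit["in_peb"]))
```

The 0x015D0000 hit has an MZ header and no PEB entry, the "executable that isn't listed in the PEB's module lists" of the quote; the 0x02000000 hit has no MZ header, which is the shellcode case you then disassemble or feed to yarascan. The -D/--dump-dir step in the quote would write each hit's full region to disk.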

22 Way more stuff ads/ ads/

23 L2Read
– Malware Analyst's Cookbook: Tools and Techniques for Fighting Malicious Code
– Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
– A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security
– Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7, Third Edition

24 Well screw it... L2Listen
Forensics:
– SANS – d'uh, you know they got some good stuff
Security in general:
– Exotic Liability – can be spotty, f'ing good in general
– Pauldotcom – not so much forensics, but good in general


