Presentation is loading. Please wait.

Presentation is loading. Please wait.

Memory Forensics During Incident Response

Published byShon Ford Modified over 9 years ago

Similar presentations

Presentation on theme: "Memory Forensics During Incident Response"— Presentation transcript:

1 Memory Forensics During Incident Response

2 Jack Crook Incident Handler Works for GE Founded RaDFIRe
Handlerdiaries.com

3 IR in a nutshell

4 Consider the following scenario

5 It’s been a long night and you finally get to bed only to be woken up 30 minutes later to the sound of your phone alerting you that there’s an alert that fired and needs to be triaged immediately.  Crawling out of bed you’re thinking this has to be a false positive because you’ve gone through this same routine each of the past 5 nights you were on call.  Not bothering to turn the lights on for something that’s sure to be random noise,  you peer into the ids console and see an alert that you have never seen before.  You automatically think to yourself, being the tired analyst that you are, “who was the a$$hole that added this new rule”, and you’re sure it was added intentionally just to keep you awake, but you know you can’t get back to bed until the alert is validated.  So you begin sifting through the data and it quickly becomes apparent that this isn’t a false positive, but rather it’s the real deal and alerted to the fact that there’s an intruder in your network attempting to move laterally.  You double check your initial analysis and you come to the realization that you’re not going to feel the comfort of your bed for a long long time to come.  As the adrenaline begins to rush, your mind starts racing, thinking about everything that needs to happen and you know you need to act immediately.

6 Questions that need answered
Is there a compromise? How was access obtained? When do I contain? How many points of access are there? What is the scope of the incident? Was there any data exfil?

7 Useful Data Types Knowing which data will give you the most information when analyzing intrusions and being able to quickly collect that data is critical. Network (PCAP / Netflow) OS logs AV, HIPS/HIDS Logs MFT Memory Pagefile Prefetch Registry Hives

8 Host based analysis

9 Questions that need answered
Is host compromised? What was placed on the host? Was lateral movement performed? Was there any data exfil? Are additional hosts compromised?

10 Memory is one if the richest pieces of data to collect when analyzing host data

11 Why collect memory? Acquisition times Complete system state
Recover artifacts of compromise Identify command execution

12 Tools for acquiring memory
There are several tools that you can use to acquire memory during forensic investigations. DumpIt (Moonsols) Fastdump Pro (HBGary) Memoryze (Mandiant) FTK Imager (FTK)

13 Analysis Tools There are several freely available tools that you can use to aid in your forensic investigations. Volatility Rekall Redline Responder Strings Grep dd

14 Questions we can often answer?
Is the host compromised? How was the host compromised? Were malicious files dropped? Who talked to the host? Who did the host talk to? Were any user accts compromised? Was any lateral movement identified? How was lateral movement performed? Was any data taken from the host? Do additional hosts need investigation?

15 What can we glean?

16 Memory Terms Some key terms that will be explained in the following slides : Virtual Memory Stack Memory Heap Memory Paging Memory management VAD’s Shared Memory

17 Memory Terms Virtual Memory:
A mechanism used so that each process can have it’s own memory space without bleeding into other process space. Stack Memory: This is basically the runtime state of process. This area of memory includes data such as local variables and functions. All processes. Heap Memory: This area of memory is used for the dynamic allocation. File contents and user input are some of the data types in heap memory. All processes.

18 Memory Terms Paging: Also know as swapping. Used when physical memory for that process is exhausted. Pages from memory are written to disk to free physical memory space. When a swapped page is needed it is retrieved from disk and rewritten to memory. Memory Management: The operating system’s process of allocating and tracking allocated memory.

19 Memory Terms VAD: Also known as Virtual Address Descriptors. It’s the method used to record the usage of virtual addresses. It’s possible to rebuild an entire process (minus paged data) by walking this tree like structure and extracting each page. Shared Memory: Used for processes to share different pieces of memory. Think of dll’s.

20 Demo 2012 GrrCON forensic challenge

Download ppt "Memory Forensics During Incident Response"

Similar presentations

CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 12 - Virtual Memory (2) Jonathan Walpole Computer Science Portland State University.
11/15/2005Comp 120 Fall 20051 15 November Seven Classes to Go! Questions! VM and Making Programs Go.

11/15/2005Comp 120 Fall November Seven Classes to Go! Questions! VM and Making Programs Go.
Home: www.cse.dmu.ac.uk/~pkang Phones OFF Please Unix Kernel Parminder Singh Kang Home: www.cse.dmu.ac.uk/~pkang Email: pkang@dmu.ac.uk.

Home: Phones OFF Please Unix Kernel Parminder Singh Kang Home:
Chapter 12 File Management Systems

Chapter 12 File Management Systems
A. Frank - P. Weisberg Operating Systems Real Memory Management.

A. Frank - P. Weisberg Operating Systems Real Memory Management.
03/05/2008CSCI 315 Operating Systems Design1 Memory Management Notice: The slides for this lecture have been largely based on those accompanying the textbook.

03/05/2008CSCI 315 Operating Systems Design1 Memory Management Notice: The slides for this lecture have been largely based on those accompanying the textbook.
PRASHANTHI NARAYAN NETTEM.

PRASHANTHI NARAYAN NETTEM.
Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.
Incident Response: The First 10 Minutes Matt Bing Incident Response Coordinator The University of Michigan

Incident Response: The First 10 Minutes Matt Bing Incident Response Coordinator The University of Michigan
Passwords, Encryption Forensic Tools

Passwords, Encryption Forensic Tools
Forensic Artifacts From A Pass The Hash (PtH) Attack

Forensic Artifacts From A Pass The Hash (PtH) Attack
Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Tutorial 6 Memory Management

Tutorial 6 Memory Management
System Calls 1.

System Calls 1.
Operating System Chapter 7. Memory Management Lynn Choi School of Electrical Engineering.

Operating System Chapter 7. Memory Management Lynn Choi School of Electrical Engineering.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Computers in the real world Objectives Understand what is meant by memory Difference between RAM and ROM Look at how memory affects the performance of.

Computers in the real world Objectives Understand what is meant by memory Difference between RAM and ROM Look at how memory affects the performance of.
Computer Architecture and Operating Systems CS 3230: Operating System Section Lecture OS-7 Memory Management (1) Department of Computer Science and Software.

Computer Architecture and Operating Systems CS 3230: Operating System Section Lecture OS-7 Memory Management (1) Department of Computer Science and Software.
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.

ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

Similar presentations

Ads by Google