Live Memory Forensics
Copyright 2010, Ver 1.0

Introduction
Welcome to the Live Memory Forensics class!
This is an introduction to live memory forensics. It is designed for the investigator who already has digital forensic experience and intermediate ability with the Microsoft Windows operating system.
What will be presented today
Why we are interested in live memory
What can be found in it
How memory works
How to acquire live memory
How the HBGary tools differ from other capture software
Potential issues that can affect your capture
You will also capture live memory yourself, and of course be tested on what you learn today.
What will be presented tomorrow
Tomorrow will focus on practical analysis of what you capture. You will work with image files of memory that have already been captured, learn how to analyze them, and take a test.
Housekeeping
These items have been provided for you: class manual, class CD-ROM, a pen, name placard, class roster form, class contact form.
Please fill out the class roster form and the class contact form, then PRINT your name on the provided placard and place it in front of you.
Introductions
When called upon, please state your name, agency or company, primary job role, and what you expect to get out of this class.
Your instructor is Michael Staggs. Contact phone number: given during class.
Section 1: Why Live Memory?

Why Memory Forensics?
Encryption keys* (BitLocker, PGP Whole Disk Encryption, etc.)
What was happening on the system: running programs, open documents, the unpacked contents of packed programs, network connections
What was really happening on the system: not the sanitized (lying) version reported by the OS, but hidden programs, rootkits and injected code
Destroying the "hacker defense": what was running ten minutes before the knock and talk
Why Memory Forensics? A more complete investigation.
Why Memory Forensics? To execute, code must exist in RAM. Traditional forensics and security software work from the disk; the code that actually ran had to be in RAM.
Why Live Memory?
Traditionally we "pull the plug". However, things have changed.
Computers and operating systems are more sophisticated. Virtual machines, embedded programs and encryption are just a few of the reasons. "Pull the plug" is no longer a blanket policy.
Today we do things in a case-specific way. How sophisticated is the user? What environment is the computer in? Do you suspect the system is compromised? All these questions and more come into play.
What can we learn from live memory?
Which operating system (OS) is running
Whether there is a single OS or additional OSs in a virtual environment
What programs are running
What services are running
Values of run-time (open) Registry entries
Values of the boot record
Whether rootkits are running
Whether viruses are running
Do you feel lucky? What can be lost when we "pull the plug"?
Remnants Found in Live Memory
Past programs, VMware sessions, IM messages, chats
Malware: rootkits, viruses, Trojan horses
Web pages, cached pages, URLs, IP addresses
MFT snippets, Registry snippets
Network connections, memory state, logged-on users
Attached devices, attached network resources
VoIP data (Skype, magicJack)
Program, OS and network passwords
Decrypted documents and decrypted chats
Bad Guys Use Memory Tricks
Memory injection attacks never touch the disk.
Public and commercial hacker tools have used these techniques for over 3 years: Metasploit Framework, Canvas, Core Impact.
There is no good software detection mechanism without physical memory preservation and offline analysis.
Remember: you cannot trust the operating system!
Defeat the Trojan Defense
"I didn't do it, the Trojan horse did!" "The hacker controlling my PC did it."
Used in the UK. Plausible deniability because law enforcement didn't image physical memory: law enforcement destroyed 4 GB of evidence. 4 GB is equivalent to 1,048,576 pages of paper (2,097 reams).
Goal: "to prove a negative". "No, your Honor, there was no Trojan or any other software running on the defendant's machine at the time in question with the capabilities claimed by the defense…"
Section 2: Live Memory Basics

Live Memory Basics
What is live memory? How do you recognize it? How does it work? How is it organized?

What is Live Memory?
Live memory is the random access memory ( % of the time) used by the CPU to store the data and programs it will manipulate. There are different types of memory.
Types of Memory Used
RAM (random-access memory): the main memory. RAM is volatile, which means it requires power (and, for DRAM, periodic refresh) to maintain its contents.
ROM (read-only memory): systems usually contain some read-only memory that holds instructions for booting the computer. ROM cannot be changed and is non-volatile.
PROM (programmable read-only memory): essentially a ROM chip that you program once, outside the factory. Like ROMs, PROMs are non-volatile.
EPROM (erasable programmable read-only memory): a special type of PROM that can be erased by exposing it to ultraviolet light.
EEPROM (electrically erasable programmable read-only memory): a special type of PROM that can be erased electrically.
CMOS (Complementary Metal Oxide Semiconductor): "CMOS" usually refers to the battery-backed non-volatile RAM (NVRAM) that holds the system setup.
The Basics of RAM
A dynamic RAM (DRAM) cell is made of a transistor and a capacitor. A good jury description is a bucket that holds water (the charge). However, the bucket has a small hole and constantly loses water. To keep the bucket full you have to keep pouring water in every so often; this is called "refresh".
How fast the memory loses charge, and how fast it can be recharged, determines the memory speed.

The Basics of ROM
Read-only memory (ROM) gets its zeros and ones at the factory. ROM chips are permanent memory; the data in them cannot be changed once it is set at the factory.

The Basics of PROM
Programmable read-only memory (PROM) gets its zeros and ones by being programmed either at the factory or in the field. PROM chips contain all ones until they are programmed. Once programmed, that's it: the data is permanent.

The Basics of EPROM
Erasable programmable read-only memory (EPROM) gets its zeros and ones by being programmed either at the factory or in the field. EPROM chips contain all ones until they are programmed. Once programmed the data is permanent unless you bathe the chip in ultraviolet light, which changes all the cells back to one. You can then reprogram it.

The Basics of EEPROM
Electrically erasable programmable read-only memory (EEPROM) gets its zeros and ones by being programmed either at the factory or in the field. EEPROM chips contain all ones until they are programmed. Once programmed the data is permanent unless an erase voltage is applied to change the cells back to one.

The Basics of CMOS
Complementary Metal Oxide Semiconductor (CMOS) is the non-volatile RAM on a computer where the system setup and the real-time clock data are stored. For CMOS to retain data it must have a battery providing power (very little, but it still needs power).
What does RAM look like? (image slide)

How RAM works
Memory is written one byte at a time. Power is applied to the two connections and charges the memory cell. (Four animation slides show a byte's value being built up bit by bit; the values are not recoverable from the transcript.)
The CPU reads and writes to RAM (technically, the CPU reads and writes to cache, which in turn reads and writes to RAM). Every memory location has a unique address. This leads us into the murky world of how Microsoft Windows works.
How does Windows work?
Windows is very complex: thousands of data structures, which can change between versions and builds, and are mostly undocumented. There are hacks on top of shortcuts on top of optimizations on top of millions of lines of code.
Who really knows how it works? Not many people. Sysinternals? Microsoft bought them. Greg, Martin and Shawn from HBGary.
Section 3: Windows Memory Model

Architecture Diagram
User mode: user applications, services, system support processes, environment subsystems, Windows API
Kernel mode: executive, kernel, HAL, device drivers, USER and GUI support

CPU Privilege Level
Ring 0: unrestricted
Rings 1 and 2: not used by Windows
Ring 3: restricted

Windows Kernel
Kernel components have unrestricted access to the entire system (dangerous!). The Windows kernel runs in Ring 0.
The Windows Executive handles memory, process, thread, security, object, I/O and networking management.
Hardware Abstraction Layer (HAL)
USER and GUI functionality
Device drivers provide extendable user and hardware input/output (I/O).

What are Device Drivers?
Dynamic, loadable modules that run in kernel mode and provide hardware I/O support and/or user I/O translation. Again, as with all kernel components, device drivers have unrestricted access to the system (dangerous!).

Windows User Mode
Restricted access to the system (Ring 3). Must access system resources through the Windows API.
Contains: user applications, support processes (logon), service processes, environment subsystems.
What are Processes?
Processes are containers for executing a program: a private virtual memory space, a unique identifier called a Process ID (PID), at least one thread of execution, and a security context.

Process Information: EPROCESS
Contains the KPROCESS
Start and termination times (we'll recover these soon)
PID and parent PID
Points to the PEB, which holds the BeingDebugged flag, the heaps, the path to the executable, the command-line arguments and the list of loaded modules (DLLs)
Points to the ETHREADs and, through the active process links, to the other EPROCESS blocks
Process Information: Active Process Links
(Diagram of the doubly linked list that chains the EPROCESS blocks together.)

Process Relationships
Idle (pid 0) -> System (pid 4 on XP and later) -> smss.exe -> csrss.exe and winlogon.exe
winlogon.exe -> services.exe (-> svchost.exe, alg.exe) and lsass.exe
userinit.exe (exits after Explorer starts) -> explorer.exe
Process Information
Full name and path, command-line arguments
Process ID number (PID), parent PID
Current working directory, window title
Handles: files, devices, drivers
List of loaded modules (DLLs)

System processes have defined parents
cmd.exe should not be the parent of lsass.exe.
Most user processes are started by explorer.exe; it is suspicious when they are not (maybe started from a command prompt).
Orphaned process: the parent PID refers to a process that is no longer running (userinit.exe exiting after it starts Explorer is the normal case).
Some system processes should never start programs: lsass.exe should not start cmd.exe.
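The parent/child rules on this slide can be checked mechanically once a process listing (PID, PPID, image name) has been carved from the image. The following Python is an added example written for this page, not Responder or FDPro code. The expected-parent table is an assumption for an XP-era system (on Vista and later, wininit.exe rather than winlogon.exe starts services.exe and lsass.exe), and the process table it runs over is constructed.

```python
"""Parent/child sanity checks over a process listing.

Added example for this page, not HBGary code. It encodes the slide's rules
over a constructed process table; the EXPECTED_PARENT table is an
assumption for an XP-era system."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str

# Expected parent image for core system processes (XP-era assumption:
# on Vista and later, wininit.exe starts services.exe and lsass.exe).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe"},
    "lsass.exe": {"winlogon.exe"},
    "svchost.exe": {"services.exe"},
    "alg.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe"},
}
# System processes that should never start another program.
NEVER_SPAWN = {"smss.exe", "csrss.exe", "lsass.exe"}
# Legitimate launchers of ordinary user programs (explorer.exe above all).
USER_LAUNCHERS = {"explorer.exe", "userinit.exe", "services.exe", "svchost.exe"}

def check_tree(procs):
    """Return [(pid, finding)] for every process that breaks one of the rules."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.pid in (0, 4):            # Idle and System have no meaningful parent
            continue
        name = p.name.lower()
        parent = by_pid.get(p.ppid)
        if parent is None:
            # Parent PID points at nothing running: an orphan. explorer.exe is the
            # one expected case, because userinit.exe exits after starting it.
            if name != "explorer.exe":
                findings.append((p.pid, f"{p.name}: parent pid {p.ppid} is not running (orphan)"))
            continue
        pname = parent.name.lower()
        if name in EXPECTED_PARENT:
            if pname not in EXPECTED_PARENT[name]:
                findings.append((p.pid, f"{p.name}: unexpected parent {parent.name}"))
        elif pname in NEVER_SPAWN:
            findings.append((p.pid, f"{parent.name} should never start {p.name}"))
        elif pname not in USER_LAUNCHERS:
            # Ordinary program not started by explorer.exe: maybe from a command prompt.
            findings.append((p.pid, f"{p.name}: started by {parent.name}, not explorer.exe"))
    return findings

# Constructed listing modelled on a Windows XP workstation with three problems.
SAMPLE = [
    Proc(0, 0, "Idle"),
    Proc(4, 0, "System"),
    Proc(368, 4, "smss.exe"),
    Proc(584, 368, "csrss.exe"),
    Proc(608, 368, "winlogon.exe"),
    Proc(652, 608, "services.exe"),
    Proc(664, 608, "lsass.exe"),
    Proc(840, 652, "svchost.exe"),
    Proc(1480, 1244, "explorer.exe"),   # userinit.exe (1244) has already exited: normal
    Proc(1720, 1480, "iexplore.exe"),
    Proc(1900, 664, "cmd.exe"),         # lsass.exe spawning a shell
    Proc(2040, 3100, "solitaire.exe"),  # parent pid 3100 is not in the listing
    Proc(2104, 1900, "ftp.exe"),        # launched from the rogue shell
]

if __name__ == "__main__":
    for pid, finding in check_tree(SAMPLE):
        print(pid, finding)
```

The rules are deliberately coarse: a user who restarts explorer.exe from a command prompt will trip the "unexpected parent" rule too, which is the point of the slide (flag it, then explain it), not a bug to engineer away.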
Process Information: List of DLLs for each process
Responder gets the name, path and size of each.
What is solitaire.exe doing with wsock32.dll?
What is iexplore.exe doing with c:\temp\WS2_32.dll?
What if a module has no path information or no memory-mapped file behind it? Injected code, possibly a rootkit. Where is it on the disk?

Suspicious program names and command lines
Parishilton.exe
C:\TEMP\solitaire -L -p e cmd.exe (netcat-style listen-and-execute switches on a "card game")
cmd.exe c:\windows\system32\cmd.exe

What is a Thread?
A thread is a container for execution: CPU registers and state, stacks, private storage called TLS (thread local storage), a unique identifier called a thread ID (TID or client ID), and a security context.
Services
User-mode programs that provide functionality independent of the current user, for example the Task Scheduler, the print spooler and Windows Update.
Hosted by services.exe, svchost.exe and others (see VMwareService.exe).

Registry
A system database that contains important system information, for example startup settings, hardware configuration, application configuration and current user data.
Physical Memory vs. Virtual Memory
Physical memory refers to the hardware view of memory; there is only one view of physical memory.
Virtual memory refers to the virtualized views of memory the OS presents; there can be many different virtual memory spaces.
(Diagram: several virtual memory spaces mapped by the operating system onto one physical memory (RAM).)

Why have Virtual Memory?
It provides process memory isolation (security).
It allows more "logical" memory by increasing the addressable space (on 32-bit Windows each process gets its own 4 GB of virtual memory).
When combined with paging, it can increase the total available memory (more on this later).

Total Logical Memory
The sum of all virtual memory: with 2 GB of physical RAM and six processes each given a 4 GB virtual space, 6 x 4 GB = 24 GB of logical memory.

How 2 GB becomes 24 GB (or more)
The OS uses CPU features to create page directories and page tables, which divide physical memory among multiple virtual memory spaces.
(Diagram: physical memory, 0 GB to 2 GB, mapped through page directories and page tables into the 0 GB to 4 GB virtual spaces of processes A, B and C.)
What happens when all physical memory is used?
Paging to the hard disk drive (SLOW!): pagefile.sys.
(Diagram: the same mapping, with some pages of process A's virtual memory backed by the hard drive instead of RAM.)

Paging to Disk
When physical memory is getting full, the least-used pages of memory are written to disk. When those pages are needed again they are read back into physical memory and some other pages are written to disk. This is called swapping, and it reduces system performance.

Memory Dump
To get a complete collection of memory you need to collect two pieces: physical memory and the on-disk pagefile.
Unreferenced Memory
Unreferenced memory is a feature of Windows memory management that may leave empty sections in a memory dump. When loading a binary from disk, the Windows Memory Manager may decide to read only portions of the binary into memory; the unread portions (unreferenced pages) of the binary are tracked but are not resident.

Why not read everything?
Speed, and reduction of actual memory usage: some binaries are very large but only a small section may be commonly used.
(Diagram: process A's virtual memory backed by RAM, by the pagefile, and by any other file on the hard drive (ANYFILE) for unreferenced image pages.)

Virtual Memory Allocation
Programs can allocate virtual memory dynamically. The size can range from a single byte to several GB (or 8192 GB of user address space on x64 OS versions).

How is this tracked?
The Windows kernel uses a data structure known as Virtual Address Descriptors (VADs) to track virtual memory allocations. Responder combines this information with the page table data for each process and displays it in the Memory Map detail panel.
(Diagram: a VAD tree for process A with ranges 0x00C00000 - 0x00E00000, 0x00CD0000 - 0x00CDF000, 0x00CE0000 - 0x00CF0000, 0x00CE0000 - 0x00E00000 and 0x00D10000 - 0x00D20000, each resolved through the PTEs to physical memory or to the hard drive.)

Memory Map
Each memory block is shown with its block length, the individual pages for the block, and which of those pages are unreferenced.
Windows Memory Model
0x00000000 - 0x7FFFFFFF: user
0x80000000 - 0xFFFFFFFF: kernel
The upper 2 GB* of every virtual memory space is reserved for the Windows kernel to use. It is not accessible to user-mode processes.
* Note: except with the rarely used /3GB boot switch, which moves the boundary to 0xC0000000 so user mode gets 3 GB and the kernel 1 GB.
Each process has its own 2 GB of user memory (the full 32-bit space runs to 0xFFFFFFFF = 4,294,967,295); for example truecrypt.exe, winword.exe, skype.exe and solitaire.exe each see their own copy of the low 2 GB.

User Virtual Memory (0 GB to 2 GB)
Process-specific Windows system structures
Windows system DLLs
Windows and application DLLs, or allocated memory
Application binary
Stack
Heap, or allocated memory

Address Translation
(Two diagram slides showing the walk from a virtual address through the page directory and page table to a physical page.)

Responder provides a complete picture of the contents in memory: stack, heap, application DLLs, system DLLs.
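To make the page-directory/page-table walk concrete, here is an added Python example (written for this page, not Responder's own translation code) of 32-bit non-PAE x86 address translation over a constructed set of physical frames standing in for a raw memory dump. An entry whose Present bit is clear is treated as "paged out", which is why the Memory Dump slide says you need pagefile.sys as well; the 4 MB large-page case is included because kernel images are commonly mapped that way. The CR3 value, the frame addresses and their contents are constructed.

```python
"""x86 (32-bit, non-PAE) virtual-to-physical address translation.

Added example for this page, not Responder code. Physical memory is a
dict of 4 KB frames keyed by physical address, standing in for a raw
dump; CR3, the table contents and the data are constructed."""

PAGE_SIZE = 0x1000
PRESENT = 0x1        # bit 0 of a PDE/PTE
LARGE_PAGE = 0x80    # PDE bit 7 (PS): the PDE maps a 4 MB page directly

class PagedOut(Exception):
    """The PDE/PTE is not present: the page is in pagefile.sys, never read in, or unmapped."""

def split_va(va):
    """10-bit page-directory index, 10-bit page-table index, 12-bit offset."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF

def read_u32(phys, paddr):
    """Little-endian 32-bit read from the frame dict; KeyError if the frame is not in the dump."""
    frame = phys[paddr & ~0xFFF]
    off = paddr & 0xFFF
    return int.from_bytes(frame[off:off + 4], "little")

def translate(phys, cr3, va):
    """Physical address of va in the address space whose page directory lives at cr3."""
    pdi, pti, off = split_va(va)
    pde = read_u32(phys, cr3 + pdi * 4)
    if not pde & PRESENT:
        raise PagedOut(f"PDE {pdi:#x} not present for VA {va:#010x}")
    if pde & LARGE_PAGE:
        # 4 MB page: PDE bits 31..22 give the frame, VA bits 21..0 the offset.
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = read_u32(phys, (pde & ~0xFFF) + pti * 4)
    if not pte & PRESENT:
        raise PagedOut(f"PTE {pti:#x} not present for VA {va:#010x}")
    return (pte & ~0xFFF) | off

def read_virtual(phys, cr3, va, n):
    """Read n bytes of virtual memory, translating page by page (a read may cross pages)."""
    out = bytearray()
    while len(out) < n:
        pa = translate(phys, cr3, va + len(out))
        frame = phys.get(pa & ~0xFFF)
        if frame is None:
            raise PagedOut(f"frame {pa & ~0xFFF:#x} is not in the dump")
        start = pa & 0xFFF
        chunk = min(n - len(out), PAGE_SIZE - start)
        out += frame[start:start + chunk]
    return bytes(out)

def build_sample():
    """Constructed physical memory: page directory at 0x39000, one page table at 0x3A000."""
    phys = {}
    def put(paddr, value):
        frame = phys.setdefault(paddr & ~0xFFF, bytearray(PAGE_SIZE))
        frame[paddr & 0xFFF:(paddr & 0xFFF) + 4] = value.to_bytes(4, "little")
    cr3, pt = 0x39000, 0x3A000
    put(cr3 + 0x000 * 4, pt | PRESENT)                        # PDE 0: VA 0..4 MB via the page table
    put(cr3 + 0x200 * 4, 0x00C00000 | LARGE_PAGE | PRESENT)   # PDE 0x200: VA 0x80000000.. as a 4 MB kernel page
    put(pt + 0x10 * 4, 0x12000 | PRESENT)                     # VA 0x00010000 -> PA 0x12000
    put(pt + 0x11 * 4, 0x77000 | PRESENT)                     # VA 0x00011000 -> PA 0x77000
    put(pt + 0x12 * 4, 0x00000000)                            # VA 0x00012000: not present (paged out)
    phys.setdefault(0x12000, bytearray(PAGE_SIZE))[0x10:0x14] = b"MZ\x90\x00"   # an image header
    phys.setdefault(0x77000, bytearray(PAGE_SIZE))
    return phys, cr3

if __name__ == "__main__":
    phys, cr3 = build_sample()
    print(hex(translate(phys, cr3, 0x00010010)), read_virtual(phys, cr3, 0x00010010, 4))
    try:
        translate(phys, cr3, 0x00012000)
    except PagedOut as e:
        print("paged out:", e)
```

A real analysis tool does the same walk but reads the tables out of the acquired image, finds CR3 for each process in its KPROCESS, and consults the pagefile (or marks the page missing) when the Present bit is clear; the 1 MB-read "smear" the acquisition slides describe means a table and the page it points to may have been captured at slightly different moments.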
Section 4: Memory Acquisition

Basic Acquisition
Acquiring memory is relatively new. There are some imagers, but nothing solid for analysis.
Freeware scene: started in 2003 (DFRWS community, Kornblum, Carvey, others).
Academic scene: Jan. 2008, the Princeton video ("frozen memory").
Open source and academic projects: Perl scripts, hex editors, strings.exe, grep searches, manual carving, the Volatility framework.

RAM collection software relies on the host OS
It can be subverted. Some software is more invasive than others; most tools load about 10 modules from the operating system.
Hibernation
Saves the system state to disk for faster resume: physical memory is compressed and written to c:\hiberfil.sys.
The space is reserved when hibernation is enabled and is not cleared, so it initially contains whatever was in that disk free space: no data if enabled but never used, but once used it always retains some data.
(Diagram: the compressed memory on disk is smaller than the size of physical memory.)
Not enabled by default* until Windows Vista, where it is now called Sleep (Vista's hybrid sleep also writes hiberfil.sys).
hiberfil.sys layout: header, free pages, page tables, compressed data. The file is wiped upon a successful restore.
Acquiring Memory
Software memory imagers: FastDump Pro (HBGary), WinHex (X-Ways), dd derivatives (FAU, dd from Garner, Nigilant32, Helix), Winen (Guidance Software), MDD (ManTech).
Hardware memory imagers: FireWire, "Tribble", other projects online; the Princeton video (freeze the RAM).

Goal: be minimally invasive to the suspect machine
DO NOT acquire RAM to the local system hard drive; it is invasive and can destroy important data.
Use an external thumb drive (USB mass storage device). Image the RAM to sterile media: a freshly wiped drive, preferably all zeros.
Format the collection drive as NTFS: FAT32 limits a single file to 4 GB (4 GiB minus one byte), and FDPro cannot split the image into chunks yet.
Generate an MD5 hash at the time of collection and save it with the memory image; it is used to verify the integrity of the file from that point in time.
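An added Python example (not FDPro or course code) of the checks above as a pre-flight routine plus the collection-time hashing: it refuses to plan an image to the suspect's own disk or to a FAT32 volume too small for RAM plus pagefile, and writes an MD5 sidecar (with SHA-256 added here as a stronger companion) that can later be re-verified. How the RAM size, pagefile size and destination file system are discovered on the live box is left to the caller; the demo runs on a constructed file.

```python
"""Pre-flight checks and collection-time hashing for a software RAM acquisition.

Added example for this page, not FDPro code. The caller supplies what it
learned about the live box (RAM size, pagefile size, destination file
system); the demo runs on a constructed file."""
import hashlib
import os
import tempfile

FAT32_MAX_FILE = (1 << 32) - 1   # largest single file FAT32 can hold
CHUNK = 1 << 20                  # 1 MiB read size for hashing large images

def check_destination(fs_type, ram_bytes, dest_is_suspect_disk, pagefile_bytes=0):
    """Return the list of problems with the acquisition plan; empty means go ahead."""
    problems = []
    if dest_is_suspect_disk:
        problems.append("destination is the suspect's own drive: image to external media instead")
    need = ram_bytes + pagefile_bytes
    if fs_type.upper() == "FAT32" and need > FAT32_MAX_FILE:
        problems.append(f"FAT32 cannot hold a {need}-byte image in one file; format the collection drive as NTFS")
    return problems

def hash_image(path):
    """Chunked MD5 and SHA-256 of an image that may be larger than RAM on the analyst's box."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def write_sidecar(image_path):
    """Record the digests next to the image (<image>.hashes) at collection time."""
    d = hash_image(image_path)
    with open(image_path + ".hashes", "w") as out:
        out.write(f"file {os.path.basename(image_path)}\n")
        for key in ("size", "md5", "sha256"):
            out.write(f"{key} {d[key]}\n")
    return d

def verify_image(image_path):
    """Re-hash the image and compare with the sidecar; False if anything changed."""
    with open(image_path + ".hashes") as f:
        recorded = dict(line.rstrip("\n").split(" ", 1) for line in f if " " in line)
    now = hash_image(image_path)
    return (recorded.get("md5") == now["md5"] and recorded.get("sha256") == now["sha256"]
            and int(recorded.get("size", -1)) == now["size"])

def demo():
    """Constructed 1 MiB + 17 byte 'image': hash it, verify, tamper, verify again."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "memdump.bin")
    data = bytes(range(256)) * 4096 + b"\x00" * 17
    with open(path, "wb") as f:
        f.write(data)
    rec = write_sidecar(path)
    ok_before = verify_image(path)
    with open(path, "ab") as f:       # a byte appended after collection
        f.write(b"x")
    ok_after = verify_image(path)
    return rec["size"], rec["md5"] == hashlib.md5(data).hexdigest(), ok_before, ok_after

if __name__ == "__main__":
    print(check_destination("FAT32", 4 << 30, True, 2 << 30))
    print(demo())
```

Run the hashing from the collection media immediately after fdpro.exe finishes, and keep the sidecar with the image; a chunked read is what makes this usable on a 16 GB image from a 2 GB laptop.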
Software creates a "smear" image
It is not a "true" duplicate image, and the process is not reproducible, because the system keeps running while it is copied.
To create a "true" image you need hardware, or a mechanism that stops the machine: virtualization can "pause" the processor; a crash dump; the hibernation file (hiberfil.sys).

Software used to dump physical RAM
HBGary FastDump Pro works on the Windows operating systems from Windows 2000 through Server 2008 and Windows 7, 32- and 64-bit, PAE and non-PAE.

Lab Exercise
Complete Lab Exercise 1. 30 minutes to complete.
Section 5: FastDump Pro

FastDump Pro (FDPro) is a command-line memory dumping utility that comes packaged with both the Responder Professional and Responder Field products. A copy of FDPro.exe is located in the FastDump folder in the directory where Responder is installed on the local hard drive.

FDPro supports:
all versions of the Windows operating systems and service packs (2000, XP, 2003, Vista, 2008 Server, 7), 32- and 64-bit, including systems with more than 4 GB of RAM (up to 64 GB);
acquisition of the Windows pagefile along with the acquisition of RAM;
a variety of memory probing features that can assist with malware analysis.

To perform a RAM dump:
Command: fdpro.exe c:\memdump.bin
Action: FDPro.exe acquires the local system's physical memory to the file c:\memdump.bin in literal/standard .bin format using the default 1 MB read/write size.
Command: fdpro.exe c:\memdump.bin -strict
Action: the same, using the strict 4 KB read/write size.

To perform a RAM and pagefile dump:
Command: fdpro.exe c:\memdump.hpak
Action: FDPro.exe acquires the local system memory and pagefile into the HPAK archive file c:\memdump.hpak using the default 1 MB read/write size.
Command: fdpro.exe c:\memdump.hpak -strict
Action: the same, using the strict 4 KB read/write size.
Goal of Process Probe
The goal of Process Probe is to force all executable code into RAM for one or all processes on the system. This includes code that is swapped out to pagefile.sys and code still contained in the executable on disk but not yet in use. This code is paged into RAM prior to the acquisition of physical memory.

Why Process Probe?
Because it gives the investigator a more accurate and complete picture of the executable code and data. The process probe feature lets the investigator control what memory is "paged in" to RAM from swap and from the file system before FDPro performs the RAM acquisition. With -probe smart, FDPro.exe walks the entire process list and makes sure all code is called into RAM, which recovers almost 100% of user-land process memory by causing these pages to be activated and paged in on the fly. The probe feature even forces code from the file system into RAM for a specific process.

When would I use the Process Probe feature?
During any LIVE network intrusion investigation, malware analysis case or computer forensic investigation where the running applications on the computer could play a role. Applications include instant messengers, IP telephony, Internet browsers, malware, encryption applications, databases and media players; data of interest includes encrypted data, passwords, unencrypted chat sessions, documents, e-mails, Internet searches, Internet postings and password-protected websites.

Process Probe Best Practices
Forensic best practice dictates that an investigator or analyst should always acquire RAM and pagefile first, without the -probe feature. After freezing the current state of RAM, run FDPro again with -probe. Even when grabbing the pagefile, -probe forces unused code from the file system into RAM, so it changes what is in memory.
Example steps:
Arrive at the server or workstation suspected in the computer incident or forensic investigation.
Collect RAM to "freeze the runtime state of the machine": a full RAM image with pagefile.
If you are doing malware analysis or reverse engineering, or know for a fact that you will never have to use the RAM acquisition in litigation, you can go ahead and use -probe smart on your very first image to save time.
Note: this technique leaves a larger footprint in RAM than performing a memory acquisition alone.

Process Probe Commands
To probe processes into memory before acquisition:
Command: fdpro.exe c:\memdump.bin -probe all
Action: probes all processes into memory before acquiring the local system memory into the file c:\memdump.bin.
Command: fdpro.exe c:\memdump.bin -probe smart
Action: probes only user processes into memory before acquiring into c:\memdump.bin.
Command: fdpro.exe c:\memdump.bin -probe pid 123
Action: probes the process with PID 123 into memory before acquiring into c:\memdump.bin.
Section 6: Comparing Acquisition Tools

How do you compare live memory acquisition tools?
Tools rely on the author having partially reverse engineered Windows, and/or having direct knowledge of the Windows core.
The systems you are capturing are "live", so it is never a perfect capture as compared to a hard drive.
Your capture environment is dynamic, so how flexible is the tool? Some systems have CD drives, some don't. Some have USB or FireWire, some don't. Is it USB 1 or USB 2? Are you going after a 32- or 64-bit system? Are you dealing with 2 GB or 16 GB of RAM? Is it a live web server or just a workstation?
Is there a responsible party for the tool? Who fixes it if an error is found? Who can explain how the tool works? Who has tested it, and are they even capable of testing it?
A free tool is nice, but are you prepared to defend it? Do you know how it works? Do you know how it fails? Are you comfortable taking the stand to testify about it?
How easy is the tool to use? GUI vs. command line.
GUI: nice screens, but typically limits your options and requires more memory (isn't that what you are going for?).
Command line: overall very efficient, only a keyboard is needed, uses less memory than a GUI and typically has more options.
Let's look at a few tools for capture: the Windows crash dump and Win32dd.
Windows Crash Dump
Works on Windows Vista and Windows 7. A dump is triggered from the keyboard (hold the right Ctrl key and press Scroll Lock twice), which only works once the CrashOnCtrlScroll registry value has been enabled for the keyboard driver; it creates the Windows dump file (memory.dmp).
Pros: built into Windows; creates a memory.dmp file.
Cons: uses Windows calls, so it can be subverted; ignores hardware physical memory addresses; relies on WinDbg for analysis; does not get the processor state; requires admin rights; relatively slow; no control over where it writes the file; support: it is what it is, you're on your own.
Win32dd/Win64dd
Win32dd/Win64dd is an open-source command-line tool used to acquire physical memory by investigators, incident response engineers, malware analysts, system administrators and kernel developers. Copy win32dd.exe to a thumb drive to capture the memory dump file.
Pros: free tool; can perform a memory dump without using Windows calls; creates multiple file formats; small footprint.
Cons: ignores the first physical memory page by default (a pre-boot password can be located there in plain text); ignores hardware physical memory addresses; relies on WinDbg for analysis; does not get the processor state; requires admin rights; relatively slow; 4 GB memory limit; no support for court; limited support for errors, fixes or omissions; no directly responsible party.
Win32dd command line tool: (screenshot)
FastDump
With FastDump (free with registration) you get: collects all of the memory; fast operation; a responsible party to contact for support; professionally written and supported; easy and efficient operation; small footprint. FastDump can acquire physical memory on 32-bit Windows through Windows XP, but not Vista.

FastDump Pro
With FastDump Pro you get the same, and it can acquire physical memory on Windows through Windows 2008, all service packs, on 32- and 64-bit architectures, with acquisitions greater than 4 GB.
Fast acquisitions through the use of larger read sizes (1024 KB), while also supporting a strict mode that enforces 4 KB page-sized reads.
Process probing, which allows a more complete memory image of a process of interest.
Acquisition of the system pagefile during physical memory acquisition, for a more complete memory analysis.
Section 7: Potential Acquisition Issues

Acquisition is basically dumping RAM. We are not covering hardware since it is not practical yet.
RAM collection software relies on the host OS: it can be subverted, some tools more than others. Some software is more invasive than others; most tools load about 10 modules from the operating system, which means memory can be changed and stuff overwritten.

Rootkits
User mode: can modify system commands (netstat, ipconfig).
Kernel mode: can hide and modify low-level blocks of memory/disk, and can subvert software dumping of RAM. That's why we're working on ICEDUMP, similar to the Princeton approach.
Countermeasures to kernel-mode rootkits: VMware snapshot files (pause the processor); hiberfil.sys (the contents of RAM are written to non-volatile storage before the system is powered down).

Other ways to get an image:
Pause the processor: virtual machines.
Existing memory images made by Windows: hibernation files (on the file system) and crash dumps (system frozen). A crash dump has a 4 KB header and is created at the blue screen; there are three types, small, kernel and complete, and we want complete. 2 GB or smaller.

Lab Exercise
Complete Lab Exercises 2 and 3. 1:00 to complete.
Section 8: Introduction to Responder Field Edition

An Overview of Responder
Responder Professional: live physical memory forensics, runtime and binary forensics, rootkit detection, computer forensics, computer intrusions, malware analysis.

HBGary Responder embodies the HBGary IR methodology
Complements disk forensic investigations.
Commercial shipping product to analyze RAM images: "Windows without Windows".
Carves all Windows memory images for Win2k, XP, 2003, Vista, 2008 Server and Windows 7, all service packs, 32- and 64-bit.

Architecture (bottom to top)
Physical RAM acquisition
OS reconstruction, with an API to access memory objects
Reverse engineering (RE) of all code, with an API to access code and data flows
Digital DNA
User view

Creating a Project File
Project > New. Two types of projects:
Physical Memory Snapshot: live memory analysis (all running processes).
Remote Memory Snapshot: captures a physical memory snapshot over TCP/IP from a remote machine.
Machine Details
Optional: add details about the case and machine.

Pattern Files
Add a text (.txt) file to search for user-specified patterns. Supported pattern file formats:
string: the search is NOT case sensitive
[hex]: brackets containing a hex pattern
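The two pattern forms are simple enough to implement, so here is an added Python example of a pattern-file parser and scanner written for this page (not Responder's own implementation). It reads the image in overlapping chunks so a hit that straddles a chunk boundary is still found, matches bare strings case-insensitively in both ASCII and UTF-16LE (the UTF-16LE pass, the '#' comment lines and the chunk size are my additions, not part of the slide's format), and reports the physical offset of each hit. The pattern file and the image it scans are constructed.

```python
"""Responder-style pattern file parser and scanner.

Added example for this page, not Responder's implementation. Format from
the slide: one pattern per line, a bare string (case-insensitive) or a
hex byte sequence in square brackets. UTF-16LE matching of strings,
'#' comment lines and the chunked/overlapping scan are my additions."""
import io
import re

class Pattern:
    def __init__(self, label, needle, encoding):
        self.label, self.needle, self.encoding = label, needle, encoding

def parse_pattern_file(text):
    """Turn the pattern file text into Pattern objects (two per string: ASCII and UTF-16LE)."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[([0-9A-Fa-f\s]+)\]", line)
        if m:
            hexdigits = re.sub(r"\s+", "", m.group(1))
            if len(hexdigits) % 2:
                raise ValueError(f"odd number of hex digits in pattern: {line}")
            patterns.append(Pattern(line, bytes.fromhex(hexdigits), "hex"))
        else:
            # Strings are matched against a lower-cased view of the data, so store them lower-cased.
            patterns.append(Pattern(line, line.lower().encode("ascii", "replace"), "ascii"))
            patterns.append(Pattern(line, line.lower().encode("utf-16-le"), "utf-16le"))
    return patterns

def scan(stream, patterns, chunk_size=1 << 20):
    """Scan a binary stream; returns sorted [(offset, label, encoding)] for every hit."""
    if not patterns:
        return []
    overlap = max(len(p.needle) for p in patterns) - 1   # carry enough to catch a hit on the boundary
    hits, seen, base, carry = [], set(), 0, b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        buf_base = base - len(carry)                       # absolute offset of buf[0]
        lowered = buf.lower()                              # bytes.lower() only touches ASCII letters,
        for p in patterns:                                 # so it is safe for UTF-16LE too
            hay = buf if p.encoding == "hex" else lowered
            i = hay.find(p.needle)
            while i != -1:
                hit = (buf_base + i, p.label, p.encoding)
                if hit not in seen:                        # the carry can show the same hit twice
                    seen.add(hit)
                    hits.append(hit)
                i = hay.find(p.needle, i + 1)
        base += len(chunk)
        carry = buf[-overlap:] if overlap else b""
    return sorted(hits)

def scan_bytes(data, patterns, chunk_size=1 << 20):
    return scan(io.BytesIO(data), patterns, chunk_size)

# Constructed pattern file and image.
SAMPLE_PATTERNS = "# constructed pattern file\npassword\n[4D 5A 90 00]\nskype\n"

def build_sample_image():
    img = bytearray(5000)
    img[100:104] = b"MZ\x90\x00"                       # MZ header bytes
    img[1020:1028] = b"password"                       # straddles a 1024-byte chunk boundary
    img[2000:2008] = b"PASSWORD"                       # upper case, must still match
    img[3000:3010] = "Skype".encode("utf-16-le")       # wide string as Windows stores it
    return bytes(img)

if __name__ == "__main__":
    for off, label, enc in scan_bytes(build_sample_image(), parse_pattern_file(SAMPLE_PATTERNS), 1024):
        print(f"{off:#010x} {enc:8} {label}")
```

The offsets it reports are physical offsets into the image; mapping a hit back to the process that owned the page is the job of the address translation step described in Section 3.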
Scanning Process Tasks
The physical memory snapshot scan performs the following tasks: validates the page table layout and size; identifies PAE/non-PAE; identifies the OS and service pack; reconstructs the Object Manager; rebuilds the EPROCESS blocks; rebuilds the virtual address descriptor table (VAD tree).
138
Report Tab
The Report tab stores the human-readable results of an analysis, and allows the user to quickly create report items from interesting pieces of data and to sort them into groups or folders.

Report Panel
Case # - user-supplied number.
Double-clicking any of the Report folders or Report items takes the user to the item entry in the Report Summary.

Report Summary
The Report Summary contains details of the items in the Report Panel. Items in the Report Summary are designed to be exported as HTML, and can be printed.

Report Folders
Report folders can be added, edited and deleted by right-clicking the Report folder.

Report Items
Report items can be moved up/down, edited, deleted and copied to the clipboard by right-clicking the Report item.

Detail Panels
To access a detail panel for an entry in the Report or Object tabs, perform one of the two following steps:
- Double-click the icon in the Object tab.
- Click View Panels.

Detail panels
Provide detailed information about the selected category in the Object panel.
- Data can be searched and exported to the following formats: PDF, XLS, CSV, HTML, Image, Text, RTF
- Panel contents can be locked
- Additional columns are available

Details Panel - Column Chooser
Right-click the header bar (where the column labels are) and select the Column Chooser option.

Details Panel - Search
Click the Search icon to filter the panel's contents to only those entries that match the search criteria.

Details Panel - Export
1. Click the Export icon.
2. Enter a name for the file and click Open.
3. Locate the saved file, and open it to view the information.

Details Panel - Lock
1. Click the Lock icon to lock the Details panel.
2. Double-click the All Open Registry Keys folder again. Since the Registry Panel is locked, a new (unfiltered) Registry View window is created. Lock/unlock this window.
Right-click Context-Sensitive Actions
Every panel has a right-click context menu. Right-click menu choices are based on the selected object(s). Common options include:
- Send to report - creates an entry in the Report panel for the selected item
- Google™ Text Search - uses the Google™ search engine to find internet references to the selected item
- Google™ Code Search - uses the Google™ search engine to find source code that uses the selected item (typically a string or symbol)

Right-click Google™ Text Search

Right-click Google™ Code Search

MSDN Query
Objects Tab
Displays all harvested objects: processes, modules, drivers, strings, symbols.
- Macroscopic view of object data
- Allows drill-down on most objects
- Context-sensitive right-click menu
- Status icons
Object panel schema: Project, Memory Image, Hardware, IDT, Operating System, SSDT, Processes, Drivers, Open Files, Network Socket Information, Open Registry, Analyzed Binary Strings, Analyzed Symbols

Objects Tab
- Project type
- Top level folders
- Leaf-node folders: double-click these to see the details view of the folder
- Expandable folders: single-click these to expand the contents of the folder
- Table: double-click this to see the contents of the table
Object panel: the Object panel allows the user to get more details on almost any item in the report. Double-clicking an item typically displays detailed information about that item. Provides automatic filtering.

Object Tab Icons
- Package that has not been analyzed
- Package that has been analyzed (disassembled and scanned for suspicious behavior)
- EXE that has not been analyzed
- EXE that has been analyzed (disassembled and scanned for suspicious behavior)
Snapshot Summary
The Snapshot Summary panel provides specific information related to the case. The information is user-supplied when the project is created, or is generated during the static import process, and can be edited or supplemented as the analysis progresses.

Interrupt Descriptor Table
Primary control table for the CPU, and probably the most important table in memory.

All Modules Panel
Displays a summary list of modules: user-mode DLLs dynamically linked to a process, as well as operating system drivers.

All Open Files
Details the file handles open at the time of the physical memory snapshot.

All Open Network Sockets Panel
Displays all open TCP and UDP connections at the time of the physical memory snapshot.

All Open Registry Keys Panel
Displays all open registry keys and the process which owns them.

Documents and Messages Panel
Responder™ scans the imported memory and attempts to locate document fragments. These documents include graphics files, HTML, executables, memory mapped files, and more.

Drivers Panel
Device drivers are hardware-dependent and operating-system-specific, and they usually provide the interrupt handling for hardware on the system.

Internet History Panel
A URL captured in the Internet History panel does not necessarily indicate the URL was visited by a user.

Keys and Passwords Panel
Displays any keys and passwords found during analysis. These keys and passwords can come from many sources, including users, administrators and malware.

Processes Panel
Displays information about all processes running at the time the memory image was taken.

System Service Descriptor Tables Panel
Displays the contents of the main table that controls system calls for the operating system, and consists of two panels:
- System Call Table - NTOSKRNL/HOOKED - the primary system SSDT. It resides in the Windows kernel NTOSKRNL.exe
- System Call Table - WIN32K - the USER32/GDI32 SSDT. This SSDT resides in the driver win32k.sys

Pattern Matches Panel
Displays all of the user-specified pattern matches, and the physical offsets within the binary file where the pattern matched. The pattern match file is added to the project during project creation.
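To make the pattern-file format and the Pattern Matches output concrete, here is an added example (written for this page, not HBGary Responder's own code) that parses a pattern file in the two formats described earlier (a plain string matched case-insensitively, or a `[hex]` byte pattern) and scans a memory image for each entry, reporting the physical offset of every match. The pattern file, the memory image, and the support for blank lines and `#` comments are constructed assumptions.

```python
"""Parse a pattern (.txt) file in the two formats the slides describe and scan a
memory image for every entry, reporting the physical offsets of each match.

Added example written for this page, not HBGary Responder's implementation.
Blank lines and '#' comments in the pattern file are an assumption of this
example, as are the sample pattern file and the constructed memory image.
"""
import re
from typing import Dict, List, Tuple

# Constructed pattern file contents (what a user would put in the .txt file).
PATTERN_FILE = """\
# constructed sample pattern file
Pluripotent
@hushmail.com
[4D 5A 90 00]
[e8 00 00 00 00 5b]
"""

# Constructed memory image: a few realistic fragments separated by filler.
MEMORY_IMAGE = (
    b"\x00" * 16
    + b"MZ\x90\x00\x03\x00\x00\x00"                    # DOS header of a mapped PE
    + b"\x00" * 8
    + b"Subject: PLURIPOTENT stem cell results\r\n"   # upper case: exercises case folding
    + b"From: someone@hushmail.com\r\n"
    + b"\xe8\x00\x00\x00\x00\x5b"                      # call $+5 / pop ebx stub
    + b"\x00" * 12
    + b"pluripotent.pdf\x00"
)

HEX_RX = re.compile(r"[0-9A-Fa-f]+")


def parse_pattern_file(text: str) -> List[Tuple[str, "re.Pattern[bytes]"]]:
    """Turn each pattern line into (label, compiled byte regex).

    'string' lines become case-insensitive literal searches; '[hex]' lines
    become exact byte searches. Malformed hex raises so a typo in the pattern
    file is not silently turned into a string search that never matches.
    """
    patterns = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hex_body = line[1:-1].replace(" ", "")
            if len(hex_body) % 2 or not HEX_RX.fullmatch(hex_body):
                raise ValueError(f"line {lineno}: malformed hex pattern {line!r}")
            needle, flags = bytes.fromhex(hex_body), 0
        else:
            # Plain strings are matched as Latin-1 bytes, ignoring ASCII case.
            needle, flags = line.encode("latin-1"), re.IGNORECASE
        patterns.append((line, re.compile(re.escape(needle), flags)))
    return patterns


def scan_image(image: bytes, patterns) -> Dict[str, List[int]]:
    """Return {pattern label: [physical offsets of each match]}."""
    return {label: [m.start() for m in rx.finditer(image)] for label, rx in patterns}


def scan_with_file(image: bytes, pattern_text: str) -> Dict[str, List[int]]:
    """Convenience wrapper: parse the pattern file, then scan the image."""
    return scan_image(image, parse_pattern_file(pattern_text))


if __name__ == "__main__":
    for label, offsets in scan_with_file(MEMORY_IMAGE, PATTERN_FILE).items():
        where = ", ".join(f"0x{o:08x}" for o in offsets) or "none"
        print(f"{label:<22} {len(offsets)} hit(s) at {where}")
```

Offsets are indexes into the raw image, which is what "physical offset" means for a snapshot file; mapping one back to the owning process requires the page-table reconstruction the scanner performs, which this example does not attempt. Note that the string search is byte-oriented, so a Unicode (UTF-16LE) copy of the same term will not match a plain string pattern.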
Importing and Analysis
A Binary in Responder™ is any executable, such as an EXE, DLL, or device driver (SYS), associated with a process. Binary analysis builds up a complete memory map of a particular process, and is an important part of forensic analysis. Responder™ doesn't disassemble every module by default. When an analysis is requested of a module, the module is disassembled, and suspicious information is extracted and placed into the report.

Analyzing Modules
To extract and analyze a driver or process, right-click the package and choose Package Analyze Binary, or simply double-click the package.

Strings
Strings, a data type storing a sequence of data values expressed as a sequence of characters, provide clues to origin and intention:
- Usually in the language of the developer
- Typically use descriptive variable names
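The string harvesting behind a Strings panel is simple enough to show in full. The following added example (written for this page, not Responder's own extractor) pulls printable runs out of a binary blob in both ASCII and UTF-16LE, the encoding Windows uses for most in-memory text, and records the offset of each so a hit can be located in the binary. The sample blob and the 4-character minimum are constructed assumptions.

```python
"""Harvest printable strings from a binary blob the way a Strings panel does:
both ASCII and UTF-16LE runs, each reported with the offset it was found at.

Added example written for this page, not HBGary Responder's own extractor.
The sample buffer below is constructed; the 4-character minimum is the usual
default of strings tools and is an assumption here.
"""
import re
from typing import List, Tuple

# Constructed blob: a code prologue, an ASCII API name, a UTF-16LE file name,
# a fragment below the minimum length, and a URL with a webmail-style parameter.
SAMPLE_BLOB = (
    b"\x8b\xff\x55\x8b\xec\x00"                  # mov edi,edi / push ebp / mov ebp,esp
    + b"CreateRemoteThread\x00"                   # ASCII import name
    + b"\x01\x02\x03"
    + "skype.exe".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"                                   # too short to report at the default minimum
    + b"http://mail.example.test/?messageID=\x00"
    + b"\xff" * 5
)


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every run of printable characters.

    ASCII runs are bytes 0x20-0x7e; UTF-16LE runs are the same characters, each
    followed by a NUL byte. Results are sorted by offset so the two passes
    interleave in address order, which is how a panel would present them.
    """
    ascii_rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_rx.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_rx.finditer(data)]
    return sorted(found)


def grep_strings(data: bytes, needle: str, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Case-insensitive filter over harvested strings, e.g. for a search term."""
    needle = needle.lower()
    return [s for s in extract_strings(data, min_len) if needle in s[2].lower()]


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_BLOB):
        print(f"0x{offset:06x} {enc:<8} {text}")
```

Two points worth noticing when reading real output: a printable opcode byte adjacent to a string (0x55 `push ebp` is the letter `U`) will be glued onto it unless a NUL or non-printable byte separates them, and a search term that only exists in memory as UTF-16 will be missed entirely by an ASCII-only pass, which is why both encodings are scanned here.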
Memory Map Panel
The Memory Map panel displays the virtual address ranges allocated in each specific process. Memory mapped files are special regions of memory that have been mapped to the contents of a file on disk.

Threads Panel
The Threads panel displays lists of OS threads.

Binary Tab
The Binary tab displays the raw hexadecimal bytes that represent any specific binary. This view is useful in identifying the boundaries between code and data sections.

Lab Exercise
Complete Lab Exercise 4
1:00 to complete lab exercise
Baserules.txt
Section 9

Baserules.txt
What is the Baserules.txt file?
- It is a malware identification file
- It can auto-magically analyze "hits"
- Sometimes auto-magic is good, but sometimes it's not
- Searches for suspicious behaviors
- Customizable by the end-user: add in strings and pattern searches
- Flagged binaries can be automatically extracted and disassembled for further diagnosis

Baserules.txt
Suspicious: Strings, API calls, Bytes, Assembly, *Wildcards
Example

Editing the Baserules.txt
<Type>:<Version>:<Weight>:<Text/Arg>:<Group>:<Description>
- <Type>: The rule type
- <Version>: Rule version, 1.0
- <Weight>: 0 (benign) to 255 (critical): severity of a match on this rule
- <Text/Arg>: Varies by rule type. Used by the rule to determine a match. Some rule types may have multiple arguments
- <Group>: Group for this rule (KERNELMODE, USERMODE, KEYBOARD, ALL, etc.)
- <Description>: Text description for this rule

Editing the Baserules.txt
Example - Storm virus, which spreads via Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13
Known process names to search for: FullClip.exe, GreetingCard.exe, GreetingPostcard.exe, MoreHere.exe, FlashPostcard.exe
Dropper process: wincom32.exe

Editing the Baserules.txt
###################################
### Blacklisted Modules - Alert ###
# ADDED ENTRY - Dropper for Storm Worm
SuspiciousModule:1.0:100:wincom32.exe:KERNELMODE:SuspiciousModule - wincom32.exe, Dropper for Storm worm
# ADDED ENTRY - Executable for Storm Worm
SuspiciousModule:1.0:100:fullclip.exe:USERMODE:SuspiciousModule - fullclip.exe, executable for Storm worm
SuspiciousModule:1.0:100:greetingcard.exe:USERMODE:SuspiciousModule - greetingcard.exe, executable for Storm worm
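To show how the six-field rule format above is consumed, here is an added example (written for this page, not HBGary's own rule engine) that parses Baserules.txt entries and applies the SuspiciousModule rules from the slide to a module inventory, producing weighted alerts. Case-insensitive name matching, `*` as a glob in the Text/Arg field, and reading KERNELMODE/USERMODE/ALL as a filter on where the module was loaded are assumptions of this example; the module inventory and the final wildcard rule are constructed.

```python
"""Parse Baserules.txt entries in the six-field format shown on the slides and
apply the SuspiciousModule rules to a list of modules harvested from a memory
image, producing weighted alerts.

Added example written for this page, not HBGary's own rule engine. Matching
module names case-insensitively, treating '*' in the Text/Arg field as a glob,
and reading KERNELMODE/USERMODE/ALL as a filter on where the module was loaded
are assumptions; the last rule and the module inventory are constructed.
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Tuple

BASERULES = """\
###################################
### Blacklisted Modules - Alert ###
# ADDED ENTRY - Dropper for Storm Worm
SuspiciousModule:1.0:100:wincom32.exe:KERNELMODE:SuspiciousModule - wincom32.exe, Dropper for Storm worm
# ADDED ENTRY - Executable for Storm Worm
SuspiciousModule:1.0:100:fullclip.exe:USERMODE:SuspiciousModule - fullclip.exe, executable for Storm worm
SuspiciousModule:1.0:100:greetingcard.exe:USERMODE:SuspiciousModule - greetingcard.exe, executable for Storm worm
# constructed wildcard entry (assumption: '*' is a glob in the Text/Arg field)
SuspiciousModule:1.0:80:wincom32.*:ALL:SuspiciousModule - any wincom32 component
"""

# Load contexts each group applies to (assumption; unknown groups apply everywhere).
GROUP_MODES = {"KERNELMODE": {"kernel"}, "USERMODE": {"user"}, "ALL": {"kernel", "user"}}


@dataclass
class Rule:
    rtype: str
    version: str
    weight: int
    arg: str
    group: str
    description: str


def parse_baserules(text: str) -> List[Rule]:
    """Parse <Type>:<Version>:<Weight>:<Text/Arg>:<Group>:<Description> lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 5)          # the description may itself contain ':'
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 6 ':'-separated fields")
        rtype, version, weight, arg, group, desc = parts
        if not 0 <= int(weight) <= 255:
            raise ValueError(f"line {lineno}: weight must be 0..255")
        rules.append(Rule(rtype, version, int(weight), arg, group.upper(), desc))
    return rules


# Constructed module inventory, as a Modules/Drivers panel might list it.
INVENTORY = [
    {"name": "explorer.exe", "mode": "user"},
    {"name": "GreetingCard.exe", "mode": "user"},
    {"name": "wincom32.sys", "mode": "kernel"},
    {"name": "ntoskrnl.exe", "mode": "kernel"},
]


def apply_module_rules(rules: List[Rule], inventory) -> List[Tuple[str, int, str]]:
    """(module name, weight, description) for every SuspiciousModule rule that fires."""
    alerts = []
    for mod in inventory:
        for r in rules:
            if r.rtype != "SuspiciousModule":
                continue
            if mod["mode"] not in GROUP_MODES.get(r.group, {"kernel", "user"}):
                continue
            if fnmatch.fnmatchcase(mod["name"].lower(), r.arg.lower()):
                alerts.append((mod["name"], r.weight, r.description))
    return alerts


def score_modules(rules: List[Rule], inventory) -> Dict[str, int]:
    """Highest weight that fired per module; modules with no hit are absent."""
    scores: Dict[str, int] = {}
    for name, weight, _ in apply_module_rules(rules, inventory):
        scores[name] = max(weight, scores.get(name, 0))
    return scores


if __name__ == "__main__":
    for name, weight, desc in apply_module_rules(parse_baserules(BASERULES), INVENTORY):
        print(f"[{weight:3d}] {name:<18} {desc}")
```

With the group reading assumed here, the slide's `wincom32.exe` entry tagged KERNELMODE fires only for a kernel-mode module, so a user-mode process of that name would be missed; confirm how your Responder version interprets the Group field before relying on it, and note that an exact name rule is trivially evaded by renaming, which is why the deck also points to string, byte and API-call rules.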
Editing the Baserules.txt
Complete Lab Exercise 5
30 minutes to complete lab exercises

Web Mail
Section 10
Investigating Applications
Goal: identify artifacts that lead you to other pieces of information...
- Finding bread crumbs
- Following the bread crumbs...

Analyzing Applications
Try to find objects and artifacts that can tell you: Who, What, Where, When, Why, How

Analyzing Applications
Approach: knowledge is helpful... Google "skype":
- What is it?
- How is it used?
- How does it work?
- Why is my suspect using it?
- Is there data in memory that might not be available by performing disk-based forensics?

Analyzing Applications
Create a list of things you know...
- Names involved in the investigation
- Domain names
- Project names
- Filenames
- Website
- Applications in question: Office applications? Internet browser? Encryption? Chat?

Investigation Preparation
- Who? Names of people, e-mail addresses
- What? Project names, filenames, file format(s), usernames, passwords
- When? Dates, times
- Where? Domains, URLs
- How? Carefully create a search term list. Spending time up front can save lots of time on the back end.

Web Mail
Start with the browsers... Internet Explorer, Firefox, Opera

Web Mail
Then go to browser artifacts: web sites visited, files downloaded, dates and timestamps

Web Mail
Things to consider: web server apps act differently. Gmail stores passwords differently than Hushmail.

Web Mail
Search terms that can be used:
messageID=
gmail.com
@hotmail.com
@yahoo.com
@hushmail.com
Attachment
&passwd=
&login=

Webmail Considerations
More...
- Mail applications
- Chat applications
- Names of webmail services
- E-mail addresses
- Passwords
- Content of e-mails
- Dates & time stamps
- Web sites visited - history
- Attachments
Initial Triage
First Steps - Browse and collect
Browse the list of processes and applications running...
- Do I see internet browsers? Yes.
- Do I see any instant messenger applications?
- Do I see any other applications that might be useful for my investigation?
Add artifacts to your Report: export to Excel, or right-click and send to report.

Web Mail
Focus: Intellectual Property Investigation
Type: Private data sent via e-mail
Description: Search for indications of files, e-mail addresses, and other info related to the data theft.

The Scenario
Beginning a search based on suspicion
- Press release from competitor having similar data
- Searching for private content: WHAT DO WE SEARCH FOR? LET'S MAKE A LIST
- Understanding search hits: process name/module/unidentified
- Adding webmail data/artifacts to the report

Searching
Beginning a search based on suspicion
- Press release from competitor having similar data
- FIRST - Search for content we know. We know we are looking for "Pluripotent"
- Searching for e-mail addresses to corroborate suspicion. Search terms: gmailchat=
- Understanding search hits: process name/module/unidentified
- SECOND - Search for content we learn
- Adding webmail data/artifacts to the report

Searching
Search for "Pluripotent", what file do you find?
- Where is it located on the file system?
- Who sent this file? What is the e-mail address?
- Who received this file? What is the e-mail address?
- What other important file name is mentioned in the thread?
- What is the date associated?

Web Mail Answers
Pluripotent.pdf
C:\temp\plutipotent.pdf
Lori Hanson, Lance Kline, I5867.doc
Fri, July at 3:22pm

Lab Exercise
Complete Lab Exercise 6
45 minutes to complete lab exercises
Skype
Section 11

Skype - Where do I start?
Questions to answer:
- What is Skype? Secure instant messenger, free phone, online telephony
- Why are bad guys using it? Anti-forensics, secure communications
- What are the disk anti-forensic capabilities and uses of Skype?
- Why is Skype not liked by IT Security? Encrypted communications...

Investigating Skype
- Process list - are there chat programs listed there?
- Name harvesting: look to open files, sort, go to Skype. Notice C:\Documents and Settings\username\Application Data\Skype\skype username. Take note of 'Username', take note of 'Skypename'.
- Here we have username john smith but with skype name lance kline. May be a different identity, may be the same identity.

Investigating Skype 2
Name search to get other names
- Search memory to find other names being chatted with
- Look for something unique, which might only exist once in memory: speech, common expressions ("wazup")
- You might try a few searches to see which ones give the fewest hits. Example: pass = 1,000+ hits; need something more specific

The Scenario
Beginning a search based on suspicion
- Press release from competitor having similar data
- Searching for references to private content: WHAT DO WE SEARCH FOR? LET'S MAKE A LIST. What do people say in conversation?
- Adding chat data/artifacts to the report

Key Search Concept
Link pieces of information together
- How can time stamps help us?
- How can something we already know find something we don't know?

Search Steps
Beginning a search based on something we know to find something we don't know.
FIRST - Search for content we know: names? Too many hits? Search for the word "research"
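The search method described across the Web Mail and Skype sections (rank candidate terms by how few hits they produce, then use a hit on something known to discover something unknown nearby) is shown as working code in this added example, written for this page rather than taken from HBGary's search feature. The memory image, the term list, the e-mail pattern and the context-window size are constructed assumptions.

```python
"""Search a memory image for a list of known terms, rank them by how few hits
they produce (the slides' 'pass' gives 1,000+ hits, so look for something more
specific), then pivot from the hits of the most specific term to harvest e-mail
addresses found nearby that were not on the original list.

Added example written for this page, not HBGary's own search feature. The
memory image, the term list and the context-window size are constructed
assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed memory image: a form post, a webmail header block and two chat lines.
MEMORY_IMAGE = (
    b"\x00" * 8
    + b"pass=hunter2&login=alice\x00"
    + b"\x00" * 4
    + b"From: alice.researcher@example.test\r\n"
    + b"To: buyer@competitor.test\r\n"
    + b"Subject: research notes - Pluripotent\r\n\x00"
    + b"\x00" * 16
    + b"[14:02] alice: wazup, did you get the research pdf?\x00"
    + b"[14:03] bob: yes, password is the same as last time\x00"
    + b"\x00" * 8
)

# Things we know going in (constructed search-term list).
KNOWN_TERMS = ["pass", "research", "Pluripotent", "wazup"]

# Deliberately simple address pattern; good enough for triage, not validation.
EMAIL_RX = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_term(image: bytes, term: str) -> List[int]:
    """Offsets of every case-insensitive occurrence of `term` in the image."""
    rx = re.compile(re.escape(term.encode("latin-1")), re.IGNORECASE)
    return [m.start() for m in rx.finditer(image)]


def rank_terms(image: bytes, terms: List[str]) -> List[Tuple[str, int]]:
    """(term, hit count) pairs, fewest hits first. Zero-hit terms are dropped
    because they give nothing to pivot from."""
    counts = {t: len(find_term(image, t)) for t in terms}
    return sorted(((t, n) for t, n in counts.items() if n), key=lambda tn: (tn[1], tn[0]))


def pivot_emails(image: bytes, term: str, window: int = 128) -> Dict[str, object]:
    """Look `window` bytes either side of each hit of `term` and collect the
    e-mail addresses there: something we know leads to something we did not."""
    hits = find_term(image, term)
    emails = set()
    for off in hits:
        lo = max(0, off - window)
        hi = min(len(image), off + len(term) + window)
        for m in EMAIL_RX.finditer(image[lo:hi]):
            emails.add(m.group().decode("latin-1"))
    return {"term": term, "hits": hits, "emails": sorted(emails)}


if __name__ == "__main__":
    ranking = rank_terms(MEMORY_IMAGE, KNOWN_TERMS)
    print("terms by specificity:", ranking)
    best = ranking[0][0]
    print("pivot from", repr(best), "->", pivot_emails(MEMORY_IMAGE, best))
```

Two caveats a practitioner should keep in mind: a context window cut at a fixed byte distance can slice through an artifact at its edge (a truncated address such as `lice.researcher@example.test` would look plausible but be wrong), so confirm each harvested value in the hex view before reporting it; and proximity in a raw image is not proof of association, since adjacent pages may belong to different processes or to freed memory, which is why the slides stress identifying the owning process/module for every hit.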
Lab Exercise
Complete Lab Exercise 7
30 minutes to complete lab exercises

Chat Answers
jsmithers1971@gmail.com
John Smith, could be
Research on Advanced Stem Cell
I5867.doc
Yes. Searching on a term from the document showed it to be in memory
Steve Barko
Hushmail