Memory Forensics Part I Continued


1 Memory Forensics Part I Continued
Applied Cyber Forensics Spring 2018

2 Overview
Memory acquisition wrap up
The Volatility framework: installation, basic commands and operations, creating a profile, recovering a password hash from memory, recovering a BitLocker key from memory

3 Memory Acquisition: Virtual Machines
VirtualBox. Important: run VirtualBox as administrator during the acquisition (this applies to both vboxmanage and the VirtualBox GUI). Example:
vboxmanage debugvm "Win7" dumpvmcore --filename test.elf
objdump -h test.elf | egrep -w "(Idx|load1)"
size=0x<SIZE>; off=0x720; head -c $(($size+$off)) test.elf | tail -c +$(($off+1)) > test.raw
Replace <SIZE> and the offset with the values in the Size and File off columns of the load1 row printed by objdump (both are hex). The resulting test.raw should be exactly the size of the guest's RAM.
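The head/tail carve above is the manual version. As an added example (not from the slides), the script below parses the objdump -h output to find the load1 row itself, carves it with a streaming tail/head instead of a byte-sized dd, and checks that the result is exactly the segment size. The objdump sample embedded in it is constructed for a 1 GiB guest; objdump itself is only invoked when vbox_core_to_raw is pointed at a real core file, and the function deliberately refuses dumps with more than one load segment (guests whose RAM is split around the PCI hole) rather than concatenating them into a wrong image.

```shell
#!/bin/sh
# Added example (not from the original slides): carve the guest-RAM segment out of
# a VirtualBox ELF core dump produced by `vboxmanage debugvm <vm> dumpvmcore`.

# Constructed sample of `objdump -h test.elf` output for a 1 GiB guest.
SAMPLE_OBJDUMP='test.elf:     file format elf64-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 note0         000004a8  0000000000000000  0000000000000000  00000238  2**0
                  CONTENTS, READONLY
  1 load1         40000000  0000000000000000  0000000000000000  00000720  2**0
                  CONTENTS, ALLOC, LOAD'

# stdin: objdump -h output. Prints one "name 0xfileoffset 0xsize" line per loadN
# section (columns: Idx Name Size VMA LMA "File off" Algn; Size and File off are hex).
load_segments() {
    awk '$2 ~ /^load[0-9]+$/ { print $2, "0x" $6, "0x" $3 }'
}

# Copy $3 bytes starting at byte offset $2 of file $1 to stdout.
# tail/head stream the data, so a multi-GiB dump is not read into memory.
carve_bytes() {
    tail -c +$(($2 + 1)) "$1" | head -c "$3"
}

# $1 = ELF core, $2 = output raw image. Refuses if the dump has more than one
# load segment: those guests need each segment placed at its physical address,
# and blindly concatenating them would produce an image Volatility cannot parse.
vbox_core_to_raw() {
    segs=$(objdump -h "$1" | load_segments)
    [ -n "$segs" ] || { echo "no load segments found in $1" >&2; return 1; }
    [ "$(printf '%s\n' "$segs" | wc -l | tr -d ' ')" -eq 1 ] || {
        echo "expected exactly one load segment, got:" >&2
        printf '%s\n' "$segs" >&2
        return 1
    }
    set -- "$1" "$2" $segs            # now $3 = name, $4 = 0xoffset, $5 = 0xsize
    carve_bytes "$1" $(($4)) $(($5)) > "$2"
    # The raw image must be exactly the segment size (= guest RAM), nothing truncated.
    [ "$(wc -c < "$2" | tr -d ' ')" -eq $(($5)) ]
}

# Usage:
#   vbox_core_to_raw test.elf test.raw && vol.py -f test.raw --profile=Win7SP1x64 pslist
```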

4 Memory Acquisition: Virtual Machines
VMware: take a snapshot, locate the snapshot files (.vmsn and .vmem), then convert them with vmss2core.exe. The -W option writes a Windows crash dump that Volatility reads directly:
vmss2core.exe -W virtualmachine-snapshot.vmsn virtual_machine_name.vmem

5 Memory Acquisition: Virtual Machines
Hyper-V: download Sysinternals and use livekd.exe.
List all VMs: livekd -hvl
Dump a VM's memory: livekd -hv <VMName> -p -o C:\Memory.dmp
(-p pauses the VM while the dump is written so the image is consistent.)

6 Memory Acquisition: Local acquisition using software tools
Prepare a removable USB drive with the KnTDD software and a self-signed certificate. You can generate the certificate with the makecert tool that ships with KnTDD:
makecert.exe -r -pe -n "CN=<name>" -sky exchange -ss my -a sha1 -len <bits> -b 05/06/2014 -e 05/06/2014 michael.ligh.cer
Insert the removable media into the target machine.

7 Memory Acquisition: Local acquisition using software tools
Execute KnTDD from the removable media:
covert.exe -v -o memory.bin --log --cryptsum sha_512 --pagefiles --force_pagefiles --4gplus --comp lznt1 --cert michael.ligh.cer --case case001
The options request SHA-512 hashes, encryption with the self-signed certificate, LZNT1 compression, and page file collection. Note that the components of the tool set are disguised with the "covert" naming convention (i.e., kntdd.exe was renamed to covert.exe). The renaming prevents simple anti-forensics attacks based on the names of common acquisition tools. The device and symbolic link names are randomized as well.
Transfer the memory image to your forensic analysis workstation and decrypt the dump with kntencrypt.exe:
kntencrypt.exe --cert michael.ligh.cer -d -v "{DC04DB43-AC D0AD3166DC}/*"

8 Memory Acquisition: Local acquisition using software tools
Decompress the data with the custom dd.exe that comes with KnTTools:
dd.exe -v if="{DC04DB43-AC D0AD3166DC}/*.lznt1" of=decompressed\ --decomp lznt1 --sparse --localwrt

9 Memory Acquisition: Remote acquisition
On your forensic workstation set up netcat to listen for a connection and write the received data to a file:
nc --verbose -L --port <PORT> --source <IP> -O memory.bin --localwrt
On the target system run kntdd.exe, pointing --out at the listener instead of at a file:
kntdd.exe --verbose --out <IP>:<PORT> --4gplus --cryptsum sha_512 --pagefiles --force_pagefiles --log --case "Case002" --comp lznt1 --cert michael.ligh.cer

10 The Volatility Framework
An open source, customizable, robust framework for analyzing memory images from multiple systems. Works on Windows, macOS, and Linux.
Why Volatility? Single cohesive framework; open source; written in Python; extensible and scriptable; unparalleled feature set; comprehensive coverage of memory dump file formats; large community; focused on malware, forensics, and incident response.

11 The Volatility Framework
What Volatility is not: it is not a memory acquisition tool (the one exception is its FireWire address space, which reads a live machine over a FireWire cable); it is not a GUI; it is not bug free.
How to install on Linux: download the source and follow the installation instructions on GitHub, or run sudo apt-get install volatility on your SIFT workstation (it should already be installed there).

12 The Volatility Framework
Dependencies (optional, needed only by the plugins listed):
distorm3 (disassembler library): apihooks, callbacks, impscan, volshell, linux_volshell, mac_volshell, and linux_check_syscall
Yara: yarascan, mac_yarascan, and linux_yarascan
PyCrypto: lsadump and hashdump
PIL: screenshot
OpenPyxl: timeliner, when using the xlsx output mode

13 The Volatility Framework
Profile: Volatility uses its own data structures, file formats, types, etc. to abstract the interface to different OSes. A profile is the collection of these types and structures for one specific OS version (kernel version, service pack, and architecture). If no profile exists for the OS in your image you must build one yourself. Every profile must have a unique name, for example Win7SP1x64.
Address space: an interface that provides flexible and consistent access to data in RAM, handles virtual-to-physical address translation when necessary, and transparently accounts for differences in memory dump file formats (for example, the proprietary headers added to Microsoft crash dumps or the compression schemes used in hibernation files). Address spaces deal only with memory that is allocated and accessible, so page files and swap space are not currently supported.

14 The Volatility Framework

15 The Volatility Framework
Plugins let you expand the existing framework. For example, an address space plugin can introduce support for operating systems that run on new CPU chipsets; analysis plugins find and analyze specific components of the operating system, user applications, or even malicious code samples. List the available plugins (and profiles) with vol.py --info.

16 The Volatility Framework
Basic command form: python vol.py -f <FILENAME> --profile=<PROFILE> <PLUGIN> [ARGS]
Example: python vol.py -f /home/mike/memory.dmp --profile=Win7SP1x64 pslist
Supported profiles can be listed with vol.py --info
Getting help: python vol.py --help, and for a single plugin python vol.py <PLUGIN> --help

17 The Volatility Framework
Selecting a profile: specify it with the --profile option. The imageinfo plugin can suggest the profile automatically (Windows only): python vol.py -f memory.raw imageinfo. It is slow and usually lists several candidate profiles; internally it relies on the kdbgscan plugin. You can also run kdbgscan directly (Windows only): it finds and analyzes characteristics of the kernel debugger data block (_KDDEBUGGER_DATA64, the "KDBG").

18 The Volatility Framework
Selecting a profile, issues: _KDDEBUGGER_DATA64 can be overwritten without destabilizing the running system, so malware can overwrite this structure to throw off your investigation. This is why you have the option to specify a profile manually. Also, there may be more than one _KDDEBUGGER_DATA64 structure in the memory dump (for example a stale copy left behind when a hotpatch was installed without a reboot). At Black Hat Europe 2012 Takahiro Haruyama and Hiroshi Suzuki showed a one-byte modification of this structure that broke most memory forensics analysis tools.

19 The Volatility Framework
Selecting a profile, issues: many memory forensics tools use the debugging structure to perform their analysis, but they only use the first one they find. kdbgscan scans for all of them and prints every instance found; pick the one whose process and module lists are actually populated, and tell all plugins to use it with the --kdbg=<virtual offset> option. To avoid retyping the profile and image location every time, set the VOLATILITY_PROFILE and VOLATILITY_LOCATION (file:///path/to/image) environment variables.

20 The Volatility Framework
Output is printed to the screen by default; use the --output / --output-file options or shell redirection to write it to a file. The --output option selects among several output formats (text, json, sqlite, html, dot, depending on the plugin), while redirection only captures the text form.
It is possible to create new profiles automatically on Linux. There is no such method for Windows, but Volatility already ships with a profile for every Windows version you are likely to analyze.
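Slides 17 to 20 describe the problem (several KDBG hits, the first one possibly stale or tampered with) and the two remedies (--kdbg and environment variables). The script below is an added example, not from the slides, that ties them together: pick_kdbg parses kdbgscan output and chooses the instance with the longest process list, kdbg_hits counts how many instances were reported, and use_kdbg exports VOLATILITY_PROFILE and VOLATILITY_LOCATION and keeps the chosen offset for --kdbg. The kdbgscan text embedded in it is constructed (the layout matches Volatility 2, the addresses are made up); vol.py is only executed by use_kdbg on a real image.

```shell
#!/bin/sh
# Added example (not from the original slides): choose the right KDBG when kdbgscan
# reports more than one, then hand profile, image and --kdbg to every plugin without
# retyping them.

# Constructed kdbgscan output. The first hit is a stale copy with nothing behind it
# (0 processes, 0 modules); the second is the live structure. A tool that takes the
# first hit would pick the wrong one and list no processes at all.
SAMPLE_KDBGSCAN='**************************************************
Instantiating KDBG using: Unnamed AS Win2008SP2x64 (6.0.6002 64bit)
Offset (V)                    : 0xf80001a3d0a0
Offset (P)                    : 0x1a3d0a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008SP2x64
Version64                     : 0xf80001a3d068 (Major: 15, Minor: 6002)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 6002.18005.amd64fre.lh_sp2rtm.
PsActiveProcessHead           : 0xfffff80001a73b90 (0 processes)
PsLoadedModuleList            : 0xfffff80001a5be90 (0 modules)
KernelBase                    : 0xfffff80001a0f000 (Matches MZ: True)
**************************************************
Instantiating KDBG using: Unnamed AS Win2008SP2x64 (6.0.6002 64bit)
Offset (V)                    : 0xf80001c120a0
Offset (P)                    : 0x1c120a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008SP2x64
Version64                     : 0xf80001c12068 (Major: 15, Minor: 6002)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 6002.18005.amd64fre.lh_sp2rtm.
PsActiveProcessHead           : 0xfffff80001c48b90 (41 processes)
PsLoadedModuleList            : 0xfffff80001c30e90 (118 modules)
KernelBase                    : 0xfffff80001be4000 (Matches MZ: True)'

# stdin: kdbgscan output. Prints "<profile> <KDBG virtual offset>" for the hit whose
# process list is longest; fails if no hit has any processes behind it.
pick_kdbg() {
    awk '
        /^Offset \(V\)/        { off = $NF }
        /^Profile suggestion/  { prof = $NF }
        /^PsActiveProcessHead/ {
            n = $(NF - 1); sub(/^\(/, "", n)
            if (n + 0 > best) { best = n + 0; bprof = prof; boff = off }
        }
        END { if (best > 0) print bprof, boff; else exit 1 }'
}

# stdin: kdbgscan output. Number of KDBG instances reported. More than one is a
# warning sign (hotpatch leftovers, or deliberate tampering as on slide 18).
kdbg_hits() {
    grep -c '^Offset (V)'
}

# $1 = memory image. Runs kdbgscan, exports the profile and image location so later
# vol.py calls need neither -f nor --profile, and leaves the KDBG offset in $KDBG.
use_kdbg() {
    set -- "$1" $(vol.py -f "$1" kdbgscan | pick_kdbg)
    [ $# -eq 3 ] || { echo "no usable KDBG found in $1" >&2; return 1; }
    export VOLATILITY_PROFILE="$2"
    export VOLATILITY_LOCATION="file://$(readlink -f "$1")"
    KDBG="$3"
    echo "profile=$2 kdbg=$3"
}

# Usage (on a SIFT workstation, where vol.py is on PATH):
#   use_kdbg memory_fun.raw && vol.py --kdbg="$KDBG" pslist
```

If kdbg_hits reports more than one instance but pick_kdbg still finds exactly one with a populated process list, the extra copies are almost certainly stale; if every instance has zero processes, treat the KDBG as overwritten and fall back to specifying --profile by hand.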

21 Example Recovering Passwords From Memory

22 A quick note on password cracking
John the Ripper is one of the better password crackers when it comes to using wordlists. Installation: see the jumbo build's doc/INSTALL-UBUNTU. Cheat sheet: sheet.pdf. The jumbo binary is called john.
Basic command: john --format=NT --wordlist=~/extra/pass_list/rockyou.txt hashes.txt
Show cracked hashes: john --format=NT --show hashes.txt

23 Example Recovering Passwords From Memory
Our task is to recover as many passwords as possible from a memory capture we are given. We are told it is a server image but they are not sure which Windows Server. Step 1 What profile should we use? python vol.py -f memory_fun.raw kdbgscan

24 Example Recovering Passwords From Memory
Once we have decided on the profile, test it by listing the running processes:
vol.py --profile=Win2008SP2x64 -f memory_fun.raw pslist
Now let's dump the password hashes from memory. If we need to specify the hive locations manually, get them from hivelist:
vol.py --profile=Win2008SP2x64 -f memory_fun.raw hivelist
vol.py --profile=Win2008SP2x64 -f memory_fun.raw hashdump -y <SAM offset> -s <SYSTEM offset> > hashes.txt
-y is the virtual offset of the SAM hive and -s the virtual offset of the SYSTEM hive, both as printed in hivelist's Virtual column.
Or just run hashdump and let Volatility find the hives itself:
vol.py --profile=Win2008SP2x64 -f memory_fun.raw hashdump > hashes.txt
That's it: we have the hashes, now we run a password cracker on them. This will probably be one of your homework problems (slightly changed).
Here is a method to recover plaintext passwords on Windows 7 with no cracking needed (WDigest credentials cached in LSASS): using-wdigest-in-memory-dump/
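An added example (not from the slides) that automates the manual steps of slides 22 and 24: hive_offsets pulls the SAM and SYSTEM virtual offsets out of hivelist output so they can be passed to hashdump -y/-s, and crackable_hashes / lm_accounts triage hashdump output before it goes to john, dropping accounts whose NT hash is the well-known hash of the empty password and flagging accounts that still have an LM hash (cheaper to attack with --format=LM first). The hivelist and hashdump text embedded here is constructed (made-up offsets; the LM/NT hashes of "password" and "Password1" are the usual test vectors); vol.py is only executed by dump_hashes on a real image. john accepts the pwdump-style hashdump lines unchanged.

```shell
#!/bin/sh
# Added example (not from the original slides): turn hivelist output into the -y/-s
# offsets hashdump needs, and triage hashdump output before cracking.

# Constructed hivelist output (offsets made up, layout matches Volatility 2).
SAMPLE_HIVELIST='Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000002d8c4010 [no name]
0xfffff8a00000f010 0x000000002d6bd010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a0002e7010 0x000000002d2d2010 \SystemRoot\System32\Config\SAM
0xfffff8a000bd8010 0x000000002c2b1010 \??\C:\Users\bob\ntuser.dat'

# Constructed hashdump output (user:rid:LM:NT:::). Guest has the empty-password
# NT hash; bob still has an LM hash stored, which is far cheaper to crack than NT.
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bob:1000:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::'

EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # "no LM hash stored" marker
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty password

# stdin: hivelist output. Prints "<SAM virtual offset> <SYSTEM virtual offset>";
# fails if either hive is missing (hashdump cannot work without both).
hive_offsets() {
    awk '$3 ~ /\\SAM$/    && !sam { sam = $1 }
         $3 ~ /\\SYSTEM$/ && !sys { sys = $1 }
         END { if (sam && sys) print sam, sys; else exit 1 }'
}

# stdin: hashdump output. Keeps only accounts whose NT hash is not the empty password;
# the lines stay in pwdump format, which john --format=NT reads directly.
crackable_hashes() {
    awk -F: -v e="$EMPTY_NT" 'NF >= 4 && tolower($4) != e'
}

# stdin: hashdump output. Lists accounts that still have an LM hash stored.
lm_accounts() {
    awk -F: -v e="$EMPTY_LM" 'NF >= 4 && tolower($3) != e { print $1 }'
}

# $1 = image, $2 = profile. Runs hivelist, then hashdump with explicit hive offsets
# (the manual path from slide 24, for images where auto-detection fails).
dump_hashes() {
    set -- "$1" "$2" $(vol.py -f "$1" --profile="$2" hivelist | hive_offsets)
    [ $# -eq 4 ] || { echo "SAM/SYSTEM hives not found in hivelist output" >&2; return 1; }
    vol.py -f "$1" --profile="$2" hashdump -y "$3" -s "$4"
}

# Usage:
#   dump_hashes memory_fun.raw Win2008SP2x64 > hashes.txt
#   crackable_hashes < hashes.txt > crack_me.txt
#   lm_accounts < hashes.txt                      # try --format=LM on these first
#   john --format=NT --wordlist=rockyou.txt crack_me.txt
```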

25 Example Recovering Bitlocker Keys From Memory

26 Example Recovering Bitlocker Keys From Memory
Install the bitlocker plugin: git clone https://github.com/elceef/bitlocker and copy bitlocker.py into volatility/plugins/ (or pass --plugins=<dir> on the command line).
Run python vol.py --info | grep bitlocker to check that it was picked up.
Determine the partition layout and identify the BitLocker volume:
mmls bitlocker.raw
hexdump -C -s $((128*512)) -n16 bitlocker.raw
A BitLocker volume's boot sector carries the OEM ID "-FVE-FS-" at byte 3, so a hexdump of the partition's first sector (here the partition starts at sector 128, 512-byte sectors) identifies it.

27 Example Recovering Bitlocker Keys From Memory
Run to get a list of FVEK python ~/src/volatility/vol.py --profile=Win2008SP2x64 -f memory_fun.raw bitlocker Decrypt drive and mount sudo bdemount -k d5b6e71adb0c2e2d38dafdcedade8fc11e8be631b9fed5b2ba5b51ba 32a57cd1:49f9ecd5ddffcae44cde7f7a578b9a3ca5e e14 7de89423ebdf3f3 -o $((512* )) john_win7_x64.dd /crypt/1 sudo mount -o loop,ro /crypt/1/bde1 /mnt/2
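The mmls/hexdump/bdemount steps on slides 26 and 27 are done by eye above. As an added example (not from the slides), the script below parses mmls output for the allocated partitions, reads each partition's first sector and tests for the "-FVE-FS-" OEM ID the hexdump on slide 26 reveals, and computes the byte offset bdemount -o expects. The mmls text embedded in it is constructed; mmls itself is only executed by find_bitlocker_volumes on a real image, and the signature check uses plain dd/tail/head so it works on any raw image.

```shell
#!/bin/sh
# Added example (not from the original slides): locate BitLocker partitions in a
# disk image from mmls output and derive the byte offset bdemount needs.

# Constructed mmls output for a two-partition disk (512-byte sectors).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000127   0000000128   Unallocated
002:  000:000   0000000128   0000204927   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000204928   0000409727   0000204800   NTFS / exFAT (0x07)'

SECTOR=512

# stdin: mmls output. Prints the start sector of every allocated partition (slot
# "NNN:NNN"); "+ 0" strips the leading zeros so the shell does not read them as octal.
partition_starts() {
    awk '$2 ~ /^[0-9]+:[0-9]+$/ { print $3 + 0 }'
}

# $1 = image, $2 = start sector. True if the volume boot record carries the
# BitLocker OEM ID "-FVE-FS-" at byte 3 (what the hexdump on slide 26 shows).
is_bitlocker_volume() {
    sig=$(dd if="$1" bs=$SECTOR skip="$2" count=1 2>/dev/null | tail -c +4 | head -c 8)
    [ "$sig" = "-FVE-FS-" ]
}

# $1 = start sector. Byte offset for bdemount -o.
bde_offset() {
    echo $(($1 * SECTOR))
}

# $1 = image. Prints "<start sector> <byte offset>" for each BitLocker partition.
find_bitlocker_volumes() {
    mmls "$1" | partition_starts | while read -r start; do
        is_bitlocker_volume "$1" "$start" && echo "$start $(bde_offset "$start")"
    done
}

# Usage:
#   find_bitlocker_volumes john_win7_x64.dd          # e.g. "128 65536"
#   sudo bdemount -k <FVEK[:TWEAK]> -o 65536 john_win7_x64.dd /crypt/1
```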

28 Miscellaneous Volatility
To work with hibernation files, first convert the hibernation file to a raw image and then analyze the raw image:
vol.py -f hiberfil.sys --profile=Win7SP1x64 imagecopy -O hiberfil.raw
vol.py -f hiberfil.raw --profile=Win7SP1x64 pslist ...etc.
Volatility's hibernation address space understands hiberfil.sys up to Windows 7 / Server 2008 R2; the format used from Windows 8 onward is not supported by Volatility 2.

29 Questions?

30 In Class Practice 2: give me the passwords of Bob and Administrator
See the in-class practice 2 assignment. Show me this working on your computer.

31 Homework (Incomplete)
Problem 1: We can't seem to catch a break on Alice's machine. The drive is encrypted and we don't have any credentials to log in to the system. We were able to capture a memory dump of the system; would you provide us with any passwords and keys you can find in the memory dump? Memory forensics is too hard.
Problem 2: Alright, you did okay, but can you get me all admin account passwords? I was told the original admin died from extreme migraines caused by the Windows CLI. Brute force not required!
Problem 3: What windows were open on the machine?

32 Relevant Links
BitLocker plugin: https://github.com/elceef/bitlocker
Matthieu Suiche, Black Hat USA 2008, Windows hibernation: 08/Suiche/BH_US_08_Suiche_Windows_hibernation.pdf
Dump Windows Password Hashes Efficiently: password-hashes.html

