mem forensic
TRANSCRIPT
Bletchley 2015.11.04 1
§ Volatility § https://github.com/volatilityfoundation
§ Most of today's practice exercises can be done with this tool
2
§ Current computer architectures follow the Von Neumann architecture § Memory is the only component that interacts directly with the CPU
§ The current execution state resides in memory § A short-term history of the execution state can be retrieved from memory
3
§ Given a memory dump, how do we retrieve the execution status of the system or of a process?
§ E.g. § Can we list the processes running on this system? § Which websites were visited by the user?
4
§ Crime Investigation
§ Post Exploitation
§ Malware Analysis
§ CTF….
5
§ All data in main memory is volatile § It refers to data on a live system. Volatile memory loses its contents when the system is shut down or rebooted
§ Volatile memory acquisition procedures can be:
1. Hardware-based § Access memory without relying on the operating system, suspending the CPU and using DMA (Direct Memory Access) to copy the contents of physical memory § TRIBBLE – PoC device
2. Software-based § A trusted toolkit has to be used to collect volatile data § dd tool § Every action performed on a system, whether initiated by a person or by the OS itself, will alter the content of memory
6
§ Linux System § LiME ~ Linux Memory Extractor
7
$ git clone https://github.com/504ensicsLabs/LiME.git
$ cd LiME/src
$ make
$ insmod /sdcard/lime.ko "path=/tmp/ram.lime format=lime"
§ Windows System § Belkasoft Live RAM Capturer § WindowsSCOPE § winen.exe § …
§ We will focus on Windows memory forensics § Closed-source system, which is harder to analyse forensically § Most widely used PC system § However, the concepts carry over to other platforms
8
§ Virtual Machine § Pause the VM § Find the .vmem file
§ VirtualBox § VBoxManage can help you retrieve the physical memory
9
§ Try to dump the physical memory of your Linux machine § LiME § Virtual Machine
10
11
§ Operating System Level Data Structures
§ Page Tables § Translate virtual addresses to physical addresses § Each process has its own page table
§ Kernel Space Heap § Pools for many kernel objects
§ File System Cache
12
§ Information about running applications § exe, dll
§ User space stack for every thread
§ Application data structures and code
13
§ Processors that have an MMU (Memory Management Unit) support the concept of virtual memory § Page tables are set up by the kernel to map virtual addresses to physical addresses
14
§ Windows § PTE address = PTE_BASE + (page directory index) * PAGE_SIZE + (page table index) * PTE size § CR3 is the register that points to the per-process page directory
§ Linux § PA = VA - PAGE_OFFSET
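A worked version of the two formulas on this slide, added here as an example (not code from the original slides): it splits a 32-bit non-PAE virtual address into its indices, computes the Windows PTE address from PTE_BASE, applies the Linux direct-map rule with PAGE_OFFSET, and walks a two-level page table from a CR3 value inside a constructed physical dump, which is what a forensic tool must do before it can read any process's memory. The constants (PTE_BASE and PAGE_OFFSET of 0xC0000000, 4-byte entries) and the sample dump are assumptions for 32-bit x86.

```python
import struct

PAGE_SIZE = 0x1000
PTE_SIZE = 4                  # 32-bit non-PAE entries are 4 bytes
PTE_BASE = 0xC0000000         # Windows x86 self-mapped page tables (assumed, non-PAE)
PAGE_OFFSET = 0xC0000000      # Linux x86 direct-map base (assumed default)
PRESENT = 1                   # bit 0 of a PDE/PTE

def split_va(va):
    """Split a 32-bit VA into (page directory index, page table index, page offset)."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF

def windows_pte_va(va):
    """Virtual address of the PTE that maps va, using the slide's formula."""
    pdi, pti, _ = split_va(va)
    return PTE_BASE + pdi * PAGE_SIZE + pti * PTE_SIZE

def linux_direct_map_pa(va):
    """Physical address of a direct-mapped Linux kernel VA (PA = VA - PAGE_OFFSET)."""
    return va - PAGE_OFFSET

def translate(mem, cr3, va):
    """Walk a two-level x86 page table inside a raw physical dump; None if not mapped."""
    pdi, pti, off = split_va(va)
    pde = struct.unpack_from("<I", mem, cr3 + pdi * PTE_SIZE)[0]      # CR3 -> page directory
    if not pde & PRESENT:
        return None
    pt_base = pde & 0xFFFFF000                                         # PDE -> page table
    pte = struct.unpack_from("<I", mem, pt_base + pti * PTE_SIZE)[0]
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | off                                    # PTE -> physical page

def build_sample_dump():
    """Constructed 64 KiB 'physical memory' mapping VA 0x00401000 -> PA 0x5000 (not a real dump)."""
    mem = bytearray(0x10000)
    cr3, pt = 0x1000, 0x2000                   # page directory and one page table
    pdi, pti, _ = split_va(0x00401000)
    struct.pack_into("<I", mem, cr3 + pdi * PTE_SIZE, pt | PRESENT | 0x2)  # present, writable
    struct.pack_into("<I", mem, pt + pti * PTE_SIZE, 0x5000 | PRESENT)
    mem[0x5000:0x5004] = b"MZ\x90\x00"         # a fake image header on the mapped page
    return bytes(mem), cr3
```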
15
§ Open it with a hex editor § Just raw bytes; it's a mess in here
§ Semantic Gap § Without extra information, we cannot understand what is inside the memory
16
§ First step: identify data at fixed locations § From debug symbols § Reverse engineering § Pattern matching § …
17
§ Second step: just like other forensic techniques, we need to understand the data structures to recover data from memory § Open data structures § Reversed data structures
18
§ Windows keeps all processes in a linked list § PsActiveProcessHead
§ Our goal is to find PsActiveProcessHead in the raw physical memory
19
20
§ Volatile memory artifact extraction utility framework
§ Completely open source (GPLv2/Python)
§ Cross platform (Python) § Windows, Mac, Linux, Android, ... § Command-line tools/scriptable
§ Modular architecture
§ Active Community § Industry, academics, government, law enforcement
21
§ This cheat sheet can help you during the practice § http://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf § https://digital-forensics.sans.org/media/memory-forensics-cheat-sheet.pdf
22
Plugin
Profile
23
§ Find the appropriate way to analyze the memory dump § Knowing which OS is in use guides the rest of the analysis
24
$ python vol.py -f <your image> imageinfo
§ Boot Information § MBR
§ OS kernel related structure § Process § IDT, SSDT
§ Driver
§ kdbgscan
§ kpcrscan
§ mbrparser
§ Process
25
§ Rootkit § A program that hides information from the system administrator § e.g. hides a process
§ DKOM (Direct Kernel Object Manipulation) § Modifying kernel data to hide information
26
§ http://140.113.194.85:3000/problems/33
§ Compare the output of the following commands to find the hidden process § pslist § psscan § pstree § psxview
27
§ pslist § Walks the doubly linked list pointed to by PsActiveProcessHead § Just like live tools such as Task Manager and Process Explorer § DKOM can bypass it
§ psscan § Scans the pool for EPROCESS structures § Can find processes hidden by a DKOM rootkit
28
§ Many types of objects that need to be allocated and de-allocated quickly are stored in OS pools
§ Each object allocated from a pool is given a pool header § The pool header contains a tag that identifies the object type
§ Scanning memory for this tag leads to the recovery of the corresponding objects
§ Pool scanning allows us to recover previously freed objects as well as ones that rootkits try to hide
29
§ Data structures at fixed locations are our starting point for recovering information from memory
§ What if we need to analyze a memory dump from a different system? § Generate a profile to support a different OS distribution § Find a profile on the internet
§ https://github.com/nikki-mccavee/volatility-profiles/tree/master/linux
30
§ The profile is a zip file consisting of:
1. The kernel's data structures (module.dwarf)
2. Debug symbols (System.map)
3. Zipped together
§ Try to build your own profile for your Linux machine
$ sudo apt-get install dwarfdump
$ cd <volatility dir>/tools/linux
$ make
$ zip volatility/volatility/plugins/overlays/linux/Ubuntu1204.zip volatility/tools/linux/module.dwarf /boot/System.map-3.2.0-23-generic
31
§ Authentication
§ Registry
§ GUI Windows
32
§ The registry is a hierarchical database that stores the configuration settings of users and of the system on Windows § Kernel § Device drivers § Services § SAM § User interface § Third-party applications § System performance
33
§ Hives are the root directories that store subdirectories called keys
§ Regedit can be used to edit your registry values
§ Volatility provides the hivelist, hivedump and hivescan plugins to examine the registry
34
§ Gather information about the hardware from the Windows registry
35
§ The "-K" option of printkey selects the key to print
36
$ python vol.py -f Windows7.vmem --profile=Win7SP0x64 printkey -o 0xfffff8a00005e010 -K DESCRIPTION
§ The Windows SAM stores passwords in an unreadable form, i.e. encrypted or as hashes
§ system_virtual and sam_virtual are the virtual addresses of § \REGISTRY\MACHINE\SYSTEM § \SystemRoot\System32\Config\SAM
37
$ vol.py -f WinXP.raw --profile=WinXPSP2x86 hashdump -y <system_virtual> -s <sam_virtual>
§ Some user activity history is stored in the registry § Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU § shimcache § userassist § shellbags
38
§ lsass.exe is responsible for authenticating users
39
§ Saves user passwords in encrypted form § Should use hashes rather than encryption § Encryption can be reversed
§ The keys are in the memory of the LSASS process § Encryption is done with LsaProtectMemory, decryption with LsaUnprotectMemory § Depending on the size of the secret, the algorithm differs:
§ 3DES
§ AES
40
§ http://140.113.194.85:3000/problems/34
§ Mimikatz plugin to reveal admin’s password
§ Target Windows.vmem
41
§ Volatility provides an interface for developers to write plugins
§ Many security experts share their plugins
§ More and more good plugins can help us analyze application-specific features § Social networks § Browsers § Malware
42
§ TrueCrypt is a well-known disk encryption system
§ It has a "cache password in memory" feature § So the password can be retrieved from memory
43
§ http://140.113.194.85:3000/problems/35
§ The flag is inside the volume encrypted by TrueCrypt
44
§ http://140.113.194.85:3000/problems/36
§ Target File: d3db926d201f8e997cfbfb2eedab67abe919f4c8.tar.gz
§ Find the flag in:
1. Environment variables
2. GUI window titles
3. Command line history
4. Administrator password
45
§ With the increasing number of applications in use, we need to write our own plugins for application-level forensics
46
§ A plugin takes the form of a Python class
§ Extend the class commands.Command § The calculate() function performs the analysis § render_text() outputs the result
47
§ A scanner can be used to discover specific data in the given memory § It must contain a checks attribute that defines what to scan for
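The pool-scanning idea from the psscan slides and the plugin shape described here (a checks list, a calculate() that produces results and a render_text() that prints them), combined into one stand-alone Python model; this is added example code, not Volatility's API or any of its plugins. It decodes the 8-byte x86 _POOL_HEADER bit-fields and looks for the process pool tag "Pro\xe3"; MIN_BYTES and the sample memory layout are constructed assumptions, and in a real plugin the size threshold and the _EPROCESS field offsets come from the profile.

```python
import struct

PROC_TAG = b"Pro\xe3"   # pool tag of process objects ('Proc' with the top bit of the last byte set)
MIN_BYTES = 0x100       # assumed minimum block size; the real threshold comes from the profile

def parse_pool_header(mem, off):
    """Decode the 8-byte x86 _POOL_HEADER at off: packed bit-fields followed by the 4-byte tag."""
    bits, tag = struct.unpack_from("<I4s", mem, off)
    return {"offset": off, "pool_index": (bits >> 9) & 0x7F,
            "block_size": ((bits >> 16) & 0x1FF) * 8,   # stored in 8-byte units
            "pool_type": bits >> 25, "tag": tag}

# Plays the role of a scanner's checks attribute: every predicate must hold for a hit.
checks = [
    ("PoolTagCheck", lambda h: h["tag"] == PROC_TAG),
    ("CheckPoolSize", lambda h: h["block_size"] >= MIN_BYTES),
    ("CheckPoolIndex", lambda h: h["pool_index"] == 0),
]

def calculate(mem):
    """Scan raw memory for process pool blocks (what psscan does); yields their headers."""
    hit = mem.find(PROC_TAG, 4)                 # the tag sits 4 bytes into the header
    while hit != -1:
        header = parse_pool_header(mem, hit - 4)
        if all(check(header) for _, check in checks):
            yield header
        hit = mem.find(PROC_TAG, hit + 1)

def render_text(headers):
    """Format the results as a table, the role render_text plays in a plugin."""
    rows = ["0x%08x 0x%04x %d" % (h["offset"], h["block_size"], h["pool_type"]) for h in headers]
    return "\n".join(["Offset     Size   Type"] + rows)

def make_header(index, size_bytes, ptype, tag):
    """Pack an x86 _POOL_HEADER; used only to construct the sample memory below."""
    bits = ((index & 0x7F) << 9) | (((size_bytes // 8) & 0x1FF) << 16) | ((ptype & 0x7F) << 25)
    return struct.pack("<I4s", bits, tag)

def build_sample_memory():
    """Constructed 16 KiB of memory: a live process block, a freed one, and two decoys."""
    mem = bytearray(0x4000)
    mem[0x0400:0x0408] = make_header(0, 0x280, 2, PROC_TAG)   # nonpaged, live process
    mem[0x1000:0x1008] = make_header(0, 0x280, 0, PROC_TAG)   # PoolType 0: freed, unlinked from pslist
    mem[0x2000:0x2008] = make_header(0, 0x40, 2, PROC_TAG)    # tag matches but block far too small
    mem[0x3000:0x3004] = PROC_TAG                             # bare tag inside data, no valid header
    return bytes(mem)
```

The freed block at 0x1000 is exactly the kind of object the slides say pool scanning recovers and a PsActiveProcessHead walk never sees.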
48
§ TBA
§ Applications have their own custom structures; you should write a plugin to parse them
49