  • 1. Windows Memory Forensic Analysis -- Aashish Kunte, Club Hack 2010
  • 2. Security Incident: A secured company's network sees port 5548 traffic on the Null (sinkhole) router! The activity looks like a suspicious service scan! The source computer is a Windows web server ….
  • 3. Security Incident Response: a set of procedures to examine a computer security incident. The process involves figuring out what happened. It helps mitigate security risk through proactive measures and world-class defensive tactics.
  • 4. Digital Forensics: in-depth analysis and complex techniques. The goal of computer forensics is to explain the current state of a digital artifact. The scope of a forensic analysis can vary from simple information retrieval to reconstructing a series of events.
  • 5. Technique: Preparation, Acquisition, Enumeration, Analysis, Recovery, Presentation.
  • 6. Windows Memory: live activities from the contents of RAM on a Windows machine; during a post-mortem analysis, specifically encrypted, compressed or hidden processes. RAM constituted "electronically stored information" under rule 34(a) of the Federal Rules of Civil Procedure.
  • 7. What Information? Processes; open files and registry handles; network information; passwords and cryptographic keys; unencrypted content; hidden data; malicious code; DLLs.
  • 8. Analysis: Sit back … … relax!!
  • 9. How does volatile memory work?
  • 10. Acquisition of Windows memory. How is volatile memory organized?
  • 11. Processes: What is process memory? Process enumeration.
  • 12. How to find suspicious files and suspicious keys? Open files, Windows registry, loaded DLLs. Video: HBGary Responder Pro & Digital DNA - identifying malware.
  • 13. Network Information: Why from volatile memory? Open sockets, open ports, open TCP connections.
  • 14. What the heck is a VAD tree?
  • 15. Passwords and Encryption Keys; SSDT. Video: finding passwords and encryption keys in Windows memory. Video: analyzing the SSDT using Python and the Volatility Framework.
  • 16. Anti-Forensic Attack (DKOM)
  • 17. Static & Dynamic Analysis: reverse engineering files of unknown origin.
  • 18. Quick Bites: suspicious log entries; suspicious processes and services; suspicious files and registry keys; suspicious network usage; suspicious scheduled tasks; suspicious accounts.
  • 19. Tools. Basic tools: Memdump, KnTTools, FATKit, WMFT, Procenum, Idetect, The Volatility Framework, VAD Tools. Commercial tools: Memoryze.
  • 20. Future
  • 21. Questions??? Club Hack 2010


Editor's Notes

  • #2: Introduction.
  • #3: Here is the story of an incident handled in an ideal scenario. A global company has a controlled and secured computing environment and has adopted many security best practices in its operations. The company has a Null (sinkhole) router, which means all non-routable IP traffic ends up at this router. After a detailed analysis of the sinkhole router, it was observed that some suspicious activity was going on: the behavioural pattern showed activity from a particular geographical location, with several PCs trying to access sequentially numbered unused IP addresses. The traffic looked like source port 0 and destination port 5548. Digging deeper into the logs, a Windows web server was also generating the same type of traffic. When we went to the SOC team we found that the server was running with the latest patches / antivirus / endpoint protection / HIPS, and that its logs were monitored and reviewed regularly. The server showed no misbehaviour or performance issues. The server stores PII and SPII with confidential information. (Slide Time Duration 3 Mins)
  • #4: Now this particular situation is an unusual behaviour or suspicious event. Any unusual event within an organization can be a serious incident. As an essential and critical control, an ideal company will have an Incident Response Plan, with incident handling guidelines in place and a proper IR methodology. Without an incident response plan, an organization may not discover an attack in the first place, or, if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. NIST has a detailed guideline for creating and running an incident response team. Business benefits: provides on-demand security expertise on preparing for and responding to incidents; provides comprehensive risk mitigation support; stops attacks in progress to minimize their impact; improves incident response preparedness; performs forensics to find and prosecute perpetrators; provides access to early-warning security intelligence. (Slide Time Duration 2 Mins)
  • #5: We need to apply an in-depth analysis using complex techniques. Forensics is the application of a particular science to the law. Digital forensics is the branch of forensic science covering the recovery and investigation of material found in digital devices, often in relation to computer crime. Investigations often take one of three forms: forensic analysis (where evidence is recovered to support or oppose a hypothesis before a criminal court), eDiscovery (a form of discovery related to civil litigation), or intrusion investigation (a specialist investigation into the nature and extent of an unauthorized network intrusion). Investigations are much broader in scope than other areas of forensic analysis (where the usual aim is to provide answers to a series of simpler questions), often relating to complex timelines or hypotheses. Computer forensics is an expansive and fast-moving field. New and evolving technologies such as cellular phones and personal digital assistants (PDAs), as well as new and ever-changing operating systems and file systems, all require in-depth analysis to determine how best to extract information pertinent to an investigation. In addition, techniques for performing forensics on both new and existing technologies are constantly in development. Many techniques are complex and time-consuming, requiring training and specialized tools. Distinct areas of research and development have emerged within the overarching theme of forensics. (Slide Time Duration 2/3 Mins)
  • #6: The Forensic Incident Response Methodology… (Slide Time Duration 2 Mins)
  • #7: Value of Windows memory forensic analysis: applying a straightforward analysis, the judge noted the advisory committee comment that the rule applies to information "that is fixed in a tangible form and to information that is stored in a medium from which it can be retrieved and examined," that the rule "is expansive and includes any type of information that is stored electronically," and that it "is intended to be broad enough to cover all current types of computer-based information." See "RAM and FRCP 34 Lock Horns", http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1182848788454 (Slide Time Duration 3 Mins)
  • #8: The information treasure available in memory. (Slide Time Duration 4 Mins)
  • #9: (Slide Time Duration 1 Min)
  • #10: Memory basics. OK, let me add a small diagram here … and let me enlarge it a little … so that it's visible to everyone. I picked up some of these pictures from a very interesting presentation on Windows memory forensics with the Volatility Framework, written by the German computer forensics geek Mr. Andreas Schuster. Physical memory is divided into so-called "pages". Allocated virtual memory is mapped onto physical memory page by page. The same page of physical memory can appear at different locations within the same address space or in different address spaces. Data can be moved from physical memory into a page file to free some space.
Now, moving on to the important kernel structures: Mr. Mariusz Burdach, who owns the secure.net site, has explained this portion in detail; I have picked only a few here, and I suggest you go through his papers and Black Hat presentations to understand the concepts better. The EPROCESS block, the executive process block, is a very interesting and important kernel structure. It contains, mainly, the KPROCESS block (kernel process block), the ETHREAD (executive thread block), the ACCESS_TOKEN and SIDs, the Process Environment Block, and the VAD (Virtual Address Descriptor). One interesting thing about VAD walking is that it can reveal a wealth of information! We are going to discuss the VAD tree in detail. Handle table, creation time … this is another important kernel structure. Then there is the Data Section Control Area, which includes page frames. And finally the PFN database, where the page frame numbers are stored.
Now let's look at the relations between structures: this picture explains the EPROCESS block and its relations to other kernel objects. We can clearly derive a one-way connection between EPROCESS / ETHREAD and the SSDT, and a bi-directional connection between page frame numbers and page tables. We are going to discuss in detail the importance of the PFN database and the page tables towards the end of the analysis phase.
Let me allow you to have a closer look at the diagram.
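Note #10 describes paging and page tables only in the abstract. The following Python is an added example, not code from the deck or from the Volatility project: it builds a small constructed "physical memory" buffer holding a 32-bit, non-PAE page directory and page table, and translates virtual addresses to physical ones the way a memory-analysis tool must before it can read any kernel structure out of a raw dump. The buffer contents, the CR3 value and every offset are constructed for the example.

```python
import struct

PAGE_SIZE = 0x1000
P_PRESENT = 1 << 0      # bit 0 of a PDE/PTE: the page is in physical memory
PDE_LARGE = 1 << 7      # bit 7 of a PDE: 4 MiB large page, no page-table level


def build_physical_memory():
    """Constructed 32 KiB 'dump': page directory at 0x1000, page table at 0x2000,
    data page at 0x3000. All values are made up for the example."""
    mem = bytearray(PAGE_SIZE * 8)
    cr3, pt, data = 0x1000, 0x2000, 0x3000
    # PDE 0 -> page table at 0x2000 (covers virtual 0x00000000-0x003FFFFF)
    struct.pack_into('<I', mem, cr3 + 0 * 4, pt | P_PRESENT)
    # PTE 5 in that table -> data page, so virtual 0x00005000 maps to physical 0x3000
    struct.pack_into('<I', mem, pt + 5 * 4, data | P_PRESENT)
    # PDE 1 -> 4 MiB large page whose frame starts at physical 0x0
    struct.pack_into('<I', mem, cr3 + 1 * 4, 0x0 | PDE_LARGE | P_PRESENT)
    mem[data:data + 16] = b'EPROCESS-ish dat'
    return mem, cr3


def v2p(mem, cr3, vaddr):
    """Two-level x86 walk: CR3 -> PDE -> PTE -> physical address.
    Returns None when the page is not present (paged out or never mapped)."""
    pde_index = (vaddr >> 22) & 0x3FF
    pte_index = (vaddr >> 12) & 0x3FF
    (pde,) = struct.unpack_from('<I', mem, cr3 + pde_index * 4)
    if not pde & P_PRESENT:
        return None
    if pde & PDE_LARGE:
        # 4 MiB page: bits 31..22 of the PDE are the frame, low 22 bits the offset
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pt_base = pde & 0xFFFFF000
    (pte,) = struct.unpack_from('<I', mem, pt_base + pte_index * 4)
    if not pte & P_PRESENT:
        return None
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)


def read_virtual(mem, cr3, vaddr, size):
    """Read a virtual range page by page: consecutive virtual pages may live in
    non-adjacent physical frames, so every page is translated separately."""
    out = bytearray()
    while size > 0:
        paddr = v2p(mem, cr3, vaddr)
        if paddr is None:
            raise ValueError('virtual 0x%08x is not present in the dump' % vaddr)
        chunk = min(size, PAGE_SIZE - (vaddr & 0xFFF))
        out += mem[paddr:paddr + chunk]
        vaddr += chunk
        size -= chunk
    return bytes(out)


if __name__ == '__main__':
    mem, cr3 = build_physical_memory()
    print(hex(v2p(mem, cr3, 0x00005ABC)))         # 0x3abc
    print(hex(v2p(mem, cr3, 0x00401234)))         # 0x1234 (large page)
    print(v2p(mem, cr3, 0x00006000))              # None: PTE 6 is not present
    print(read_virtual(mem, cr3, 0x00005000, 8))  # b'EPROCESS'
```

The None result is the case the note's remark about the page file covers: a page that is not present in RAM at acquisition time cannot be read from the dump alone. On a real image the analyst also has to locate a valid CR3 first (a kernel process's directory table base) and, on PAE or x64 systems, walk three or four levels instead of two.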
  • #11: Acquisition in detail
  • #12: Process Enumeration and Analysis in detail.
  • #13: Detailed Analysis for Open Files and Windows Registry. Video : HBGary Responder Pro & Digital DNA -identifying malware http://www.youtube.com/watch?v=zKX8HUkLDtM Duration : 4 Mins
  • #14: Detailed description of network information from memory. This information is similar to NETSTAT output, but netstat can be trojanized to give false or modified output; pulling the network information directly from a live memory dump, using the data structures themselves, makes it much harder for an attacker to hide their listening backdoor or the connection to the home server from which they have control.
  • #15: VAD is nothing but a Virtual Address Descriptor. A process's memory layout is stored in Windows in a VAD tree. This tree describes the memory ranges used by currently running processes, and allows a process's virtual address space to be reconstructed. Let me try and enlarge this image a bit: you will observe the starting point, the VAD root, which connects VAD nodes, control areas and the object table that contains file objects. One of the structures in the VAD tree is called an object table, which lists the private objects in use by a process; these can be files, registry keys and events. The memory-mapped files associated with each process can be recovered by walking the VAD tree and pulling out the objects of interest, in this case files, but potentially other objects as well. There is also an area of memory called the "control area" that maintains links between file names and the file data stored in the pages; if this area is still present, the file name can often be recovered as well. For in-depth coverage of this topic you can start with the very interesting paper "Forensic Memory Analysis: Files mapped in memory" by van Baar et al. and the book Windows Internals. The VAD tree is useful for many reasons: most information associated with a process can be found by walking it. In particular, it is possible to recover all the memory-mapped files associated with specific processes using the VAD tree.
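Note #15 explains the VAD walk in words. The following Python is an added example, not from the deck or from any forensic tool: it walks a constructed VAD tree in order, which yields the process's address ranges sorted by virtual address, and pulls out the file names of the memory-mapped regions. The node encoding is a hypothetical, simplified one chosen for the example and is not the real _MMVAD layout; offsets, ranges and names are constructed.

```python
import struct

# Hypothetical simplified node (NOT the real _MMVAD layout):
#   start VPN, end VPN, left child offset, right child offset, file-name offset
# A VPN is a virtual address >> 12; 0 means "no child" / "no file object".
VAD_FMT = '<IIIII'
VAD_SIZE = struct.calcsize(VAD_FMT)


def build_image():
    """Constructed memory image holding a five-node VAD tree for one process."""
    mem = bytearray(0x400)
    # file-name strings the control areas would point at (constructed)
    names = {0x200: b'\\WINDOWS\\system32\\svchost.exe\0',
             0x240: b'\\WINDOWS\\system32\\kernel32.dll\0'}
    for off, s in names.items():
        mem[off:off + len(s)] = s
    # nodes: root 0x10, left 0x30, left.right 0x50, right 0x70, right.left 0x90
    nodes = {
        0x10: (0x00400, 0x00410, 0x30, 0x70, 0x200),   # image, 0x00400000-0x00410FFF
        0x30: (0x00010, 0x00010, 0x00, 0x50, 0x000),   # private page, no file
        0x50: (0x00130, 0x0022F, 0x00, 0x00, 0x000),   # heap, no file
        0x70: (0x7C800, 0x7C8F5, 0x90, 0x00, 0x240),   # kernel32.dll mapping
        0x90: (0x7A000, 0x7A0FF, 0x00, 0x00, 0x000),   # private page, no file
    }
    for off, fields in nodes.items():
        struct.pack_into(VAD_FMT, mem, off, *fields)
    return mem, 0x10          # (image, VadRoot offset)


def cstring(mem, off):
    end = mem.index(b'\0', off)
    return mem[off:end].decode('ascii')


def walk_vad(mem, root_off):
    """In-order walk of the VAD tree. Returns [(start, end, file_name_or_None)]
    sorted by virtual address. The visited set guards against cycles, which a
    corrupted dump or a tampered tree can contain (a naive walk would never end)."""
    ranges, visited = [], set()

    def visit(off):
        if off == 0 or off + VAD_SIZE > len(mem):
            return
        if off in visited:
            raise ValueError('cycle in VAD tree at 0x%x' % off)
        visited.add(off)
        start, end, left, right, name_off = struct.unpack_from(VAD_FMT, mem, off)
        visit(left)
        name = cstring(mem, name_off) if name_off else None
        ranges.append((start << 12, ((end + 1) << 12) - 1, name))
        visit(right)

    visit(root_off)
    return ranges


def mapped_files(mem, root_off):
    """The memory-mapped files recoverable from the tree (the objects of interest)."""
    return [name for _, _, name in walk_vad(mem, root_off) if name]


if __name__ == '__main__':
    mem, root = build_image()
    for start, end, name in walk_vad(mem, root):
        print('0x%08x-0x%08x %s' % (start, end, name or '<private>'))
    print(mapped_files(mem, root))
```

The ordered range list is the reconstructed address space the note talks about; regions without a file object are private memory (heaps, stacks, injected code), which is exactly where the hidden or unpacked content from slide 6 tends to sit, so an unbacked executable region is worth a second look.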
  • #16: Video : To find out Passwords and Encryption Keys from Windows Memory Duration: 2 Mins Video : To understand SSDT and Analyse SSDT using Python and Volatility Framework Duration : 2 Mins
  • #17: Detailed Description
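Note #10 introduces the EPROCESS block and its linked list, and slide 16 names DKOM as the anti-forensic attack against it. The following Python is an added example, not from the deck or from the Volatility project: over a constructed dump with a hypothetical, simplified process-block layout, it contrasts walking the active-process linked list with scanning the whole dump for a pool tag, which is how a memory-analysis tool notices a process that has been unlinked from the list. The tag, offsets, PIDs and names are all constructed for the example.

```python
import struct

# Hypothetical simplified process block (NOT the real _EPROCESS layout):
#   4-byte pool tag, then pid, flink, blink (offsets of neighbouring blocks), name.
POOL_TAG = b'Proc'
PROC_FMT = '<III16s'
PROC_SIZE = struct.calcsize(PROC_FMT)


def build_memory():
    """Constructed 16 KiB dump with three process blocks. The third has been
    unlinked from the doubly-linked active-process list (DKOM-style hiding):
    its neighbours no longer point at it, but the block itself is still in RAM."""
    mem = bytearray(0x4000)
    blocks = {0x100: (4, 0x900, 0x900, b'System'),
              0x900: (368, 0x100, 0x100, b'smss.exe'),
              0x1700: (1337, 0x100, 0x900, b'hidden.exe')}   # stale links only
    for off, (pid, flink, blink, name) in blocks.items():
        mem[off - 4:off] = POOL_TAG
        struct.pack_into(PROC_FMT, mem, off, pid, flink, blink, name.ljust(16, b'\0'))
    # leftover tag from a freed block with garbage fields: a scanner has to
    # validate candidates instead of trusting the tag alone
    mem[0x2FFC:0x3000] = POOL_TAG
    struct.pack_into(PROC_FMT, mem, 0x3000, 0xFFFFFFFF, 0, 0, b'\xff' * 16)
    return mem, 0x100   # (dump, offset of the list head / System process)


def read_proc(mem, off):
    pid, flink, blink, name = struct.unpack_from(PROC_FMT, mem, off)
    return pid, flink, blink, name.rstrip(b'\0')


def pslist(mem, head):
    """Walk the active-process list via flink, as the kernel's own enumeration
    does. Bounded so a corrupted or looping list cannot hang the walk."""
    seen, off = [], head
    for _ in range(1024):
        pid, flink, _blink, name = read_proc(mem, off)
        seen.append((off, pid, name.decode('ascii', 'replace')))
        off = flink
        if off == head:
            return seen
    raise ValueError('active-process list does not terminate')


def looks_valid(pid, name):
    """Sanity checks that drop false positives (freed or garbage blocks)."""
    return 0 < pid < 65536 and bool(name) and all(32 <= b < 127 for b in name)


def psscan(mem):
    """Scan the whole dump for the pool tag, regardless of list membership."""
    found, pos = [], mem.find(POOL_TAG)
    while pos != -1:
        off = pos + len(POOL_TAG)
        if off + PROC_SIZE <= len(mem):
            pid, _f, _b, name = read_proc(mem, off)
            if looks_valid(pid, name):
                found.append((off, pid, name.decode('ascii')))
        pos = mem.find(POOL_TAG, pos + 1)
    return found


def hidden_processes(mem, head):
    """Processes present in memory but absent from the linked list."""
    listed = {pid for _, pid, _ in pslist(mem, head)}
    return [(pid, name) for _, pid, name in psscan(mem) if pid not in listed]


if __name__ == '__main__':
    mem, head = build_memory()
    print('pslist :', pslist(mem, head))
    print('psscan :', psscan(mem))
    print('hidden :', hidden_processes(mem, head))   # [(1337, 'hidden.exe')]
```

This is the idea behind the pslist and psscan plugins in the Volatility Framework named on slide 19. The scan also turns up blocks of processes that have exited but whose memory has not been reused, so a process found only by scanning is a lead to confirm against other structures (threads, handles, the VAD tree from note #15), not proof of hiding by itself.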
  • #18: Advanced Forensic Techniques
  • #19: Quick information on Incident Detection / Verification (Slide Time Duration 3 Mins)
  • #20: Elaborated discussion on each tool and its specialty, with appropriate results. (Slide Time Duration 3 Mins)
  • #21: Digital forensics / security incident response is going to play a significant role in India, with more maturity and advanced techniques such as cloud forensics and mobile device forensics, and to cope with anti-forensic attacks by adopting innovative techniques with the latest technology updates. "The future can be clouds... but we need to keep our feet on the ground with facts and some common sense." (Slide Time Duration 1 Min)
  • #22: (Slide Time Duration 10 Mins)