EMPOWERING INVESTIGATORS
THE VOLATILITY FOUNDATION
Next Generation Memory Forensics
Volatility Developers
November 5, 2014
© 2014 The Volatility Foundation
Volatility Development Team
•  Core Developers:
•  Mike Auty (ikelos)
•  Andrew Case (attc)
•  Brendan Dolan-Gavitt (moyix)
•  Michael Hale Ligh (MHL)
•  Jamie Levy (gleeda)
•  AAron Walters (labarum)
•  The Volatility Community (OOV)
•  Numerous research collaborators/testing/bugs
•  Academia, government, industry
•  Mailing lists, blogs, irc (#volatility)
•  Moved: https://github.com/volatilityfoundation/volatility
•  @volatility
Thank You!
Volatility Foundation
•  Volatility development is supported by an
independent foundation
•  US 501(c)(3) Nonprofit
•  The Volatility Foundation was established:
•  to support the development of Volatility
•  to promote the use of Volatility and memory analysis in
the forensics community
•  to protect the intellectual property and the framework's
long-term viability
•  to advance the state of the art in memory analysis
research.
•  But… development is driven by the Volatility community
Opaque Systems/Enterprise
•  Opaque components of information infrastructure
•  Can your systems be trusted? (patches, malware)
Adversaries' Challenges
•  They want to remain undetected (stealthy)
•  They want to execute a mission
•  They rely on components of the operating system
•  Consume system resources
•  Memory (stack, heap, pool)
•  Objects (thread, process, mutex, driver)
•  Modify control flow (execution) of the system
•  Hide the allocated resources
•  Perform mission
What is Memory Forensics?
•  Memory forensics is the process of acquiring
and analyzing physical memory (RAM) in order
to find artifacts and evidence
•  Analysis does not depend on OS (trust)
•  Unconstrained analysis (entire state of OS/historical)
•  Removes the active adversary
•  Usually performed in conjunction with disk and
network forensics (memory only artifacts)
•  Rapid triage/analysis leads (sandbox)
Next Generation Analysis
(Diagram: analysis layers and the address spaces they operate on. Physical Memory Analysis works on the Physical Address Space; Virtual Memory Analysis (Hardware) reconstructs the Virtual Address Spaces, including Swap; Operating System Analysis works on the Kernel Address Spaces; Application Analysis works on the Application Address Spaces / User Address Spaces, with application Context.)
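The layering on this slide is what lets a framework read a process's virtual memory out of a raw physical image: the hardware layer walks the page tables so the OS and application layers never touch physical offsets directly. As an added example (not code from the slides or from Volatility), the following Python implements a minimal x86 32-bit non-PAE translation over a constructed physical image; the DTB value, page-table layout and marker string are all made up for the demo, and a page that is not present (paged out or unmapped) is reported as unreadable rather than guessed.

```python
"""Minimal x86 32-bit (non-PAE) paged address space over a physical memory image.
Added example: constructed sample data, not a real memory dump."""
import struct

PAGE = 0x1000
PRESENT = 0x1        # bit 0 of a PDE/PTE: entry is valid
LARGE_PAGE = 0x80    # bit 7 (PS) of a PDE: maps a 4 MiB page directly


class PagedAddressSpace:
    """Translates virtual addresses via the page directory at `dtb` (CR3 of one process)."""

    def __init__(self, phys: bytes, dtb: int):
        self.phys = phys
        self.dtb = dtb

    def read_phys(self, paddr: int, n: int):
        """Read n bytes from the physical image; None if outside the image."""
        if paddr < 0 or paddr + n > len(self.phys):
            return None
        return self.phys[paddr:paddr + n]

    def _entry(self, paddr: int):
        raw = self.read_phys(paddr, 4)
        return struct.unpack("<I", raw)[0] if raw else None

    def vtop(self, vaddr: int):
        """Virtual -> physical, or None if the page is not present (paged out/unmapped)."""
        pde = self._entry(self.dtb + ((vaddr >> 22) & 0x3FF) * 4)
        if pde is None or not pde & PRESENT:
            return None
        if pde & LARGE_PAGE:
            return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
        pte = self._entry((pde & 0xFFFFF000) + ((vaddr >> 12) & 0x3FF) * 4)
        if pte is None or not pte & PRESENT:
            return None
        return (pte & 0xFFFFF000) | (vaddr & 0xFFF)

    def read(self, vaddr: int, n: int):
        """Read n bytes of virtual memory page by page; None if any page is unavailable."""
        out = bytearray()
        while n > 0:
            paddr = self.vtop(vaddr)
            if paddr is None:
                return None
            chunk = min(n, PAGE - (vaddr & 0xFFF))
            data = self.read_phys(paddr, chunk)
            if data is None:
                return None
            out += data
            vaddr += chunk
            n -= chunk
        return bytes(out)


MARKER = b"volatility.page!"  # 16 constructed bytes, placed across a page boundary below


def build_sample_image():
    """Construct a 64 KiB physical image: page directory at 0x1000, page table at 0x2000,
    data pages at 0x3000-0x4FFF. Returns (image, dtb). All values are made up."""
    phys = bytearray(16 * PAGE)
    dtb, table = 0x1000, 0x2000
    struct.pack_into("<I", phys, dtb + 0 * 4, table | PRESENT)              # PDE 0 -> page table
    struct.pack_into("<I", phys, dtb + 1 * 4, 0x0 | PRESENT | LARGE_PAGE)   # PDE 1 -> 4 MiB page at phys 0
    struct.pack_into("<I", phys, table + 0x10 * 4, 0x3000 | PRESENT)        # virt 0x10000 -> phys 0x3000
    struct.pack_into("<I", phys, table + 0x11 * 4, 0x4000 | PRESENT)        # virt 0x11000 -> phys 0x4000
    # PTE 0x12 is left zero, so virt 0x12000 is not present
    phys[0x3FF8:0x3FF8 + len(MARKER)] = MARKER   # last 8 bytes of one page, first 8 of the next
    return bytes(phys), dtb


if __name__ == "__main__":
    aspace = PagedAddressSpace(*build_sample_image())
    print(hex(aspace.vtop(0x10ABC)))          # 0x3abc
    print(aspace.read(0x10FF8, 16))           # b'volatility.page!'
    print(aspace.vtop(0x12000))               # None: page not present
```

The read that straddles 0x10FF8 is the point of the layer: two physically distant pages come back as one contiguous virtual buffer, and a missing PTE turns into an explicit failure that an OS-level plugin can report instead of silently reading the wrong bytes.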
Volatility Framework
•  Volatile memory artifact extraction utility framework
•  Completely open source (GPLv2/Python)
•  Cross platform (Python)
•  Single, cohesive analysis framework
•  Windows, Mac, Linux, Android, …
•  Command-line tools/scriptable
•  Modular architecture
•  Unparalleled features!
•  Active Community
•  Industry, academics, government, law enforcement
Volatility 2.4: AMF
Volatility 2.4: Highlights
•  Released: August 2014 at Black Hat Arsenal
•  Address Spaces (3 new AS/17)
•  QEMU virtual machine memory samples
•  “split” VMware files (vmem, vmss, vmsn)
•  Windows BitMap crash dumps (Windows 8/2012)
•  Mac OS X (30 new plugins/62)
•  Mavericks through 10.9.4
•  Mac string translation
•  Adium message (OTR)/Contact records/Notes artifacts
•  Apple Keychain encryption keys/clear-text PGP emails
•  API hooks in kernel and process memory
•  IP and socket filters
•  Suspicious process mappings (injected code)
•  Hidden kernel extensions (extraction)
•  Recovered files cached in memory
Application Artifacts
Volatility 2.4: Highlights
•  Linux/Android (24 new plugins/66)
•  Linux kernels through 3.16
•  Linux string translation
•  API hooks (kernel/userland)
•  GOT/PLT overwrites
•  Hollowed executables
•  Suspicious process mappings (injected code)
•  Library listing using the loader’s data structures
•  Extract process ELF executables and libraries
•  Network interfaces in promiscuous mode
•  Processes that are using raw sockets
•  Hidden kernel modules
•  Netfilter hooks
•  Cached TrueCrypt passphrases
Volatility 2.4: Highlights
•  Windows (14 new plugins/108)
•  Windows 8/2012 support
•  TrueCrypt plugins (summary, cached pass, master keys)
•  Apihooks (64-bit/JMP FAR)
•  hashdump, cachedump, and lsadump (x64/Win8/2012)
•  callbacks and timers (64-bit)
•  mftparser (ADS, extract MFT resident blocks)
•  Single pass executive object scanning
•  verinfo plugin (PE version info)
•  auditpol plugin (audit policies)
•  cmdline plugin (process command line arguments)
•  pooltracker plugin (kernel pool tag statistics)
•  bigpools plugin (big page pool allocations)
•  Notepad plugin (application heap)
•  svcscan enumerates service start type
TrueCrypt
(Diagram: the TrueCrypt volume on the Host Disk holds the Hidden Data, Encrypted; the Passphrase unlocks the header. In RAM the Master keys, the Cached password and Cached file(s) such as C:\Users\Mike\Documents\lease.pdf are Un-encrypted/Decrypted.)
Notepad’s Heap
Volatility 2.4: Resources
•  Official Volatility Memory Analysis Cheat Sheet
•  Windows, Linux, Mac OS X
•  RTFM-style insert for Windows
•  http://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf
•  Volatility demo videos
•  Defeating Truecrypt Disk Encryption
•  Reverse Engineering Rootkits
•  Tracking Mac OS X Activity
•  https://www.youtube.com/channel/UC3AsZ6DGlqZIaPkxF6tXgAA
Volatility Roadmap
•  Volatility 2.5 (November 2014)
•  Bug fixes
•  Unified plugin output format
•  Volatility 3.0 (2015)
•  “Big Changes”: Refactor/Cleanup/API
•  Unicode improvement/Python 3.0
•  *Performance*
Compressed RAM/Swap
(Diagram of the compressor data structures: a global compressor_object holds c_segments, each containing compressed pages (c_buffer, c_slots); a compressor_pager (one per vm_map_entry object) holds cpgr_slots, mapping the virtual address of a page to its slot, which records c_size and c_offset.)
Social Media Artifacts
Dalvik Inspector
http://www.504ensics.com/blog/
2nd Volatility Plugin Contest
•  (Inspired by the Hex-Rays IDA plugin contest)
•  Create an innovative and useful extension to
Volatility and win the contest!
•  Facebook doubled the prize money!
•  Prizes awarded for top 5 submissions:
•  1: $2500, 2: $1250, 3: $750, 4-5: Volatility swag
•  Core development team judges
•  creativity, usefulness, effort, completeness, submission date, and
clarity of documentation.
•  12 submissions worldwide (>30 new plugins!)
•  Trend: Application analysis/context
1st Place: Dave Lasalle
•  Dave submitted 14 plugins (“Forensic Suite”)
•  Recovering Firefox and Chrome artifacts
•  Firefox (3 plugins)
•  History, cookies, downloads
•  Chrome (6 plugins)
•  History, cookies, downloads, visits, search terms
•  Java IDX files: Download history of Java archives
•  Office TrustRecords: Office files from untrusted sources
•  Fuzzy hashing to whitelist injected code/API hooks
•  ssdeepscan, malfinddeep, apihooksdeep
Chrome History
$ python vol.py -f voltest.dmp chromehistory --output=csv > output.csv
IDX Parser
$ python vol.py -f voltest.dmp idxparser
[*] Section 2 (Download History) found:
URL: http://javagameplay.com/offroadrally/inthejar.jar
IP: 209.188.88.156
<null>: HTTP/1.1 200 OK
content-length: 61699
last-modified: Fri, 10 Oct 2008 20:25:10 GMT
content-type: text/plain
date: Sat, 30 Aug 2014 19:53:56 GMT
server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
deploy-request-content-type: application/x-java-archive
apihooksdeep
•  Create the whitelist:
$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 vaddump -p 860 -b 0x71590000 -D dumps
[snip]
860 iexplore.exe 0x71590000 0x71608fff dumps/iexplore.exe.24296b8.0x71590000-0x71608fff.dmp
$ python hash_by_page.py -n AcLayers.DLL -f dumps/iexplore.exe.24296b8.0x71590000-0x71608fff.dmp
('AcLayers.DLL', '6:idqLvVg3F+X32xbQ7esfGkxNPWgwh9lorlcIfMfEtj/lkwSM0E/mh6l+tgdwL:eqGSGfP0FWgO9arlcIrUpEec1w'),
('AcLayers.DLL', '96:1SxccXfBWrvZnxbZ3IX26dZC6FsEzSVr6y616GpIHoib8u:uvBWrpxbxGpWEcr3UTpIHPb8u'),
[snip]
apihooksdeep
•  Now those hooks are not shown:
$ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss --profile=WinXPSP2x86 apihooksdeep -p 860
Process: 860 (iexplore.exe)
Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL
Process: 860 (iexplore.exe)
Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL
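The whitelist workflow above (hash each page of a known-good module dump, then report how similar each hooked page is to a whitelist entry) works because a fuzzy hash tolerates small local differences where an exact hash would not. As an added example (not Dave Lasalle's plugins, not Volatility code, and not ssdeep-compatible), the following Python implements a simplified context-triggered piecewise hash, builds a whitelist from a constructed "known-good" hooked page, and scores pages against it; the page contents, offsets and the 5 patched bytes are all constructed, and the 90% threshold is an assumption.

```python
"""Whitelisting hooked pages with a context-triggered piecewise hash (ssdeep-style).
Added example, not Volatility or the contest plugin; the hash is a simplified,
non-ssdeep-compatible stand-in. Page contents are constructed."""
import difflib
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7        # bytes covered by the rolling hash
BLOCKSIZE = 128   # expected piece length: one trigger per ~128 bytes


def piecewise_hash(data: bytes) -> str:
    """Cut `data` where a rolling hash hits a trigger value and emit one character per
    piece, so a local change (a few patched bytes) alters only a few characters."""
    sig = []
    window = [0] * WINDOW
    rolling = 0
    piece = 0x811C9DC5                       # FNV-1a offset basis
    for i, b in enumerate(data):
        rolling += b - window[i % WINDOW]    # sum of the last WINDOW bytes
        window[i % WINDOW] = b
        piece = ((piece ^ b) * 0x01000193) & 0xFFFFFFFF   # FNV-1a step
        if rolling % BLOCKSIZE == BLOCKSIZE - 1:          # content-defined boundary
            sig.append(ALPHABET[piece & 63])
            piece = 0x811C9DC5
    sig.append(ALPHABET[piece & 63])         # trailing piece
    return "".join(sig)


def similarity(sig_a: str, sig_b: str) -> int:
    """0-100 score from sequence matching of two signatures (identical -> 100)."""
    return round(100 * difflib.SequenceMatcher(None, sig_a, sig_b).ratio())


class HookWhitelist:
    """Known-good hooked pages as (label, signature); match() returns the best hit or None."""

    def __init__(self, threshold: int = 90):   # threshold is an assumption for the demo
        self.threshold = threshold
        self.entries = []

    def add(self, label: str, page: bytes):
        self.entries.append((label, piecewise_hash(page)))

    def match(self, page: bytes):
        sig = piecewise_hash(page)
        best = None
        for label, known in self.entries:
            score = similarity(sig, known)
            if best is None or score > best[1]:
                best = (label, score)
        return best if best and best[1] >= self.threshold else None


def make_pages():
    """Constructed 4 KiB pages: a clean page, the same page with 5 bytes patched at 0xE59
    (standing in for an inline hook), and an unrelated page."""
    rng = random.Random(1234)
    clean = bytes(rng.getrandbits(8) for _ in range(4096))
    hooked = bytearray(clean)
    hooked[0xE59:0xE5E] = b"\xE9\x00\x10\x00\x00"       # 5 patched bytes, constructed
    rng2 = random.Random(99)
    foreign = bytes(rng2.getrandbits(8) for _ in range(4096))
    return clean, bytes(hooked), foreign


def report(whitelist: HookWhitelist, page_va: int, page: bytes) -> str:
    hit = whitelist.match(page)
    if hit:
        return f"Hook in page {page_va:#x} is {hit[1]}% similar to whitelist hook {hit[0]}"
    return f"Hook in page {page_va:#x} matches no whitelist entry"


if __name__ == "__main__":
    clean, hooked, foreign = make_pages()
    wl = HookWhitelist()
    wl.add("AcLayers.DLL", hooked)   # whitelist built from a known-good dump of the hooked module
    print(report(wl, 0x715B9000, hooked))
    print(report(wl, 0x715B9000, clean))
    print(report(wl, 0x00400000, foreign))
```

The identical page scores 100, as on the slide; the unpatched page still scores high because only the one piece containing the patch changes; the unrelated page falls far below the threshold and stays in the report for the analyst.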
2nd Place: dm_dump
•  Submitted by Curtis Carmony
•  dm-crypt is used on Linux and Android for FDE
•  Keying material in physical memory (RAM)
•  dm_dump plugin recovers dm-crypt keys from memory and prints commands that can be copy/pasted to mount the volumes
•  Will be incorporated into core Volatility soon
dm_dump
$ python vol.py linux_dm_dump --profile=Linux3_11_0-15-generic-i686x86 --dm_profile=3.11.0-15-generic-i686-dm.dwarf -f 3.11.0-15-generic-i686.elf
Volatility Foundation Volatility Framework 2.4
sda5_crypt: 0 16269312 crypt aes-xts-plain64 c2ca0a6a52980952016936047ab46fba961397978fbf3219ca39fcfdce3b46e2b6348daa09d093351113288c8258bc6bd3c3d57afab2d6bc3cac7cfde436939b 0 /dev/sda5 4096
ubuntu--vg-swap_1: 0 1040384 linear /dev/dm-0 15163776
ubuntu--vg-root: 0 15163392 linear /dev/dm-0 384
$ dmsetup create volatility --table "0 16269312 crypt aes-xts-plain64 c2ca0a6a52980952016936047ab46fba961397978fbf3219ca39fcfdce3b46e2b6348daa09d093351113288c8258bc6bd3c3d57afab2d6bc3cac7cfde436939b 0 /dev/sda5 4096"
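The lines dm_dump prints are ordinary device-mapper table entries (start sector, length, target type, target arguments; for a crypt target the arguments are cipher, key, IV offset, backing device and offset), so the dmsetup line is the same fields re-joined. As an added example (not the dm_dump plugin's code), the following Python parses a constructed sample in that output shape, decodes the crypt target, emits the dmsetup command and produces a key-masked form for case notes; the 128-hex-digit key is an obvious placeholder, not key material from any image.

```python
"""Parse device-mapper tables as linux_dm_dump prints them and rebuild the
'dmsetup create' line for crypt targets. Added example (not the dm_dump plugin);
the sample output is constructed and the key is an obvious placeholder."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DmTable:
    name: str        # mapping name, e.g. sda5_crypt
    start: int       # start sector of this table line
    length: int      # length in 512-byte sectors
    target: str      # target type: crypt, linear, ...
    args: List[str]


@dataclass
class CryptTarget:
    cipher: str      # e.g. aes-xts-plain64
    key_hex: str
    iv_offset: int
    device: str      # backing block device
    offset: int      # start sector of the ciphertext on that device

    @property
    def key_bits(self) -> int:
        return len(self.key_hex) * 4


def parse_dm_line(line: str) -> Optional[DmTable]:
    """'<name>: <start> <length> <target> <args...>' -> DmTable, or None for other lines."""
    name, sep, rest = line.partition(":")
    fields = rest.split()
    if not sep or len(fields) < 3 or not (fields[0].isdigit() and fields[1].isdigit()):
        return None
    return DmTable(name.strip(), int(fields[0]), int(fields[1]), fields[2], fields[3:])


def parse_dm_output(text: str) -> List[DmTable]:
    """Skip the framework banner and anything else that is not a table line."""
    tables = [parse_dm_line(line) for line in text.splitlines()]
    return [t for t in tables if t is not None]


def crypt_target(table: DmTable) -> Optional[CryptTarget]:
    """Decode the crypt target arguments: cipher key iv_offset device offset."""
    if table.target != "crypt" or len(table.args) < 5:
        return None
    cipher, key, iv_off, device, offset = table.args[:5]
    int(key, 16)                            # raises ValueError if the key is not hex
    return CryptTarget(cipher, key, int(iv_off), device, int(offset))


def dmsetup_command(table: DmTable, mapping: str = "volatility") -> str:
    """The command the plugin prints so an analyst can re-create the mapping."""
    spec = " ".join([str(table.start), str(table.length), table.target, *table.args])
    return f'dmsetup create {mapping} --table "{spec}"'


def redacted(table: DmTable) -> str:
    """Same table line with the key masked, for reports and case notes."""
    ct = crypt_target(table)
    if ct is None:
        return f"{table.name}: {table.start} {table.length} {table.target} " + " ".join(table.args)
    masked = ct.key_hex[:4] + "..." + ct.key_hex[-4:]
    return (f"{table.name}: {table.start} {table.length} crypt {ct.cipher} {masked} "
            f"{ct.iv_offset} {ct.device} {ct.offset}")


# Constructed sample in the plugin's output shape; the key is a placeholder, not real material.
PLACEHOLDER_KEY = "0123456789abcdef" * 8   # 128 hex digits = 512 bits (XTS: two 256-bit AES keys)
SAMPLE_OUTPUT = f"""Volatility Foundation Volatility Framework 2.4
sda5_crypt: 0 16269312 crypt aes-xts-plain64 {PLACEHOLDER_KEY} 0 /dev/sda5 4096
ubuntu--vg-swap_1: 0 1040384 linear /dev/dm-0 15163776
ubuntu--vg-root: 0 15163392 linear /dev/dm-0 384
"""

if __name__ == "__main__":
    for table in parse_dm_output(SAMPLE_OUTPUT):
        print(redacted(table))
        ct = crypt_target(table)
        if ct:
            print(f"  {ct.cipher}, {ct.key_bits}-bit key -> {dmsetup_command(table)}")
```

The key length check is the quick sanity test on recovered material: aes-xts-plain64 needs a 512-bit key (two AES-256 halves), so a 128-digit hex string is consistent with the table, and anything else means the plugin picked up the wrong bytes.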
3rd Place: editbox
•  Written by Adam Bridge “Bridgey The Geek”
•  This plugin extracts text from the edit, combo, and list
boxes of GUI applications that run on Windows
•  Includes, but is not limited to:
•  Notepad window
•  Run dialog
•  Username and server name fields of Remote Desktop
Connection
•  Address bar and search bar of Internet Explorer
•  Search bar of Windows Media Player
•  Username field of Create New Account wizard
•  Password of Change Password dialog
editbox
$ python vol.py --profile=Win7SP1x64 -f WIN7SP1X64-20140929-225403.raw editbox
Volatility Foundation Volatility Framework 2.4
*******************************************************
Wnd context : 1\WinSta0\Default
pid : 2244
imageFileName : mstsc.exe
wow64 : No
atom_class : 6.0.7601.17514!Edit
[snip]
isPwdControl : No
deepthought.h2g2.com
*******************************************************
Wnd context : 1\WinSta0\Default
pid : 1748
imageFileName : explorer.exe
wow64 : No
atom_class : 6.0.7601.17514!Edit
[snip]
isPwdControl : Yes
pwdChar : 0x25cf
monkey
screenshot + editbox
Volatility 2014 Plugin Contest
•  4th Place:
•  Thomas Chopitea: Autoruns – Finding persistence
•  5th Place:
•  Takahiro Haruyama: OpenIOC Scan
•  Submissions:
•  Monnappa KA: Gh0stRat Decryption
•  Jamaal Speights: MsDecompress
•  Cem Gurkok: Mac Rootkit and Bitcoin
•  Csaba Barta: Malware Analysis (Baselines)
•  Philip Huppert: OpenVPN
•  Wyatt Roersma: Hyper-V Tools
OMFW 2014
•  OMFW first held 2008
•  Highly technical venue for digital investigators
•  100% of the proceeds are donated to charity
•  What makes OMFW unique:
•  Workshop size
•  Technical content
•  Researchers and developers
•  Peer relationships
•  Cost
•  Lightning talks
•  8 Memory forensics presentations
OMFW Agenda 2014
13:00 The State of Volatility
13:30 Careto: Accomplishing in 7 Minutes What AV Couldn’t Do in 7 yrs
14:00 Restructuring Memory: Extracting Results in a Reusable Way
14:30 Science, Sharing, and Repeatability in Memory Forensics
15:00 Break
15:30 Many Ways to Skin a RAT: Let’s Start with the Tail
16:00 Memory Forensics for IR: Leveraging Volatility to Hunt Adv Actors
16:30 Memory Tracing: Forensic Reverse Engineering
17:00 DAMM: A Tool for Differential Analysis of Malware in Memory
17:30 Closing Comments/Reception
Volatility Unified Output
Careto: Memory vs. AV
http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
Memory Tracing
Volatility Training/Certification
•  Learn from the actual researchers and developers
•  Show your support for open source developers
•  Courses
•  Windows Memory Forensics & Malware Analysis
•  Memory Forensics Essentials
•  Mac Memory Forensics & Malware Analysis
•  Linux Memory Forensics & Malware Analysis
•  Certifications
•  Memory Forensics Examiner
•  Memory Forensics Professional (Win/Mac/Lin)
•  Information: www.memoryanalysis.net
Download Volatility 2.4
https://github.com/volatilityfoundation/volatility
http://volatility-labs.blogspot.com/
@volatility
Join the community!

More Related Content

PDF
Hunting for Credentials Dumping in Windows Environment
PDF
Forensics of a Windows System
PDF
Hunting Lateral Movement in Windows Infrastructure
PDF
Windows Threat Hunting
PPTX
Windows Forensic 101
PPTX
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
PPTX
Memory Forensics
PDF
PHDays 2018 Threat Hunting Hands-On Lab
Hunting for Credentials Dumping in Windows Environment
Forensics of a Windows System
Hunting Lateral Movement in Windows Infrastructure
Windows Threat Hunting
Windows Forensic 101
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics
PHDays 2018 Threat Hunting Hands-On Lab

What's hot (20)

PPTX
Memory forensics
ODT
Operating System Forensics
PPT
Intrusion Detection Systems and Intrusion Prevention Systems
PPT
Windowsforensics
PPTX
PowerShell for Practical Purple Teaming
PPTX
Windows registry forensics
PPTX
Memory forensics.pptx
PDF
Hunting for Privilege Escalation in Windows Environment
PPT
intrusion detection system (IDS)
PDF
MindMap - Forensics Windows Registry Cheat Sheet
PDF
Threat Hunting with Splunk Hands-on
PPT
Lecture2 Introduction to Digital Forensics.ppt
PPTX
Ethical Hacking n VAPT presentation by Suvrat jain
PDF
Ch 4: Footprinting and Social Engineering
PDF
A Threat Hunter Himself
PDF
Threat Hunting
PDF
CNIT 121: 8 Forensic Duplication
PPTX
Malware Static Analysis
PPTX
PPTX
Introduction to penetration testing
Memory forensics
Operating System Forensics
Intrusion Detection Systems and Intrusion Prevention Systems
Windowsforensics
PowerShell for Practical Purple Teaming
Windows registry forensics
Memory forensics.pptx
Hunting for Privilege Escalation in Windows Environment
intrusion detection system (IDS)
MindMap - Forensics Windows Registry Cheat Sheet
Threat Hunting with Splunk Hands-on
Lecture2 Introduction to Digital Forensics.ppt
Ethical Hacking n VAPT presentation by Suvrat jain
Ch 4: Footprinting and Social Engineering
A Threat Hunter Himself
Threat Hunting
CNIT 121: 8 Forensic Duplication
Malware Static Analysis
Introduction to penetration testing
Ad

Viewers also liked (20)

PDF
openioc_scan - IOC scanner for memory forensics
PPTX
Malware analysis using volatility
PDF
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
PPT
Memory Forensics
PDF
Windows Memory Forensic Analysis using EnCase
PDF
De-Anonymizing Live CDs through Physical Memory Analysis
PDF
Investigating Cooridinated Data Exfiltration
PDF
Linux Memory Analysis with Volatility
PDF
One-Byte Modification for Breaking Memory Forensic Analysis
PPTX
Windows forensic
PPTX
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
PPTX
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
PPTX
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
PPTX
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
PPTX
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
PDF
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
PDF
HITCON CTF 2016導覽
PDF
HITCON GIRLS Malware Analysis
PDF
CTF 經驗分享
PDF
HITCON GIRLS 成大講座 惡意程式分析(Turkey)
openioc_scan - IOC scanner for memory forensics
Malware analysis using volatility
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
Memory Forensics
Windows Memory Forensic Analysis using EnCase
De-Anonymizing Live CDs through Physical Memory Analysis
Investigating Cooridinated Data Exfiltration
Linux Memory Analysis with Volatility
One-Byte Modification for Breaking Memory Forensic Analysis
Windows forensic
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniques
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 1 - Detection and Removal of Malwares
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2
HITCON GIRLS: Android 滲透測試介紹 (Elven Liu)
HITCON CTF 2016導覽
HITCON GIRLS Malware Analysis
CTF 經驗分享
HITCON GIRLS 成大講座 惡意程式分析(Turkey)
Ad

Similar to Next Generation Memory Forensics (20)

PPTX
OpenTelemetry 101 FTW
PDF
StarlingX - A Platform for the Distributed Edge | Ildiko Vancsa
PDF
DevOps Unleashed: Strategies that Speed Deployments
PDF
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
PDF
Html5 Application Security
PPTX
FIWARE Wednesday Webinars - How to Debug IoT Agents
KEY
Phonegap 2.x
PDF
Microsoft power point automation-opensourcetestingtools_matrix-1
PDF
Microsoft power point automation-opensourcetestingtools_matrix-1
PPTX
BSIDES-PR Keynote Hunting for Bad Guys
PDF
How to debug IoT Agents
PDF
Metasploitation part-1 (murtuja)
PDF
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
PPTX
Make the Shift from Manual to Automation with Open Source
PPTX
Powering up on power shell avengercon - 2018
PDF
"In love with Open Source : Past, Present and Future" : Keynote OSDConf 2014
PDF
SOC-BlueTEam.pdf
PDF
100 Security Operation Center Tools.pdf
PDF
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
PDF
2012-03-15 What's New at Red Hat
OpenTelemetry 101 FTW
StarlingX - A Platform for the Distributed Edge | Ildiko Vancsa
DevOps Unleashed: Strategies that Speed Deployments
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
Html5 Application Security
FIWARE Wednesday Webinars - How to Debug IoT Agents
Phonegap 2.x
Microsoft power point automation-opensourcetestingtools_matrix-1
Microsoft power point automation-opensourcetestingtools_matrix-1
BSIDES-PR Keynote Hunting for Bad Guys
How to debug IoT Agents
Metasploitation part-1 (murtuja)
Zephyr Introduction - Nordic Webinar - Sept. 24.pdf
Make the Shift from Manual to Automation with Open Source
Powering up on power shell avengercon - 2018
"In love with Open Source : Past, Present and Future" : Keynote OSDConf 2014
SOC-BlueTEam.pdf
100 Security Operation Center Tools.pdf
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
2012-03-15 What's New at Red Hat

More from Andrew Case (9)

PDF
Proactive Measures to Defeat Insider Threat
PPTX
Unmasking Careto through Memory Forensics (video in description)
PPTX
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
PPTX
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
PDF
Hunting Mac Malware with Memory Forensics
PPTX
My Keynote from BSidesTampa 2015 (video in description)
PPT
Mac Memory Analysis with Volatility
PDF
Workshop - Linux Memory Analysis with Volatility
PDF
Memory Analysis of the Dalvik (Android) Virtual Machine
Proactive Measures to Defeat Insider Threat
Unmasking Careto through Memory Forensics (video in description)
OMFW 2012: Analyzing Linux Kernel Rootkits with Volatlity
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Hunting Mac Malware with Memory Forensics
My Keynote from BSidesTampa 2015 (video in description)
Mac Memory Analysis with Volatility
Workshop - Linux Memory Analysis with Volatility
Memory Analysis of the Dalvik (Android) Virtual Machine

Recently uploaded (20)

PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
KodekX | Application Modernization Development
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
MIND Revenue Release Quarter 2 2025 Press Release
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Chapter 3 Spatial Domain Image Processing.pdf
PPTX
Cloud computing and distributed systems.
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PPTX
Big Data Technologies - Introduction.pptx
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
Spectral efficient network and resource selection model in 5G networks
Network Security Unit 5.pdf for BCA BBA.
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Encapsulation_ Review paper, used for researhc scholars
Agricultural_Statistics_at_a_Glance_2022_0.pdf
“AI and Expert System Decision Support & Business Intelligence Systems”
KodekX | Application Modernization Development
Mobile App Security Testing_ A Comprehensive Guide.pdf
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
MIND Revenue Release Quarter 2 2025 Press Release
MYSQL Presentation for SQL database connectivity
Chapter 3 Spatial Domain Image Processing.pdf
Cloud computing and distributed systems.
Reach Out and Touch Someone: Haptics and Empathic Computing
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Big Data Technologies - Introduction.pptx
Understanding_Digital_Forensics_Presentation.pptx
Spectral efficient network and resource selection model in 5G networks

Next Generation Memory Forensics

  • 1. EMPOWERING INVESTIGATORS THE VOLATILITY FOUNDATION Next Generation Memory Forensics Volatility Developers November 5, 2014
  • 2. © 2014 The Volatility Foundation Volatility Development Team •  Core Developers: •  Mike Auty (ikelos) •  Andrew Case (attc) •  Brendan Dolan-Gavitt (moyix) •  Michael Hale Ligh (MHL) •  Jamie Levy (gleeda) •  AAron Walters (labarum) •  The Volatility Community (OOV) •  Numerous research collaborators/testing/bugs •  Academia, government, industry •  Mailing lists, blogs, irc (#volatility) •  Moved: https://github.com/volatilityfoundation/volatility •  @volatility 2 Thank You!
  • 3. © 2014 The Volatility Foundation Volatility Foundation •  Volatility development is supported by an independent foundation •  US 501(c)(3) Nonprofit •  The Volatility Foundation was established: •  to support the development of Volatility •  to promote the use of Volatility and memory analysis in the forensics community •  to protect the intellectual property and the framework's long-term viability •  to advance the state of the art in memory analysis research. •  But….development driven by Volatility community 3
  • 4. © 2014 The Volatility Foundation Opaque Systems/Enterprise •  Opaque components of information infrastructure •  Can your systems be trusted? (patches, malware)
  • 5. © 2014 The Volatility Foundation5 Adversaries Challenges •  Adversaries Challenges •  They want to remain undetected (stealthy) •  They want to execute a mission •  They rely on components of the operating system •  Consume system resources •  Memory (stack, heap, pool) •  Objects (thread, process, mutex, driver) •  Modify control flow (execution) of the system •  Hide the allocated resources •  Perform mission
  • 6. © 2014 The Volatility Foundation What is Memory Forensics? •  Memory forensics is the process of acquiring and analyzing physical memory (RAM) in order to find artifacts and evidence •  Analysis does not depend on OS (trust) •  Unconstrained analysis (entire state of OS/historical) •  Removes the active adversary •  Usually performed in conjunction with disk and network forensics (memory only artifacts) •  Rapid triage/analysis leads (sandbox)
  • 7. © 2014 The Volatility Foundation Next Generation Analysis 7 Physical Memory Analysis Operating System Analysis Application Analysis Physical Address Space Kernel Address Spaces Application Address Spaces User Address Spaces Swap Context Virtual Memory Analysis (Hardware) Virtual Address Spaces
  • 8. © 2014 The Volatility Foundation8 Volatility Framework •  Volatile memory artifact extraction utility framework •  Completely open source (GPLv2/Python) •  Cross platform (Python) •  Single, cohesive analysis framework •  Windows, Mac, Linux, Android, … •  Command-line tools/scriptable •  Modular architecture •  Unparalleled features! •  Active Community •  Industry, academics, government, law enforcement
  • 9. © 2014 The Volatility Foundation9 Volatility 2.4: AMF
  • 10. © 2014 The Volatility Foundation Volatility 2.4: Highlights •  Released: August 2014 at Black Hat Arsenal •  Address Spaces (3 new AS/17) •  QEMU virtual machine memory samples •  “split” VMware files (vmem, vmss, vmsn) •  Windows BitMap crash dumps (Windows 8/2012) •  Mac OSX (30 new plugins/62) •  Mavericks through 10.9.4 •  Mac string translation •  Adium message (OTR)/Contact records/Notes artifacts •  Apple Keychain encryption keys/clear-text PGP emails •  API hooks in kernel and process memory •  IP and socket filters •  Suspicious process mappings (injected code) •  Hidden kernel extensions (extraction) •  Recovered files cached in memory 10
  • 11. © 2014 The Volatility Foundation Application Artifacts 11
  • 12. © 2014 The Volatility Foundation Volatility 2.4: Highlights •  Linux/Android (24 new plugins/66) •  Linux kernels through 3.16 •  Linux string translation •  API hooks (kernel/userland) •  GOT/PLT overwrites •  Hollowed executables •  Suspicious process mappings (injected code) •  Library listing using the loader’s data structures •  Extract process ELF executables and libraries •  Network interfaces in promiscuous mode •  Processes that are using raw sockets •  Hidden kernel modules •  Netfilter hooks •  Cached TrueCrypt passphrases 12
  • 13. © 2014 The Volatility Foundation Volatility 2.4: Highlights •  Windows (14 new plugins/108) •  Windows 8/2012 support •  TrueCrypt plugins (summary, cached pass, master keys) •  Apihooks (64-bit/JMP FAR) •  hashdump, cachedump, and lsadump (x64/Win8/2012) •  callbacks and timers (64-bit) •  mftparser (ADS, extract MFT resident blocks) •  Single pass executive object scanning •  verinfo plugin (PE version info) •  auditpol plugin (audit policies) •  cmdline plugin (process command line arguments) •  pooltracker plugin (kernel pool tag statistics) •  bigpools plugin (big page pool allocations) •  Notepad plugin (application heap) •  svcscan enumerates service start type 13
  • 14. © 2014 The Volatility Foundation TrueCrypt 14 Hidden Data Host Disk Passphrase unlocks the header C:UsersMikeDocumentslease.pdf RAM Un-encrypted Encrypted Master keys Cached file(s) Decrypted Cached password
  • 15. © 2014 The Volatility Foundation Notepad’s Heap 15
  • 16. © 2014 The Volatility Foundation Volatility 2.4: Resources •  Official Volatility Memory Analysis Cheat Sheet •  Windows, Linux, Mac OS X •  RTFM-style insert for Windows •  http://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf •  Volatility demo videos •  Defeating Truecrypt Disk Encryption •  Reverse Engineering Rootkits •  Tracking Mac OS X Activity •  https://www.youtube.com/channel/UC3AsZ6DGlqZIaPkxF6tXgAA 16
  • 17. © 2014 The Volatility Foundation Volatility Roadmap •  Volatility 2.5 (November 2014) •  Bug fixes •  Unified plugin output format •  Volatility 3.0 (2015) •  “Big Changes”: Refactor/Cleanup/API •  Unicode improvement/Python 3.0 •  *Performance* 17
  • 18. © 2014 The Volatility Foundation compressor( …" compressor_object (global)"" c_segments"" compressed"pages" c_buffer! c_slots! compressor_pager (per"vm_map_entry"object)"" cpgr_slots! virtual(address(of(page( virtual(address( to(slot(mapping( c_size
 c_offset! Compressed RAM/Swap 18
  • 19. © 2014 The Volatility Foundation Social Media Artifacts 19
  • 20. © 2014 The Volatility Foundation Dalvik Inspector 20 http://www.504ensics.com/blog/
  • 21. © 2014 The Volatility Foundation 2nd Volatility Plugin Contest •  (Inspired by the Hex-Rays IDA plugin contest) •  Create an innovative and useful extension to Volatility and win the contest! •  Facebook doubled the prize money! •  Prizes awarded for top 5 submissions: •  1: $2500, 2: $1250, 3: $750, 4-5: Volatility swag •  Core development team judges •  creativity, usefulness, effort, completeness, submission date, and clarity of documentation. •  12 submissions worldwide (>30 new plugins!) •  Trend: Application analysis/context 21
  • 22. © 2014 The Volatility Foundation 1st Place: Dave Lasalle •  Dave submitted 14 plugins (“Forensic Suite”) •  Recovering Firefox and Chrome artifacts •  Firefox (3 plugins) •  History, cookies, downloads •  Chrome (6 plugins) •  History, cookies, downloads, visits, search terms •  Java IDX files: Download history of Java archives •  Office TrustRecords : Office files from untrusted src •  Fuzzy hashing to whitelist injected code/API hooks •  ssdeepscan, malfinddeep, apihooksdeep 22
  • 23. © 2014 The Volatility Foundation Chrome History $ python vol.py –f voltest.dmp chromehistory --output=csv > output.csv
  • 24. © 2014 The Volatility Foundation IDX Parser $ python vol.py –f voltest.dmp idxparser [*] Section 2 (Download History) found: URL: http://javagameplay.com/offroadrally/inthejar.jar IP: 209.188.88.156 <null>: HTTP/1.1 200 OK content-length: 61699 last-modified: Fri, 10 Oct 2008 20:25:10 GMT content-type: text/plain date: Sat, 30 Aug 2014 19:53:56 GMT server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 deploy-request-content-type: application/x-java-archive
  • 25. © 2014 The Volatility Foundation apihooksdeep •  Create the whitelist: $ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss -- profile=WinXPSP2x86 vaddump -p 860 -b 0x71590000 -D dumps [snip] 860 iexplore.exe 0x71590000 0x71608fff dumps/iexplore.exe. 24296b8.0x71590000-0x71608fff.dmp $ python hash_by_page.py -n AcLayers.DLL -f dumps/iexplore.exe. 24296b8.0x71590000-0x71608fff.dmp ('AcLayers.DLL', '6:idqLvVg3F+X32xbQ7esfGkxNPWgwh9lorlcIfMfEtj/ lkwSM0E/mh6l+tgdwL:eqGSGfP0FWgO9arlcIrUpEec1w'), ('AcLayers.DLL', '96:1SxccXfBWrvZnxbZ3IX26dZC6FsEzSVr6y616GpIHoib8u:uvBWrpxbxGpW Ecr3UTpIHPb8u'), [snip]
  • 26. © 2014 The Volatility Foundation apihooksdeep •  Now those hooks are not shown: $ vol.py -f D5XLBY3J-bf977e52_lookIE_pid_860.vmss -- profile=WinXPSP2x86 apihooksdeep -p 860 Process: 860 (iexplore.exe) Hook at 0x715b9e59 in page 0x715b9000 is 100% similar to whitelist hook AcLayers.DLL Process: 860 (iexplore.exe) Hook at 0x715ba067 in page 0x715ba000 is 100% similar to whitelist hook AcLayers.DLL
2nd Place: dm_dump
•  Submitted by Curtis Carmony
•  dm-crypt is used on Linux and Android for FDE
•  Keying material in physical memory (RAM)
•  dm_dump plugin recovers dm-crypt keys from memory and prints commands that can be copy/pasted to mount the volumes
•  Will be incorporated into core Volatility soon

dm_dump
$ python vol.py linux_dm_dump --profile=Linux3_11_0-15-generic-i686x86 --dm_profile=3.11.0-15-generic-i686-dm.dwarf -f 3.11.0-15-generic-i686.elf
Volatility Foundation Volatility Framework 2.4
sda5_crypt: 0 16269312 crypt aes-xts-plain64 c2ca0a6a52980952016936047ab46fba961397978fbf3219ca39fcfdce3b46e2b6348daa09d093351113288c8258bc6bd3c3d57afab2d6bc3cac7cfde436939b 0 /dev/sda5 4096
ubuntu--vg-swap_1: 0 1040384 linear /dev/dm-0 15163776
ubuntu--vg-root: 0 15163392 linear /dev/dm-0 384
$ dmsetup create volatility --table "0 16269312 crypt aes-xts-plain64 c2ca0a6a52980952016936047ab46fba961397978fbf3219ca39fcfdce3b46e2b6348daa09d093351113288c8258bc6bd3c3d57afab2d6bc3cac7cfde436939b 0 /dev/sda5 4096"

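An added example, not part of dm_dump or Volatility: a parser for the table lines the plugin prints (the three lines above are used as the input) that checks a recovered crypt key before it is handed to dmsetup and emits the mapping commands read-only. The key-size rules are those of dm-crypt's AES ciphers (XTS needs two AES keys, so 32 or 64 bytes; CBC and friends take 16, 24 or 32) and --readonly is a standard dmsetup flag; the function names are mine.

```python
"""Validate dm_dump output and turn it into read-only dmsetup commands."""
import re
from typing import Dict, List, Optional, Set

# The dm_dump output from the slide, one "<name>: <table line>" per device.
DM_DUMP_OUTPUT = """\
sda5_crypt: 0 16269312 crypt aes-xts-plain64 c2ca0a6a52980952016936047ab46fba961397978fbf3219ca39fcfdce3b46e2b6348daa09d093351113288c8258bc6bd3c3d57afab2d6bc3cac7cfde436939b 0 /dev/sda5 4096
ubuntu--vg-swap_1: 0 1040384 linear /dev/dm-0 15163776
ubuntu--vg-root: 0 15163392 linear /dev/dm-0 384
"""

HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_dm_table_line(line: str) -> Optional[Dict[str, object]]:
    """'name: start length target args...' -> dict, or None for non-table lines."""
    name, sep, table = line.strip().partition(": ")
    if not sep:
        return None
    parts = table.split()
    if len(parts) < 3 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    entry: Dict[str, object] = {"name": name, "start": int(parts[0]),
                                "length": int(parts[1]), "target": parts[2],
                                "table": table}
    if entry["target"] == "crypt":
        # crypt target: <cipher> <key> <iv_offset> <device> <offset> [...]
        if len(parts) < 8:
            raise ValueError(f"malformed crypt table for {name}: {table}")
        entry.update(cipher=parts[3], key=parts[4], iv_offset=int(parts[5]),
                     device=parts[6], offset=int(parts[7]))
    elif entry["target"] == "linear":
        # linear target: <device> <offset>
        if len(parts) < 5:
            raise ValueError(f"malformed linear table for {name}: {table}")
        entry.update(device=parts[3], offset=int(parts[4]))
    return entry


def expected_key_bytes(cipher: str) -> Optional[Set[int]]:
    """Valid key sizes in bytes for a dm-crypt cipher spec such as aes-xts-plain64."""
    algo, _, rest = cipher.partition("-")
    mode = rest.split("-")[0]
    if algo != "aes":
        return None                      # unknown algorithm: skip the size check
    return {32, 64} if mode == "xts" else {16, 24, 32}


def check_key(entry: Dict[str, object]) -> List[str]:
    """Problems an examiner wants to know about before trusting a recovered key."""
    problems: List[str] = []
    key = str(entry["key"])
    if not HEX.match(key) or len(key) % 2:
        return ["key is not an even-length hex string"]
    key_bytes = len(key) // 2
    sizes = expected_key_bytes(str(entry["cipher"]))
    if sizes is not None and key_bytes not in sizes:
        problems.append(f"{key_bytes}-byte key is not valid for {entry['cipher']} "
                        f"(expected one of {sorted(sizes)})")
    if len(set(key.lower())) <= 2:
        problems.append("key is degenerate (e.g. zeroed); probably wiped or misparsed")
    return problems


def dmsetup_commands(output: str, read_only: bool = True) -> List[str]:
    """Commands to recreate each mapping; read-only by default so evidence is not written."""
    cmds: List[str] = []
    for line in output.splitlines():
        entry = parse_dm_table_line(line)
        if entry is None:
            continue
        if entry["target"] == "crypt":
            problems = check_key(entry)
            if problems:
                cmds.append(f"# skipped {entry['name']}: " + "; ".join(problems))
                continue
        flag = " --readonly" if read_only else ""
        cmds.append(f'dmsetup create {entry["name"]}{flag} --table "{entry["table"]}"')
    return cmds


if __name__ == "__main__":
    for cmd in dmsetup_commands(DM_DUMP_OUTPUT):
        print(cmd)
```

The 128 hex digits in the slide's table are a 64-byte key, which is exactly what aes-xts-plain64 expects, so the crypt line passes the check. The device paths are those of the imaged machine: on an examiner's workstation, attach the disk image with losetup first and put the loop device in the table in place of /dev/sda5; the linear mappings for the LVM volumes then refer to the crypt device just created.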
3rd Place: editbox
•  Written by Adam Bridge (“Bridgey The Geek”)
•  This plugin extracts text from the edit, combo, and list boxes of GUI applications that run on Windows
•  Includes, but is not limited to:
•  Notepad window
•  Run dialog
•  Username and server name fields of Remote Desktop Connection
•  Address bar and search bar of Internet Explorer
•  Search bar of Windows Media Player
•  Username field of Create New Account wizard
•  Password of Change Password dialog

editbox

editbox
$ python vol.py --profile=Win7SP1x64 -f WIN7SP1X64-20140929-225403.raw editbox
Volatility Foundation Volatility Framework 2.4
*******************************************************
Wnd context : 1WinSta0Default
pid : 2244
imageFileName : mstsc.exe
wow64 : No
atom_class : 6.0.7601.17514!Edit
[snip]
isPwdControl : No
deepthought.h2g2.com
*******************************************************
Wnd context : 1WinSta0Default
pid : 1748
imageFileName : explorer.exe
wow64 : No
atom_class : 6.0.7601.17514!Edit
[snip]
isPwdControl : Yes
pwdChar : 0x25cf
monkey

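An added example, not code from the editbox plugin: a parser for the record format above that turns each starred block into a dict and masks the contents of password controls with the plugin's own pwdChar, so a report can show that a password field was recovered, and how long it was, without reproducing it. The sample is assembled from the fields visible on the slide with the snipped fields left out; the field names are the plugin's, the helper names are mine.

```python
"""Parse Volatility editbox output and mask recovered password-control text."""
import re
from typing import Dict, List

# Constructed from the two records on the slide (the "[snip]" fields omitted).
SAMPLE_OUTPUT = """\
Volatility Foundation Volatility Framework 2.4
*******************************************************
Wnd context : 1WinSta0Default
pid : 2244
imageFileName : mstsc.exe
wow64 : No
atom_class : 6.0.7601.17514!Edit
isPwdControl : No
deepthought.h2g2.com
*******************************************************
Wnd context : 1WinSta0Default
pid : 1748
imageFileName : explorer.exe
wow64 : No
atom_class : 6.0.7601.17514!Edit
isPwdControl : Yes
pwdChar : 0x25cf
monkey
"""

SEPARATOR = re.compile(r"^\*{10,}$")
# The plugin prints header fields as "name : value"; the control's text follows them.
FIELD = re.compile(r"^([A-Za-z_][\w ]*?) : (.*)$")


def parse_editbox(output: str) -> List[Dict[str, str]]:
    """One dict per record; the control's (possibly multi-line) text is under 'text'."""
    records: List[Dict[str, str]] = []
    fields: Dict[str, str] = {}
    text: List[str] = []
    in_record = False
    for raw in output.splitlines():
        line = raw.rstrip()
        if SEPARATOR.match(line.strip()):
            if in_record:
                records.append({**fields, "text": "\n".join(text)})
            fields, text, in_record = {}, [], True
            continue
        if not in_record:
            continue                      # banner before the first record
        m = FIELD.match(line)
        if m and not text:
            fields[m.group(1)] = m.group(2)   # header field
        elif line or text:
            text.append(line)             # everything after the header is control text
    if in_record:
        records.append({**fields, "text": "\n".join(text)})
    return records


def redact_passwords(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Replace the text of password controls with the mask character the control used."""
    out = []
    for rec in records:
        rec = dict(rec)
        if rec.get("isPwdControl") == "Yes":
            mask = chr(int(rec.get("pwdChar", "0x2a"), 16))   # default '*' if absent
            rec["text"] = mask * len(rec["text"])
        out.append(rec)
    return out


def summarize(records: List[Dict[str, str]]) -> List[str]:
    """Report lines: pid, image and control text, with password text already masked."""
    return [f"{r.get('pid', '?'):>5} {r.get('imageFileName', '?'):<16} {r.get('atom_class', '?')}: {r['text']}"
            for r in redact_passwords(records)]


if __name__ == "__main__":
    for line in summarize(parse_editbox(SAMPLE_OUTPUT)):
        print(line)
```

The pwdChar value 0x25cf is U+25CF, the black circle Windows draws in password boxes, so the masked report line for explorer.exe shows six of them in place of "monkey". Keep the unredacted records in the case file and print only the summary; the recovered credential is evidence, not something that belongs in a shared report.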
screenshot + editbox

screenshot + editbox

Volatility 2014 Plugin Contest
•  4th Place:
•  Thomas Chopitea: Autoruns – Finding persistence
•  5th Place:
•  Takahiro Haruyama: OpenIOC Scan
•  Submissions:
•  Monnappa KA: Gh0stRat Decryption
•  Jamaal Speights: MsDecompress
•  Cem Gurkok: Mac Rootkit and Bitcoin
•  Csaba Barta: Malware Analysis (Baselines)
•  Philip Huppert: OpenVPN
•  Wyatt Roersma: Hyper-V Tools
34

OMFW 2014
•  OMFW first held 2008
•  Highly technical venue for digital investigators
•  100% of the proceeds are donated to charity
•  What makes OMFW unique:
•  Workshop size
•  Technical content
•  Researchers and developers
•  Peer relationships
•  Cost
•  Lightning talks
•  8 Memory forensics presentations
35

OMFW Agenda 2014
13:00 The State of Volatility
13:30 Careto: Accomplishing in 7 Minutes What AV Couldn’t Do in 7 yrs
14:00 Restructuring Memory: Extracting Results in a Reusable Way
14:30 Science, Sharing, and Repeatability in Memory Forensics
15:00 Break
15:30 Many Ways to Skin a RAT: Let’s Start with the Tail
16:00 Memory Forensics for IR: Leveraging Volatility to Hunt Adv Actors
16:30 Memory Tracing: Forensic Reverse Engineering
17:00 DAMM: A Tool for Differential Analysis of Malware in Memory
17:30 Closing Comments/Reception
36

Volatility Unified Output

Careto: Memory vs. AV
http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf

Memory Tracing

Volatility Training/Certification
•  Learn from the actual researchers and developers
•  Show your support for open source developers
•  Courses
•  Windows Memory Forensics & Malware Analysis
•  Memory Forensics Essentials
•  Mac Memory Forensics & Malware Analysis
•  Linux Memory Forensics & Malware Analysis
•  Certifications
•  Memory Forensics Examiner
•  Memory Forensics Professional (Win/Mac/Lin)
•  Information: www.memoryanalysis.net
40

Download Volatility 2.4
https://github.com/volatilityfoundation/volatility
http://volatility-labs.blogspot.com/
@volatility
Join the community!
41