CHAD TILBURY - SANS (slide transcript)
CHAD TILBURY
• Former: Special Agent with US Air Force Office of Special Investigations
• Current: Incident Response and Computer Forensics Consultant
• Over 12 years in the trenches
• SANS Digital Forensics and Incident Response Instructor & Author
[email protected]
http://ForensicMethods.com
@chadtilbury
The Year of Memory Forensics?
64 bit support
Volatile Registry Analysis
Memory Timelining
Mac OS X Analysis
Linux Analysis
Live Memory Analysis
Whitelisting
Old School vs. New School
Mac and Linux Memory Forensics
Mac Memory Reader
• Runs on Mac OS X 10.4-10.8, PowerPC, Intel, x86, x64
• Generates a Mach-O file or raw dump of memory (-P)
• Optional image hashing (-H)
• Load kernel extension to fake /dev/mem only (-k)
• Simple and effective!
“There are currently very few tools to analyze physical memory dumps from Mac OS X machines. Hex editors, string extraction tools, search tools, and file carvers are all useful for extracting data.”
-Mac Memory Reader help file
Mac Memoryze
• Dump memory
  • sudo macmemoryze dump -f mem.dmp
• Analysis (just the basics):
  • proclist
  • proclist -w (similar to lsof)
  • proclist -c (carve for processes)
  • kextlist
  • kextlist -c (carve for kernel extensions)
  • Enumerate System Call Table and Mach Trap Table
• Live analysis capable (do not include the -f option)
Mac Memoryze Proclist
Volatility + Mac =
System Information
• mac_print_boot_cmdline
• mac_dmesg
• mac_version
• mac_vfs_events
• mac_machine_info
• mac_mount
• mac_list_sessions
• mac_list_zones
• mac_ls_logins
• mac_volshell
Process / Module Information
• mac_pslist
• mac_pstree
• mac_proc_maps
• mac_psaux
• mac_lsmod
• mac_lsof
• mac_dead_procs
• mac_pgrp_hash_table
• mac_pid_hash_table
• mac_dump_maps
• mac_tasks
Networking
• mac_ifconfig
• mac_netstat
• mac_route
• mac_arp
Malware
• mac_trustedbsd
• mac_check_syscalls
• mac_check_sysctl
• mac_check_trap_table
• mac_psxview
• mac_yarascan
• mac_notifiers
• mac_ip_filters
https://code.google.com/p/volatility/wiki/MacMemoryForensics
Volatility + Mac
Linux Memory Acquisition
• Old School:
  • dd if=/dev/kmem
  • Fmem kernel module
  • Redhat Crash Dump Utilities
• New School:
  • LiME (Linux Memory Extractor): http://code.google.com/p/lime-forensics/
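The "new school" acquisition above produces a dump whose layout is nothing like a flat dd image: LiME writes one 32-byte range header (magic, version, inclusive start and end physical address, reserved bytes) followed by the raw bytes of each "System RAM" region it finds in /proc/iomem, and the holes between regions are simply not in the file. The following is an added example, not part of the deck and not LiME's or Volatility's own code: a parser that walks those headers, validates a dump against the usual failure mode (an acquisition cut off mid-range), and translates physical addresses to file offsets without reading across a range boundary. The two-range image it builds is constructed for the example; the header layout it assumes is the one from LiME's lime.h.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# LiME range header, as laid out in the LiME source (lime.h):
#   u32 magic = 0x4C694D45 ("EMiL" read as little-endian bytes), u32 version = 1,
#   u64 s_addr, u64 e_addr (inclusive), u8 reserved[8]
# The 32-byte packed header is followed directly by the range's bytes.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")


@dataclass
class LimeRange:
    start: int        # first physical address in the range
    end: int          # last physical address in the range (inclusive)
    data_offset: int  # file offset of the first byte of the range's contents

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_lime(image: bytes) -> List[LimeRange]:
    """Walk every range header in a LiME dump, validating as we go.

    Raises ValueError on a bad magic, an unsupported version, an inverted
    range, or a header that claims more bytes than the file holds (the usual
    symptom of an acquisition that was interrupted mid-write).
    """
    ranges: List[LimeRange] = []
    off = 0
    while off < len(image):
        if off + LIME_HEADER.size > len(image):
            raise ValueError(f"truncated range header at offset {off}")
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad LiME magic 0x{magic:08x} at offset {off}")
        if version != 1:
            raise ValueError(f"unsupported LiME header version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end 0x{e_addr:x} precedes start 0x{s_addr:x}")
        data_off = off + LIME_HEADER.size
        size = e_addr - s_addr + 1
        if data_off + size > len(image):
            raise ValueError(f"range at offset {off} runs past end of file")
        ranges.append(LimeRange(s_addr, e_addr, data_off))
        off = data_off + size
    return ranges


def phys_to_file_offset(ranges: List[LimeRange], paddr: int) -> Optional[int]:
    """Translate a physical address to its offset in the dump file.

    Returns None if the address falls in a hole: LiME only captures the
    "System RAM" resources, so MMIO and reserved regions are absent from the
    file rather than zero-filled.
    """
    for r in ranges:
        if r.start <= paddr <= r.end:
            return r.data_offset + (paddr - r.start)
    return None


def read_phys(image: bytes, ranges: List[LimeRange], paddr: int, length: int) -> Optional[bytes]:
    """Read `length` bytes of physical memory, refusing to straddle a range.

    A naive image[offset:offset + length] would silently hand back the next
    range's 32-byte header as if it were memory contents.
    """
    for r in ranges:
        if r.start <= paddr <= r.end:
            if paddr + length - 1 > r.end:
                return None  # request crosses the end of this range
            off = r.data_offset + (paddr - r.start)
            return image[off:off + length]
    return None


def build_sample_image() -> bytes:
    """Constructed two-range LiME image for this example (not a real acquisition)."""
    def rng(start: int, end: int, fill: int) -> bytes:
        header = LIME_HEADER.pack(LIME_MAGIC, 1, start, end, b"\x00" * 8)
        return header + bytes([fill]) * (end - start + 1)
    # RAM at 0x1000-0x1FFF, then a hole, then RAM at 0x100000-0x1003FF
    return rng(0x1000, 0x1FFF, 0x41) + rng(0x100000, 0x1003FF, 0x42)


if __name__ == "__main__":
    img = build_sample_image()
    for r in parse_lime(img):
        print(f"range 0x{r.start:x}-0x{r.end:x} ({r.size} bytes) at file offset 0x{r.data_offset:x}")
```

Run it against a real dump by replacing build_sample_image() with the file's bytes; a ValueError from parse_lime is the first thing to check before blaming an analysis tool for "no profile found" style failures.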
Volatility + Linux =
System Information
• linux_dmesg
• linux_bash
• linux_cpuinfo
• linux_dentry_cache
• linux_tmpfs
• linux_find_file
• linux_memmap
• linux_mount
• linux_mount_cache
• linux_slabinfo
• linux_iomem
• linux_vma_cache
• linux_volshell
Process / Module Info
• linux_proc_maps
• linux_dump_map
• linux_psaux
• linux_pslist
• linux_pslist_cache
• linux_pstree
• linux_psxview
• linux_pidhashtable
• linux_lsmod
• linux_moddump
• linux_lsof
Malware
• linux_yarascan
• linux_check_syscall
• linux_check_idt
• linux_check_afinfo
• linux_check_creds
• linux_check_evt_arm
• linux_check_fop
• linux_check_tty
• linux_check_modules
• linux_keyboard_notifier
Networking
• linux_arp
• linux_ifconfig
• linux_netstat
• linux_route_cache
• linux_pkt_queues
• linux_sk_buff_cache
https://code.google.com/p/volatility/wiki/LinuxMemoryForensics
linux_yarascan
linux_bash
Memory Timelining
What is Timeliner?
• Set of Volatility plugins to collect time information from memory artifacts
• Many memory artifacts have embedded timestamps:
  • Processes
  • Threads
  • Portable Executable Files
  • Process EXEs, DLLs, and Drivers
  • Network Sockets
  • Registry Keys
  • Event Logs
• Timeliner consolidates artifacts into a delimited file that can be easily converted to a timeline
  • Volatility 2.3 now capable of body file format!
  • David Nides submitted recent patch for Log2Timeline format
Memory Timelining: timeliner
Purpose
• Timeliner collects timestamps from memory artifacts and outputs them in a timeline format
Important Parameters
• Send output to a delimited file (--output-file=file_name) v2.1
• Create output in body file format (--output=body) v2.3
• Log2Timeline output format (pending) v2.4??
Investigative Notes
• Compatible with XP and Win7: automatically adjusts helper plugins
• Output can be voluminous; best practice is to use "--output-file"
• The output is not currently compatible with other timeline formats
• Timeliner can take hours to run – be patient!
• The "-h" help information currently lists many incorrect options
Example Output: Timeliner Processes
Columns (in order):
1. Creation Time
2. Artifact Type (PROCESS)
3. Process Name
4. Process ID
5. Parent Process ID
6. Exit Time
7. EPROCESS Offset
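The deck says the delimited output "can be easily converted to a timeline" and that 2.3 added body-file output; the conversion is worth seeing once, because the body format is what mactime (and anything else that reads TSK 3.x body files) actually sorts. The following is an added example written for this page, not Volatility's timeliner code: it parses PROCESS records laid out as in the seven-column table above, emits body-file lines (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times as Unix epoch), and sorts them into a timeline. The three sample records are constructed, and the "[PROCESS] name PID: ... PPID: ... POffset: ..." description string plus the separate "[PROCESS EXIT]" event are this example's convention, not a claim about Volatility's exact strings.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Volatility-style UTC timestamp, e.g. "2013-05-20 14:32:11 UTC+0000"
TS_FORMAT = "%Y-%m-%d %H:%M:%S UTC+0000"


def to_epoch(ts: str) -> int:
    """Convert a Volatility UTC timestamp string to Unix epoch seconds."""
    return int(datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc).timestamp())


@dataclass
class ProcessRecord:
    created: str
    name: str
    pid: int
    ppid: int
    exited: Optional[str]   # None while the process is still running
    offset: int             # EPROCESS physical offset


def parse_process_line(line: str) -> ProcessRecord:
    """Parse one pipe-delimited PROCESS record in the seven-column layout."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 7:
        raise ValueError(f"expected 7 columns, got {len(fields)}: {line!r}")
    created, kind, name, pid, ppid, exited, offset = fields
    if kind != "PROCESS":
        raise ValueError(f"not a PROCESS record: {kind}")
    return ProcessRecord(created, name, int(pid), int(ppid), exited or None, int(offset, 16))


def to_body(rec: ProcessRecord) -> List[str]:
    """Emit TSK 3.x body-file lines for a process.

    One line for creation with all four time slots set to the creation time,
    plus a "[PROCESS EXIT]" line when an exit time exists, so both events
    land in the sorted timeline (this example's convention).
    """
    def body_line(label: str, ts: str) -> str:
        t = to_epoch(ts)
        desc = f"{label} {rec.name} PID: {rec.pid} PPID: {rec.ppid} POffset: 0x{rec.offset:08x}"
        return f"0|{desc}|0|---------------|0|0|0|{t}|{t}|{t}|{t}"

    lines = [body_line("[PROCESS]", rec.created)]
    if rec.exited:
        lines.append(body_line("[PROCESS EXIT]", rec.exited))
    return lines


def build_timeline(body_lines: List[str]) -> List[Tuple[int, str]]:
    """Sort body lines by time, as mactime does; returns (epoch, description).

    Uses the mtime slot (field index 8); the lines produced above carry the
    same value in all four slots, so the choice does not matter here.
    """
    events = []
    for line in body_lines:
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"malformed body line: {line!r}")
        events.append((int(f[8]), f[1]))
    return sorted(events)


# Constructed sample records in the seven-column layout (not real tool output).
SAMPLE_TIMELINER = """\
2013-05-20 14:32:11 UTC+0000|PROCESS|explorer.exe|1484|1412||0x8a1b2c30
2013-05-20 14:35:02 UTC+0000|PROCESS|cmd.exe|2248|1484|2013-05-20 14:40:59 UTC+0000|0x8a0f1da8
2013-05-20 14:33:47 UTC+0000|PROCESS|svchost.exe|992|648||0x8a2d7020
"""


def timeline_from_timeliner(text: str) -> List[Tuple[int, str]]:
    """Delimited timeliner text -> body lines -> time-sorted events."""
    body: List[str] = []
    for line in text.splitlines():
        if line.strip():
            body.extend(to_body(parse_process_line(line)))
    return build_timeline(body)


if __name__ == "__main__":
    for t, desc in timeline_from_timeliner(SAMPLE_TIMELINER):
        print(datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"), desc)
```

Note that the sorted output interleaves cmd.exe's exit with the other creations; that is the whole point of going to body format, since the raw delimited file is ordered by artifact type, not by time.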
Timeliner Example
Redline Time Wrinkles™
Live Response & Live Memory Analysis
Old School Batch Scripts
Mandiant Redline “Collector”
Redline Portable Collector
Live Memory Analysis: Who Cares?
• Digital Signature Checks
  • Digital signatures stripped when loaded into memory
  • Verification done using file certificates stored on-disk
• MD5 Whitelisting
  • MD5 hashes of on-disk copies of memory mapped files
  • Must have access to file system
• MemD5 Whitelisting
  • Hashing of in-memory copy of binaries
  • Requires access to Page File
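The first bullet is the reason live (or disk-backed) analysis matters for whitelisting: an Authenticode signature lives in the PE's Attribute Certificate Table, whose data-directory entry holds a file offset rather than an RVA and which sits outside every section, so the loader never maps it and a memory-only tool has nothing to verify. The following is an added example, not code from the deck, Redline or Volatility: it builds a small PE32+ image with a certificate blob appended after the last section, then parses the headers the way a loader would and reports that the certificate falls outside every mapped file range, while reading the WIN_CERTIFICATE header from the on-disk bytes as a verifier would. The sample PE and its placeholder DER bytes are constructed; the header offsets are those of the PE/COFF specification.

```python
import struct
from typing import Dict, List, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Attribute Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # Authenticode PKCS#7 SignedData


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ (not a real binary): 0x400 bytes of headers, one
    .text section of 0x200 raw bytes at file offset 0x400, and a WIN_CERTIFICATE
    appended at 0x600, outside every section."""
    placeholder_der = b"\x30\x82\x00\x00" + b"\x00" * 12   # stands in for the PKCS#7 blob
    win_cert = struct.pack("<IHH", 8 + len(placeholder_der), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + placeholder_der
    cert_off = 0x600

    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\x00")  # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)   # x64, 1 section, 240-byte opt hdr
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0,                # PE32+ magic, linker version
                      0x200, 0, 0,                 # SizeOfCode, init/uninit data sizes
                      0x1000, 0x1000,              # AddressOfEntryPoint, BaseOfCode
                      0x140000000,                 # ImageBase
                      0x1000, 0x200,               # SectionAlignment, FileAlignment
                      6, 0, 0, 0, 6, 0,            # OS / image / subsystem versions
                      0, 0x2000, 0x400, 0,         # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0x8160,                   # Subsystem (CUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,   # stack/heap reserve and commit
                      0, 16)                       # LoaderFlags, NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(win_cert))
    section = struct.pack("<8sIIIIIIHHI", b".text\x00\x00\x00", 0x200, 0x1000,
                          0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\x00\x00" + coff + opt + bytes(dirs) + section).ljust(0x400, b"\x00")
    text = b"\xC3" * 0x200                          # ret-filled code section
    return headers + text + win_cert


def signature_location(pe: bytes) -> Dict[str, object]:
    """Find the certificate table and decide whether any of it is ever mapped."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    nsections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    size_of_headers, = struct.unpack_from("<I", pe, opt + 60)   # same offset in PE32 and PE32+
    dirs = opt + (112 if magic == 0x20B else 96)
    # For the security directory the first field is a FILE offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    # What the loader maps: the headers, then each section's raw bytes.
    mapped: List[Tuple[int, int]] = [(0, size_of_headers)]
    sec = opt + opt_size
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec + 40 * i + 16)
        mapped.append((raw_ptr, raw_ptr + raw_size))

    in_mapped = cert_size > 0 and any(lo <= cert_off < hi for lo, hi in mapped)
    return {
        "cert_file_offset": cert_off,
        "cert_size": cert_size,
        "mapped_file_ranges": mapped,
        "signature_mapped": in_mapped,
    }


def win_certificate(pe: bytes) -> Tuple[int, int, bytes]:
    """Read (revision, type, blob) from the on-disk certificate table: the bytes a
    signature verifier needs and a memory-only tool cannot reach."""
    off = signature_location(pe)["cert_file_offset"]
    length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
    return revision, cert_type, pe[off + 8:off + length]


if __name__ == "__main__":
    info = signature_location(build_sample_pe())
    print(f"certificate table at file offset 0x{info['cert_file_offset']:x}, "
          f"mapped into memory: {info['signature_mapped']}")
```

Point the analyzer at a real signed binary (open(path, "rb").read()) and signature_mapped stays False for the same reason: the certificate offset is always past the last section's raw data. That is why the MD5 and MemD5 approaches on this slide exist at all.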
Narrowing Your Focus with Live Analysis
• ID "known good hashes" from live memory analysis
• Redline Options / Whitelist Management
Whitelist Filtering: 169 vs. 12 Items
Live Memory Analysis with Volatility
• Winpmem
  • Raw, crash dump, and output to stdout
  • Direct analysis of running kernel (-l switch)
  • Optional write support!
  • https://code.google.com/p/volatility/downloads/list
• Volatility Technology Preview Branch
  • https://code.google.com/p/volatility/wiki/TechPreviewBranch
  • Includes interactive shell (similar to volshell) -> the future of Volatility?
Live Analysis with winpmem
Live Response with Volatility
Good Day or Bad Day?
Old School doskey
Memory Carving
Typed Commands: cmdscan & consoles
Purpose
• Scan csrss.exe (XP) and conhost.exe (Win7) for Command_History and Console_Information residue
Important Parameters
• None
Investigative Notes
• Gathering command history and console output can give insight into user / attacker activities
• cmdscan provides information from the command history buffer
• consoles prints commands (inputs) + screen buffer (outputs)
• Plugins can identify data from active and closed sessions
Typed Commands: cmdscan & consoles
Old School pclip
Find pclip.exe at http://unxutils.sourceforge.net/ (or just get infected with Zeus)
Clipboard Contents: clipboard
Purpose
• Extract contents of the Windows clipboard
Important Parameters
• Verbose mode (-v) shows hex view of data (necessary if binary data is stored in the clipboard)
Investigative Notes
• Recovers clipboard data for each window station (i.e. console, RDP, Fast User Switching, etc.)
• Works on both XP/2003 and Windows 7/2008 systems
• In some cases, the clipboard only holds a pointer to the "clipped" content (i.e. the full path for a copied file)
Clipboard Contents: clipboard
Additional References
• http://gleeda.blogspot.com/2011/04/volatility-14-userassist-plugin.html
• http://gleeda.blogspot.com/2012/09/week-3-of-month-of-volatility-plugins.html
• http://volatility-labs.blogspot.com/2013/05/movp-ii-23-creating-timelines-with.html
• http://cybermarshal.com/index.php/cyber-marshal-utilities/mac-memory-reader
• https://www.mandiant.com/blog/unibody-memory-analysis-introducing-mac-memoryze/
• http://memoryforensics.blogspot.com/2013/06/final-week-of-month-of-volatility.html
• http://volatility-labs.blogspot.com/2013/05/movp-ii-32-linuxandroid-memory.html
• http://holisticinfosec.blogspot.com/2013/03/toolsmith-redline-apt1-and-you-were-all.html
• http://media.blackhat.com/bh-us-11/Butler/BH_US_11_ButlerMurdock_Physical_Memory_Forensics-WP.pdf
• DFIROnline Memory Forensics with Michael Cohen: http://www.youtube.com/watch?v=9aC7yIYwvAY
• http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html
• http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html