Memory forensics and incident response
Page 1
Memory Forensics and Incident Response
Robert Reed
Page 2
Frequently when we think of cybercrime, external intrusions immediately come to mind, but we should remember that “insiders” represent a significant threat to organizations. Between 46 and 58 percent of the incidents resulting in the largest losses to organizations were “inside jobs.” This is particularly troubling because in these incidents the likelihood of identifying the offenders and recovering the assets should be higher.
(Chart: intrusions by source, insiders vs. outsiders)
Global Economic Crime Survey 2011, PricewaterhouseCoopers.
Page 3
Reason not prosecuted (percent of respondents):
• Damage level insufficient: 42%
• Could not identify the individual: 40%
• Lack of evidence: 39%
• Negative publicity: 12%
• Concerns about liability: 8%
• Competitors would use it for advantage: 6%
• Prior negative response from law enforcement: 5%
• Unaware the crime was reportable: 4%
• Other: 11%
• Don't know: 20%
In “insider” incidents, 40 percent of the time those responsible are never identified, or insufficient evidence is obtained for prosecution. This is particularly troubling because in these incidents the likelihood of identifying the offenders and recovering the assets should be higher.
2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
Page 4
Why are so many incidents not producing sufficient information for prosecutions? To some degree this makes sense when we dig deeper into the numbers: 61 percent of businesses suffering from cybercrime indicated that “they don’t have, or are not aware of having, access to forensic technology investigators.”
Business forensic capabilities (percent of respondents):
• Not aware of access to forensic investigators: 61%
• No in-house forensics: 60%
• No forensic IR procedures: 46%
Global Economic Crime Survey 2011, PricewaterhouseCoopers
Page 5
Objectives of incident response:
• Collect as much evidence as possible
• Minimize or eliminate changes made to evidentiary information
• Maintain the integrity of the investigation
• Minimize the disruption to business processes
• Obtain a successful outcome
Page 6
Striking a balance
• Do we need to do a forensic examination?
– Is there a statutory requirement to report?
– Is there potential liability for not investigating?
– Is there a broader objective in the investigation?
– Is it fiscally responsible?
Page 7
Typical incident life cycle
• Identify incident
• Establish approach
• Collect evidence
• Analyze evidence
• Document and report
• Assess and follow up
Page 8
Traditional Computer Forensic Response
• Secure location
• Document the scene
• Pull the plug
• Collect evidence
• Image the media
• Analysis
• Reporting
Page 9
Pros of the approach
• Acceptable for most of the cases law enforcement (LE) is presented with
• Easy to validate the information for court purposes
• Easy to establish and validate SOPs
Page 10
Cons of the traditional approach
• Increasing drive capacities
• Increased security awareness
– Encryption
– Passwords
– “Personal privacy” software
• Business continuity
• Misses or destroys vital information in RAM
Page 11
Better approach
• Secure location
• Photograph and document the scene
• Collect volatile data
• Isolate from network??
• Bring the machine down or live image??
• Bit-stream image
• Analysis
• Reporting
Page 12
Order of volatility
1. CPU cache and registers
2. ARP cache, routing table and process table
3. RAM
4. Temporary file systems, swap and page files
5. Fixed and removable media attached
6. Remotely logged data
7. Archives
Page 13
Collection of volatile data
(Diagram: collection tool(s) → OS utilities → OS/hardware → results)
Page 14
Concerns
• Reliability of local tools
• Rootkits
• Integrity of evidence
– Authenticity
– Integrity
• Chains of custody
• Security
Page 15
Collection of volatile data
• cmd
• tasklist
• netstat
• arp
• route
• net commands
• etc.
* The problem with using native commands is that we cannot trust their results: they run on the suspect machine and report whatever its kernel and APIs, possibly subverted by a rootkit, return. *
Page 16
Collection of volatile data
(Diagram: collection tool(s) → OS utilities → OS/hardware → results)
Page 17
Collection of volatile data
(Diagram: the same collection chain, split between user space and kernel space)
Page 18
External tools
• cmd ?? *Are you bringing your own command console?*
• Sysinternals: http://technet.microsoft.com/en-us/sysinternals/default
• Nirsoft: http://www.nirsoft.net/
• Foundstone: http://www.mcafee.com/us/downloads/free-tools/index.aspx
• WFT: http://www.foolmoon.net/security/wft/
• Tons of others out there
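Putting the order of volatility, the integrity concerns and the "bring your own tools" point together in working code: the following is an added example for this deck, not the author's script and not one of the listed vendors' tools. It is a collection runner that refuses to execute anything except binaries the responder copied onto their own media and hashed on a clean system beforehand, runs the steps in the order the caller lists them (most volatile first), and writes every output file's SHA-256 and timestamps into a manifest for the chain-of-custody form. The `__main__` demo uses the Python interpreter as a stand-in tool so it runs anywhere; the function names, the manifest layout and the `evidence_demo` directory are this example's own choices.

```python
"""Run a volatile-data collection in a fixed order with a verified toolkit.

Added example (not from the slide deck).  Assumption: the responder has
copied the binaries to be run onto their own media and computed their
SHA-256 values on a clean system beforehand (tool_hashes).
"""
import hashlib
import json
import os
import platform
import subprocess
import sys
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_toolkit(tool_hashes):
    """Return the tool paths whose on-disk hash does not match the known-good one."""
    return [p for p, expected in tool_hashes.items()
            if not os.path.isfile(p) or sha256_file(p) != expected.lower()]


def collect(steps, outdir, tool_hashes, timeout=120):
    """steps: list of (label, argv), ordered by the caller from most to least
    volatile (process and network tables before anything on disk).  argv[0]
    must be an absolute path to a binary listed in tool_hashes, so nothing
    installed on the suspect host is ever executed.  Each step's output is
    written to its own file; its SHA-256 and timing go into manifest.json."""
    bad = verify_toolkit(tool_hashes)
    if bad:
        raise RuntimeError("toolkit integrity check failed: " + ", ".join(bad))
    for label, argv in steps:
        if not os.path.isabs(argv[0]) or argv[0] not in tool_hashes:
            raise RuntimeError(f"step {label!r}: {argv[0]} is not a verified responder tool")
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {"host": platform.node(),
                "collector": os.environ.get("USER") or os.environ.get("USERNAME") or "unknown",
                "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "steps": []}
    for order, (label, argv) in enumerate(steps, 1):
        target = outdir / f"{order:02d}_{label}.txt"
        t0 = time.time()
        with open(target, "wb") as out:
            try:
                rc = subprocess.run(argv, stdout=out, stderr=subprocess.STDOUT,
                                    timeout=timeout).returncode
            except (OSError, subprocess.TimeoutExpired) as exc:
                # Record the failure instead of aborting: the later, less
                # volatile steps are still worth collecting.
                out.write(f"COLLECTION ERROR: {exc}\n".encode())
                rc = None
        manifest["steps"].append({"order": order, "label": label, "argv": argv,
                                  "returncode": rc, "file": target.name,
                                  "sha256": sha256_file(target),
                                  "seconds": round(time.time() - t0, 3)})
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(outdir):
    """Re-hash every collected file; returns the names of any that changed."""
    outdir = Path(outdir)
    m = json.loads((outdir / "manifest.json").read_text())
    return [s["file"] for s in m["steps"]
            if sha256_file(outdir / s["file"]) != s["sha256"]]


if __name__ == "__main__":
    # Self-contained demo: the Python interpreter stands in for the responder's
    # tools.  On a real case the argv entries would be the copied tasklist,
    # netstat, arp and route binaries (or Sysinternals equivalents) on the
    # responder's media, and tool_hashes would be loaded from a file produced
    # on a clean system, not computed on the suspect host as done here.
    interp = sys.executable
    demo_steps = [
        ("process_table", [interp, "-c", "print('pid 4 System')"]),
        ("network_table", [interp, "-c", "print('0.0.0.0:445 LISTENING')"]),
    ]
    dest = sys.argv[1] if len(sys.argv) > 1 else "evidence_demo"
    print(json.dumps(collect(demo_steps, dest, {interp: sha256_file(interp)}), indent=2))
    print("changed since collection:", verify_manifest(dest))
```

The manifest deliberately records the exact argv of every step, so a reviewer can reproduce what was run and in what order, and the output of a failed step is still hashed so the gap itself is documented.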
Page 19
Collection of volatile data
(Diagram: the collection chain with the API call boundary between user space and kernel space marked)
Page 20
Collection of volatile data
(Diagram: the collection chain, split between user space and kernel space)
Page 21
RAM / Image Analysis
(Diagram: an analysis tool reading the RAM image directly, alongside the OS-utility chain whose results are marked with a question mark)
Page 22
Imaging and analysis tools
• Win32dd / Win64dd
• DumpIt
• ManTech mdd (Memory DD)
• FTK Imager
• Belkasoft
• Volatility
• Memoryze
• Redline
• HBGary Responder
• EnCase
• Etc.
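Why the native commands cannot be trusted, and what a memory image buys you, is easiest to see in code. A kernel rootkit can unlink a process from the list that the Windows APIs (and therefore tasklist) walk, while the process object still sits in RAM; memory-analysis tools such as Volatility catch this by comparing views, for example a list walk (`pslist`) against a pool-tag carve of the image (`psscan`), as its `psxview` plugin does. The following is an added example, not part of the deck and not Volatility's code, that performs that cross-view comparison over constructed listings. The table format, the process names and the `rk_loader.exe` entry are made up for the demonstration, and the one edge case it handles is the carve finding freed objects of processes that simply exited, which psxview likewise does not report as hidden.

```python
"""Cross-view process comparison over constructed listings.

Added example for this deck (not Volatility's code).  Each view is a table
"PID NAME [EXITED]"; in practice the views would be tasklist output from
the live box, Volatility pslist (list walk) and psscan (pool-tag carve).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    exited: bool = False   # only a carving view can report this


def parse_view(text):
    """Parse the constructed table format into {pid: Proc}; skips the header."""
    procs = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0].lower() == "pid":
            continue
        exited = len(parts) > 2 and parts[2].upper() == "EXITED"
        procs[int(parts[0])] = Proc(int(parts[0]), parts[1], exited)
    return procs


def cross_view(views, carve="psscan"):
    """views: {view_name: {pid: Proc}}.  Returns one finding per PID that at
    least one view missed, as (pid, name, seen_by, missed_by, verdict).

    "HIDDEN":       the carve found a live object the list-based views did
                    not report (DKOM-style unlinking).
    "terminated":   the carve found the freed object of an exited process;
                    expected, not evidence of hiding.
    "inconsistent": a list-based view reports a PID the carve did not find,
                    e.g. a smeared image or a faked entry.
    """
    all_pids = set()
    for v in views.values():
        all_pids |= set(v)
    findings = []
    for pid in sorted(all_pids):
        seen = sorted(n for n, v in views.items() if pid in v)
        missed = sorted(set(views) - set(seen))
        if not missed:
            continue
        rec = views[seen[0]][pid]
        if rec.exited and seen == [carve]:
            verdict = "terminated"
        elif carve in seen:
            verdict = "HIDDEN"
        else:
            verdict = "inconsistent"
        findings.append((pid, rec.name, seen, missed, verdict))
    return findings


def hidden_pids(findings):
    return [f[0] for f in findings if f[4] == "HIDDEN"]


# Constructed sample data (not from a real system).
TASKLIST = """\
PID   NAME
4     System
428   smss.exe
612   csrss.exe
1020  svchost.exe
2276  explorer.exe
"""
PSLIST = TASKLIST          # the list walk agrees with the live API view
PSSCAN = TASKLIST + """\
1337  rk_loader.exe
2044  notepad.exe   EXITED
"""
VIEWS = {"tasklist": parse_view(TASKLIST),
         "pslist": parse_view(PSLIST),
         "psscan": parse_view(PSSCAN)}

if __name__ == "__main__":
    for pid, name, seen, missed, verdict in cross_view(VIEWS):
        print(f"{pid:>6} {name:<16} seen={','.join(seen):<16} "
              f"missed={','.join(missed):<16} {verdict}")
```

Run stand-alone it reports 1337 as HIDDEN and 2044 as terminated. The same idea scales to any pair of views that should agree (threads, handles, sockets); a live-response script that only ever asks the running OS has a single view and nothing to compare it against.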
Page 23
Imaging and analysis tools
• Challenges
– Varied implementations
– Anti-forensics programs and techniques
Page 24
Direct Memory Access
(Diagram: a DMA tool reading physical memory through the hardware, bypassing the OS utilities in both user space and kernel space)
Page 25
http://www.breaknenter.org/projects/inception/
“Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.”
Page 26
“Goldfish was a project by Afrah Almansoori, Pavel Gladyshev, and Joshua James aimed at the extraction of user passwords and fragments of AIM instant messenger conversations directly from the RAM of Apple Mac computers. Goldfish software can be used against 32-bit versions of Mac OS X up to and including Mac OS X (10.5) Leopard.”
http://digitalfire.ucd.ie/?page_id=430
Page 27
Direct Memory Access
• Advantages
– Bypass passwords to gain access
– Recover passwords (keyboard buffers)
– Evade current anti-forensics techniques
Page 28
Direct Memory Access
• Challenges
– Hardware dependent!
– Physical access required!
– Disabled drivers?
– Only 4 GB of physical address space is accessible (0x00000000 to 0xFFFFFFFF)!
Page 29
Direct Memory Access
• Mitigation – Windows
– Block the SBP-2 driver: http://support.microsoft.com/kb/2516445
– Remove FireWire and Thunderbolt drivers
Page 30
Direct Memory Access
• Mitigation – Macs
– FileVault 2 (OS X Lion) with the screen locked
– Firmware password
Page 31
Direct Memory Access
• Mitigation – Linux
– Disable DMA
– Remove FireWire drivers
Page 32
Questions ??