Memory Forensics - publish.illinois.edupublish.illinois.edu/.../files/2014/03/acc-forensics.pdfWhat...
Memory Forensics
Kevin Larson
What is Computer Forensics?
Mobile Device Forensics
Network Forensics
Memory & Data Forensics
● Offline
  ○ Hard drives
  ○ Memory snapshot analysis
● Online
  ○ Live memory techniques
Why do We Care about Forensics?
Administrative & Engineering
● Just to know an attack or compromise occurred
● Understand how it happened
● Know what needs to be fixed or cleaned
● Understand how to prevent it in the future
Legal
● Proof and accountability
Recent Attacks on SCADA and the Power Grid
"The discovery is a rootkit called Rootkit.TmpHider that came with a trojan that infects systems via USB drives. ... the driver files that make up the rootkit have a legitimate digital signature from ... an embedded device maker Realtek. Worse, it appears to (be) targeted at SCADA control systems." -Greg Feezel
"A German power utility specialising in renewable energy was hit by a serious cyber-attack two weeks ago that lasted five days, knocking its internet communications systems offline, in the first confirmed digital assault against a European grid operator." -EurActive.com
"Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings - OASyS SCADA - a product that helps energy firms mesh older IT assets with more advanced "smart grid" technologies."- krebsonsecurity.com
Forensics in SCADA
Continuous operation hinders most traditional techniques
Embedded systems and remote locations often limit physical access to machines
"It is still unclear how to acquire live data on a SCADA system in a way that minimizes risk to the system’s services." -Ahmed et al
Forensics in the cloud
Vast quantities of machines make manual inspection infeasible
Redundancy allows for flexibility in the inspection process
Memory & Data Forensics
Offline Forensics
● Hard drives
● Memory snapshot analysis
Shortcomings
● Slow
● Misses volatile data
● Incompatible with critical systems
Memory & Data Forensics
Online
● Extract data from a running computer
  ○ Faster
  ○ Some data only available online
● Shortcomings
  ○ Still imposes overhead
  ○ Quality concerns - blurriness
  ○ Many techniques subject to attack
Data Storage
In order of increasing speed
● Magnetic tape and peripherals
  ○ Floppies, CDs, magnetic tape, etc.
● Hard drives
  ○ Magnetic disks
  ○ Solid state
● Memory
  ○ Faster
  ○ Volatile - loses contents if powered off
    ■ However, this doesn't happen immediately!
Memory
Information available only in memory (DRAM in this case)
● Encryption keys
  ○ Data on encrypted hard drives useless
● Passwords
● Malicious programs
Memory Remanence
RAM still contains data after being powered off. Capacitors take long enough to discharge that data can often be recovered.
● Limited lifespan
● Many factors
  ○ Temperature
  ○ Type of RAM
  ○ Manufacturer (design/construction)
● Limitations
  ○ Potentially short lifespans
  ○ Certain hardware overwrites some/all memory
Memory Remanence
There are many ways to manipulate remanence
● Cooling memory
  ○ Cheap and easy - canned air
  ○ Can extend lifespan by a significant factor
● Circumvent incompatible hardware
  ○ Move RAM chips to other systems
Remanence Attacks
Pioneered by Halderman et al [5]
● Thoroughly investigated remanence
  ○ Tested many systems/DRAM for compatibility
  ○ Measured lifespan in various environments
● Found vulnerabilities
  ○ Extracted various keys
  ○ Modeled decay and reconstructed partial keys
Remanence Attacks
● Privilege escalation through remanence
  ○ Restart machine
  ○ Find critical system elements
  ○ Jump start and enjoy full privileges
Forenscope
● Built off Bootjacker - take control of machine
● Forensics platform
  ○ Use privilege to investigate
  ○ Doesn't rely on existing system
  ○ Multiple forensic payloads
  ○ Can be interactive
Forenscope
Leverages memory remanence to build a forensics platform
● Freshly rebooted machine
  ○ No persistent infections
● Full copy of memory
  ○ High quality
  ○ Extremely low taint
  ○ Minimal blurriness
Forenscope
Extremely low taint
● Conventional tools have memory footprints
  ○ Reside in extended memory
    ■ Where most important data resides
  ○ Are large
    ■ Clobber potentially valuable information
    ■ Leave a trace of their own
● Forenscope
  ○ Resides in conventional memory (lowest 640kB)
    ■ Virtually unused in modern systems
    ■ Still only taints a small percent
Image Quality Comparison
● Difference from actual memory contents

Tool                               Conventional memory   Extended memory
Forenscope                         0.125%                0%
dd                                 0%                    21.665%
dd to FS mounted with sync flag    0%                    21.44%
dd with O_DIRECT                   0%                    1.46%
System Restoration
● Hardware systems
  ○ Have initialization functions
  ○ Re-initialize hardware
● We have memory!
  ○ Restore registers from stack
  ○ Kernel structures accessible
    ■ Page tables
    ■ Stack
Forenscope
Conventional tools often rely on potentially compromised components
● FU rootkit
  ○ Manipulates kernel structures and corrupts process lists
● Virtualization rootkits
  ○ Operate outside the scope of the running system
Forenscope
Critical systems
● Cannot afford downtime
● Forenscope
  ○ Extremely fast
    ■ Can operate as quickly as system restarts
    ■ ~15 seconds on many systems
  ○ Customizable - invoke many different payloads
    ■ Copy memory
    ■ Rootkits
    ■ Interactive platform
Forenscope & SCADA
SCADA poses unique challenges at which Forenscope excels
● Take control of systems in unknown state
● Minimally intrusive system
● Customizable payloads unique to tasks
● Interactive modes can allow for interactive remote forensics
Forenscope & The Cloud
The cloud poses unique challenges for Forenscope
● Customizable payloads unique to tasks
● Interactive modes can allow for interactive remote forensics
Shortcomings
Forenscope provides high quality images or a platform to do forensics
● Much effort is still manual
● Interfaces, protocols, and abstractions have to be extracted
Other ways to capture memory
● FireWire
  ○ Inception
  ○ Libforensic 1394
  ○ Forenscope-like agent
● Virtualized environment
  ○ LibVMI and other introspection
  ○ Direct capture
Valgrind
● x86 memory debugging tool
● Virtual CPU
  ○ Memory instrumentation
● Variety of different tools
  ○ Cachegrind/Callgrind - simulate cache and call graph
  ○ Helgrind/DRD - race detection for multithreaded programs
  ○ Massif - heap profiler
Cafegrind
● Extension of the Massif tool in Valgrind
● Collects statistics of memory usage in the heap
  ○ Longevity of every allocated object
  ○ Number of reads and writes
● Freed memory is not necessarily lost
  ○ Tracks period between free and clobber
Cafegrind
Type Inference
#include <stdlib.h>
/* The cast at the malloc call site gives the object's type; the field accesses that follow give its layout. */
struct ds { int f1d1; };
struct ds *mydata;
mydata = (struct ds *) malloc(sizeof(struct ds));
mydata->f1d1 = 100;
Maintains this information for all dynamically allocated objects
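To make the per-object statistics above concrete, here is an added example (not Cafegrind's own code) that replays a constructed malloc/free/load/store event trace and records, for each heap object, the type taken from its malloc call-site cast, its read and write counts, its longevity, and for freed objects the window until the first clobbering write. The event tuple format and the HeapObject/run_trace names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HeapObject:
    addr: int
    size: int
    ctype: str                       # inferred from the malloc call-site cast
    alloc_t: int
    free_t: Optional[int] = None
    clobber_t: Optional[int] = None  # first write into the range after free()
    reads: int = 0
    writes: int = 0
    def longevity(self, now):
        """Events the object was live: until free(), or until now if still live."""
        return (self.free_t if self.free_t is not None else now) - self.alloc_t
    def free_to_clobber(self):
        """Events the freed bytes survived before being overwritten (None if intact)."""
        if self.free_t is None or self.clobber_t is None:
            return None
        return self.clobber_t - self.free_t

def run_trace(trace):
    """Replay malloc/free/load/store events; return (live by address, freed still watched, clock)."""
    live, freed = {}, []
    for now, ev in enumerate(trace, 1):
        op, addr = ev[0], ev[1]
        if op == "malloc":                       # ("malloc", addr, size, ctype)
            live[addr] = HeapObject(addr, ev[2], ev[3], now)
        elif op == "free":                       # keep watching the freed bytes
            freed.append(live.pop(addr))
            freed[-1].free_t = now
        else:                                    # ("load" | "store", addr)
            owner = next((o for o in live.values()
                          if o.addr <= addr < o.addr + o.size), None)
            if owner is not None:
                if op == "load":
                    owner.reads += 1
                else:
                    owner.writes += 1
            if op == "store":                    # a write landing on freed bytes
                for f in freed:
                    if f.clobber_t is None and f.addr <= addr < f.addr + f.size:
                        f.clobber_t = now
    return live, freed, len(trace)

# Constructed trace: a struct is used and freed, then its slot is reused.
TRACE = [("malloc", 0x1000, 16, "struct ds"), ("store", 0x1000), ("load", 0x1000),
         ("load", 0x1004), ("free", 0x1000), ("malloc", 0x2000, 32, "char[]"),
         ("store", 0x2000), ("malloc", 0x1000, 16, "struct ds"), ("store", 0x1008)]
```

Running `run_trace(TRACE)` shows the freed struct survived four events after free() before the reuse of its slot clobbered it.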
Requirements
● Requires programs and libraries to be C/C++ and compiled with -g and -O0
● Lots of RAM and/or swap space
  ○ Used 40GB SSD for swap
● Hard disk space
  ○ Generates data on the order of GB per minute of execution
Coverage
Percent of loads/stores inferred

Application   Store coverage   Load coverage   Overall
Firefox       70.48%           88.11%          83.51%
KWrite        85.8%            94.27%          92.66%
Links         99.09%           99.99%          99.6%
Tor           85.95%           96.43%          95.02%
Example
Cafegrind and Konqueror web browser
Volatility
● The Volatility Framework is an open collection of tools
● Used for the extraction of digital artifacts from volatile memory samples
● Support for samples from Windows, Linux, and Mac OS X systems
● Profiles for a wide variety of versions
● Functionality to create profiles for any Linux system
Volatility Capabilities
● General info (date, time, CPU count)
● Running processes
  ○ IDs
  ○ Memory mappings
● Network sockets and connections
● File handles
● Kernel modules and objects (keys, mutexes, etc.)
● Virtual and physical mappings
Beyond Volatility
Volatility can provide basic process info
● Process IDs
● Memory offsets to the stack and heap
● Misc other metadata
Cafegrind proved there was a wealth of information in the heap!
Exploring the Heap
● Leveraged virtual machine environment to provide memory images
● We no longer have debug symbols
● What is left?
Pointers
● Typically pretty easy to identify
● Point to all sorts of things
  ○ Data
  ○ Functions
  ○ Other pointers
  ○ Structs (a combination of the above)
A Quick Look at Initd
Initd application
● First process started by kernel
● Everything else is a child of initd
● Handles orphaned processes
Some of the numbers
● Used Volatility to extract all pages identified for the heap of initd
  ○ 85 pages (348kB)
  ○ 21643 pointers (173kB, or 49.7%)
  ○ 17852 pointers have cycles
  ○ 1622 point to invalid pages or are not aligned
  ○ 3549 are involved in longer chains of pointers
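An added example (not the Volatility plugin behind the initd numbers above) that runs the same kind of pointer census over a constructed heap image: scan every aligned word that points back into the heap, then count pointers caught in cycles, pointers whose target is on an unextracted page or is unaligned, and pointers involved in longer chains. It assumes 64-bit little-endian pointers, 4 KiB pages, and that a "longer chain" means pointer-to-pointer with at least two links; the function names are this example's own.

```python
import struct

WORD, PAGE = 8, 4096   # 64-bit pointers, 4 KiB pages (assumption for this example)

def scan_pointers(pages):
    """Return {slot_vaddr: target} for every aligned word whose value falls in
    the heap's virtual range (first extracted page to the end of the last)."""
    lo, hi = min(pages), max(pages) + PAGE
    ptrs = {}
    for vaddr, data in pages.items():
        for off in range(0, PAGE, WORD):
            val = struct.unpack_from("<Q", data, off)[0]
            if lo <= val < hi:
                ptrs[vaddr + off] = val
    return ptrs

def census(pages):
    """Classify candidate pointers the way the initd numbers above are reported."""
    ptrs = scan_pointers(pages)
    # target on a page that was not extracted, or not word aligned
    invalid = {s for s, t in ptrs.items()
               if t % WORD or (t & ~(PAGE - 1)) not in pages}
    cycles, chains = set(), set()
    for start in ptrs:
        if start in invalid:
            continue
        path, cur = [], start
        while cur in ptrs and cur not in invalid and cur not in path:
            path.append(cur)
            cur = ptrs[cur]          # treat the target as the next slot
        if cur in path:              # walked back onto the path: a cycle
            cycles.update(path)
        elif len(path) >= 2:         # pointer -> pointer -> ...: a longer chain
            chains.update(path)
    return {"pointers": len(ptrs), "cycles": len(cycles),
            "invalid": len(invalid), "chains": len(chains),
            "pointer_bytes_pct": round(100 * len(ptrs) * WORD / (len(pages) * PAGE), 2)}

def build_sample():
    """Constructed two-page heap; the page at 0x2000 is deliberately missing."""
    a, b = bytearray(PAGE), bytearray(PAGE)
    for off, val in [(0x00, 0x1008), (0x08, 0x1000),   # two-word cycle
                     (0x10, 0x2000), (0x18, 0x1003),   # unmapped page, unaligned
                     (0x20, 0x3000), (0x28, 0x3020),   # chain start, single hop
                     (0x30, 42)]:                      # plain data
        struct.pack_into("<Q", a, off, val)
    for off, val in [(0x00, 0x3010), (0x10, 0x3020), (0x20, 0xDEADBEEF)]:
        struct.pack_into("<Q", b, off, val)
    return {0x1000: bytes(a), 0x3000: bytes(b)}
```

On a real image the pages dict would be filled from the heap pages Volatility extracts, and the counts reported alongside the kB figures as on the slide.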
Initd Visualization
Rsyslogd Visualization
Questions