Transcript of the slide deck:
The State of the Art in Windows Memory Forensics
Introduction
2008-10-08 Andreas Schuster: Windows Memory Analysis 3
System state is kept in memory
• Processes
• Sockets
• TCP connections
• System functions
• …
Relevant data is not on disk
Dolan-Gavitt (2008):
• Registry consists of several files (hives).
• Hives (partially) loaded into memory.
• Direct changes to in-memory registry (bypassing the API) not mirrored back to disk.
Key recovery
Kornblum (2008): Bitlocker key material
Forensic process
The same process applies to traditional and memory forensics:
1. Acquisition
2. Analysis
3. Presentation
Acquisition
Memory is volatile
• Do NOT pull the plug: without power and clocking, memory contents dissipate within seconds to minutes.
• Examination of the system’s state changes the system’s state.
• Do it right the first time!
Find the right tool
• Several tools and techniques available
• Taxonomy:
1. Access to main memory: pure hardware vs. software
2. Time of installation: prior to incident vs. post incident
3. Required privileges: user vs. administrator
Find the right tool
• Taxonomy (cont.):
4. Impact on system: in vivo vs. post mortem
5. Atomicity of image
6. Image file format: raw (“dd-style”) vs. Microsoft crash dump (not important any longer)
• Test it thoroughly!
Select tool: VMware
• Popular virtual machine monitor.
• Simulated “physical memory” can be stored in a file.
• Excellent lab environment, though malware is aware of virtualization techniques.
Select tool: FireWire
• Physical access and IEEE
• Hard though not impossible to counterfeit.
Select tool: KnTTools
• by GMG Systems, Inc. (George Garner), http://www.gmgsystemsinc.com/knttools/
• Also obtains for later analysis:
– kernel and network driver binaries
– system status as seen from userland
• Enterprise edition:
– signed/encrypted jobs and evidence
– pre-installed or on-demand
Some free tools
• mdd by Benjamin Stotts, Mantech, https://sourceforge.net/projects/mdd/
• win32dd by Matthieu Suiche, http://win32dd.msuiche.net/
Analysis
Select tool: KnTList
• by GMG Systems, Inc. (George Garner), http://www.gmgsystemsinc.com/knttools/
• Extensive output, plain text and XML
• Analyses file cache
• Cross-view examination eases rootkit detection.
Select tool: PoolTools
• by Andreas Schuster, http://computer.forensikblog.de/files/poolfinder/
• Open source software.
• Generic kernel object carver and utility programs.
• About 40,000 to 80,000 objects per memory dump (depends on system usage).
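As an added example (not PoolTools' or KnTList's own code), the two ideas from the last two slides together: a minimal pool-tag carver in the spirit of PoolTools, run over a constructed byte string, and a cross-view comparison of the carved process objects against a list-walk view, the kind of check KnTList uses to surface hidden processes. It assumes the 32-bit Windows XP _POOL_HEADER layout and the _EPROCESS.ImageFileName offset noted in the comments; the sample image is constructed, not a real dump.

```python
import struct
from dataclasses import dataclass

# Assumed layout (32-bit Windows XP): an 8-byte _POOL_HEADER precedes each allocation:
#   ULONG bitfield: PreviousSize:9 | PoolIndex:7 | BlockSize:9 | PoolType:7, then ULONG PoolTag.
# BlockSize counts 8-byte grains and includes the header; PoolType 0 means the block is free.
GRAIN = 8
IMAGE_FILE_NAME_OFF = 0x174  # assumed _EPROCESS.ImageFileName offset (XP SP2)

@dataclass
class PoolHit:
    offset: int     # offset of the _POOL_HEADER within the image
    size: int       # allocation size in bytes, header included
    pool_type: int

def carve_pool(image: bytes, tag: bytes, min_size: int, max_size: int):
    """Return plausible, in-use pool blocks carrying `tag` (e.g. b"Proc" for _EPROCESS)."""
    hits, pos = [], image.find(tag)
    while pos >= 0:
        hdr = pos - 4                      # the tag sits at header offset 4
        if hdr >= 0 and hdr % GRAIN == 0:  # headers are grain-aligned
            flags, = struct.unpack_from("<I", image, hdr)
            size = ((flags >> 16) & 0x1FF) * GRAIN
            ptype = (flags >> 25) & 0x7F
            if ptype and min_size <= size <= max_size and hdr + size <= len(image):
                hits.append(PoolHit(hdr, size, ptype))
        pos = image.find(tag, pos + 1)
    return hits

def process_names(image: bytes, hits):
    """Read the 16-byte ImageFileName out of each carved _EPROCESS body."""
    start = [h.offset + 8 + IMAGE_FILE_NAME_OFF for h in hits]
    return [image[s:s + 16].split(b"\0", 1)[0].decode("ascii", "replace") for s in start]

def cross_view(list_walk: set, carved: set):
    """Cross-view check: processes found by carving but absent from the list walk."""
    return carved - list_walk

# Constructed sample image (not a real dump): 0x260-byte "Proc" blocks plus two decoys.
def make_block(name: bytes, pool_type: int, size: int = 0x260) -> bytes:
    flags = (pool_type << 25) | ((size // GRAIN) << 16)
    body = bytearray(size - 8)
    body[IMAGE_FILE_NAME_OFF:IMAGE_FILE_NAME_OFF + len(name)] = name
    return struct.pack("<I", flags) + b"Proc" + bytes(body)

SAMPLE = (b"\0" * 0x40 + make_block(b"System", 2)
          + b"Proc in a string, not a header" + b"\0" * 0x32   # misaligned decoy tag
          + make_block(b"svchost.exe", 2) + make_block(b"hidden.exe", 2)
          + make_block(b"old.exe", 0))                          # freed block, must be skipped
```

A real carver also validates the object header and object body fields, which is why PoolTools reports far fewer false positives than a plain tag scan would.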
Select tool: Volatility
• by Volatile Systems, https://www.volatilesystems.com/default/volatility
• Open source software.
• Supports all major memory image formats.
• Many object viewers.
• Programming framework, pure Python.
Select tool: PyFlag
• by Michael Cohen and David Collett, http://www.pyflag.net/
• Open source software.
• Web-based analysis software:
– file systems
– network captures
– memory images (using Volatility)
• Generates report (“brief of evidence”).
The future: Correlation
• Case et al., 2008, http://www.dfrws.org/2008/proceedings/p65-case.pdf
• Automatic correlation of evidence from disk, network, and RAM.
• Proof of concept, Linux.
Conclusion
Conclusion
• Most tools are in a proof-of-concept phase and target a technical audience.
• Memory analysis produces a lot of extra data.
• Integration into forensics process:
– front-end: pyFlag, EnCase Enterprise, etc.
– correlation, e.g. FACE
Questions?
Acquisition tool taxonomy
Access to main memory
Software
• Employs CPU, memory, kernel and drivers.
• Can easily be fooled.
• Easy to deploy and maintain in a corporate environment.
• Costs mainly driven by license.
Pure hardware
• Does not utilize the CPU.
• Trusted access to memory?
• May require extra hardware.
• Installation requires significant time (more costs).
Time of installation
Prior to incident
• Usually requires a reboot.
• Does not tamper with evidence.
• Permanently adds (privileged) code to system, increases exposure to attacks.
Post incident
• Installation possible after the incident occurred.
• Could interfere with evidence.
• “Installed” only as long as needed.
Required privileges
Unprivileged
• No (secondary) logon required.
• Minimizes impact on evidence.
Privileged
• Requires either installation prior to incident or (secondary) logon.
• High impact on evidence in case of a (secondary) logon.
Atomicity of image
Low
• Inconsistent state; may confuse tools and examiners (e.g. dangling pointers).
• Significant problem for analysis of user data.
• Less impact on analysis of kernel data.
High
• Consistent state over whole image.
• Difficult to achieve.
Impact on system
Low
• System continues to work.
• Degraded performance during imaging, reverts to normal afterwards.
• Should be safe even on servers.
High
• System forced to crash.
• System out of service for time required to obtain the dump and reboot.
• Acceptable only for clients. Generally best choice under lab conditions.
References
• Dolan-Gavitt, B.: Forensic analysis of the Windows registry in memory. Proc. 8th DFRWS. Baltimore, August 2008.
• Kornblum, J.: Practical Cryptographic Key Recovery. Open Memory Forensics Workshop. Baltimore, August 2008.
• Case A., Cristina A., Marziale L., Richard G., Roussev V.: FACE: Automated digital evidence discovery and correlation. Proc. 8th DFRWS. Baltimore, August 2008.