Memory Forensics
1. Introduction
2. Memory Acquisition
3. Memory Structure
4. Memory Concepts
5. Memory Analysis
6. Windows Registry
Reading: Textbook Chapter 2
Introduction
• Memory forensics relies on capturing live memory from a running computer system.
• RAM analysis consists of performing forensic analysis on the data gathered from the live computer.
• After conducting a memory dump on any live machine to capture RAM, the memory image can be used to determine information about:
  • running programs, the operating system, and the overall state of a computer, as well as to locate deleted or temporary information that might otherwise not be found on a normal image.
Introduction (ctd.)
• Until recently, RAM analysis and capture was not a mandatory step in investigations, or even in triage situations where analysts were attempting to gather forensic data on site.
• However, with new tools that allow entry into locked systems and with the growing importance of temporary files, RAM analysis is quickly becoming a pivotal and mandatory part of the digital forensics process.
Introduction
Why Memory Forensics?
• Everything in the OS traverses RAM
• Processes and threads
• Malware (including rootkit technologies)
• Network sockets, URLs, IP addresses
• Open files
• User generated content
• Passwords, caches, clipboards
• Encryption keys
• Hardware and software configuration
• Windows registry keys and event logs
Introduction (cont.)
Memory Forensics – Basic Approach
• Ideal analysis includes physical memory data (from RAM) as well as page file (or swap space) data
Memory Acquisition
Memory can be acquired "LIVE" or "DEAD"
Swap space on live or dead systems
■ PAGEFILE.SYS
■ /private/var/vm/swapfile
■ Swap Partitions
Live Memory:
■ \\.\PhysicalMemory
■ \\.\DebugMemory
■ Device Drivers
■ Hardware memory imagers
■ Firewire (provides DMA)
Memory Acquisition (ctd.)
Options for RAM acquisition
- Different approaches to acquire physical memory images: software-oriented and hardware-oriented.
■ Advantage of the hardware approach (DMA, Direct Memory Access): no interaction with the operating system, so there is no risk of the acquisition tool writing data into the target's memory.
■ Disadvantage: systems that expose DMA can be attacked by exploiting the same feature.
Memory Acquisition (cont.)
Options for RAM acquisition (cont.)
Software Acquisition
■ Windows crash dump utility: a copy of the RAM plus extra debugging information, written internally when a crash dump occurs.
■ Hibernation file
■ Contains a compressed RAM image: %SystemDrive%\hiberfil.sys
Speed:
■ Memory changes fast; a software capture won't be consistent.
Availability:
■ Software methods can be blocked by an attacker.
Integrity:
■ Software acquisition changes the memory map
■ You can't get all the memory
Memory Acquisition (ctd.)
• Some initial factors to consider before acquiring memory:
- Is the machine currently booted?
- If the machine was a virtual instance, was it suspended or shut down?
- If the machine is booted, can it be snapshotted or suspended?
- What OS and version is it running?
- Does the acquisition tool you are about to use output in a format that is compatible with your analysis tool?
- If not, do you have the proper tools to convert the resultant image?
Memory Acquisition (ctd.)
Memory File Format
Most commonly used memory dump formats are:
Memory Structure (ctd.)
Paging
• Provides the ability to virtualize the linear address space.
• Simulates a large linear address space with a modest amount of physical memory and disk storage.
• Each 32-bit linear address space is broken up into fixed-length sections, called pages, which can be mapped into physical memory in an arbitrary order.
• When a program attempts to access a linear address, this mapping uses memory-resident page directories and page tables to translate the linear address into a physical address.
Memory Structure (ctd.)
• Address Translation
Memory Structure (ctd.)
• How to do a Page Lookup?
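A worked page lookup for the 32-bit, non-PAE case, added here as an example that is not from the slides. It walks a constructed physical-memory image using the standard IA-32 two-level layout (10-bit directory index, 10-bit table index, 12-bit offset) and an assumed Directory Table Base (the DTB value that Volatility's ident command reports for an image); the entry values and addresses are constructed for the demonstration.

```python
# Added example (not from the slides): 32-bit non-PAE x86 page-table walk over a
# constructed physical-memory image. Uses the standard IA-32 entry layout with
# 4 KiB pages and the 4 MiB large-page (PS) bit in directory entries.
import struct

PAGE_SIZE = 0x1000
PRESENT = 0x1          # bit 0 of a PDE/PTE: entry is valid
PAGE_SIZE_FLAG = 0x80  # bit 7 of a PDE: this entry maps a 4 MiB page directly


class PhysicalMemory:
    """Minimal sparse model of a memory dump: page frame number -> 4 KiB of bytes."""

    def __init__(self):
        self.frames = {}

    def write_u32(self, phys_addr, value):
        frame, off = divmod(phys_addr, PAGE_SIZE)
        page = bytearray(self.frames.get(frame, bytes(PAGE_SIZE)))
        struct.pack_into("<I", page, off, value)
        self.frames[frame] = bytes(page)

    def read_u32(self, phys_addr):
        frame, off = divmod(phys_addr, PAGE_SIZE)
        page = self.frames.get(frame)
        if page is None:
            raise ValueError(f"physical address {phys_addr:#x} is not in the image")
        return struct.unpack_from("<I", page, off)[0]


def translate(mem, dtb, vaddr):
    """Translate a 32-bit linear address to a physical address.

    dtb is the Directory Table Base (CR3) of the process whose view we want.
    Returns None when the page is not present (paged out or never mapped),
    which is exactly the case an analyst hits for data living only in the page file.
    """
    pde_index = (vaddr >> 22) & 0x3FF
    pte_index = (vaddr >> 12) & 0x3FF
    offset = vaddr & 0xFFF

    pde = mem.read_u32(dtb + pde_index * 4)
    if not pde & PRESENT:
        return None
    if pde & PAGE_SIZE_FLAG:
        # 4 MiB page: bits 31..22 of the PDE are the frame, the low 22 bits are the offset
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)

    page_table = pde & 0xFFFFF000
    pte = mem.read_u32(page_table + pte_index * 4)
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | offset


def build_sample_image():
    """Constructed image (assumed layout): DTB at 0x39000; a page table at 0x3a000
    maps linear 0x00401000 to physical 0x7c000; PDE 0x200 maps a 4 MiB page at
    0x10000000 for the linear range starting at 0x80000000."""
    mem = PhysicalMemory()
    dtb = 0x39000
    mem.write_u32(dtb + 1 * 4, 0x3A000 | PRESENT)                # PDE[1]: 0x00400000-0x007fffff
    mem.write_u32(0x3A000 + 1 * 4, 0x7C000 | PRESENT)            # PTE[1]: 0x00401000 -> frame 0x7c
    mem.write_u32(dtb + 0x200 * 4, 0x10000000 | PAGE_SIZE_FLAG | PRESENT)  # PDE[0x200]: 4 MiB page
    return mem, dtb


if __name__ == "__main__":
    mem, dtb = build_sample_image()
    for va in (0x00401234, 0x80000ABC, 0x00402000):
        pa = translate(mem, dtb, va)
        print(f"{va:#010x} -> " + (f"{pa:#x}" if pa is not None else "not present"))
```

The three lookups in the usage block exercise the three outcomes a real walk can produce: a normal 4 KiB page, a 4 MiB large page, and a linear address whose page-table entry is not present.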
Memory Concepts
Process Management
• A process is an instance of a program executing in memory.
• The operating system is responsible for managing process creation, suspension, and termination.
• When a program executes, a new process is created and associated with its own set of attributes, including a unique process ID and address space.
• A process provides the execution environment, resources, and context for threads to run.
• A thread is the basic unit of CPU utilization and execution. A thread is often characterized by a thread ID, CPU register set, and execution stack(s), which help define a thread's execution context.
Memory Concepts (ctd.)
Executive Objects
• A great deal of memory forensics involves finding and analyzing executive objects
• The OS, in particular Windows, uses (C-like) structures to organize related data and attributes; these include all kernel objects, e.g., processes, threads, etc.
• Executive objects: structures with various headers for managing services such as naming, access control, and reference counts
Memory Concepts (ctd.)
Executive Objects
• Data – content of objects (data block | page frame)
• Metadata – provides details about any given object (i.e. internal data structures)
Memory Concepts (cont.)
Basic Process Resources
(Figure: basic process resources. Acronym used in the figure: SID, security identifier.)
Memory Concepts (cont.)
Process Organization
• Processes are chained together in a doubly linked list structure
Memory Analysis
Memory Analysis for Malware
Steps for memory analysis to identify indicators of compromise:
1. Identify rogue processes: check running processes, executable names, parent processes, executable paths, when they started, command-line parameters, security identifiers, DLLs, etc.
2. Analyze process objects
3. Review network artifacts: check established network connections and the associated processes
4. Look for evidence of code injection
Memory Analysis (ctd.)
Baseline Processes
Identify what is expected and use it as a reference for what to expect
Initial Baseline
Requires a basic understanding of the core processes loaded by the OS upon boot and when a user logs on
Initial process baseline (for Windows systems – only samples)
Memory Analysis (ctd.)
Baseline Processes (cont.)
Initial process baseline for logon (Windows systems – only samples)
Baseline Processes (cont.)
System
smss.exe: session manager subsystem
csrss.exe: client/server runtime subsystem
wininit.exe: Windows initialization
lsass.exe: local security authority
lsm.exe: local session manager
services.exe: service control manager
svchost.exe
winlogon.exe: Windows logon process
userinit.exe
explorer.exe
rdpclip.exe
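The baseline above is what step 1 of the malware-analysis checklist (rogue processes: names, parents, paths) is compared against. The following is an added example, not from the slides or from Volatility, that runs that comparison over a constructed pslist-style table. The expected parent and image path for each baseline process, the sample listing, and the look-alike-name heuristic (a name within one edit of a baseline name) are all assumptions made for the demonstration.

```python
# Added example (not from the slides): check a process listing against a baseline
# of core Windows processes. The listing and the baseline values are constructed.
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Expected parent and image path per baseline process (assumed values for the demo).
BASELINE = {
    "smss.exe":     ("System",       r"\SystemRoot\System32\smss.exe"),
    "csrss.exe":    ("smss.exe",     r"C:\Windows\system32\csrss.exe"),
    "wininit.exe":  ("smss.exe",     r"C:\Windows\system32\wininit.exe"),
    "winlogon.exe": ("smss.exe",     r"C:\Windows\system32\winlogon.exe"),
    "lsass.exe":    ("wininit.exe",  r"C:\Windows\system32\lsass.exe"),
    "lsm.exe":      ("wininit.exe",  r"C:\Windows\system32\lsm.exe"),
    "services.exe": ("wininit.exe",  r"C:\Windows\system32\services.exe"),
    "svchost.exe":  ("services.exe", r"C:\Windows\system32\svchost.exe"),
    "userinit.exe": ("winlogon.exe", r"C:\Windows\system32\userinit.exe"),
    "explorer.exe": ("userinit.exe", r"C:\Windows\explorer.exe"),
}


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_rogue(procs):
    """Return (pid, name, reason) for each process deviating from the baseline:
    unexpected parent, unexpected image path, or a name resembling a baseline name."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        key = p.name.lower()
        parent = by_pid.get(p.ppid)  # None if the parent already exited (normal for explorer.exe)
        if key in BASELINE:
            exp_parent, exp_path = BASELINE[key]
            if parent is not None and parent.name.lower() != exp_parent.lower():
                findings.append((p.pid, p.name, f"unexpected parent {parent.name} (expected {exp_parent})"))
            if p.path.lower() != exp_path.lower():
                findings.append((p.pid, p.name, f"unexpected path {p.path}"))
        else:
            for base in BASELINE:
                if edit_distance(key, base) <= 1:
                    findings.append((p.pid, p.name, f"name resembles {base}"))
    return findings


# Constructed listing; the last two entries are the deliberately deviant ones.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(272, 4, "smss.exe", r"\SystemRoot\System32\smss.exe"),
    Proc(348, 272, "csrss.exe", r"C:\Windows\system32\csrss.exe"),
    Proc(384, 272, "wininit.exe", r"C:\Windows\system32\wininit.exe"),
    Proc(476, 384, "services.exe", r"C:\Windows\system32\services.exe"),
    Proc(488, 384, "lsass.exe", r"C:\Windows\system32\lsass.exe"),
    Proc(612, 476, "svchost.exe", r"C:\Windows\system32\svchost.exe"),
    Proc(1604, 1580, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2044, 1604, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    Proc(2100, 612, "svch0st.exe", r"C:\Windows\system32\svch0st.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in find_rogue(SAMPLE):
        print(f"{pid:>5}  {name:<14} {reason}")
```

The parent check is skipped when the parent is no longer in the listing, because userinit.exe legitimately exits after launching the shell; a real baseline should be built per OS version rather than reused across versions.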
Memory Analysis (ctd.)
Volatility – Memory Analysis Tool
Created by Aaron Walters and Nick L. Petroni
■ Open source (unlike prior systems)
■ Written in Python
Command-line memory forensic tool
• Primarily Windows-focused
• Linux (Android) and Mac support now available
• Modular, portable
Extracts:
■ Image date and time
■ Memory map for each running process
■ Network sockets
■ DLLs loaded for each process
■ Lots more.
https://www.volatilesystems.com/VolatileWeb/volatility.gsp
http://volatility.tumblr.com/
Memory Analysis (ctd.)
Volatility – Memory Analysis Tool (cont.)
Volatility commands:
$ python volatility
Supported Commands:
  connections   Print list of open connections
  connscan      Scan for connection objects
  datetime      Get date/time information for image
  dlllist       Print list of loaded DLLs for each process
  files         Print list of open files for each process
  ident         Identify image properties such as DTB and VM type
  modules       Print list of loaded modules
  pslist        Print list of running processes
  psscan        Scan for EPROCESS objects
  sockets       Print list of open sockets
  sockscan      Scan for socket objects
  strings       Match physical offsets to virtual addresses
  thrdscan      Scan for ETHREAD objects
  vaddump       Dump the VAD sections to files
  vadinfo       Dump the VAD info
  vadwalk       Walk the VAD tree
Memory Analysis (ctd.)
Volatility – Memory Analysis Tool (cont.)
• Analyzing process activity
Process structures:
• Offset: the location in RAM of the process, in hexadecimal
• Name: the process name, as it would be shown in Task Manager
• PID: the process ID
• PPID: the parent process, i.e., the process that launched this process
Memory Analysis (ctd.)
Process Injection
- Technique used for running code within the address space of another process by forcing it to load malicious code, e.g., in the form of a dynamic-link library (DLL).
Memory Analysis (ctd.)
Process Hollowing
• Process Hollowing: a code injection technique in which the executable section of a legitimate process in memory is replaced with malicious code (mostly a malicious executable).
• Allows malware to blend in as a legitimate process and then causes the legitimate process to execute malicious code
• The path of the process being hollowed out will still point to the legitimate path → by executing within the context of a legitimate process the malware can bypass firewalls and host intrusion prevention systems
• E.g. an svchost.exe process is hollowed out with the path still pointing to the legitimate executable (C:\Windows\system32\svchost.exe), but in memory only the executable section of svchost.exe is replaced with malicious code
Process Hollowing (cont.)
Working of Process Hollowing (A: malicious process, B: legitimate process)
1. Malicious process A starts legitimate process B in suspended mode
2. A identifies the full path to B and points to the address where B's executable is loaded
Memory Analysis (cont.)
Detecting Process Hollowing using Memory Forensics (cont.)
Detecting by Comparing the PEB and the VAD structure
Memory Analysis (cont.)
Detecting Process Hollowing using Memory Forensics (cont.)
Detecting by Comparing the PEB and the VAD structure – Example
Full path to lsass.exe (pid 868) and the base address (0x01000000) where it is loaded, obtained from the PEB.
From the VAD: the full path name to lsass.exe is not shown, because the malware unmapped lsass.exe; as a result, the full path name is no longer associated with the address 0x01000000.
Memory Analysis (cont.)
Detecting Process Hollowing using Memory Forensics (cont.)
Detecting using suspicious memory protection
- A process region with memory protection PAGE_EXECUTE_READWRITE suggests that the particular memory range might be concealing executable code, and this makes the process suspicious
- Any executable that is normally loaded will have a memory protection of PAGE_EXECUTE_WRITECOPY.
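Both detection ideas from the preceding slides (comparing the PEB image base and path against the VAD, and looking for PAGE_EXECUTE_READWRITE regions) as one added example that is not from the slides or from Volatility. The process views below are constructed to resemble the fields Volatility's PEB and VAD output exposes; the field names, the pid 868 / base 0x01000000 case modelled on the slide's lsass.exe example, and the clean control process are assumptions for the demonstration.

```python
# Added example (not from the slides): two process-hollowing checks over constructed
# process views shaped like PEB and VAD data. Field names are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Vad:
    start: int
    end: int
    protection: str
    file: Optional[str] = None  # mapped file name; None for private (non-file-backed) memory


@dataclass
class ProcessView:
    pid: int
    name: str
    peb_image_path: str   # from the PEB: full path of the image
    peb_image_base: int   # from the PEB: base address the image is loaded at
    vads: List[Vad]


def check_peb_vs_vad(p):
    """Locate the VAD covering the PEB image base and compare its mapped file with
    the PEB path. A private or differently-named mapping at that address is the
    signal the slide describes (the original image was unmapped)."""
    for v in p.vads:
        if v.start <= p.peb_image_base <= v.end:
            if v.file is None:
                return f"pid {p.pid} {p.name}: image base {p.peb_image_base:#x} has no file mapping in the VAD"
            if v.file.lower() != p.peb_image_path.lower():
                return f"pid {p.pid} {p.name}: VAD maps {v.file} but PEB says {p.peb_image_path}"
            return None
    return f"pid {p.pid} {p.name}: image base {p.peb_image_base:#x} is not covered by any VAD"


def suspicious_protections(p):
    """Return (start, end) of every region marked PAGE_EXECUTE_READWRITE. A normally
    loaded image is PAGE_EXECUTE_WRITECOPY, so RWX regions deserve a closer look."""
    return [(v.start, v.end) for v in p.vads if v.protection == "PAGE_EXECUTE_READWRITE"]


# Constructed views: one clean process and one hollowed one (same name and base).
CLEAN = ProcessView(
    pid=700, name="lsass.exe",
    peb_image_path=r"C:\Windows\system32\lsass.exe", peb_image_base=0x01000000,
    vads=[Vad(0x01000000, 0x01005FFF, "PAGE_EXECUTE_WRITECOPY", r"C:\Windows\system32\lsass.exe"),
          Vad(0x7FFD0000, 0x7FFD0FFF, "PAGE_READWRITE")],
)
HOLLOWED = ProcessView(
    pid=868, name="lsass.exe",
    peb_image_path=r"C:\Windows\system32\lsass.exe", peb_image_base=0x01000000,
    # The image was unmapped and the range re-allocated as private RWX memory.
    vads=[Vad(0x01000000, 0x01005FFF, "PAGE_EXECUTE_READWRITE"),
          Vad(0x7FFD0000, 0x7FFD0FFF, "PAGE_READWRITE")],
)

if __name__ == "__main__":
    for proc in (CLEAN, HOLLOWED):
        print(check_peb_vs_vad(proc) or f"pid {proc.pid} {proc.name}: PEB and VAD agree")
        for start, end in suspicious_protections(proc):
            print(f"  RWX region {start:#x}-{end:#x}")
```

Either check alone can be noisy (JIT compilers allocate RWX regions legitimately), so in practice the two results are read together and confirmed by dumping the region.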
Memory Analysis (ctd.)
Process Hiding
• Main technique used by rootkits to escape detection
• Various hiding techniques exist, e.g.:
• renaming the process to something that looks like a Windows process
• hiding or masquerading as a service run through svchost.exe
• hiding in a crowded directory (e.g. dev or the Windows system directories)
• Direct Kernel Object Modification (DKOM) is a common hiding technique used in many rootkits
Memory Analysis (cont.)
Process Hiding with DKOM
• The Windows kernel uses EPROCESS structures to handle processes.
• Each structure has the process ID (PID) and two links: Flink (forward link) and Blink (backward link)
• All processes in a Windows system refer to each other via these pointers
Memory Analysis (cont.)
Process Hiding with DKOM (cont.)
• Processes make up a doubly linked list used by tools such as taskmgr.exe (Task Manager)
Memory Analysis (cont.)
Process Hiding with DKOM (cont.)
• The DKOM technique hides a process by unlinking its own process links and linking the previous and next processes directly to each other.
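The linked-list structure from the Process Organization slide and the DKOM unlink described above, modelled in an added example that is not from the slides. It shows why a list walk (what pslist and Task Manager do) misses the unlinked entry while a scan for EPROCESS objects in physical memory (what psscan does) still finds it, and derives the hidden set from the difference of the two views. The toy EProcess class and the sample process set are constructed.

```python
# Added example (not from the slides): toy model of the EPROCESS doubly linked
# list, the DKOM unlink, and cross-view detection (list walk vs. object scan).


class EProcess:
    """Toy stand-in for the kernel's EPROCESS: a PID, a name and the two links."""

    def __init__(self, pid, name):
        self.pid = pid
        self.name = name
        self.flink = None  # forward link: next process in the active-process list
        self.blink = None  # backward link: previous process


def build_list(entries):
    """Link EProcess objects into a circular doubly linked list; return them in order."""
    procs = [EProcess(pid, name) for pid, name in entries]
    for i, p in enumerate(procs):
        p.flink = procs[(i + 1) % len(procs)]
        p.blink = procs[i - 1]
    return procs


def walk_list(head):
    """pslist-style enumeration: follow Flink from the head until it wraps around."""
    seen, cur = [], head
    while True:
        seen.append(cur.pid)
        cur = cur.flink
        if cur is head:
            return seen


def dkom_unlink(target):
    """The modification the slide describes: the neighbours are pointed at each
    other; the target keeps its own links, so the scheduler (which works from
    threads, not from this list) continues to run it."""
    target.blink.flink = target.flink
    target.flink.blink = target.blink


def pool_scan(all_objects):
    """psscan-style enumeration: every EPROCESS found in physical memory,
    regardless of whether it is still linked into the list."""
    return [p.pid for p in all_objects]


def hidden_processes(all_objects, head):
    """Cross-view check: PIDs present in the scan but absent from the list walk."""
    return sorted(set(pool_scan(all_objects)) - set(walk_list(head)))


if __name__ == "__main__":
    # Constructed process set; "sample.exe" is the one that gets unlinked.
    procs = build_list([(4, "System"), (272, "smss.exe"), (1337, "sample.exe"), (1604, "explorer.exe")])
    print("before unlink, pslist view:", walk_list(procs[0]))
    dkom_unlink(procs[2])
    print("after unlink,  pslist view:", walk_list(procs[0]))
    print("psscan view:               ", pool_scan(procs))
    print("hidden by DKOM:            ", hidden_processes(procs, procs[0]))
```

Note that after the unlink the list is still internally consistent (every Flink's Blink points back correctly), so a pure link-integrity check would not notice; the difference between the two views is what gives the process away.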
Windows Registry
Hierarchical database
Windows Registry (cont.)
• Opening the Windows Registry
• Type 'regedit' in a cmd window
• The Registry comprises 5 to 7 hierarchical folders – hives.
• Folder names start with HKEY – Handle to a Key.
Windows Registry (cont.)
Registry Structure
Windows Registry (cont.)
• Information (i.e. potential evidence) that resides in the Registry makes it a significant forensics resource
• Information that can be found in the registry includes:
• startup (boot-time) applications
• logs of computers that have communicated with the host
• downloaded files/programs, e.g. wiping programs to destroy evidence
• auto-complete Internet Explorer passwords
• users and the time they last used the system
• most recently used software
• any devices mounted to the system, including unique identifiers of flash drives, hard drives, phones, tablets, etc.
• when the system connected to a specific wireless access point
• what files were accessed and when
• a list of any searches done on the system (web sites visited and typed URLs)
Windows Registry – Sample Keys (cont.)
• A handful of Registry entries control the applications and services that run at startup, e.g.:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows Registry – Sample Keys (cont.)
• The Winlogon key controls actions that occur when a user logs on to a computer running Windows. The following keys can automatically launch programs:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
• Programs listed in the load value of the following registry keys run when any user logs on:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
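An added example, not from the slides, that turns the Run/RunOnce and Winlogon keys above into a triage check: it parses a constructed .reg export (the format produced by exporting a key from regedit) and flags the entries an examiner looks at first, i.e. autostart commands launched from user-writable paths, extra entries in Userinit, and a non-default Shell. Userinit and Shell are treated here as values under the Winlogon key; the user-writable prefixes, the expected defaults (userinit.exe and explorer.exe) and the sample export contents are assumptions for the demonstration.

```python
# Added example (not from the slides): parse a constructed .reg export of the
# autostart keys and flag entries worth a closer look. Heuristics are assumptions.
import re

# Constructed export; two entries are deliberately suspicious.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /background"
"Updater"="C:\\Users\\bob\\AppData\\Roaming\\updater.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notes"="C:\\Program Files\\Notes\\notes.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\helper.exe,"
"Shell"="explorer.exe"
'''

# A .reg string value: "name"="data", with \\ and \" escapes inside the quotes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Assumed prefixes a standard user can write to; autostarts from here are unusual.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # assumed default (comparison is case-insensitive)
DEFAULT_SHELL = "explorer.exe"                          # assumed default


def unescape_reg(s):
    """Undo .reg escaping: \\ -> \ and \" -> " (any other escaped char is kept)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for the REG_SZ values in an export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][unescape_reg(m.group(1))] = unescape_reg(m.group(2))
    return keys


def first_executable(command):
    """Pull the program path out of an autostart command (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def triage(keys):
    """Return (key, value_name, item, reason) for every entry that deviates."""
    findings = []
    for key, values in keys.items():
        tail = key.rsplit("\\", 1)[-1].lower()
        if tail in ("run", "runonce"):
            for name, cmd in values.items():
                exe = first_executable(cmd)
                if exe.lower().startswith(USER_WRITABLE):
                    findings.append((key, name, exe, "autostart from user-writable path"))
        elif tail == "winlogon":
            for entry in values.get("Userinit", "").split(","):
                if entry and entry.lower() != DEFAULT_USERINIT:
                    findings.append((key, "Userinit", entry, "extra Userinit entry"))
            shell = values.get("Shell", DEFAULT_SHELL)
            if shell.lower() != DEFAULT_SHELL:
                findings.append((key, "Shell", shell, "non-default Shell"))
    return findings


if __name__ == "__main__":
    for key, name, item, reason in triage(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}: {name} -> {item}  [{key}]")
```

The same parser works on an export of the HKCU Windows key and the Session Manager key from the last slide; only the per-key rules in triage need extending, since those keys carry different value names.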