The role of Live RAM analysis

Catching the ghost with Live RAM Analysis
Yuri Gubanov, Belkasoft
www.belkasoft.com
Digital Device as Source of Evidence
Every PC, Laptop or Mobile Device is an Invaluable Source of Evidence
• Hard drive/Permanent memory
• Volatile memory (RAM)
• Hibernation and page files
Role of Ephemeral Evidence
The role of Live RAM analysis
• Essential for discovering important evidence
• Accepted as or becoming a standard procedure
• Part of ACPO recommendations
Ephemeral Evidence and Live RAM Analysis
Live RAM analysis reveals more evidence
• Recently viewed pictures
• Documents
• Data from browsing sessions with enforced privacy settings
• System and registry information
• Recent social network communications
• Chats from gaming sessions
• And most important...
Decryption keys for encrypted volumes
Instant access to encrypted volumes
• Apple FileVault 2
• Microsoft BitLocker
• TrueCrypt
• PGP WDE
Limitations
Limitations of Live RAM analysis
• Ephemeral nature of evidence
• Memory is gone in seconds
• Only the most recent data (e.g. no Facebook chats from a year ago)
Capturing Memory Dumps
Don’t Pull The Plug!
• Still standard practice despite official recommendations
• Many types of evidence permanently lost:
  • Data on running processes
  • Running malware
  • Webmail
  • Communications in social networks
  • Open network connections
  • And much more!
• 1-16 GB of potential evidence!
Looking for Evidence
Where to Look for Evidence:
• Volatile memory: live RAM dumps
• Virtual memory: hibernation files and page files
• Memory dumps are often fragmented
• Proper acquisition technique is required
Ephemeral Evidence
Hibernation and page files
• Contain ephemeral evidence
• Help performing Live RAM analysis
Where:
• Hibernation file: hiberfil.sys on primary (bootable) disk
• Must be readable by the bootloader, always stored on a specific sector of the hard drive, on the primary system partition
Ephemeral Evidence
Where:
• Page file: pagefile.sys
• Location specified in Registry:
  • Key Name: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\
    Value Name: PagingFiles
    Type: REG_MULTI_SZ
    Data: C:\pagefile.sys 150 500
Live Box or Live RAM?
Live Box vs. Offline Analysis
• Careful assessment of risk vs. potential benefits
• Capturing a memory dump for off-line analysis
• Continuing with live box analysis:
  • you know why (e.g. established secure VPN connection)
  • you have evaluated the risks
• A memory dump is analyzed on the investigator’s PC
The Standard Procedure
ACPO Guidelines recommend:
• Perform risk assessment of the situation
• Install a capturing device (e.g. USB flash drive)
• Run collection script
• Once complete, stop the device
• Remove the device
• Verify output on a separate PC
  • not on the suspect’s system!
• Immediately follow with standard power-off procedure
Ways to Acquire Memory Dumps
Hardware or software acquisition?
• Different acquisition methods exist
• Acquisition method of choice depends on several factors:
  • Desktop or laptop PC
  • Available extension ports
  • Windows, Mac OS, Linux
• Microsoft whitepaper (January 2014): http://www.microsoft.com/enus/download/confirmation.aspx?id=41671
DMA Attack
Direct Memory Access (DMA)
• DMA access available to certain types of hardware
• Implementation of OHCI / IEEE 1394 (FireWire, i.Link) open for spoofing
• DMA ports don’t use authentication and access control
• DMA-enabled ports often unavailable on mobile devices
• Tablets typically won’t have ports with DMA access
DMA Attack (continued)
Direct Memory Access devices
• DMA-based attacks can be performed via:
  • FireWire: native R/W access
  • Thunderbolt: native R/W access
  • ExpressCard: FireWire emulation
  • PCMCIA/CardBus/PC Card: FireWire emulation
  • PCI Express (PCIe)
FireWire Attack
FireWire attack
• Technique to capture RAM from another machine
  • Works in Windows XP, Vista, Windows 7 and 8
  • Windows 8.1 won’t enable newly attached DMA devices until a user signs in
  • Mac OS X already patched (sleep mode operation not possible)
  • Recent Linux kernels already patched
• Does not affect source computer memory
• Exploits known security issue
• Based on DMA (direct memory access)
• Free acquisition tools exist
FireWire Attack
Requirements
• FireWire drivers installed and not disabled
  • Mac OS disables them when OS is locked
• FireWire port exists, or
• special hardware inserted
  • PCMCIA card
  • CardBus
  • ExpressCard
• See http://www.hermann-uwe.de/blog/physical-memoryattacks-via-firewire-dma-part-1-overview-and-mitigation
Cold Boot Attack
Pre-requisites
• A good freezer capable of reaching -50°C
• Bootable media (e.g. USB stick) with RAM acquisition tools
• 64-bit, tiny footprint command-line OS recommended
Cold Boot Attack (continued)
How it works
• RAM cleared when the PC is restarted: WRONG
• Memory chips retain data for a while
• Longer retention in lower temperatures
• Data retained for several seconds at -50°C
• Demo video: https://www.youtube.com/watch?v=JDaicPIgn9U
• Defence R&D Canada “In-depth analysis of the cold boot attack”: http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078
Cold Boot Attack (continued)
Is it feasible?
• Generally unreliable
• User may enable Secure Boot option in UEFI
• Moving memory chips onto another device is possible but even less reliable
• Many types of RAM completely immune to this attack
Freezer attack on mobile device
• Attack on encrypted smartphone memory
• Use ordinary freezer to slow down RAM leak
• Cooled phone is reset in fastboot mode
• Then special FROST software used
• Result:
  • encryption keys found
  • RAM memory captured
  • lock screen keys cracked
Memory Acquisition: Software
Pre-requisites
• Kernel-mode operation
• Smallest footprint possible
• Portability
• Read-only access
Collecting volatile data that can withstand legal scrutiny is tricky
Acquiring Memory Dumps
Kernel mode operation
• What is kernel mode?
• Why is it needed?
• Proactive RAM protection
• What if a tool runs in user mode?
  • Zeroes instead of actual content
  • Faked memory
  • Destroyed evidence
  • Locked up or rebooted PC
Check Your Acquisition Tools
Some tools do not comply
• FTK Imager
• PMDump
  • Both executing in user mode (Ring 3)
• Test your memory dumping tool!
Performing Memory Acquisition
Acquiring protected memory sets
• Test setup: Karos (MMORPG)
• Made Karos chats, captured RAM dumps:
  • FTK Imager: all zeroes
  • PMDump: no chats found
  • Belkasoft Live RAM Capturer: all chats found
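A small check in the spirit of the "Karos test" above, added here as an example and not part of the presentation or of any Belkasoft tool: the examiner plants a unique marker in memory before capture (e.g. types it into the chat window), then the resulting dump is graded on its share of all-zero pages (a user-mode tool fed zeroes by RAM protection) and on whether the marker survived. The 4 KiB page size, the 90 % zero-page threshold and the three in-memory dumps are assumptions constructed for the demo.

```python
import mmap

PAGE = 4096                 # assumed page size for the zero-page count
ZERO_PAGE = bytes(PAGE)

def zero_page_ratio(dump):
    """Fraction of PAGE-sized chunks in the dump that contain only zero bytes."""
    n = len(dump)
    if n == 0:
        return 1.0
    offsets = range(0, n, PAGE)
    zeros = 0
    for off in offsets:
        chunk = dump[off:off + PAGE]
        if chunk.count(0) == len(chunk):
            zeros += 1
    return zeros / len(offsets)

def assess_dump(dump, marker, max_zero_ratio=0.9):
    """Grade a capture the way the Karos test does: 'all zeroes', 'marker not
    found' or 'marker found'. max_zero_ratio is an assumed threshold; free RAM
    is legitimately zero-filled, so calibrate it against a dump of the same
    machine taken with a tool you already trust."""
    if zero_page_ratio(dump) >= max_zero_ratio:
        return "all zeroes"            # typical of a blocked user-mode capturer
    if dump.find(marker) < 0:
        return "marker not found"      # capture incomplete or content faked
    return "marker found"

def assess_dump_file(path, marker):
    """Same check over a dump on disk, memory-mapped so a multi-GB file is
    not read into the analysis PC's RAM at once."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return assess_dump(m, marker)

# Constructed dumps standing in for the three outcomes reported above.
MARKER = b"KAROS-TEST-7f3a1c"     # unique string typed into the chat before capture
FILLER = bytes(range(256)) * 16   # one page of non-zero filler

def demo_outcomes():
    blocked = ZERO_PAGE * 8                                  # tool returned zeroes
    incomplete = FILLER * 4 + ZERO_PAGE * 4                  # real data, marker lost
    good = FILLER * 2 + MARKER + FILLER[len(MARKER):] + FILLER + ZERO_PAGE * 4
    return [assess_dump(d, MARKER) for d in (blocked, incomplete, good)]
```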
Footprint
Achieving minimum footprint
• Some footprint is inevitable
• Must be properly documented
• Loading capturer application takes space in volatile memory
• Potentially overwriting evidence or important data
• The smallest footprint is desired
Portability
Usable in the field
• The tool must be able to run from a thumb drive
• No installation allowed
• No third-party libraries should be counted on
Read Only
Read-only operation
• All data should be dumped to a removable device
• No data alterations allowed on suspect’s PC
Capturing Memory Dumps
Live RAM Capturer
• Free forensically sound memory acquisition tool
• True kernel-mode operation in 32-bit and 64-bit environments
• Bypasses active anti-debugging and anti-dumping protection
• Forensically tested with minimum footprint
• Portable operation
• Produces binary memory dumps that are usable in Belkasoft and third-party tools
Belkasoft Live RAM Capturer
Features
• 32-bit and 64-bit drivers supplied
• Small footprint
  • 140 KB (32-bit), 167 KB (64-bit)
• Runs in kernel mode
• Portable
• Read-only
• Successfully passes the “Karos test”
• Download from belkasoft.com/ram-capturer
Analyzing Memory Dumps
RAM analysis tools
• No all-in-one solution exists
• Belkasoft Evidence Center
  • Finds documents, pictures, Windows Registry and Event Logs, social network communications, browsing activities, webmails etc.
  • Memory dumps defragmented with BelkaCarving
• Elcomsoft Forensic Disk Decryptor
  • Extracts decryption keys for encrypted volumes
• Passware Kit Forensic
  • Extracts decryption keys for encrypted volumes
  • Captures RAM using the FireWire attack
Memory Fragmentation
RAM content is fragmented
• Live RAM fragmentation is an issue
• Straightforward approach only works for small data chunks, does not work for larger chunks
• Smart RAM carving highly recommended
• BelkaCarving™ defragments memory dumps
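A toy illustration of the fragmentation point above, added as an example that is not BelkaCarving or any Belkasoft code: a physical dump holds a process's pages wherever the OS placed them, so a contiguous signature search recovers a record that fits in one page but misses one that spans two non-adjacent frames; rebuilding the process's virtual address space from its page table recovers both. The 4 KiB pages, the KAROS_CHAT delimiters, the eight-frame dump and the page table are all constructed; a real carver has to recover the mapping from the paging structures inside the dump.

```python
PAGE = 4096
HEAD, TAIL = b"KAROS_CHAT{", b"}END_CHAT"   # constructed record delimiters

def carve_contiguous(buf, head, tail):
    """Straightforward carver: a record is a head followed by its tail, with
    no other head in between, in one contiguous run of the buffer."""
    found, pos = [], 0
    while True:
        start = buf.find(head, pos)
        if start < 0:
            return found
        end = buf.find(tail, start)
        nxt = buf.find(head, start + len(head))
        if end >= 0 and (nxt < 0 or end < nxt):
            found.append(buf[start:end + len(tail)])
        pos = start + len(head)

def rebuild_virtual_space(dump, page_table):
    """Concatenate physical frames in virtual-page order; a virtual page that
    is not resident (absent from the table) becomes a zero page."""
    pages = []
    for vpn in range(max(page_table) + 1):
        pfn = page_table.get(vpn)
        pages.append(dump[pfn * PAGE:(pfn + 1) * PAGE] if pfn is not None else bytes(PAGE))
    return b"".join(pages)

def build_demo_dump():
    """Constructed dump of 8 frames. One process maps virtual pages 0..3 to
    frames 4, 2, 6, 1. A 22-byte chat fits in page 0; a 6000-byte chat spans
    pages 2-3, i.e. frames 6 and 1, which are not adjacent in the dump."""
    small = HEAD + b"hi" + TAIL
    big = HEAD + b"A" * (6000 - len(HEAD) - len(TAIL)) + TAIL
    page_table = {0: 4, 1: 2, 2: 6, 3: 1}          # virtual page -> physical frame
    frames = [bytearray(PAGE) for _ in range(8)]
    frames[page_table[0]][:len(small)] = small
    frames[page_table[2]][:] = big[:PAGE]
    frames[page_table[3]][:len(big) - PAGE] = big[PAGE:]
    return b"".join(frames), page_table, small, big

def demo():
    """Returns (physical search found only the small chat,
    virtual-space search found both)."""
    dump, page_table, small, big = build_demo_dump()
    physical = carve_contiguous(dump, HEAD, TAIL)
    virtual = carve_contiguous(rebuild_virtual_space(dump, page_table), HEAD, TAIL)
    return physical == [small], virtual == [small, big]
```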
Hands On Experience
Belkasoft Live RAM Capturer:
• Completely free: http://belkasoft.com/ram-capturer
Belkasoft Evidence Center:
• Commercial tool
• Request a free fully featured license: http://belkasoft.com/trial
Contacts
Interested in getting this presentation?
• Leave me your business card
• Send me an email at yug@belkasoft.com
• Add me on LinkedIn (http://ru.linkedin.com/in/yurigubanov or search for Yuri Gubanov)
Also
• Write to us at contact@belkasoft.com
• Attend our FREE webinar at http://belkasoft.com