Memory Forensics
• Key component in DFIR
• Consider a second hobby (knitting)
• Get a rocking chair
• You still want to do this?
• Fine.....

Stuff to keep in mind
• If the machine is x64, use the right (64-bit) imager
  – If you BSOD the machine you destroyed the info

Get memory image
• F-Response
  – I have yet to play with this
  – If you have... I dislike you
  – Uses the iSCSI protocol and blocks write operations to the target
  – Allows you to use other tools to get the image
  – What other tools? Glad you asked...

Win32dd/Moonsols
• Started life as Win32dd
• Hashes the image – MD5, SHA-1 and SHA-256
• You can set up a listener on your system to receive the image over the network
  – Default is port 1337
• Will convert memory to an MS crash dump

Mandiant
• Memoryze – will acquire and analyze
• You can analyze a saved image
• Also requires Audit Viewer
• Mandiant has a newer product...

Redline
• By Mandiant
• Free to use
• www.mandiant.com/resources/downloads
• Pretty slick / Sloooooooooooooooow at times

And a bunch more
• WinPmem – this is very good: Windows XP to Windows 8, both 32 and 64 bit
• Dumpit – eh, not bad; we like ^^ (WinPmem) better

Volatility
• We like this...
• Written in Python
  – Has an API so you can make stuff with it
  – Has plugins that are pretty cool
  – Works fairly fast
  – Not as nice as Redline, but a lot of options

Volatility – Install
• Stand-alone exe for Windows – you're not left out
• Easy install for Linux
• Download and install the dependencies:
  – Distorm3 – https://code.google.com/p/distorm
  – Yara – https://code.google.com/p/yara-project/
  – PyCrypto – https://www.dlitz.net/software/pycrypto/
  – PIL – http://www.pythonware.com/products/pil/
• Then: sudo python setup.py install
• Flipping hard, huh?

Volatility – Using
• When in doubt, --help it out
• python vol.py -h
• Mmmmkey, so?!?
Volatility – Do eeeet
• What OS was the image from?
• python vol.py -f <imagename> imageinfo
  – It will make a best guess; you should know already
  – Some plugins only work on particular OS versions (e.g. Vista/2003)
  – You can get more plugins from the community
  – Use verbose mode and an output file: -v --output-file=<path>

Volatility – Still waiting to do eeet
• To save typing, assume all commands below are prefaced with
  – python vol.py -f <path to memory image> --profile=<OS>
• .............

Volatility – XP/2003/Vista
• Network connections:
  – connections (standard netstat -an info, taken from the active connection list)
  – connscan (scans for _TCPT_OBJECT structures, so it can also turn up connections that have already closed)
• Look to see what is running:
  – pslist – typical tasklist – not cool like tasklist /SVC
  – Name, PID, PPID, Threads, Handles, Time

Volatility
• Look for:
  – svchost.exe, not svchosts / svch0st / scvhost
  – lsass.exe, not Lssas etc.
  – csrss.exe, not cssrs etc.
• Wanna see something dirty?

  Offset     Name         PID  PPID PDB        Time created
  0x01795c18 jqs.exe      1720 676  0x098c01a0 2010-02-03 20
  0x01797020 nc.exe       1508 1124 0x098c0200 2010-02-03 20
  0x01842900 nc.exe       1888 1124 0x098c03c0 2010-02-03 20
  0x0185a2d0 hot_pics.exe 1124 380  0x098c03a0 2010-02-03 20

• Both nc.exe instances have PPID 1124: they were spawned by hot_pics.exe

psscan
• Scans memory for _EPROCESS structures instead of walking the kernel's doubly linked process list
• Can find processes that have been unlinked from that list (hidden) or have already exited

dlllist
• If you see a process you want to know more about, take the PID:
  – dlllist -p 420
• Will show you base address, size and path:

  Base       Size     Path
  0x1000000  0x6000   C:\WINDOWS\system32\svchost.exe
  0x7c900000 0xb0000  C:\WINDOWS\system32\ntdll.dll
  0x7c800000 0xf4000  C:\WINDOWS\system32\kernel32.dll
  0x77dd0000 0x9b000  C:\WINDOWS\system32\ADVAPI32.dll
  0x77e70000 0x91000  C:\WINDOWS\system32\RPCRT4.dll
  0x5cb70000 0x26000  C:\WINDOWS\system32\ShimEng.dll
  0x6f880000 0x1ca000 C:\WINDOWS\AppPatch\AcGenral.DLL
  0x77d40000 0x90000  C:\WINDOWS\system32\USER32.dll
  0x77f10000 0x46000  C:\WINDOWS\system32\GDI32.dll
  0x76b40000 0x2d000  C:\WINDOWS\system32\WINMM.dll
  0x774e0000 0x13c000 C:\WINDOWS\system32\ole32.dll

Win7/2008
• Ton more stuff we can do:
• Malfind – The second memory segment (starting at 0x015D0000) was
detected because it contained an executable that isn't listed in the PEB's module lists.
• If you want to save extracted copies of the memory segments identified by malfind, just supply an output directory with -D or --dump-dir=DIR. In this case, an unpacked copy of the Zeus binary that was injected into explorer.exe would be written to disk.
• ---- From WIKI -----
• While there, read up on: yarascan, svcscan, ldrmodules, apihooks, psxview

Way more stuff
• https://code.google.com/p/volatility/
• http://www.mandiant.com/resources/downloads/

L2Read
• Malware Analyst's Cookbook: Tools and Techniques for Fighting Malicious Code
• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
• A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security
• Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7, Third Edition
• Well screw it...

L2listen
• Forensics:
  – SANS – sans.org, d'uh, you know they got some good stuff
• Security in general:
  – Exotic Liability – can be spotty, F'ing good in general
  – Pauldotcom – not so much forensics, but good in general
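Worked example for the pslist/psscan slides above (added here; this is not code from the slides or from Volatility): the three checks the slides do by eye, run over the text the plugins print. The jqs/nc/hot_pics rows are the ones on the slide (timestamps truncated there, so truncated here too); the remaining rows, the CORE_NAMES list, the pslist sample and all function names are constructed for the example.

```python
"""Triage of Volatility pslist/psscan text output (added example)."""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "offset name pid ppid")

# Core Windows processes that malware likes to imitate. Assumption: a short
# starter list; extend it for the OS you are looking at.
CORE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
              "winlogon.exe", "services.exe", "explorer.exe"}

# Constructed sample psscan output: first four rows from the slide, last
# three made up to exercise the lookalike and hidden-process checks.
PSSCAN_OUTPUT = """\
Offset     Name         PID  PPID PDB        Time created
0x01795c18 jqs.exe      1720 676  0x098c01a0 2010-02-03 20
0x01797020 nc.exe       1508 1124 0x098c0200 2010-02-03 20
0x01842900 nc.exe       1888 1124 0x098c03c0 2010-02-03 20
0x0185a2d0 hot_pics.exe 1124 380  0x098c03a0 2010-02-03 20
0x01900000 svch0st.exe  1900 676  0x098c0400 2010-02-03 20
0x01910000 Lssas.exe    1910 380  0x098c0410 2010-02-03 20
0x01920000 rootkit.exe  1930 1124 0x098c0420 2010-02-03 20
"""

# Constructed pslist output: it walks the kernel's linked list, so a process
# unlinked from that list (rootkit.exe here) is missing.
PSLIST_OUTPUT = """\
Offset(V)  Name         PID  PPID Thds Hnds Time
0x81795c18 jqs.exe      1720 676  5    135  2010-02-03 20
0x81797020 nc.exe       1508 1124 1    30   2010-02-03 20
0x81842900 nc.exe       1888 1124 1    30   2010-02-03 20
0x8185a2d0 hot_pics.exe 1124 380  2    60   2010-02-03 20
0x81900000 svch0st.exe  1900 676  3    80   2010-02-03 20
0x81910000 Lssas.exe    1910 380  3    80   2010-02-03 20
"""

ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")


def parse(output):
    """Turn plugin text output into Proc records; header lines do not match."""
    procs = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            procs.append(Proc(int(m.group(1), 16), m.group(2),
                              int(m.group(3)), int(m.group(4))))
    return procs


def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance, so a swap
    such as cssrs/csrss or scvhost/svchost costs 1 edit, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


LEET = str.maketrans("0135", "oles")  # undo digit-for-letter swaps (svch0st)


def lookalikes(procs, core=CORE_NAMES):
    """Map each name that is not a core name, but is within two edits of one
    after case-folding and undoing leet digits, to the name it imitates."""
    hits = {}
    for p in procs:
        lowered = p.name.lower()
        if lowered in core:
            continue
        normalized = lowered.translate(LEET)
        for c in core:
            if osa_distance(normalized, c) <= 2:
                hits[p.name] = c
                break
    return hits


def ancestry(procs, pid):
    """Names from a process up through its parents; stops when the parent
    is not in the listing (it may have exited) or a PID loop is detected."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


def psscan_only(pslist_procs, psscan_procs):
    """PIDs the _EPROCESS scan found but the list walk did not: processes
    unlinked from the list (hidden) or ones that exited recently."""
    listed = {p.pid for p in pslist_procs}
    return sorted(p.pid for p in psscan_procs if p.pid not in listed)


if __name__ == "__main__":
    scanned, listed = parse(PSSCAN_OUTPUT), parse(PSLIST_OUTPUT)
    print("lookalikes:", lookalikes(scanned))
    for p in scanned:
        if p.name == "nc.exe":
            print(p.pid, " <- ".join(ancestry(scanned, p.pid)))
    print("psscan only:", psscan_only(listed, scanned))
```

The edit-distance threshold of 2 catches the slide's examples (svchosts, svch0st, scvhost, Lssas, cssrs) but will also flag some legitimate names that happen to sit close to a core name, so treat hits as things to look at, not verdicts. Comparing pslist against psscan by hand is what the psxview plugin mentioned later automates across several process-listing techniques.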
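Worked example for the malfind passage above (added here; this is not the slides' code and not Volatility's own malfind plugin): the check the wiki excerpt describes, an executable region that is not in the PEB's module lists, applied to a constructed process. The Region/Module layouts, the sample process and the contents of the 0x015d0000 region are assumptions made for the example; the real plugin walks the process's VAD tree and disassembles the hit with distorm3, where this one prints a hex/ASCII preview.

```python
"""Malfind-style scan of a process's memory regions (added example)."""
from collections import namedtuple

# Windows page protection constants (the executable subset plus RW).
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = (PAGE_EXECUTE, PAGE_EXECUTE_READ,
              PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

# One VAD-like region: address range, protection, whether it is private
# (anonymous) memory rather than a mapped file, and its first bytes.
Region = namedtuple("Region", "start end protection private head")
# One entry from the PEB's module lists.
Module = namedtuple("Module", "name base size")

MZ_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"

# Constructed sample process (assumption: not real explorer.exe data). The
# 0x015d0000 region mirrors the wiki example: a PE with no module entry.
MODULES = [
    Module("explorer.exe", 0x01000000, 0x000ff000),
    Module("ntdll.dll", 0x7c900000, 0x000b0000),
    Module("kernel32.dll", 0x7c800000, 0x000f4000),
]
REGIONS = [
    Region(0x00150000, 0x00250000, PAGE_READWRITE, True, b"\x00" * 16),      # heap
    Region(0x00e00000, 0x00e10000, PAGE_EXECUTE_READWRITE, True,
           b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10),                        # shellcode stub
    Region(0x01000000, 0x010ff000, PAGE_EXECUTE_WRITECOPY, False, MZ_HEAD),   # explorer image
    Region(0x015d0000, 0x01602000, PAGE_EXECUTE_READWRITE, True, MZ_HEAD),    # injected PE
    Region(0x02000000, 0x02010000, PAGE_EXECUTE_READWRITE, True, b"\x00" * 16),  # RWX, untouched
    Region(0x7c900000, 0x7c9b0000, PAGE_EXECUTE_WRITECOPY, False, MZ_HEAD),   # ntdll image
]


def in_module_list(region, modules):
    """True when the region starts inside a module the PEB knows about."""
    return any(m.base <= region.start < m.base + m.size for m in modules)


def classify(region, modules):
    """Return a reason string when the region looks injected, else None."""
    if region.protection not in EXECUTABLE:
        return None
    if in_module_list(region, modules) or not region.private:
        return None  # legitimately loaded image or file-backed mapping
    if not any(region.head):
        return None  # all zeros: committed but never written (malfind skips these too)
    if region.head[:2] == b"MZ":
        return "PE header in private executable memory, not in PEB module list"
    return "code in private executable memory, not in PEB module list"


def suspicious_regions(regions, modules):
    """(start, reason) for every region classify() flags, in address order."""
    hits = []
    for r in sorted(regions, key=lambda r: r.start):
        reason = classify(r, modules)
        if reason:
            hits.append((r.start, reason))
    return hits


def hexdump(data, base):
    """Address / hex / ASCII preview of a hit, one line per 16 bytes."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("0x%08x  %-47s  %s" % (base + off, hexpart, asc))
    return lines


if __name__ == "__main__":
    by_start = {r.start: r for r in REGIONS}
    for start, reason in suspicious_regions(REGIONS, MODULES):
        print("%s" % reason)
        print("\n".join(hexdump(by_start[start].head, start)))
```

The 0x00e00000 hit shows why malfind is not only a PE-header check: injected shellcode has no MZ header, so the plugin reports any private executable region and shows you its first bytes, and the -D/--dump-dir option from the wiki text is how you get the whole region out for a closer look.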