HTCIA Live Memory Forensics

Live Memory Forensics
Joe Riggins
HBGary Sr. Director of Incidence Response
Introduction
• Welcome to the Live Memory Forensics class!
• This is an introduction to live memory forensics
• It is designed for the investigator who has digital forensic
experience, and who has intermediate ability with the
Microsoft Windows operating system
Copyright 2010
Introductions
• Your Instructor is Joe Riggins, Senior Director of
Incidence Response for HBGary.
Agenda
• Module 1 – Live Memory Basics
• Module 2 – Windows Memory Model
• Module 3 – Live Memory Acquisition
• Module 4 – Introduction to FastDump Pro
• Lab 1 – Creating a Memory Dump File using FDPro
• Module 5 – Webmail Investigation
• Lab 2 – Creating a New Physical Memory Snapshot
Project
• Lab 3 – Webmail Investigation
Section 1
LIVE MEMORY BASICS
V1.0
Live Memory Basics
• What is live memory?
• How to recognize it?
• How does it work?
• How is it organized?
The Basics
• What is Live Memory?
• Live memory is the random access memory (99.99999%
of the time) used by the CPU to store data and programs
that it manipulates.
• There are different types of memory…
The Basics
• Types of Memory used?
• RAM (random-access memory): This is the main
memory. RAM is volatile memory, which means that it
requires power and refresh to maintain its contents.
• ROM (read-only memory): Systems usually contain some read-only memory that holds instructions for booting up the computer. ROM cannot be changed; it is non-volatile.
• PROM (programmable read-only memory): A PROM is
essentially a ROM memory chip which you program out
of the factory once. Like ROMs, PROMs are non-volatile.
The Basics
• Types of Memory used?
• EPROM (erasable programmable read-only memory): An
EPROM is a special type of PROM that can be erased by
exposing it to ultraviolet light.
• EEPROM (electrically erasable programmable read-only
memory): An EEPROM is a special type of PROM that
can be erased by a special electrical charge.
• CMOS (Complementary Metal Oxide Semiconductor): CMOS usually refers to the non-volatile RAM (NVRAM).
The Basics of RAM
• Each cell of random access memory (RAM) is made of a transistor and a capacitor.
• A good jury description would be a bucket that holds water (the charge). However, the bucket has a small hole and constantly loses water. To keep the bucket full, every so often you have to pour more water into the bucket; this is called “Refresh”.
The Basics of RAM
• How fast the memory loses its charge, and how fast it can be recharged, determines the memory speed.
What does RAM look like?
How RAM works
• Memory is written one byte at a time
• Power is applied to the two connections, and charges the memory cell
(diagram: eight memory cells, all uncharged, holding the byte 00000000)
How RAM works
• Byte value = 10010101
(diagram: eight memory cells charged to 1 0 0 1 0 1 0 1)
How RAM works
• Byte value = 11001000
(diagram: eight memory cells charged to 1 1 0 0 1 0 0 0)
How RAM works
• Byte value = 00001000
(diagram: eight memory cells charged to 0 0 0 0 1 0 0 0)
How RAM works
• Byte value = 00110001
(diagram: eight memory cells charged to 0 0 1 1 0 0 0 1)
How RAM works
• The CPU reads and writes to RAM (technically,
the CPU reads and writes to Cache, that then
reads and writes to RAM)
• Every memory location has a unique address
• This leads us into the murky world of how
Microsoft Windows manages memory (more on
this later…)
Section 2
WINDOWS MEMORY MODEL
Physical Memory vs. Virtual Memory
• Physical Memory refers to the hardware view of memory
• Only one view of physical memory
• Virtual Memory refers to virtualized OS views of memory
• There can be many different virtual memory spaces
(diagram: Memory (RAM) is seen by the hardware as Physical Memory and presented by the Operating System as Virtual Memory)
Why have Virtual Memory?
• Can provide process memory isolation (security)
• Allows more “logical” memory by increasing the
addressable space (each 32-bit process gets its
own 4GB of virtual memory).
• When combined with paging, can increase the
total available memory (more on this later).
Total Logical Memory
• Sum of all virtual memory
(diagram: 2 GB of Physical Memory (RAM) managed by the OS, presented as six 4GB Virtual Memory spaces: 6 x 4GB = 24 GB of Logical Memory)
Virtual Memory Layout
(diagram: 0 GB to 2 GB is User Memory, 2 GB to 4 GB is Kernel Memory)
• The upper 2GB* of every Virtual Memory space is reserved for the Windows Kernel to use. It is not accessible to user mode processes.
* Note: except with the rarely used /3GB switch
How 2GB becomes 24GB (or more)
• The OS utilizes CPU features to create page directories and page tables which can be used to divide physical memory among multiple virtual memory spaces
(diagram: 2 GB of Physical Memory, mapped through Page Directories and Page Tables into separate 0 GB to 4 GB Virtual Memory spaces for Process A, Process B and Process C)
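Added example (not from the slides): the page-directory and page-table walk that gives each process its own 0 GB to 4 GB view of the same RAM, in Python. It assumes classic 32-bit x86 paging without PAE (10-bit directory index, 10-bit table index, 12-bit offset); the tables and frame numbers are constructed.

```python
PAGE_SHIFT = 12           # 4 KB pages
KERNEL_BASE = 0x80000000  # upper 2 GB of every space belongs to the kernel (no /3GB switch)

def split_va(va):
    """Split a 32-bit virtual address into (page-directory index, page-table index, offset)."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF

def translate(page_dir, va):
    """Walk page directory -> page table -> physical frame for one process.
    page_dir is {pde_index: {pte_index: physical_frame_number}}, a constructed,
    tiny stand-in for the real CPU structures. Returns the physical address,
    or None when the page is not resident (e.g. paged out to pagefile.sys)."""
    pde, pte, offset = split_va(va)
    table = page_dir.get(pde)
    if table is None or pte not in table:
        return None
    return (table[pte] << PAGE_SHIFT) | offset

def is_kernel_va(va):
    """True for addresses in the upper 2 GB that user-mode code cannot touch."""
    return va >= KERNEL_BASE

# Constructed sample with 2 GB of RAM (frame numbers below 0x80000).
# Process A and Process B both use virtual page 0x00401000, but their page
# tables point at different physical frames: the isolation the slides describe.
# Both share the same kernel frame behind virtual address 0x80400000.
PROC_A = {0x001: {0x001: 0x1234A}, 0x201: {0x000: 0x00040}}
PROC_B = {0x001: {0x001: 0x2000B}, 0x201: {0x000: 0x00040}}

if __name__ == "__main__":
    for name, pd in (("A", PROC_A), ("B", PROC_B)):
        print(name, hex(translate(pd, 0x00401234)), hex(translate(pd, 0x80400010)))
    print("not resident:", translate(PROC_A, 0x7FFFF000))
```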
What happens when all Physical Memory is used?
• Paging to the hard disk drive (SLOW!)
• Pagefile.sys
Paging to Disk
• When Physical Memory is getting full, the least used pages of memory are written to disk
• When those pages are needed again, they are read back into Physical Memory and some other pages are written to disk. This is called Swapping.
• Swapping reduces system performance.
(diagram: pages moving between Physical memory and Virtual memory through the pagefile on disk)
Memory Dump
• To get a complete collection of memory you need
to collect two pieces:
• Physical Memory
• The on-disk pagefile
Virtual Memory Allocation
• Programs can allocate virtual memory dynamically
• The size can range from a single byte to several
GBs (or 8192 GBs in x64 OS versions)
How is this tracked?
• The Windows kernel uses a data structure known
as Virtual Address Descriptors (VADs) to track
virtual memory allocations
• Responder™ combines this information with page
table data for each process, and displays it in the
Memory Map detail panel
Memory Map
(screenshot of the Responder™ Memory Map detail panel, with callouts: Memory Block, Block Length, Individual Pages for this Block, Unreferenced Pages)
Section 3
MEMORY ACQUISITION
Memory Acquisition Methodology
• Goal – Be minimally invasive to the suspect machine
1. DO NOT acquire RAM to the local system hard drive
• Invasive – possibly destroys important data
2. Use an external thumb drive (USB Mass Storage Device)
3. Image the RAM to sterile media
• Freshly wiped drive, preferably with all zeros.
• Reformat the drive to NTFS
• FAT32 file system has 2GB file size limitation
• FDPro cannot split up the file into chunks
• Generate an MD5 hash at time of collection – save it with the memory image
• Used to verify integrity of the file to that point in time.
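The hash-at-collection step above, as an added example that is not part of the slides or of FDPro: the image file is hashed in chunks, the digests are saved in a sidecar file beside it, and a later verification recomputes them. The 3 MB image is constructed filler, and SHA-256 is recorded next to MD5 as the editor's addition.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MB at a time, the same size FDPro uses by default

def hash_image(path, algorithms=("md5", "sha256")):
    """Hash a memory image in chunks so a multi-GB dump never has to fit in RAM.
    MD5 is what the slides call for; SHA-256 is added here (editor's choice)."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}

def write_sidecar(image_path):
    """Save the digests next to the image as '<algo>  <hex>  <filename>' lines."""
    with open(image_path + ".hashes", "w") as f:
        for name, hexd in hash_image(image_path).items():
            f.write(f"{name}  {hexd}  {os.path.basename(image_path)}\n")
    return image_path + ".hashes"

def verify_sidecar(image_path):
    """Recompute every recorded digest; return (all_match, names_that_differ)."""
    recorded = {}
    with open(image_path + ".hashes") as f:
        for line in f:
            name, hexd, _ = line.split(maxsplit=2)
            recorded[name] = hexd
    current = hash_image(image_path, tuple(recorded))
    differing = sorted(n for n in recorded if current[n] != recorded[n])
    return not differing, differing

def run_demo():
    """Constructed 3 MB stand-in for a dump: hash, verify, flip one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "memdump.bin")
        with open(img, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096))  # deterministic filler, not a real image
        write_sidecar(img)
        ok_before, _ = verify_sidecar(img)
        with open(img, "r+b") as f:  # simulate a one-byte change after collection
            f.seek(1_500_000)
            original = f.read(1)[0]
            f.seek(1_500_000)
            f.write(bytes([original ^ 0xFF]))
        ok_after, differing = verify_sidecar(img)
        return ok_before, ok_after, differing
```

run_demo() returns (True, False, ['md5', 'sha256']): the untouched image verifies, and both recorded digests flag the modified one.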
Acquiring Memory
• Software creates a “smear” image
• Not a “true” duplicate image
• This process is not reproducible
• In order to create a “true” image:
• Hardware is required
• Virtualization can “pause” the processor
• Crash Dump
• Hibernation file (hiberfil.sys)
Acquiring Memory
• Software used to dump physical RAM
• HBGary FastDump™ and FastDump™ Pro
• Fastdump (free)
• Windows 2000 – 2008 Server, Windows 7
• 32-bit
• 6GB maximum file size
• FastDump™ Pro
• Windows 2000 – 2008 Server, Windows 7
• 32- and 64-bit
• 64GB+ tested maximum file size
Preparing to Image
• When collecting the tools to image live memory,
you need to anticipate the likely possibilities of
what you will encounter on the source end.
1. Will your imaging tool run on the source computer (the
computer where you want to image the live memory)?
2. Will the destination storage device be recognized by
the source computer? Can you save the image on a
storage device?
Preparing to Image
• Is there a way to run FastDump Pro?
• USB 1.1, 2.0 or 3.0 port
• Place FastDump Pro on a USB storage device such as a thumb
drive, or external USB hard drive.
• CD/DVD-ROM drive
• Place FastDump Pro on a CD/DVD-ROM. It does not have to be
bootable.
Preparing to Image
• Is there a way to run FastDump Pro?
• FireWire port – 400/800
• Place FastDump Pro on an external FireWire hard drive
• PCMCIA or CardBus port
• Place FastDump Pro on a CardBus flash card or hard drive. There
are several cards that use a Compact Flash media card for
storage.
Preparing to Image
• Does it have a way to attach a storage device for
memory dumping?
• The amount of storage should be 10-15% larger than the
biggest amount of memory you expect the computer to
have.
• In today’s world (the year 2012) 8GBs is safe.
• Keep in mind you should have something that has more
than 8GBs to call on when needed.
• Speed can also be an issue
• Thumb drives can be slow
Preparing to Image
• Windows does not create files larger than 4GBs on
Windows 2000 or Windows XP operating systems using
FAT32.
• FAT32 has a limit of 4GBs for a single file
• Format your destination drive with NTFS if possible.
• Carry a second drive with FAT32 formatting
Preparing to Image
• Buy a moderately fast USB 4-8GB thumb drive. It should
conform to the USB Mass Storage specification.
• Format it with NTFS and place FDPro.exe on it.
Section 4
FASTDUMP PRO
FastDump™ Pro
• FastDump Pro™ (FDPro™) is a command-line
based memory dumping utility that comes
packaged with both the Responder™ Professional
and the Responder™ Field products. A copy of
FDPro.exe is located in the FastDump folder in the
directory where Responder™ is installed on the
local hard drive.
FastDump™ Pro
• FDPro™ supports:
• all versions of the Windows™ operating systems and service packs (2000, XP, 2003, Vista, 2008 Server, 7), 32- and 64-bit, including systems with more than 4GBs of RAM (up to 64GBs of RAM).
• acquisition of the Windows™ pagefile included with the
acquisition of RAM.
• a variety of memory probing features that can assist with
malware analysis.
FastDump™ Pro
• To perform a RAM dump:
• Command: fdpro.exe c:\memdump.bin
• Action: FDPro.exe acquires the local system physical memory to the file c:\memdump.bin in literal/standard .bin format using the default 1MB read/write sizes.
• Command: fdpro.exe c:\memdump.bin -strict
• Action: FDPro.exe acquires the local system physical memory to the file c:\memdump.bin in literal/standard .bin format using the strict 4kb read/write sizes.
FastDump™ Pro
• To perform a RAM and Pagefile dump:
• Command: fdpro.exe c:\memdump.hpak
• Action: FDPro.exe acquires the local system memory into the HPAK archive file c:\memdump.hpak using the default 1MB read/write sizes
• Command: fdpro.exe c:\memdump.hpak -strict
• Action: FDPro.exe acquires the local system memory into the HPAK archive file c:\memdump.hpak using the strict 4kb read/write sizes
Goal of Process Probe
• The goal of Process Probe is to force all executable code
into RAM for one or all processes on the system.
• This includes code that is swapped out to the Pagefile.sys,
and code still contained in the executable on disk but not in
use. This code is called into RAM prior to the acquisition of
physical memory.
Why Process Probe?
• Because Process Probe provides the investigator
with a more accurate and complete picture of the
executable code and the data.
• The process probe feature allows the investigator
to control what memory is “paged-in” to RAM from
SWAP and the File System before FDPro
performs RAM acquisition.
• The Probe feature even forces code from the file
system into RAM for a specific process.
Why Process Probe?
• Use Process Probe during any LIVE network intrusion investigation, malware analysis case, or computer forensic investigation where the running applications on the computer could play a role. Applications include:
• Instant messengers
• IP telephony
• Internet browsers
• Malware
• Encryption applications
• Databases
• Media players
• Encrypted data
• Passwords
• Unencrypted chat sessions
• Documents
• Emails
• Internet searches
• Internet postings
• Password protected websites
Probe Smart
• When using the -probe smart feature, FDPro.exe walks the entire process list and makes sure all code is called into RAM, resulting in the ability to recover almost 100% of the user-land process memory by causing these pages to be activated and paged-in on the fly.
Process Probe Best Practices
• Forensic best practices dictate that an investigator or analyst should always acquire RAM and Pagefile without running the -probe feature.
• After freezing the current state of RAM, the investigator/analyst should run FDPro again using the -probe feature. Even when grabbing the pagefile, the -probe feature forces unused code from the file system into RAM.
Process Probe Best Practices
• Example steps:
1. Arrive at the server or workstation suspected in the computer incident or forensic investigation
2. Collect RAM to “freeze the runtime state of the machine”. This is a full RAM image with Pagefile
• If you’re doing any sort of malware analysis or Reverse Engineering, or know for a fact that you will never have to use the RAM acquisition in litigation, then you can go ahead and use -probe smart on your very first image to save time.
• Note: This technique leaves a larger footprint in RAM than performing a memory acquisition alone.
Process Probe Commands
• To probe processes into memory and RAM:
• Command: fdpro.exe c:\memdump.bin -probe all
• Action: fdpro.exe probes all processes into memory before acquiring the local system memory into the file c:\memdump.bin
• Command: fdpro.exe c:\memdump.bin -probe smart
• Action: fdpro.exe probes only user processes into memory before acquiring the local system memory into the file c:\memdump.bin
• Command: fdpro.exe c:\memdump.bin -probe pid 123
• Action: fdpro.exe probes the process with PID 123 into memory before acquiring the local system memory into the file c:\memdump.bin
FastDump to Local VMware Drive
• Take a snapshot to the local hard drive
• C:\fdpro.exe c:\RAMdump.bin
• Copy (using drag-and-drop) from VMware
• Field option – take snapshot to USB drive
• Add USB controller via Hardware Panel if needed
• No perturbation of the local hard drive
Lab Exercise
• Complete Lab Exercises 1 & 2
• 30 minutes to complete lab exercises
Section 5
WEB MAIL INVESTIGATION
Investigating Applications
• Goal: Identify artifacts that lead you to other
pieces of information
• Finding bread crumbs, then following the bread crumbs…
Analyzing Applications
• Try to find objects and artifacts that tell you:
• Who, What, Where, When, Why, How
Investigation Preparation
• Carefully create a search term list: Who? What? When? Where? How?
• Spending time up front can save lots of time on the back end
• Who? Names of People, Email addresses
• What, When, Where, How? Project Names, Filenames, File format(s), Usernames, Passwords, Dates, Times, Domains, URLs
Analyzing Applications
• Approach:
• Knowledge is helpful… Google: “skype”
• What is it?
• How is it used? How does it work?
• Why is my suspect using it?
• Is there data in memory that might not be available by performing disk based forensics?
Analyzing Applications
• Create a list of things you know
• Names involved in the investigation
• Domain names
• Project names
• Filenames
• Websites
• Applications in question
• Office applications
• Internet browser
• Encryption
• Chat
Web Mail
• Start with the browsers…
• Internet Explorer
• Firefox
• Opera
• Google Chrome
Web Mail
• Then go to browser artifacts
• Web sites visited
• Files downloaded
• Dates and timestamps
Web Mail
• Things to consider
• Web server applications act differently
• Gmail stores passwords differently than hushmail.
Web Mail
• Search terms that can be used
• gmail.com
• @hotmail.com
• @yahoo.com
• @hushmail.com
• Attachment
• &passwd=
• &login=
• messageID=
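As an added example (not from the slides or from HBGary's tools), a small Python scanner that runs the search terms above over a raw memory image in both ASCII and UTF-16LE form, records the offset and surrounding text of each hit, and pulls out the e-mail addresses it finds; the sample bytes and the address regexes are constructed.

```python
import re

# Search terms listed on the slide; the e-mail patterns are an addition so a hit
# on a provider domain also yields the full address around it.
TERMS = ["gmail.com", "@hotmail.com", "@yahoo.com", "@hushmail.com",
         "Attachment", "&passwd=", "&login=", "messageID="]
EMAIL_ASCII = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The same pattern for UTF-16LE text, where every character is followed by a NUL byte.
EMAIL_U16 = re.compile(rb"(?:[A-Za-z0-9._%+-]\x00)+@\x00(?:[A-Za-z0-9.-]\x00)+"
                       rb"\.\x00(?:[A-Za-z]\x00){2,}")

def encodings(term):
    """Windows keeps many strings in memory as UTF-16LE, so search both forms."""
    return {"ascii": term.encode("ascii"), "utf-16le": term.encode("utf-16-le")}

def scan_image(data, terms=TERMS, context=24):
    """Return every occurrence of each term with its offset and surrounding text."""
    hits = []
    for term in terms:
        for enc, needle in encodings(term).items():
            codec = "utf-16-le" if enc == "utf-16le" else "ascii"
            pos = data.find(needle)
            while pos != -1:
                begin = pos - context if pos >= context else pos % 2  # keep UTF-16 alignment
                raw = data[begin:pos + len(needle) + context]
                hits.append({"term": term, "encoding": enc, "offset": pos,
                             "context": raw.decode(codec, "replace")})
                pos = data.find(needle, pos + 1)
    return hits

def find_emails(data):
    """Collect the distinct e-mail addresses present in either encoding."""
    found = {m.decode("ascii") for m in EMAIL_ASCII.findall(data)}
    found |= {m.decode("utf-16-le") for m in EMAIL_U16.findall(data)}
    return sorted(found)

# Constructed sample standing in for a slice of a memory image: an ASCII HTTP
# request fragment and a UTF-16LE mail header, separated by padding bytes.
SAMPLE = (b"\x00" * 16
          + b"GET /mail/?ui=2&login=jdoe@gmail.com&passwd=example-only HTTP/1.1"
          + b"\x00" * 8
          + "To: alice@hushmail.com messageID=42".encode("utf-16-le")
          + b"\xff" * 4)

if __name__ == "__main__":
    for h in scan_image(SAMPLE):
        print(f"{h['offset']:#08x} {h['encoding']:8} {h['term']:14} {h['context']!r}")
    print("addresses:", find_emails(SAMPLE))
```

On a real image, read the file in chunks with an overlap of at least the longest needle so a hit straddling a chunk boundary is not missed.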
Webmail Considerations
• More…
• Mail applications
• Chat Applications
• Names of Webmail Services
• Email addresses
• Passwords
• Content of emails
• Dates & Time Stamps
• Web Sites Visited – History
• Attachments
Initial Triage
• First Steps - Browse and collect
• Browse the list of processes and applications running…
• Do I see internet browsers? Yes.
• Do I see any instant messenger applications?
• Do I see any other applications that might be useful for my
investigation?
• Add Artifacts to your Report
• Export to Excel
• Right click send to report
Web Mail
• Focus: Intellectual Property Investigation
• Type: Private data sent via Email
• Description: Search for indications of files, email
addresses, and other related info to the data theft.
The Scenario
• Beginning a search based on suspicion
• Press release from competitor having similar data
• Searching for private content
• What do we search for?
• Understanding search hits
• Process name/module/unidentified
• Adding webmail data/artifacts to the report
Searching
• Beginning a search based on suspicion
• Press release from competitor having similar data
• FIRST - Search for content we know
• We know we are looking for “Pluripotent”
• Searching for email addresses to corroborate
suspicion
• Search terms (@gmail.com, gmailchat=)
• Understanding search hits
• Process name/module/unidentified
• SECOND - Search for content we learn
• Adding webmail data/artifacts to the report
Lab Exercise
• Complete Lab Exercise 3
• 30 minutes to complete lab exercises