Memory Forensics in Incident Response Flashcards
When did the change from rudimentary string searching to recovering process information in memory forensics?
The DFRWS 2005 challenge.
At what event did many professionals agree that “pulling the plug” is no longer acceptable?
The SANS Forensics Summit in 2008. (p8)
Why do some guides still recommend pulling the plug instead of performing memory forensics?
A lot of the guides are distributed to people with absolutely no computer training (law enforcement).
Why are memory forensics important?
Nearly everything of interest traverses RAM.
Why is memory becoming less volatile and more like a secondary file system?
It’s becoming larger.
What are volatile registry keys?
Registry keys that can be updated and only survive in memory.
p12 needed?
?
What is \Device\PhysicalMemory?
A handle in the Windows filesystem that, prior to Windows 2003 SP1, could be used to address and copy physical memory.
When did \Device\PhysicalMemory go away?
Windows 2003 SP1
What is HIPS?
Host Intrusion Protection Software
When do Windows drivers have to be signed?
64 bit systems
How do you access physical memory on Windows systems?
Pre 2003 SP1, \Devices\PhysicalMemory. Post 2003 SP1 requires a driver.
What is WinPMEM?
A memory dumping tool for Windows. It allows read only or read write access.
What is Redline?
A tool that is used for Windows memory analysis. Can also perform live memory analysis.
How can you perform memory analysis on a system that’s already been shut down?
Copies of ram that are automatically created, like hibernation files in Windows. Crash dump files as well.
What is the filename that Windows uses to create a copy of memory when the system goes into hibernation?
hiberfil.sys
What portions of memory are included in hiberfil.sys?
Everything. It’s a complete copy.
What is a Windows crash dump file named?
memory.dmp in %WINDIR%. If it’s a full crash dump, it’ll be a complete copy of memory. (See footnotes on p14)
Why is analysis of chat applications difficult?
Many don’t log communications to disk, so the only place to find the information may be in memory.
What is DumpIt?
A simple memory dumping tool from MoonSols that dumps memory from 32 or 64 bit Windows systems to the curent working directory.
Where’s the best place to run DumpIt.exe?
A large capacity thumb drive, because it dumpts to CWD.
What does DumpIt cost?
It’s free.
How is memory usually stored on disk with virtualization products?
It’s often a raw copy of memory, so can be analyzed with standard memory analysis tools.
In which virtualization products is the on-disk memory image a copy of raw memory?
VMWare, Microsoft Server 2008 Hyper-V, and Parallels.
How is the on-disk memory image for VirtualBox different from most other virtualization products?
It only holds memory in use, not a complete image of memory. (16)
What is the fallback plan to analyze memory on a virtual machine if the on-disk image analysis won’t work?
Run a memory acquisition tool within the virtual guest.
What product can be used to analyze virtualization product memory?
Volatility
What are the common file suffixed for virtual memory files?
.vmem - VMware raw memory .vmss - VMware contains memory image .vmsn - VMware contains memory image .bin - Microsoft Hyper-v memory image .vsv - Microsoft Hyper-v save state .mem - Parallels raw memory image .sav - VirtualBox partial memory image (16)
Where are memory images found?
p16.
Rajid Mitra case
p18
What is hiberfil.sys?
A Windows hibernation file a compressed copy of RAM at the time of hibernation.
How can you decompress hiberfil.sys?
Volatility’s imagecopy or MoonSols hibr2bin.exe
What files can analyze Windows hibernation files natively?
BulkExtractor
Magnet Forensics Internet Evidence Finder
Volatility
Belkasoft Evidence Center
What windows command line tool manages hibernation files?
powercfg.exe (review the options p 20)
What is memory forensics?
Study of data captured from memory of a target system, including RAM and virtual memory.
How is memory analysis different from traditional media forensics?
- Data is a snapshot in time, with dramatic changes possible moment to moment
- Complicated to establish context because there’s more information than just files and directories
- Data is formatted for execution, not to be extracted and understood, so analysis is more complicated.
How is memory analysis similar to media forensics?
- Still requires forensically clean procedure
- Still requires putting memory in context, but memory has a more complicated architecture than disk filesystems.
- Still requires analyzing the raw results to understand what the data means
Why is forensic capture of memory more complicated than of media?
Executing a program to capture memory modifies memory.
What is the KDBG?
Kernel Debugger Datablock (lots more on p.24)
What are the three traditional malware detection methods?
Signature, contradiction, heuristic/behavioral (26)
What are the processes to find the first hit in memory analysis?
- Identify rogue processes
- Analyze process DLLs and handles
- Review network artifacts
- Look for evidence of code injection
- Check for rootkit signature
- Dump suspicious processes and drivers
Redline
p. 27-
EPROCESS blocks
p. 35-
Analyzing processes
p. 37
How does Redline identify rogue processes?
p. 40-
What is MRI?
Malware Risk Index. (42)
What are the two components in MRI?
- Behavior rule set
2. Verification of digital signatures
What are the three types of rules in the behavior rule set?
- Process path verification
- Process user verification
- Process Handle Inspection (does a process like svchost have a handle to cmd.exe?)
- DLL load order issues (evidence of DLL hijacking)
What is required for Redline digital signature checking?
It can only be done in live memory analysis.
What other things does Redline check for?
1) Unmapped processes
2) Processes started by command shell
3) DLL load order/hijacking
4) Expected command line arguments
Redline heirarchical process view?
p48
HBGary Responder product?
p48
What things should you check all processes for?
1) Correct image/executable names
2) Correct file location (path)
3) Correct parent process
4) Correct command line and parameters
5) Start time information
6) Security identifies (SID)
What is the Windows per-process limit on kernel handles?
2^24 (52)
What is a handle in windows?
A pointer to a resource such a file directory registry key, mutex or semaphore, or event.
What are the components of a process in Windows?
DLLs, handles, threads, memory sections sockets.
What is a VAD?
In Windows, it’s a Virtual Address Descriptor tree and maintains a list of assigned memory sections.
What is a socket?
A network connection endpoint.
What process does Conflicker/Kido inject itself into?
svchost.exe
How can you detect Conflicker/Kido?
Only by looking at process objects. Because it uses injection into svchost.exe, SID, launch time, path, and parent process are normal.
What is Least Frequency of Occurrence?
The principle that anything related to malware should be uncommon on a system or enterprise. Sorting a list based on occurrences and looking at the least frequently occuring items can be useful. (56)
If an object appears in one process, what does that mean?
It might be a sign of malice, but not always. There are legitimate objects that only appear in one windows process.
How many signatures does Redline ship with?
Less than 50, but you can create your own.
Poison Ivy Remote Access tool?
(62)
Creating redline signatures?
(62)
List network artifacts
- suspicious ports
- suspicious connections
- suspicious processes (should it be communicating over the network at all?)
What are some examples of unusual network behavior?
A non-browser communicating over port 80/443/8080
A browser communicating over a port other than 80/443/8080.
Connections to unexplained IP addresses
Web requests directly to an IP
RDP connections (3389) particularly from odd IPs.
DNS requests for unusual names
How are RDP connections usually managed?
They’re usually routed through a VPN concentrator.
What is TDL3/TDSS?
(69)
Redline memory string analysis
(71)
What things should you search for in memory?
Known bad IPs, domains, or filenames. http://, https://, ftp:/.
Zeus
(71)
How common is DLL injection in modern malware?
Very common.
How does DLL injection work?
Allocate space in a running process, shove the DLL into it, create a new thread to load the DLL into the process.
or
Hook a process’s filter functions using SetWindowsHookEx().
How do you load a DLL into a running process?
VirtualAllocEx()
CreateRemoteThread()
What is the symptom of DLL injection?
An unnamed memory section containing executable code attached to a victim process.
What is process hollowing?
Start a copy of a legitimate system process, pause the process, de-allocate some of the original code and replace it with malicious code.
What is the advantage of process hollowing?
It retains the original executable’s process image name, path, and command line. Camouflage.
How is a memory page marked executable?
Page_Execute_ReadWrite (72)
What does it mean for a memory page to be unmapped?
It’s not backed by a file on disk.
How do you identify process hollowing?
If the image binary is not backed by a file on disk (unmapped), it’s a strong indicator of process hollowing. (77)
Zeus
(78-9)
Stuxnet
(83-5)
Process hollowing example
(83-5)
Why have malware authors resorted to techniques like hiding in plain sight?
More advanced techniques like code injection are easy to find with memory analysis, and tools like Redline makes it easy.
How do most rootkits work?
By hooking legitimate system functions and redirecting output.
What is SSDT?
The System Service Descriptor Table (89)
What is IDT?
(89)
What is IAT?
(90)
What is IRP?
(90)
Storm/SSDT hooking
(91)
Commonly hooked functions?
NtEnumerateKey
NtEnumerateValueKey
NtQueryDirectoryFile
(91(
Why is it hard to identify malicious I/O Request Packet hooks?
There are so many legitimate hooks that have to be eliminated first. Lots of 3rd party drivers.
What is a good method to identify malicious I/O Request Packet hooks?
Least Frequency of Occurrence. Most malware hooks sparingly and may hook functions that no or few other applications do.
What is the Storm Worm?
A spam bot.
How does Storm hide network activity?
It hooks IRP_MJ_DEVICE_CONTROL function within tcpip.sys.
openports?
93
What does a rootkit do?
It hides the existence of system object like processes, files, registry keys, and network artifacts.
How do you dump a process in Redline?
Processes tab in Analysis Data Pane, double click the process of interest within the Table View pane and select MRI Report from the Full Detailed Information tabs at the bottom fo the window. That contains “Acquire Process Address Space”
Where does Redline dump a process memory image?
By default %user profile%\AppData\Local\Temp\AgentAcquisition in a password protected zip archive (prevents AV quarantining)
Driver aquisition
99
What does \??\ indicate?
An “extended length path” in Windows. (99)
What options exist for analyzing a process and drivers once they’ve been extracted?
- Scan for malware
* Study the assembly code (ugh…)
What does virustotal.com do?
Scans a file with over 40 different AV engines.
Is there a drawback to virustotal.com?
Anything you upload is public domain. A safer option is to upload a MD5 of the suspect file.
List free, automated tools for examining extracted binaries.
Threat Expert and GFI Sandbox.
What are the benefits of live memory analysis?
- Faster triage
- Includes the system pagefile
- More accurate heuristic matching
- Digital signature checks of process executables, DLLs, drivers with a known good whitelist
- Indicator of Compromise searches using pre-defined IOC files.
Why is live analysis effective at defeating advanced malware?
It accesses physical memory, not relying on API calls, open handles, or debuggers.
What is Shadow Walker?
Proof of concept code that pages itself out of memory when a memory acquisition tool is detected. (107)
107 last para
x
p 108-118
x
What is Volatility?
A framework for performing digital investigations on Windows, Linux, and Mac memory images. (121)
Where can you get Volatility?
It’s open source, from https://code.google.com/p/volatility/
Where is the command reference for Volatility?
The Volatility wiki: https://code/google.com/p/volatility/wiki/CommandReference23 (for version 2.3)
What is volatility written in ?
Python
How do you execute Volatility?
vol.py -f [image] [plugin] –profile=[PROFILE]
What are plugins for in volatility?
They tell the program what to do.
What are profiles for in Volatility?
They specify which operating system version you’re analyzing.
How can you pre set the memory image information in Volatility?
Use the VOLATILITY_LOCATION environment variable.
For example export VOLATILITY_LOCATION=file://(path)
What Volatility plugin will determine what operating system a memory image came from?
imageinfo (p124)
What flag in Volatility gives help?
-h
Where do you find the Volatility options in the SANS books?
Book 2 p. 125.
Where do you find the list of all volatility plugins in the SANS books?
Book 2, p. 126-9.
What is Rekall?
A fork of Volatility that focuses on speed and performance.
How do you execute Rekall?
rekall -f memory.img psscan (130)
What is GRR?
Google Rapid Response (research this) p. 130.
Which memory forensics tool requires an OS profile and which doesn’t?
Volatility does, Rekall doesn’t.
Which memory forensics tool tends to lead in supporting OS versions out of Volatility and Rekall?
Rekall
What is winpmem and osxpem?
p. 130
Where can you get rekall?
https://code.google.com/p/rekall
What does the imageinfo plugin do?
It’s a Volatility plugin that returns information like system date and time when the image was collected, KPCR, number of processors, operating system and service pack information.
How can you speed up most Volatility plugins?
Give them the location of the KDBG using -g 0xADDRESS. Use imageinfo to get it.
How do you find the KDBG address in Volatility?
imageinfo. Also the virtual address of the KdCopyDataBlock found via the kdbgscan plugin.
What is imagecopy?
A volatility plugin that prepares non-standard memory images for analysis.
What tool other than imagecopy can be used to convert hibernation images?
hibr2bin.exe (134)
What are the parameters to Volatility’s imagecopy?
-f -O
What Volatility plugins can be used to identify rogue processes?
pslist
psscan
pstree
pstotal
Review Rogue Process plugins in Volatility
(138)
What does Volatility’s pslist doe?
Print all running processes by following the EPROCESS linked list (even in LInux?)
What are the important parameters of pslist?
-p (show information for specific process IDs)
What does Volatility’s pslist provide for each process?
Virtual offset of EPROCESS block Process name Process ID (PID) Parent Process ID Number of threads Number of handles Process start time
What limitation does pslist have?
Rootkits can unlink malicious processes from the linked list rendering them invisible (really? how do they run?)
How can you identify a terminated process?
It should have zero handles and zero threads.
Note: Finding a system process with a terminated parent is suspicious.
.
What is psscan?
A Volatility plugin that scans physical memory for EPROCESS pool allocations.
What important parameters does psscan have?
None.
How does psscan differ from pslist?
Psscan scans memory rather than following the EPROCESS list, so it can find unlinked/hidden processes, and processes that are no longer running.
What information does psscan provide?
Physical offset of EPROCESS block Process name Process ID Parent Process ID Page directory base offset (PDB) Process start time Process exit time
What’s the difference between a physical memory offset and a virtual memory offset?
(143)
What is -p for Volatility plugins?
Process ID
What is -o usually used for in Volatility plugins?
Physical offset in memory
What does a process appearing more than once in psscan results likely mean?
Just that it was moved around in physical memory.
What is pstree?
A volatility plugin that displays the process list as a tree.
What important parameters does pstree have?
-v for verbose information including image path and command line for each process.
What limitation does pstree have?
It uses the EPROCESS linked list, so doesn’t show unlinked/hidden processes.
What is pstree useful for?
Visually identifying malicious processes spawned by the wrong parent process.
What information does pstree provide?
Virtual offset of EPROCESS block Process name PID PPID Number of threads number of handles process start time (146)
What is pstotal?
A Volatility plugin that scans physical memory for EPROCESS pool allocations and identifies hidden processes only found in psscan output.
What important parameters does pstotal have?
- -output-file=OUTPUT FILE
- -output=dot for vector capable output
- c or –cmd to display command line including path
What do the pstotal color outputs mean?
Red - Process is absent from pslist and has no exit time. Investigate.
Grey - Process is absent from pslist but has an exit timestamp. Probably just an exited process.
Light blue - Exit time is before the most recent boot. Probably leftover in memory image.
Dark blue - Exit time is after the most recent boot
Yellow - Indication of potential PID reuse.
What should you check all processes for when trying to identify rogue processes?
Correct image/executable name Correct file location (path) Correct parent process Correct command line and parameters Correct start time information
What Volatility plugins can be used for analyzing process objects?
dlllist cmdline getsids handles filescan svcscan cmdscan consoles
What is dlllist?
A Volatility plugin that displays loaded DLLs and the command line to start each process.
What important parameters does dlllist have?
-p
How can you get the base offset for a DLL?
Use the Volatility dlldump plugin.
What is a PEB?
Process Environment Block (156)
What does dlllist provide for each DLL?
Base offset
DLL size
DLL file path
What plugin can provide more information about DLLs than dlllist?
ldrmodules (156, more)
What is getsids?
A volatility plugin that displays Security IDentifiers for each process?
What important parameters does dlllist have?
-p
What is S-I-5-18?
The SID for LocalSystem (161)
What is S-I-5-32-544?
The SID for Administrators
What is S-I-1-0
The SID for Everyone
What is S-I-5-11?
The SID for Authenticated Users
What is S-I-16-16384
The SID for System Mandatory Level
Read “How access tokens Work”
http://technet.microsoft.com/en-us/libraray/cc783557(v=ws.10).aspx
What is S-I-5-32-546?
The SID for Guests
What is S-I-5-32-545?
The SID for Users.
SIDs are unique within…?
A Windows instance. Domain SIDs are unique throughout the enterprise.
What are the three most popular SIDs?
LocalSystem, LocalService, NetworkService.
What does the Volatility module handles do?
Prints a list of handles opened by a process
What are the important parameters for the handles Volatility module?
- p PID (can comma separate multiple)
- t type (there are about a dozen on p 165.)
What other Volatility module besides handles can be used for more rigorous searching of file handles and mutants?
mutantscan
What does the Volatility svcscan module do?
Scans memory image for Windows service records, giving information on associated processes and drivers
What are the important parameters for the svcscan Volatility module?
-v (show service DLL)
What is a common persistence mechanism for malware?
Windows Service
What should be considered suspicious if found using Volatility’s svcscan module?
SERVICE_AUTO_START entries should be examined.
What is one method for finding malicious drivers?
Drivers can be loaded via a service, so can be found using Volatility’s svcscan module.
What method can identify processes stopped by malware?
Volatility’s svcscan module.
What capability does Volatility have that Redline doesn’t?
Enumeration of services
What is a Windows Service?
A special type of process that is intended to be run in the background without user input.
Windows Services canload…
…both process executables and drivers.
What is the only memory analysis tool that can identify services?
Volatility.
What information does svcscan provide?
Offset Order Start method (Disabled, System_Start, Boot_Start, Auto_Start, Demand_Start) Process ID Service Name Display Name Type (Process or driver) State (Running or stopped) Full path
What does the -v option to svcscan do?
Identifies what DLL started a service by parsing the SYSTEM\CurrentControlSet\Services\Parameters\ServiceDLL registry key.
Other than finding malicious services, what is important to do when reviewing the services that were running when a memory image was captured?
Also identify services which should be running, but which have been stopped.
What services might malware stop?
Windows updates and antivirus. (170)
What does SERVICE_AUTO_START indicate?
That a service will start on system boot.
What is the wuaserv service?
(171)
What are cmdscan and consoles?
Volatility modules that carve out full command histories and text console output from a memory image.
What is csrss.exe?
173
What is conhost.exe?
173
How does cmdscan and consoles work?
By scanning the VAC tree of csrss.exe and conhost.exe, in particular the DOSKEY command history buffer kept by cmd.exe.
How many entries does cmd.exe keep in its buffer by default?
50
What structure does consoles look for?
CONSOLE_INFORMATION
What is CONSOLE_INFORMATION?
A memory structurethat includes the console buffer, showing input and output those commands generated. It is parsed by the consoles Volatility plugin.
What’s the difference between cmdscan and consoles?
Consoles only parses records from consoles active when memory was dumped. cmdscan can recover current and old remnants of command history buffers.
What information does cmdscan provide?
Command process (where was history information found)
PID
CommandHistory (offset where history structure found)
(more on 174)
What information does consoles provide?
175
What process objects might provide a clue something is amiss?
DLLs, Handles, Services.
What Volatility plugins provide network artifacts?
connections connscan sockets sockscan netscan
What is notable about the network artifact plugins in Volatility?
They’re the only ones that are operating system dependent. Radical changes were made starting in Vista. With Vista or later netscan must be used.
What do connections and connscan do?
They are Volatility plugins that identify network connections.
What does the Volatility connections plugin do?
It wanks the TCP connections singly linked list to find active network connections when the memory image was taken.
What does the Volatility connscan module do?
It takes a brute force approach scanning anything in memory that resembles a _TCPT_OBJECT and tries to parse it.
What is a drawback of connscan?
It attempts to parse objects which might no longer be in use, and which might have been partially overwritten. The results can be incorrect.
What information does the connscan and connections plugin provide?
memory offset
local ip address
remote ip address
PID
What network artifact can signal a malicious process?
A PID that shouldn’t be communicating on the network but that is. A legitimate PID that exhibits this behavior may have been compromised.
What is the effect of hibernation on Windows connections?
They’re all closed prior to hibernation, so connscan is still effective, but connections wouldn’t return any results.
What should the network profile of svchost.exe be?
It generally shouldn’t have any external connections.
What do the sockets and sockscan modules do?
They’re Volatility plugins that enumerate network sockets.
What does the sockets plugin do?
It walks the singly linked list and reports information on the socket objects.
What does the sockscan module do?
It scans memory images looking for _ADDRESS_OBJECT objects and parses them.
What information does sockets and sockscan provide?
182
What is an important bit of information in the socket structure, and why?
Creation time.
A process with a passive listening socket on a suspicious port.
What can you learn by comparing sockets and sockscan output?
Which sockets were alive and which were terminated or unlinked.
What should you focus on when reviewing network artifacts?
Suspicious ports
Suspicious connections
Known bad IPs
Suspicious network behavior from processes
Interesting creation times of network sockets
What happens if you use the wrong module for network artifact scanning in Volatility?
No errors are generated, so you can use the wrong one without realizing it.
What automated analysis plugins exist for Volatility
malsysproc openioc_scan baseline processbl servicebl driverbl
What does malsysproc do?
Automatically identifies suspicous processes
What does openioc_scan?
Scans memory objects using OpenIOC signature files.
What does baseline do?
Provides processbl servicebl, driverbl for baseline comparisons.
What does processbl do?
Compare processes and loaded DLLs with a baseline image.
What does servicebl do?
Comapres services with a baseline image.
What does driverbl do?
Compares drivers with a baseline image.
What is malsysproc designed to do?
Scan system processes for anomalies to find malware pretending to be legitimate system processes.
Limitations of malsysproc?
Only scans common system processes (smss, csrss, winlogon, services, lsass, svchost, spoolsv, wininit), and common misspellings. (188)
What does malprocfind do?
It’s a fork of malsysproc that adds useful checks like anomalous process SIDs and process hollowing.
What does baseline do?
Compares memory objects found in a suspect image to those present in a known good image.
What parameters does baseline take?
- B (baseline image)
- U (only show items not found in the baseline)
- K (only show items present in the baseline) (190)
190
190
List Volatility code injection plugins
malfind, ldrmodules
What does malfind do?
It’s a Volatility plugin that scans process memory sections looking for indications of code injection, then extracts those sections for further analysis.
What parameters does malfind take?
195
195
195
MZ portable executable header?
196
PAGE_EXECUTE_READWRITE?
Is this suspicous in itself? (202)
What assembly identifies a function?
PUSH EBP
MOV EBP, ESP
What does ldrmodules do?
(203)
Volatility rootkit identification plugins
(210)
DKOM
211
