SlideShare a Scribd company logo

SANS Forensics 2009 - Memory Forensics and Registry Analysis

M
mooyix
1 of 33
Download to read offline
Registry Analysis and Memory Forensics: Together at Last Brendan Dolan-Gavitt Georgia Institute of Technology
Who I Am • Developer on Volatility project • Grad student and researcher at Georgia Tech • Author of “Push the Red Button” blog
Overview
Overview • Registry Analysis
Overview • Registry Analysis • Memory Forensics +
Overview • Registry Analysis • Memory Forensics + • Combining the fields =
Overview • Registry Analysis • Memory Forensics + • Combining the fields = • Lots of examples throughout
Windows Registry • Centralized, hierarchical configuration database • Structured like a filesystem • Keys = Directories, Values = Files • Rich source of forensic information
Windows Registry (cont.) • Registry appears as unified tree, but is made up of distinct hives • Standard set of systemwide hives, as well as per-user hives • Note: Registry contains some volatile data available only at runtime
Registry Data • Removable media / USB keys • Artifacts from P2P programs • Malware persistence artifacts • Password hashes (encrypted)
Registry Forensics Tools • RegLookup • Fast, robust registry parser • Parse::Win32Registry • Lower level perl module • Good for rolling your own tools • RegRipper • Undisputed king of registry analysis • Produces reports of forensic info
Memory Forensics • Analysis of volatile data based on memory snapshots • Allows extraction of live data, with • Higher integrity (smaller attack surface) • Repeatable results • Ability to ask new questions later
Memory Forensics Tools • Memoryze • HBGary Responder • Volatility • GPL, collaborative development • Supports plugins • My favorite ;)
Data in Memory • Current tools can extract a ton of information from memory images • Processes • Loaded DLLs • Threads • Rootkit behavior • Drivers • Injected code • Open files • Encryption keys
Combining Registry and Memory Analysis • Windows keeps registry data in memory • By figuring out the internals of the Windows Configuration Manager... • We can combine these two fields!
Design Goals • Access stable registry data • Access volatile registry data • Speed up incident response • Apply existing registry analyses
Solution: VolReg • Suite of plugins for Volatility 1.3 • Provides API to access registry data from XPSP2 memory images • Adds new commands for: • Showing keys / values • Dumping registry as CSV • Extracting password hashes
VolReg: Hivescan $ volatility hivescan • Hivescan: finds raw offsets in -f image.dd Offset (hex) memory image of registry hives 42168328 42195808 0x2837008 0x283db60 47598392 0x2d64b38 • Not very useful by itself, but 155764592 155973608 0x948c770 0x94bf7e8 208587616 0xc6ecb60 needed for other plugins 208964448 234838880 0xc748b60 0xdff5b60 243852936 0xe88e688 • Once we have one hive offset, 251418760 252887048 0xefc5888 0xf12c008 256039736 0xf42db38 we can get a nicer list of all hives 269699936 339523208 0x10134b60 0x143cb688 in memory 346659680 377572192 0x14a99b60 0x16814b60
VolReg: Hivelist • Given one of the offsets from hivescan, finds all other hives in memory • Keep this list around! • The addresses in this list are what we will use for the other registry plugins
Hivelist Example $ volatility hivelist -f image.dd -o 0x2837008 Address Name 0xe2610b60 Documents and SettingsS----Local Settings[...]UsrClass.dat 0xe25f0578 Documents and SettingsS----NTUSER.DAT 0xe1d33008 Documents and SettingsLocalServiceLocal Settings[...]UsrClass.dat 0xe1c73888 Documents and SettingsLocalServiceNTUSER.DAT 0xe1c04688 Documents and SettingsNetworkServiceLocal Settings[...]UsrClass.dat 0xe1b70b60 Documents and SettingsNetworkServiceNTUSER.DAT 0xe1658b60 WINDOWSsystem32configsoftware 0xe1a5a7e8 WINDOWSsystem32configdefault 0xe165cb60 WINDOWSsystem32configSAM 0xe1a4f770 WINDOWSsystem32configSECURITY 0xe1559b38 [no name] 0xe1035b60 WINDOWSsystem32configsystem 0xe102e008 [no name]
VolReg: Printkey • Given a hive address and a key, prints the key and its subkeys and values • Shows last modified time, formats values according to type • Includes volatile keys & values as well • Good for just looking around
Printkey Example $ volatility printkey -f image.dd -o 0xe1035b60 Key name: $$$PROTO.HIV (Stable) Last updated: Mon Jul 4 18:16:59 2005 Subkeys: ControlSet001 (Stable) ControlSet002 (Stable) LastKnownGoodRecovery (Stable) SYSTEM hive MountedDevices (Stable) Select (Stable) Setup (Stable) WPA (Stable) Volatile data! CurrentControlSet (Volatile) Values: $ volatility printkey -f image.dd -o 0xe1035b60 CurrentControlSet Key name: CurrentControlSet (Volatile) Last updated: Mon Jul 4 18:16:59 2005 Subkeys: Values: REG_LINK SymbolicLinkValue : RegistryMachineSystemControlSet001 (Volatile)
VolReg: Hashdump • Local account password hashes are stored in the registry (encrypted) • Hashdump module decrypts and prints these hashes • If LanMan hash is in use, rainbow tables can recover password in minutes • Use this power for good :)
Hashdump Example System hive SAM hive $ volatility hashdump -f image.dd -y 0xe1035b60 -s 0xe165cb60 Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9::: phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51::: ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c::: S----:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Hashes can now be cracked using John the Ripper, rainbow tables, etc.
Others (not shown) • Cachedump: dumps cached domain credentials • Lsadump: dumps LSA protected storage (can contain passwords) • Hivedump: dumps CSV of all keys and (optionally) values
Design Goals • Access stable registry data [✓] • Access volatile registry data [✓] • Speed up incident response [?] • Apply existing registry analyses [X]
Solution: VolRip • Python→Perl interface that makes VolReg look like Parse::Win32Registry • Now we can run RegRipper against memory! • Existing analysis plugins just work
VolRip Setup • Linux only (sorry!) • Requirements: Inline::Python, VolReg • Extract VolRip tarball into Volatility directory • Run rip.pl with the memory image and address of the hive: perl rip.pl -r image.dd@0xe1035b60 -f system
VolRip Example: Tracking USB Keys $ perl rip.pl -r image.dd@0xe1035b60 -p usbstor Launching usbstor v.20080418 USBStor ControlSet001EnumUSBStor Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0.01 [Sun Jun 27 05:58:42 2004] S/N: 6&a344881&0 [Wed Jun 30 00:23:07 2004] FriendlyName : Generic STORAGE DEVICE USB Device ParentIdPrefix: 7&192c45c3&0 Disk&Ven_LEXAR&Prod_JUMPDRIVE_SPORT&Rev_1000 [Sat Jun 25 16:50:48 2005] S/N: 0A4F1011180132130804&0 [Mon Jul 4 18:17:50 2005] FriendlyName : LEXAR JUMPDRIVE SPORT USB Device ParentIdPrefix: 7&2930a404&0 $ perl rip.pl -r image.dd@0xe1035b60 -p usbstor2 SPLATITUDE,Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0.01,6&a344881&0, 1088554987,Generic STORAGE DEVICE USB Device,7&192c45c3&0,DosDevicesE: SPLATITUDE,Disk&Ven_LEXAR&Prod_JUMPDRIVE_SPORT&Rev_1000,0A4F1011180132130804&0, 1120501070,LEXAR JUMPDRIVE SPORT USB Device,7&2930a404&0,DosDevicesD:
Design Goals • Access stable registry data [✓] • Access volatile registry data [✓] • Speed up incident response [✓] • Apply existing registry analyses [✓]
Caveats • Since analysis is done on memory, some things might be missing • Can be especially annoying with hash dumping -- both System and SAM must be in memory • Possible future direction: dump all available registry data, then use fragment recovery
Conclusions • Applying registry analysis to memory can give you powerful new tools! • Some existing registry tools can be coaxed into working with memory • Still need tools to analyze volatile registry data (new RegRipper plugins?)
Thanks! • To you all, for listening • To AAron Walters and the folks in #volatility • To Harlan Carvey, Tim Morgan, and many others for their work and insight on all matters registry-related ? ? ? ? ...any questions? ? ?

Recommended

Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory ForensicsAnshul Tayal
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imagerParminderKaurBScHons
 
Shadow forensics print
Shadow forensics printShadow forensics print
Shadow forensics printn|u - The Open Security Community
 
Visite guidée au pays de la donnée - Du modèle conceptuel au modèle physique
Visite guidée au pays de la donnée - Du modèle conceptuel au modèle physiqueVisite guidée au pays de la donnée - Du modèle conceptuel au modèle physique
Visite guidée au pays de la donnée - Du modèle conceptuel au modèle physiqueGautier Poupeau
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Applicationedavid2685
 

Recommended

Exploring the x64
Exploring the x64Exploring the x64
Exploring the x64FFRI, Inc.
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory ForensicsAnshul Tayal
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
Module 02 ftk imager
Module 02 ftk imagerModule 02 ftk imager
Module 02 ftk imagerParminderKaurBScHons
 
Shadow forensics print
Shadow forensics printShadow forensics print
Shadow forensics printn|u - The Open Security Community
 
Visite guidée au pays de la donnée - Du modèle conceptuel au modèle physique
Visite guidée au pays de la donnée - Du modèle conceptuel au modèle physiqueVisite guidée au pays de la donnée - Du modèle conceptuel au modèle physique
Visite guidée au pays de la donnée - Du modèle conceptuel au modèle physiqueGautier Poupeau
 
When Security Tools Fail You
When Security Tools Fail YouWhen Security Tools Fail You
When Security Tools Fail YouMichael Gough
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Applicationedavid2685
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisitionprimeteacher32
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...AlienVault
 
Enjeux et évolutions de la sécurite informatique
Enjeux et évolutions de la sécurite informatiqueEnjeux et évolutions de la sécurite informatique
Enjeux et évolutions de la sécurite informatiqueMaxime ALAY-EDDINE
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensicssdavis532
 
In-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesIn-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesMaxim Suhanov
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Linux forensics
Linux forensicsLinux forensics
Linux forensicsSantosh Khadsare
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensicsTaha İslam YILMAZ
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3CTIN
 
Slides itil v3 vf
Slides itil v3 vfSlides itil v3 vf
Slides itil v3 vfSAAD Mohamed, MBA,CISA, ITIL, PMP, ISO 27001 LA, CRISC
 
Test d’intrusion dans le cadre du cycle de développement (Vumetric)
Test d’intrusion dans le cadre du cycle de développement (Vumetric)Test d’intrusion dans le cadre du cycle de développement (Vumetric)
Test d’intrusion dans le cadre du cycle de développement (Vumetric)Vumetric
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifactsn|u - The Open Security Community
 

More Related Content

What's hot

Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01Michael Gough
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...AlienVault
 
Enjeux et évolutions de la sécurite informatique
Enjeux et évolutions de la sécurite informatiqueEnjeux et évolutions de la sécurite informatique
Enjeux et évolutions de la sécurite informatiqueMaxime ALAY-EDDINE
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensicssdavis532
 
In-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesIn-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesMaxim Suhanov
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System ForensicsArunJS5
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Sam Bowne
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 eventsMichael Gough
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3CTIN
 
Test d’intrusion dans le cadre du cycle de développement (Vumetric)
Test d’intrusion dans le cadre du cycle de développement (Vumetric)Test d’intrusion dans le cadre du cycle de développement (Vumetric)
Test d’intrusion dans le cadre du cycle de développement (Vumetric)Vumetric
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows SystemConferencias FIST
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniqueAngel Boy
 

What's hot (20)

Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
 
Data Acquisition
Data AcquisitionData Acquisition
Data Acquisition
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
 
Enjeux et évolutions de la sécurite informatique
Enjeux et évolutions de la sécurite informatiqueEnjeux et évolutions de la sécurite informatique
Enjeux et évolutions de la sécurite informatique
 
Cloud Forensics
Cloud ForensicsCloud Forensics
Cloud Forensics
 
In-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesIn-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry files
 
Operating System Forensics
Operating System ForensicsOperating System Forensics
Operating System Forensics
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
 
Windows registry forensics
Windows registry forensicsWindows registry forensics
Windows registry forensics
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensics
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
 
Slides itil v3 vf
Slides itil v3 vfSlides itil v3 vf
Slides itil v3 vf
 
Test d’intrusion dans le cadre du cycle de développement (Vumetric)
Test d’intrusion dans le cadre du cycle de développement (Vumetric)Test d’intrusion dans le cadre du cycle de développement (Vumetric)
Test d’intrusion dans le cadre du cycle de développement (Vumetric)
 
Forensics of a Windows System
Forensics of a Windows SystemForensics of a Windows System
Forensics of a Windows System
 
Play with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit TechniquePlay with FILE Structure - Yet Another Binary Exploit Technique
Play with FILE Structure - Yet Another Binary Exploit Technique
 

Viewers also liked

Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkKapil Soni
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityAndrew Case
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Li-Fi : Future Technology in Wireless Communication
Li-Fi : Future Technology in Wireless CommunicationLi-Fi : Future Technology in Wireless Communication
Li-Fi : Future Technology in Wireless CommunicationKapil Soni
 
CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginSam Bowne
 
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)Sam Bowne
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblySam Bowne
 
CNIT 126 9: OllyDbg
CNIT 126 9: OllyDbgCNIT 126 9: OllyDbg
CNIT 126 9: OllyDbgSam Bowne
 
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)Sam Bowne
 

Viewers also liked (12)

Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
Windows forensic artifacts
Windows forensic artifactsWindows forensic artifacts
Windows forensic artifacts
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
Li-Fi : Future Technology in Wireless Communication
Li-Fi : Future Technology in Wireless CommunicationLi-Fi : Future Technology in Wireless Communication
Li-Fi : Future Technology in Wireless Communication
 
CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you Begin
 
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-Disassembly
 
CNIT 126 9: OllyDbg
CNIT 126 9: OllyDbgCNIT 126 9: OllyDbg
CNIT 126 9: OllyDbg
 
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
 

Similar to SANS Forensics 2009 - Memory Forensics and Registry Analysis

Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware WalletsPriyanka Aash
 
Sourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team LabsSourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team Labslosalamos
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016Brendan Gregg
 
Building OpenDNS Stats
Building OpenDNS StatsBuilding OpenDNS Stats
Building OpenDNS StatsGeorge Ang
 
Analyzing OS X Systems Performance with the USE Method
Analyzing OS X Systems Performance with the USE MethodAnalyzing OS X Systems Performance with the USE Method
Analyzing OS X Systems Performance with the USE MethodBrendan Gregg
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance ToolsBrendan Gregg
 
Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisFundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisDmitry Vostokov
 
MeetBSD2014 Performance Analysis
MeetBSD2014 Performance AnalysisMeetBSD2014 Performance Analysis
MeetBSD2014 Performance AnalysisBrendan Gregg
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in ActionSveta Smirnova
 
Percona Live UK 2014 Part III
Percona Live UK 2014 Part IIIPercona Live UK 2014 Part III
Percona Live UK 2014 Part IIIAlkin Tezuysal
 
Musclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMusclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMike Webb
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesSatpal Parmar
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Jagadisha Maiya
 
All of Your Network Monitoring is (probably) Wrong
All of Your Network Monitoring is (probably) WrongAll of Your Network Monitoring is (probably) Wrong
All of Your Network Monitoring is (probably) Wrongice799
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
 

Similar to SANS Forensics 2009 - Memory Forensics and Registry Analysis (20)

Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware Wallets
 
Debugging TV Frame 0x12
Debugging TV Frame 0x12Debugging TV Frame 0x12
Debugging TV Frame 0x12
 
Sourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team LabsSourcefire Vulnerability Research Team Labs
Sourcefire Vulnerability Research Team Labs
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016
 
Building OpenDNS Stats
Building OpenDNS StatsBuilding OpenDNS Stats
Building OpenDNS Stats
 
Analyzing OS X Systems Performance with the USE Method
Analyzing OS X Systems Performance with the USE MethodAnalyzing OS X Systems Performance with the USE Method
Analyzing OS X Systems Performance with the USE Method
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance Tools
 
Fundamentals of Physical Memory Analysis
Fundamentals of Physical Memory AnalysisFundamentals of Physical Memory Analysis
Fundamentals of Physical Memory Analysis
 
MeetBSD2014 Performance Analysis
MeetBSD2014 Performance AnalysisMeetBSD2014 Performance Analysis
MeetBSD2014 Performance Analysis
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 
200.1,2-Capacity Planning
200.1,2-Capacity Planning200.1,2-Capacity Planning
200.1,2-Capacity Planning
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in Action
 
Percona Live UK 2014 Part III
Percona Live UK 2014 Part IIIPercona Live UK 2014 Part III
Percona Live UK 2014 Part III
 
Musclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMusclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and Unlocks
 
Debugging TV Frame 0x16
Debugging TV Frame 0x16Debugging TV Frame 0x16
Debugging TV Frame 0x16
 
Debugging linux kernel tools and techniques
Debugging linux kernel tools and techniquesDebugging linux kernel tools and techniques
Debugging linux kernel tools and techniques
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
 
All of Your Network Monitoring is (probably) Wrong
All of Your Network Monitoring is (probably) WrongAll of Your Network Monitoring is (probably) Wrong
All of Your Network Monitoring is (probably) Wrong
 
Finding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated DisassemblyFinding Xori: Malware Analysis Triage with Automated Disassembly
Finding Xori: Malware Analysis Triage with Automated Disassembly
 

SANS Forensics 2009 - Memory Forensics and Registry Analysis

  • 1. Registry Analysis and Memory Forensics: Together at Last Brendan Dolan-Gavitt Georgia Institute of Technology
  • 2. Who I Am • Developer on Volatility project • Grad student and researcher at Georgia Tech • Author of “Push the Red Button” blog
  • 6. Overview • Registry Analysis • Memory Forensics + • Combining the fields =
  • 7. Overview • Registry Analysis • Memory Forensics + • Combining the fields = • Lots of examples throughout
  • 8. Windows Registry • Centralized, hierarchical configuration database • Structured like a filesystem • Keys = Directories, Values = Files • Rich source of forensic information
  • 9. Windows Registry (cont.) • Registry appears as unified tree, but is made up of distinct hives • Standard set of systemwide hives, as well as per-user hives • Note: Registry contains some volatile data available only at runtime
  • 10. Registry Data • Removable media / USB keys • Artifacts from P2P programs • Malware persistence artifacts • Password hashes (encrypted)
  • 11. Registry Forensics Tools • RegLookup • Fast, robust registry parser • Parse::Win32Registry • Lower level perl module • Good for rolling your own tools • RegRipper • Undisputed king of registry analysis • Produces reports of forensic info
  • 12. Memory Forensics • Analysis of volatile data based on memory snapshots • Allows extraction of live data, with • Higher integrity (smaller attack surface) • Repeatable results • Ability to ask new questions later
  • 13. Memory Forensics Tools • Memoryze • HBGary Responder • Volatility • GPL, collaborative development • Supports plugins • My favorite ;)
  • 14. Data in Memory • Current tools can extract a ton of information from memory images • Processes • Loaded DLLs • Threads • Rootkit behavior • Drivers • Injected code • Open files • Encryption keys
  • 15. Combining Registry and Memory Analysis • Windows keeps registry data in memory • By figuring out the internals of the Windows Configuration Manager... • We can combine these two fields!
  • 16. Design Goals • Access stable registry data • Access volatile registry data • Speed up incident response • Apply existing registry analyses
  • 17. Solution: VolReg • Suite of plugins for Volatility 1.3 • Provides API to access registry data from XPSP2 memory images • Adds new commands for: • Showing keys / values • Dumping registry as CSV • Extracting password hashes
  • 18. VolReg: Hivescan $ volatility hivescan • Hivescan: finds raw offsets in -f image.dd Offset (hex) memory image of registry hives 42168328 42195808 0x2837008 0x283db60 47598392 0x2d64b38 • Not very useful by itself, but 155764592 155973608 0x948c770 0x94bf7e8 208587616 0xc6ecb60 needed for other plugins 208964448 234838880 0xc748b60 0xdff5b60 243852936 0xe88e688 • Once we have one hive offset, 251418760 252887048 0xefc5888 0xf12c008 256039736 0xf42db38 we can get a nicer list of all hives 269699936 339523208 0x10134b60 0x143cb688 in memory 346659680 377572192 0x14a99b60 0x16814b60
  • 19. VolReg: Hivelist • Given one of the offsets from hivescan, finds all other hives in memory • Keep this list around! • The addresses in this list are what we will use for the other registry plugins
  • 20. Hivelist Example $ volatility hivelist -f image.dd -o 0x2837008 Address Name 0xe2610b60 Documents and SettingsS----Local Settings[...]UsrClass.dat 0xe25f0578 Documents and SettingsS----NTUSER.DAT 0xe1d33008 Documents and SettingsLocalServiceLocal Settings[...]UsrClass.dat 0xe1c73888 Documents and SettingsLocalServiceNTUSER.DAT 0xe1c04688 Documents and SettingsNetworkServiceLocal Settings[...]UsrClass.dat 0xe1b70b60 Documents and SettingsNetworkServiceNTUSER.DAT 0xe1658b60 WINDOWSsystem32configsoftware 0xe1a5a7e8 WINDOWSsystem32configdefault 0xe165cb60 WINDOWSsystem32configSAM 0xe1a4f770 WINDOWSsystem32configSECURITY 0xe1559b38 [no name] 0xe1035b60 WINDOWSsystem32configsystem 0xe102e008 [no name]
  • 21. VolReg: Printkey • Given a hive address and a key, prints the key and its subkeys and values • Shows last modified time, formats values according to type • Includes volatile keys & values as well • Good for just looking around
  • 22. Printkey Example $ volatility printkey -f image.dd -o 0xe1035b60 Key name: $$$PROTO.HIV (Stable) Last updated: Mon Jul 4 18:16:59 2005 Subkeys: ControlSet001 (Stable) ControlSet002 (Stable) LastKnownGoodRecovery (Stable) SYSTEM hive MountedDevices (Stable) Select (Stable) Setup (Stable) WPA (Stable) Volatile data! CurrentControlSet (Volatile) Values: $ volatility printkey -f image.dd -o 0xe1035b60 CurrentControlSet Key name: CurrentControlSet (Volatile) Last updated: Mon Jul 4 18:16:59 2005 Subkeys: Values: REG_LINK SymbolicLinkValue : RegistryMachineSystemControlSet001 (Volatile)
  • 23. VolReg: Hashdump • Local account password hashes are stored in the registry (encrypted) • Hashdump module decrypts and prints these hashes • If LanMan hash is in use, rainbow tables can recover password in minutes • Use this power for good :)
  • 24. Hashdump Example System hive SAM hive $ volatility hashdump -f image.dd -y 0xe1035b60 -s 0xe165cb60 Administrator:500:08f3a52bdd35f179c81667e9d738c5d9:ed88cccbc08d1c18bcded317112555f4::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:ddd4c9c883a8ecb2078f88d729ba2e67:e78d693bc40f92a534197dc1d3a6d34f::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8bfd47482583168a0ae5ab020e1186a9::: phoenix:1003:07b8418e83fad948aad3b435b51404ee:53905140b80b6d8cbe1ab5953f7c1c51::: ASPNET:1004:2b5f618079400df84f9346ce3e830467:aef73a8bb65a0f01d9470fadc55a411c::: S----:1006:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Hashes can now be cracked using John the Ripper, rainbow tables, etc.
  • 25. Others (not shown) • Cachedump: dumps cached domain credentials • Lsadump: dumps LSA protected storage (can contain passwords) • Hivedump: dumps CSV of all keys and (optionally) values
  • 26. Design Goals • Access stable registry data [✓] • Access volatile registry data [✓] • Speed up incident response [?] • Apply existing registry analyses [X]
  • 27. Solution: VolRip • Python→Perl interface that makes VolReg look like Parse::Win32Registry • Now we can run RegRipper against memory! • Existing analysis plugins just work
  • 28. VolRip Setup • Linux only (sorry!) • Requirements: Inline::Python, VolReg • Extract VolRip tarball into Volatility directory • Run rip.pl with the memory image and address of the hive: perl rip.pl -r image.dd@0xe1035b60 -f system
  • 29. VolRip Example: Tracking USB Keys $ perl rip.pl -r image.dd@0xe1035b60 -p usbstor Launching usbstor v.20080418 USBStor ControlSet001EnumUSBStor Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0.01 [Sun Jun 27 05:58:42 2004] S/N: 6&a344881&0 [Wed Jun 30 00:23:07 2004] FriendlyName : Generic STORAGE DEVICE USB Device ParentIdPrefix: 7&192c45c3&0 Disk&Ven_LEXAR&Prod_JUMPDRIVE_SPORT&Rev_1000 [Sat Jun 25 16:50:48 2005] S/N: 0A4F1011180132130804&0 [Mon Jul 4 18:17:50 2005] FriendlyName : LEXAR JUMPDRIVE SPORT USB Device ParentIdPrefix: 7&2930a404&0 $ perl rip.pl -r image.dd@0xe1035b60 -p usbstor2 SPLATITUDE,Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0.01,6&a344881&0, 1088554987,Generic STORAGE DEVICE USB Device,7&192c45c3&0,DosDevicesE: SPLATITUDE,Disk&Ven_LEXAR&Prod_JUMPDRIVE_SPORT&Rev_1000,0A4F1011180132130804&0, 1120501070,LEXAR JUMPDRIVE SPORT USB Device,7&2930a404&0,DosDevicesD:
  • 30. Design Goals • Access stable registry data [✓] • Access volatile registry data [✓] • Speed up incident response [✓] • Apply existing registry analyses [✓]
  • 31. Caveats • Since analysis is done on memory, some things might be missing • Can be especially annoying with hash dumping -- both System and SAM must be in memory • Possible future direction: dump all available registry data, then use fragment recovery
  • 32. Conclusions • Applying registry analysis to memory can give you powerful new tools! • Some existing registry tools can be coaxed into working with memory • Still need tools to analyze volatile registry data (new RegRipper plugins?)
  • 33. Thanks! • To you all, for listening • To AAron Walters and the folks in #volatility • To Harlan Carvey, Tim Morgan, and many others for their work and insight on all matters registry-related ? ? ? ? ...any questions? ? ?