Course Objectives:
• Help the student to achieve a broad understanding of the
main types of memory forensic data gathering and analysis
• Serve as an introduction to low level concepts necessary for
a proper understanding of the task of performing memory
forensics on Windows, MacOSX and Linux (incl. Android).
• Put the student in contact with different memory forensics
tools and provide him information on how to use the
gathered forensic data to perform a wide range of
investigations
Intro in Product Management - Коротко про професію продакт менеджера
2010 2013 sandro suffert memory forensics introdutory work shop - public
1. Memory Forensics
(Windows, Mac and Linux)
Sandro Süffert - http://suffert.com
CTO, APURA CyberSecurity Intelligence
http://apura.com.br | twitter: @suffert
2010->2013
2. Memory Forensics: Course objectives
• Help the student to achieve a broad understanding of the
main types of memory forensic data gathering and analysis
• Serve as an introduction to low level concepts necessary for
a proper understanding of the task of performing memory
forensics on Windows, MacOSX and Linux (incl. Android).
• Put the student in contact with different memory forensics
tools and provide him information on how to use the
gathered forensic data to perform a wide range of
investigations
3. Agenda
Windows Memory Forensics Theory
•
•
•
•
•
•
•
•
•
•
•
Windows Memory Forensics Demos and Hands-On
References
Offline Memory Analysis vs Live Response
Acquisition / Context / Analysis
Order of Volatility
Physical Memory, Virtual Memory
Paging / Swapping / Hibernation
Kernel Modes
Memory Mapping
Processes / Threads / Services / Jobs
Acquisition details
Analysis details
•
•
•
•
•
•
•
•
•
•
•
•
•
Hands-on Bonuses:
•
•
•
•
•
MacOSX memory analysis
Linux memory analysis
Android memory analysis
Stuxnet artifacts analysis
More if time permits
MoonSols Community Edition
FastDump
FTKImager
Memoryze
Volatility
Fget
Microsoft Windows Debugger
LiveKD
Pdgmail / pdymail
Sysinternals / NirSoft / NTSecurity
AccessData FTK 4.x
Encase FIM/Enterprise 6.17
HBGary Responder Pro
5. Memory Forensics - References
Books:
I - Windows Forensic Analysis v2, Harlan Carvey
Chapter 3 – Windows Memory Analysis
II - Malware Forensics – Investigating and Analyzing Malicious Code, James Aquilina, - Eoghan Casey, Cameron Malin
Chapter 3 – Memory Forensics: Analyzing Physical and Process Memory Dumps and 9 – Analysis of a Suspect Program
III – Computer Evidence Collection & Preservation, Christopher L.T. Brown
Chapter 6 – Volatile Data and Chapter 11 – Collecting Volatile Data
IV - EnCE – The Official Encase Certified Examiner Study Guide, 2nd Edition, Steve Bunting
Chapter 3 – First Response and Chapter 9 – Windows Operating System Artifacts
V - Undocumented Windows, chapter 4, Sven B. Schreiber
VI - Windows Internals (4st editon) chapter 7, Mark Russinovich and David Salomon.
6. Memory Forensics - References
Papers:
Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis
CERT: http://www.cert.org/archive/pdf/08tn017.pdf (Cal Waits, Joseph Ayo Akinyele, Richard Nolan, Larry
Rogers)
Collecting Evidence from a Running Computer - SEARCH:
http://www.search.org/files/pdf/CollectEvidenceRunComputer.pdf (Todd Shipley and Henry Reeve)
"A Methodology for the Law Enforcement Collection of Digital Evidence from a Running Computer”
Lest We Remember: Cold Boot Attacks on Encryption Keys: http://citp.princeton.edu/pub/coldboot.pdf
Eletronic Crime Investigation - NIJ: http://www.ncjrs.gov/pdffiles1/nij/187736.pdf
Electronic Evidence – Guide for First Responders – http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf
7. Memory Forensics - References
Papers DFRWS - Digital Forensic Research Conference:
Windows Operating System Agnostic Memory Analysis. James Okolica and Gilbert
Peterson. http://dfrws.org/2010/proceedings/2010-306.pdf
Extracting Windows Command Line Details from Physical Memory. Richard Stevens and Eoghan
Casey. http://dfrws.org/2010/proceedings/2010-307.pdf
A Novel Time-Memory Trade-Off Method for Password Recovery. Vrizlynn L. L. Thing and Hwei-Ming
Ying. http://dfrws.org/2009/proceedings/p114-thing.pdf
Extraction of Forensically Sensitive Information from Windows Physical Memory. Seyed Mahmood Hejazi,
Chamseddine Talhi and Mourad Debbabi. http://dfrws.org/2009/proceedings/p121-hedjazi.pdf
The Persistence of Memory: Forensic Identification and Extraction of Cryptographic Keys. Carsten Maartmann-Moe,
Andre Arnes and Steffen E. Thorkildsen. http://dfrws.org/2009/proceedings/p132-moe.pdf
Forensic Analysis of the Windows Registry in Memory. Brendan Dolan-Gavitt.
http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf
8. Memory Forensics - References
Papers DFRWS - Digital Forensic Research Conference:
Recovering Deleted Data From the Windows Registry. Timothy Morgan.
http://www.dfrws.org/2008/proceedings/p33-morgan.pdf
Forensic Memory Analysis: Files mapped in memory. Ruud van Baar.
http://www.dfrws.org/2008/proceedings/p52-vanBaar.pdf
The impact of Microsoft Windows pool allocation strategies on memory forensics. Andreas Schuster.
http://www.dfrws.org/2008/proceedings/p58-schuster_pres.pdf
BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software. Bradley Schatz.
http://www.dfrws.org/2007/proceedings/p126-schatz.pdf
The VAD Tree: A Process-Eye View of Physical Memory. Brendan F Dolan-Gavitt.
http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf
Searching for processes and threads in Microsoft Windows memory dumps. Andreas Schuster.
http://www.dfrws.org/2006/proceedings/2-Schuster.pdf
10. Memory Analysis vs Live Response *
• Computer Forensics: Results of Live Response
Inquiry vs. Memory Image Analysis - CERT
Cal Waits, Joseph Ayo Akinyele, Richard Nolan, Larry Rogers
http://www.cert.org/archive/pdf/08tn017.pdf (2008)
“Despite the drawbacks associated with volatile memory analysis, it is the authors’
opinion that volatile memory analysis will be integral to the digital investigation
process going forward. (…) , the best approach is a hybrid based on situational
awareness and a triage mentality. (..) Full memory analysis (and the requisite
memory acquisition) should be used to augment and supplement traditional
digital forensic examination when greater understanding of the running state of
the machine is critical to resolving the case.”
12. Memory Analysis vs Live Response
http://www.cert.org/archive/pdf/08tn017.pdf
13. Live Response
• Tool execution to get data from the Windows
O.S. While it is running:
– netstat/tasklist/arp/hostname .. (native tools)
– Sysinternals Tools
– NirSoft Tools
– FoundStone Tools
– Microsoft Cofee
– Helix
– Etc..
14. MS Cofee
Decaf
Computer Online Forensic Evidence Extractor
arp.exe ‐a
at.exe
autorunsc.exe
getmac.exe
handle.exe ‐a
hostname.exe
ipconfig.exe /all
msinfo32.exe /report
nbtstat.exe ‐n
nbtstat.exe ‐A 127.0.0.1
nbtstat.exe ‐S
nbtstat.exe ‐c
net.exe share
net.exe use
net.exe file
net.exe user
net.exe accounts
net.exe view
net.exe start
net.exe Session
net.exe localgroup administrators
/domain
net.exe localgroup
net.exe localgroup administrators
net.exe group
netdom.exe query DC
netstat.exe ‐ao
netstat.exe ‐no
openfiles.exe /query/v
psfile.exe
pslist.exe
pslist.exe ‐t
psloggedon.exe
psservice.exe
pstat.exe
psuptime.exe
quser.exe
route.exe print
sc.exe query
sc.exe queryex
sclist.exe
showgrps.exe
srvcheck 127.0.0.1
tasklist.exe /svc
whoami.exe
Contaminate MAC Addresses:
Spoof MAC addresses of network adapters
Kill Processes:
Quick shutdown of running processes
Shutdown Computer:
On the fly machine power down
Disable network adapters
Disable USB ports
Disable Floppy drive
Disable CD-ROM
Disable Serial/Printer Ports
Erase Data: Quick file/folder removal (Basic Windows delete)
Clear Event Viewer: Remove logs from the Event Viewer
Remove Torrent Clients: Removes Azureus and BitTorrent clients
Clear Cache: Remove cookies, cache, and history
15. Live Response - Limitations
http://decafme.org/decaf-software.html
16. Other Live Response Limitations
(when dealing with a technicaly savvy adversary)
• These tools can be easily defeated:
•
Microsoft sigverif.exe. This is a GUI File Signature Verification included with all Windows installations. It will freeze after enumerating files (but
before checking their signatures).
•
•
•
•
signtool.exe. This is a command-line tool included with Visual Studio.
signdrv.dll. The WMI provider for Signed Drivers.
sigcheck.exe. The popular tool from SysInternals will freeze after printing the version banner, regardless of what options you choose.
Mandiant Redline. A tool for streamlining forensic data acquisition and analysis. On live systems, it will attempt to verify driver signatures before
capturing memory. Unfortunately it will freeze on step 1 and never actually get to the memory step.
•
Any other forensic tools or digital signature verification utilities that use the specific APIs in wintrust.dll.
“To trigger the bug, all you have to do is create a file. It can be done from an
administrator shell as shown below, or you can do it from shell code after an exploit”
C:> echo "" >
C:WINDOWSsystem32catroot2{111111111111111111111111111111111111}
Source: http://mnin.blogspot.com.br/2013/06/how-to-dos-authenticodesignature.html (Michael Ligh)
17. Lab
– Please log into the “ACMEXP1” VM Machine:
• user: “Administrator” / password: “password”
– Configure your VMWare or Virtualbox to use the
“host-only / private network” network
configuration
– Use built in Windows commands and Freeware
tools to get volatile information from the system
(from the command prompt – cmd.exe – c:usb)
• fport/netstat -ano
• Pslist/tasklist
18. Lab
– Please log into the Forensic VM (“SIFT 2.1” / “DEFT”)
• user: “sansforensics”
• password: “forensics”
– Configure your VMWare or Virtualbox to use the
“host-only / private network” network configuration
– Use a terminal from your Forensic VM:
• connect to the 666 port (using nc or telnet) to the
“ACMEXP1” machine (keep the connection open)
• ie: $ telnet 192.168.31.133 666
19. Lab
– From the ACMEXP1 machine, probe again for
information about the proccesses executing and
the sockets that are open with “live response”
tools:
• fport/netstat –ano
• Pslist/tasklist
– Comments ?
20. Memory Forensics
– A lot of data, some structure
– A lot of internal memory structure is not
documented
– The first objective is to obtain context from
artifacts and evidence found in memory dumps
21. Memory Forensics
– Acquisition *
• executing memory
• Pagefile
• Hibernation file
– Context
• FInd offsets from the needed structures
• extract structures from memory
• Isolate processes
– Analysis
• Interation between different structures
• Recovering evidence of activity
23. Memory
• RAM: a read happens in
0.00000001 seconds (electronic)
• HD: a read happens in 0.01 sec
(for mecanic disks)
diagram: wikipedia.org
24. CPU registers, cache (10-9 seconds)
2.
Kernel Memory e Physical Memory (10-8 seconds)
3.
Network Connections (10-3 seconds)
4.
Processes (1 second)
5.
Discos Rígidos (years)
6.
Floppy, Backup Tapes, CD-ROM (years)
7.
Printed material (decades)
order of volatility
1.
http://www.ietf.org/rfc/rfc3227.txt - Guidelines for Evidence Collection and Archiving
25. Informations that can be found in Memory *
•
•
•
•
•
•
•
•
•
•
•
Processes
Drivers
Kernel Modules
Socket Information
Passwords
Crypto Passphrases
Decrypted files
Execution order
Execution state
Configuration Information
Clipboard material
•
•
•
•
•
•
•
•
•
•
•
Logged Users
Network Driver Buffers
Open Files
Unsaved documents
Live Registry
Vídeo Buffers (screen shots)
BIOS Memory
VOIP Calls
Malicious Code
IM Chats
Rootkits footprint
26. Physical Memory
– Electronic circuits / RAM chips (random memory
access), used to temporarily keep the information
on execution time
– Contains the current state of the computer
– Hardware Perspective
27. Virtual Memory
– Operational System perspective
– Maximum space that an process can
occupy
– Virtual Addresses are mapped into
physical addresses
28. Memory Paging
• Page = fixed size block from the memory that is
contiguous from the physical and virtual addresses
perspectives
• Its the Menor quantidade de dados para:
– Memory allocation
– Transfer between physical memory and swap (pagefile)
• Memory Page Sizes varies depending on the
architecture of the processor:
– x86: 4Kb (2Mb if PAE is used)
– IA64: from 4kb up to 256Mb
29. Paging/Swapping
– When a process will be loaded into memory, the pager manager decides
which pages will be used and take only the necessary pages into
memory, reducing the time and the amount of physical memory required
per process.
– When there is little RAM, virtual memory moves data from the physical
memory space (HD) called a paging file (slows your computer).
– In the Windows nomenclature, "Virtual Memory" is the space available
for the paging file:
– Paging file naming:
» Windows 3.x: 386SPART.PAR
» Windows 9x: WIN386.SWP
» Windows NT: PAGEFILE.SYS
30. 32/64 bit architectures limitations
– Maximum virtual memory – available per process*)
• 32 bit *: 4 GB = 2^32 = 4.294.967.296 bits
• 64 bit: 16 TB = 2^64 = 18.446.744.073.709.551.616 bits
* Since “Pentium Pro”, 32bit CPUs are capable of addressing 36 bits of RAM. But they are still limited
to a virtual memory addressing of 32 bit (4GB) per proccess.
http://www.microsoft.com/whdc/system/platform/server/pae/pae_os.mspx
– Size limit of the page file:
• 32 bit: 16 TB
• 64 bit: 256 TB
31. Hibernation *
– The hibernation file (%SYSTEMDRIVE%hiberfil.sys) is the sum of the
physical memory and the swap (pagination) memory – and is compressed.
– It contains data that was present at memory from the last time that the
system was “hibernated”
– The hiberfil.sys file contains a header, free pages, page tables and
compressed data
– The system can be forced to hibernate
32. maioria dos endereços de memória são virtuais
todos os endereços são virtuais
Windows Kernel Mode/User Mode
(Virtual) Memory Manager
Manages the Virtual Memory, controlling the protection and
memory paging between the physical memory and the Hard Disk.
Implements generic allocation of physical memory.
Implements a PE analyzer (portable executables) that allows an
executable file to be mapped or removed from memory in one
step
Process Manager
Responsible for creating processes and threads
33. Windows Kernel
– From the Hierarchical Domain
Protection standpoint, the
Windows Kernel is in Ring 0
– Important: Kernel components have
unrestricted access to all system
34. Windows Kernel
– Windows Executive manages memory, processes,
threads, security, objects, I/O, network
– Hardware Abstract Layer (HAL)
– USER and GUI functionality
– drivers provide support to (I/O) from hardware
35. User mode *
• Restrict access to the system (Ring 3)
– Can access resources from the system via Windows
APIs (kernel32.dll, ntdll.dll)
• Contains:
– User applications
– Support processes (logon)
– Service processes
– Environment subsystems
37. Total Logical Memory
• Sum of all Virtual Memory
Physical Memory
2 GB Memory (RAM)
OS
4GB
4GB
4GB
4GB
4GB
4GB
Virtual Memory
6 x 4GB = 24 GB <= Logical Memory
38. 2 GB
0 GB
Page Directory and Page Tables
Physical Memory
Process Virtual Memory
0 GB
4 GB
0x00C00000 – 0x00E00000
0x00CE0000 – 0x00E00000
0x00CD0000 – 0x00CDF000
PTE 0010 - 0015
0x00CE0000 – 0x00CF0000
0x00D10000 – 0x00D20000
VAD Tree
The reconstruction of theVAD Tree (Virtual Adress Descriptors) allows the reconstruction of t
memory space of a process togheter with all files mapped by this processele
Disco Rígido
HbGary
39. Virtual Address Descriptors
Volatility Modules:
vaddump
vadinfo
vadwalk
Dump the Vad sections to files
Dump the VAD info
Walk the vad tree
The reconstruction of the
VAD Tree (Virtual Adress
Descriptors) allows the
reconstruction of the
memory space of a
process togheter with all
files mapped by this
process
$ python volatility vadwalk -f <path-to-image-dump>
************************************************************************
Pid: 4
Address Parent Left Right Start End
Tag Flags
819c1300 00000000 00000000 81948bc0 00010000 00033fff Vad
0x00C00000 – 0x00E00000
81948bc0 819c1300 8185b008 00000000 7c900000 7c9b1fff Vad
8185b008 81948bc0 00000000 817dd0b0 00060000 00060fff Vad
817dd0b0 8185b008 00000000 00000000 00070000 0016ffff Vad
************************************************************************
Pid: 440
0x00CE0000 – 0x00E00000
0x00CD0000 – 0x00CDF000
Address 0010 - 0015
Parent Left Right Start End
Tag Flags
PTE
8183a210 00000000 8186b670 819806e0 48580000 4858efff Vad
8186b670 8183a210 00000000 81856080 00000000 000fffff VadS
81856080 8186b670 00000000 8184a050 00100000 00100fff VadS
8184a050 81856080 00000000 81849790 00110000 00110fff VadS
0x00CE0000 – 0x00CF0000
0x00D10000 – 0x00D20000
81849790 8184a050 00000000 81845050 00120000 0015ffff VadS
81845050 81849790 00000000 816d3030 00160000 0025ffff VadS
816d3030 81845050 00000000 816d30c0 00260000 0026ffff VadS
VAD Tree
41. Virtual Memory Layout
4 GB
Kernel Memory
2 GB
• The first 2GB* of virtual
memory are reserved for
the Windows Kernel. They
are not accessible from the
userland processes.
*
User Memory
0 GB
Except when the /3GB option is used on boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)WINNT="????" /3GB
42. Virtual Memory - userland
2 GB
Windows system specific structures
Windows System Libraries (DLLs)
Windows DLLs, Application DLLs or Allocated memory
DLLs or Allocated Memory
Application Binary
Stack
Heap or allocated memory
0 GB
43. Processes
– Processes are containers for memory address
space and threads
– Own virtual memory space
• Unique ID: Process ID (PID)
– At least one execution thread
– Security Context
44. Processes
• Processes are units of allocation of resources such
as files, I/O, memory, privileges and run in
separate address spaces
• Processes are also units for scheduling threads they might be ready, waiting or running
45. Memory Allocation
• When the program is running, each process has its own memory
address space and operating system controls this use of memory
pages in physical memory (RAM) or in "virtual memory" – paging
file: (%SYSTEMDRIVE%pagefile.sys)
• Problem for Forensics: The mapping is not consistent (*)
between versions of Windows (XP, 2000, 2003, Vista, 7) and even
windows editions (Home, Pro, Enterprise) and Service Packs (0,
1, 2, 3, …)
(*) Windows Operating System Agnostic Memory Analysis. James Okolica and Gilbert Peterson.
http://dfrws.org/2010/proceedings/2010-306.pdf
46. Virtual Memory Allocation
– Programs can allocate virtual memory dynamically
– The Windows Kernel use the Virtual Address
Descriptors data structure (VAD Trees) to control
virtual memory allocations
– Memory analysis tools combine the information
contained in VAD Trees with the page tables for
each process
47. Windows Kernel: Memory
– Analysis for identification of addresses and
memory pages used by processes:
• EPROCESS/KPROCESS/ETHREAD – structures accessed
only via kernel mode
• PEB – Process Environment Block – fixed virtual address
for 32bit: 0x7FFDF000 – can be accessed from user
mode
– Ways to verify it:
• Livekd + Microsoft Windows Debugger (online)
• volatiliy volshell (offline) <= SIFT 2.0+
48. Windows Kernel: Memory
• EPROCESS
– DirectoryTableBase (DTB) – also known as
PageDirectoryBase (PDB)
– CreateTime
– UniqueProcessId
– ImageFileName – executable name
– InheritedFromUniqueProcessID – Parent Process ID
– PEB – Process Environment Block
49. Windows Kernel: Memory
Links allow the separation between processes. ie: when a proccess runs in memory it has
aforward link (FLINK) and a backward link (BLINK) for processes that are located on close
addresses on the memory.
50. Creation and Ending of Processes *
• Process Creation Triggers:
•
•
•
•
•
system startup
actions of other processes;
user actions
manager actions
batch jobs
• Process Ending Triggers:
–
–
–
–
–
Normal exit
Forced error
Unforced error
Killed by an user
Killed by an process
51. Creation of Processes
common internal structures and commands
•
•
•
•
•
CreateProcess
Rundll32.exe
cmd.exe
cmd /c
command.com /c
•
•
•
•
•
•
•
•
ShellExec
ShellExecute
ShellExecuteA
WinExec
Shell32.DLL
exec
execve
system
52. Threads
– A Thread is a container for execution
•
•
•
•
•
Private storage Thread Local Storage / TLS
Unique ID: Thread ID (TID)
CPU states (register counters)
Execution stack (stack / LIFO)
Security Context
54. Process, Thread, Job *
• Process – at least one thread, can be more
(multi-threaded applications)
– used space in memory and resources controlled
by the process
• Thread – basic unit of execution
– The O.S. Schedules threads for execution
• Job – when the execution is controled by
programs (userland) – exists on Windows
since the 2000 version
55. Device Drivers
– Dynamic modules that are loaded into the Kernel
to provide support for I/O or I/O interface with
the user
– Like all kernel components, drivers have
unrestricted access to the system (Ring 0)
56. Services
– Programs (user mode) that provide functions
independent of the logged user
– Examples:
• Task Manager
• Print Spooler
• Windows Update
57. Windows Registry
– A hierarchical database that contains
configuration information
• Registry on disk (windowssystem32config)
• LIVE Registry (Memory)
– Examples:
•
•
•
•
•
•
Startup Settings
Driver Settings
Hardware Configuration
Users settings
Application settings
Current User Settings
59. Memory Forensics
– Is independent of the operating system (that may be
deceived)
– Anti-Forensics Tools/Malware/Rootkits
– Can detect malicious code that bypass other security tools
such as antivirus and HIPS
– The goal is to reconstruct the information from the physical
layer, checking the system runtime state
60. Memory Forensics – advantages
– Rootkits bypass the usermode and act in kernel mode,
tricking the O.S. and applications used in "Live Response"
– Password in clear text in memória (ie: mimikatz)
– Programs running
– Open Documents / Files
– Open content of compressed programs (packers)
– Network Connections – current and recent
– Crypto Keys (BitLocker, PGP Whole Disk Encryption,
TrueCrypt, etc...)
– Command Line parameters (DOSKEY/cmd.exe)
61. Memory Forensics: Hacking
– Always remember: do not trust on the O.S.
– Memory injection attacks do not touch the disk.
Hacker tools use these techniques for years:
• Metasploit Framework/Meterpreter (www.metasploit.com)
• Canvas (www.immunitysec.com)
• Core Impact (www.coresecurity.com)
– For certain attacks, there is no detection mechanism
via software and the acquisition and preservation of
physical memory and later offline analysis is the best
approach
62. “Trojan Defense” *
– “I did nothing, it was the Trojan horse/backdoor”
• “There was a hacker controlling my PC”
– Defense used for the first time in the United
Kingdom, in 2003
• Plausible deniability because LEO did not generate a
physical memory image
– “Law Enforcement destroyed 4GB of evidence”
• 4GB = more than a million pages of paper
• Objective: Analysis to prove that there was no trojan or
other malicious software running on the machine to
contradict this possible defense claim.
63. History of process acquisition
•
•
•
•
Pmdump – Arne Vidstrom
Process Dumper – Tobias Klein
Userdump – Microsoft
Adplus.vbs – Microsoft Debugging Tools
– It may be useful to generate a memory dump of a
specific process of interest (MSN, GTALK, IE, FF, ...)
64. Memory Acquisition via Hardware
– CPU Suspension and and use of Direct Memory Access
(DMA) to copy the physical memory
• Tribble (2004). By Brian Carrier e Joe Grand
• needs to be installed prior to data acquisition
• Similar devices are useful for hardware debugging
– Firewire / Thunderbolt
• IEEE 1394 - Specification allows direct memory access (DMA)
• Memory mapping is done by hardware
• References:
– Firewire: http://blogs.gnome.org/muelli/2010/04/04/reading-ram-using-firewire/
– Thunderbolt: http://www.breaknenter.org/projects/inception/
» Demo: http://www.youtube.com/watch?v=V1MBrwkB
65. Memory Acquisition
• Crash Dumps
• Advantages:
– System state is frozen
– ensures that no changes are made
– Microsoft provides “Microsoft Debugging Tools” and “Kernel
Memory Space Analyzer”
• Limitations:
– Systems with more than 2GB of memory do not generate
complete dumps
– By default, Windows do not generate crash dumps via
commands
– Some windows versions do not generate complete dumps
Tool: NotmyFault - Sysinternals (Mark Russinovich)
66. Memory Acquisition
• Memparser – Chris Betz
– DFRWS 2005
• Just for Windows 2000
• http://sourceforge.net/projects/memparser/
• dd for windows – dd.exe
• dd.exe if=.PhysicalMemory of=<…>memorydump.img
• http://gmgsystemsinc.com/fau/
67. Memory Acquisition
– Nigilant32 – Agile Risk Management (GUI)
– ProDiscover IR (GUI)
– Problems/Limitations: (dd.exe/Nigilant32/Prodiscover IR)
• Userland access to physical memory (=.PhysicalMemory) was blocked
since Windows 2003 SP 1 / Windows XP SP2
68. Memory Acquisition
– KnTDD (George Garner) – free for LE
•
•
•
•
Runs on 32 & 64 bit machines
Capable of generating Microsoft Crash Dumps
Local dump (usb/firewire) or remote dump (tcp/ip)
Audit registry and integrity checking
– MDD (Mantech)
• Newer Systems (up to Vista)
• Cannot acquire more than 4Gb of memory
69. Memory Acquisition *
• Virtualization Technologies
– VMWare
• VM Suspension creates .vmem file (similar to raw
dump)
• SnapShots
– VirtualPC
– Xen
– Qemu
70. Memory Acquisition: Hibernation *
• The hibernation file (%SYSTEMDRIVE%hiberfil.sys) is
the sum of the physical memory and the swap
memory (or paging) - compressed.
• Matthieu Suiche decoded the Windows hibernation
file format (BH 2008 – “SandMan project”)
– Moonsols Community Edition – hibr2bin.exe for XP, 2003,
2008 and Vista 32bits (comercial version: for 32 e 64 bit
up to Windows 7)
71. Forcing the Hibernation
• 1) configuration
Windows XP,2000,2003
» powercfg.exe /HIBERNATE on
Windows Vista, 7, 2008
» powercfg.exe –h on
• 2) rundll32.exe powrprof.dll,SetSuspendState Hibernate
» Or you can use the GUI
» or c:> psshutdown.exe –h (sysinternals binary)
• <%SYSTEMDRIVE%>/hiberfil.sys is generated (overwrites previous hiberfil.sys)
72. Memory Acquisition
• Princeton – Cold Boot (True hibernation)
– Lest We Remember: Cold Boot Attacks on
Encryption Keys (2006)
– http://citp.princeton.edu/pub/coldboot.pdf
• DRAM submerged in liquid nitrogen ( -196
degrees Celsius) - loss of only 0.17% of the
data after 60 min off the computer
73. Memory Acquisition
• Memoryze (Jamie Butler e Peter Silberman)
– The Memoryze tool provides a batch script for the
acquisition of physical memory.
– cd %SystemVolume%%ProgramFiles%MandiantMemoryze”
• Execute “MemoryDD.bat –output <directory_name>”
– Advantage: colects at the same time the pagefile and the
physical memory
– To install it on a pendrive:
• msiexec /a MemoryzeSetup.msi /qb TARGETDIR=<pendrive>:Memoryze
75. FTK Imager
• AccessData – http://www.accessdata.com
– GUI or CLI
– raw format / converts from E01 to raw
76. Memory Acquisition
• FastDump / FastDump Pro (Greg Hoghlund)
– HBGary (http://www.hbgary.com)
• Includes the page file on the dump (pagefile.sys)
77. Memory Acquisition
• MoonSols / win32dd, win64dd, Dumpit
(Matthieu Suiche)
– Free (community edition)
– All windows 32-64bit
– Open Source
– Can create windbg crash dumps
– Remote acquisition using tcp sockets
– Generates cryptographic Hashes (MD5/SHA1/SHA-256)
78. Moonsools community edition:
http://moonsols.com | http://msuiche.net
README:
- win32dd works for Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 32-bits Edition.
- win64dd works for Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 64-bits (x64)
hibr2dmp and hibr2bin only works with Microsoft Windows XP, 2003, 2008, Vista 32-bits
Edition Microsoft Windows hibernation files, including corrupted hibernation files.
- dmp2bin only works with Microsoft Windows XP, 2003, 2008, Vista, 2008 R2, 7 32-bits
Edition of Microsoft full memory crash dump files.
- bin2dmp works with Microsoft Windows XP, 2003, 2008, Vista 32-bits Edition raw
memory snapshots (windd, VMWare -- Can also work with Live VMWare Virtual Machine
but only in the Professional Edition).).
83. Remote Imaging
EnCase Enterprise EnCase FIM
Edition
Edition
Web Site
www.encase.com
Pro-Disccover
Agile Risk
Management
Software Company/Developer Guidance Software
F-Response
Tech Pathways
www.fresponse.com
www.techpathways.com
Connectivity
One to many
connections
One to one
One to one or one One to one or one to
to many
many
Imaging Option
Yes
Yes
No
Yes
64 BIT
Yes
Yes
Yes
No
Yes
Yes
Yes
No
Windows 7
Yes
Yes
Yes
Yes
Windows Server 2008
Yes
Yes
Yes
Yes
Windows Vista
Yes
Yes
Yes
Yes
Windows XP
Yes
Yes
Yes
Yes
4GB Limit
84. Memory Analysis
– “old-school” – strings & grep/findstr on a memory
dump to lookup for ASCII and UNICODE strings
(manual carving)
• Can be useful to include as a target for search indexing
and/or names (documents, programs, passwords ...)
• Restricted functionality by inability to differentiate the
mailings and memory pages used by each process
• Produces large amounts of data without
contextualization
85. Analysis of Physical Memory
• Some artifacts that might exist in memory
– Running processes
– Open files
– Network connections and listening ports
– Open registry keys
– Application information
– Passwords in clear text
5-
86. Analysis of Physical Memory
–
–
–
–
–
–
–
–
–
–
–
Unencrypted data
Instant messenger chat sessions
Document data
Web based email
Malware
Rootkits & Trojans
Internet History
MFT Records
Pictures
Image data and time
BIOS details
5-
87. Linking Memory Image to
Computer
• Forensically speaking it is important to be able to produce
repeatable processes
• Therefore linking a particular memory image to a computer
could be an important aspect of any analysis
• This can be achieved by using a GREP expression to extract
the BIOS information of the host computer from the memory
dump
• EnCase, SMART, FTK can all be used to carryout the search
5-
88. Locating BIOS Information
• The BIOS information may include;
– Make
– Model
– Serial number
• Richard McQuown
(http://forensiczone.blogspot.com/search?q=bio
s) posted the GREP expression on his blog to
locate the BIOS details;
x00x14x00x00x01x02..x03
5-
89. Using GREP to locate BIOS
Information
• Use GREP tool GUI or Command line capable of
searching binary files
• Use term;
x00x14x00x00x01x02..x03
95. Volatility
The Volatility Framework is a completely open collection of tools, implemented in
Python under the GNU General Public License, for the extraction of digital artifacts
from volatile memory (RAM) samples.
The extraction techniques are performed completely independent of the system being
investigated but offer unprecedented visibilty into the runtime state of the system.
The framework is intended to introduce people to the techniques and complexities
associated with extracting digital artifacts from volatile memory samples and provide a
platform for further work into this exciting area of research.
96. Volatility Capabilities
The Volatility Framework currently provides the following extraction capabilities for memory samples
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Image information (date, time, CPU count)
Running processes
Process SIDs and environment variables
Open network sockets
Open network connections
DLLs loaded for each process
Open handles to all kernel/executive objects (files, keys, mutexes)
OS kernel modules
Dump any process, DLL, or module to disk
Mapping physical offsets to virtual addresses
Virtual Address Descriptor information
Addressable memory for each process
Memory maps for each process
Extract executable samples
•
•
•
•
•
•
•
•
•
•
•
•
Scanning examples: processes, threads, sockets, connectio
modules
Command histories (cmd.exe) and console input/output b
Imported and exported API functions
PE version information
System call tables (IDT, GDT, SSDT)
API hooks in user- and kernel-mode (inline, IAT, EAT, NT sys
winsock)
Explore cached registry hives
Dump LM/NTLM hashes and LSA secrets
User assist and shimcache exploration
Scan for byte patterns, regular expressions, or strings in m
Analyze kernel timers and callback functions
Report on windows services
97. Volatility
Usually you run “vol.py” to execute volatility, but on the Linux
VM we have 3 versions of volatility installed (* 1.3, 2.2 and
2.3)
For this reason, to execute each version please type:
$ “volatility” for 1.3
$ volatility-2.2 for 2.2
$ volatility-2.3 for 2.3
98. Volatility Commands
$ volatility-2.3 --info
Volatile Systems Volatility Framework 2.3_beta
Profiles
-------LinuxEvo4GARM
- A Profile for Linux Evo4G ARM
MacLion_10_7_5_AMDx64 - A Profile for Mac Lion_10.7.5_AMD x64
VistaSP0x64
- A Profile for Windows Vista SP0 x64
VistaSP0x86
- A Profile for Windows Vista SP0 x86
VistaSP1x64
- A Profile for Windows Vista SP1 x64
VistaSP1x86
- A Profile for Windows Vista SP1 x86
VistaSP2x64
- A Profile for Windows Vista SP2 x64
VistaSP2x86
- A Profile for Windows Vista SP2 x86
Win2003SP0x86
- A Profile for Windows 2003 SP0 x86
Win2003SP1x64
- A Profile for Windows 2003 SP1 x64
Win2003SP1x86
- A Profile for Windows 2003 SP1 x86
Win2003SP2x64
- A Profile for Windows 2003 SP2 x64
Win2003SP2x86
- A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64
- A Profile for Windows 2008 SP1 x64
Win2008SP1x86
- A Profile for Windows 2008 SP1 x86
Win2008SP2x64
- A Profile for Windows 2008 SP2 x64
Win2008SP2x86
- A Profile for Windows 2008 SP2 x86
Win7SP0x64
- A Profile for Windows 7 SP0 x64
Win7SP0x86
- A Profile for Windows 7 SP0 x86
Win7SP1x64
- A Profile for Windows 7 SP1 x64
Win7SP1x86
- A Profile for Windows 7 SP1 x86
WinXPSP1x64
- A Profile for Windows XP SP1 x64
WinXPSP2x64
- A Profile for Windows XP SP2 x64
WinXPSP2x86
- A Profile for Windows XP SP2 x86
WinXPSP3x86
- A Profile for Windows XP SP3 x86
99. Volatility Roadmap
•
Volatility 2.1 (Official x64 Support)
•
RC1: July 8, 2012 Release: August 3, 2012
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
* New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64)
* Majority of Existing Plugins Updated with x64 Support
* Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21)
* WindowsHiberFileSpace32 Overhaul (also includes x64 Support)
* Now supports the following profiles:
o Windows XP SP1, SP2 and SP3 x86
o Windows XP SP1 and SP2 x64 (there is no SP3 x64)
o Windows Server 2003 SP0, SP1, and SP2 x86
o Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64)
o Windows Vista SP0, SP1, and SP2 x86
o Windows Vista SP0, SP1, and SP2 x64
o Windows Server 2008 SP1 and SP2 x86 (there is no SP0)
o Windows Server 2008 SP1 and SP2 x64 (there is no SP0)
o Windows Server 2008 R2 SP0 and SP1 x64
o Windows 7 SP0 and SP1 x86
o Windows 7 SP0 and SP1 x64
•
•
•
•
•
* Plugin Additions
o Printing Process Environment Variables (envvars)
o Inspecting the Shim Cache (shimcache)
o Profiling Command History and Console Usage (cmdscan, consoles)
o Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp)
100. Volatility Roadmap
•
Volatility 2.2 (Official Linux Support)
•
RC1: Sept 10, 2012 Release: Oct 2, 2012
•
•
•
•
•
•
* Linux Support (Intel x86, x64) kernels 2.6.11 - 3.x
* Over 25+ Linux plugins
* Windows win32k suite (14+ plugins, classes, algorithms and APIs for analyzing GUI memory)
* New or Updated Plugins
o eventlogs
o getservicesids
•
Volatility 2.3 (Official Mac/Android/ARM Support)
•
RC1: N/A Release: June 2013
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
* Mac Support (x86, x64)
* Android/Arm Support
* New Address Spaces (VMWareSnapshotFile, VirtualBoxCoreDumpElf64, HpakAddressSpace, MachOAddressSpace)
* New or Updated Plugins
o shellbags
o mbr/vbr parser
o mftparser
o dumpfiles
o iehistory
* Plugin Enhancements
o Verbose details for kdbgscan and kpcrscan
o idt/gdt/timers plugins cycle automatically for each CPU
o apihooks detects LSP/winsock procedure tables
* New Output Formatting Support (Table Rendering)
* New Mechanism for Profile Modifications
* New Registry API Support
* New Volshell Commands
* Updated Documentation and Command Reference
101. •
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Volatility Roadmap
Volatility 3.0 (Official Tech Preview Merge) - RC1: Late 2013 Release: Late 2013
* A refactor and clean up of the vtype language/profiles/object system
* Plugin management and the session object
* Interactive IPython shell
* Unified Plugin Output Format (+ JSON renderers)
* Updated Registry Hive and PE File Address Spaces
* Performance Profiling and Regression Testing Framework
* Updates to Config System
* Improved Framework Support (Use as a Library)
* Application Profiles and WOW64
* Addition of Windows 8/Server 2012 Support/Testing
* New or Updated Plugins
o privileges
o pktscan
o cachedump
o dnscache
o stack, heaps
* x64 Updates to Malware Plugins (timers, callbacks, idt/gdt, apihooks)
* Pool Scanner Updates
* Unicode improvements
* KDBG/DTB Improvements
* Profile Selection Enhancements
Volatility Future
* Update to Python 3.0
* Updates to PDBParse
* PyVmiAddressSpace
* Pagefile.sys
* support single process dumps
* Multiprocessing module
* Performance profiling (C modules for some functions?)
112. Lab – procdump (1.3) / procexedump & procmemdump (2.3)
“..changes between the in-memory representation of the file and the disk representation the file”
“Visualizing Recovered Executables from Memory Images”
http://jessekornblum.livejournal.com/294997.html
114. Lab : Conclusion *
• Offline memory analysis generates identical or better
information and is less invasive than "live response“
• Process and established connections review through the
memory dump analysis enables more data recovery
• This is true even when the machine has usermode and
kernel mode rootkits installed
115. Lab : Hash Dump
Goal: to Transform the hibernation file on a memory dump and recover user passwords
Obtaining the hibernation file:
With the machine off: traditional disk Forensics: Boot with usb or CD / linux Live (helix/caine/deft/etc..)
or extract hiberfil.sys from a .DD or .E01 image (ftkimager/encase/etc..)
With the machine on : FGET.exe HBGARY
Convert the hibernation file to a memory dump (raw):
using Volatility:
python volatility hibinfo –f <path-to-hiberfil.sys> -d <hiberfil.memory.img>
using Moonsols:
hibr2bin.exe <path-to-hiberfil.sys> -d <hiberfil.memory.img>
116. Lab
– Volatility & RegRipper
– Steps:
• Find the registry hive locations on memory
• find and dump the SAM e SYSTEM hives
• crack the users passwords
– Volatility modules used:
• hivescan, hivelist, hashdump
122. Lab *
• Cracking the hashes using RainbowTables
• Offline
– OphCrack / rcrack / PRTK-DNA / EDPR / Passware
• Online:
– http://www.onlinehashcrack.com
– http://www.objectif-securite.ch/en/products.php?hash=<hash>#Demo
The volatility plugins used on this lab were developed
by Brendan Dolan-Gavitt: http://moyix.blogspot.com
125. Lab: Live Registry
root@SIFT-Workstation:/usr/local/src/volatility# perl rip.pl -r
/media/usb/fdpro_dump/20100817_fdpro_acmexp_dump.bin@0xe17c9888 -f sam
Parsed Plugins file.
Launching samparse v.20080415
User Information
------------------------Username
: Administrator [500]
Full Name
:
User Comment : Built-in account for administering the computer/domain
Last Login Date : Fri Aug 13 21:47:26 2010 Z
Pwd Reset Date : Wed Jun 27 22:54:58 2007 Z
Pwd Fail Date : Fri Aug 13 00:59:01 2010 Z
Login Count : 55
--> Password does not expire
(...)
126. Lab: Photorec with mounted memory image
• PhotoRec Is an open source file recovery (aka carving) program
• Recovers video, photos, documents, archive files and EXE files from
volumes and physical disks
• A memory image needs to be mounted as a physical device (ie FTK Imager)
to perform a search
• Can also be run against running memory using F-Response
Site: http://www.cgsecurity.org/wiki/PhotoRec
137. Bonus - Stuxnet analysis with Volatility
How To:
http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html
Or
Stuxnet Memory Dump:
/cases/01/MEMORYDUMP/stuxnet.vmem
SHA256:
5f19ff1333fc3901fbf3fafb50d2adb0c495cf6d33789e5a959499a92aeefe77
Commands: volatility (1.3) and volatility2 (2.2)
139. Bonus – MacOSX, Linux and
Android memory Analysis
1.1: The OSX profiles can be found here: https://code.google.com/p/volatility/downloads/detail?name=MacProfilesAll.zip. We used to have a 10.8.3 x64 sample online,
but it seems to have been misplaced (link is 404). Give me a day or two to ping some people and see if they have a copy and if so I'll re-upload it and let you know.
1.2: I believe you'll have to contact osxreverser for the sample, its not available publicly to the best of my knowledge.
2.1: The avgcoder sample can be downloaded from http://secondlookforensics.com/linux-memory-images/centos-6.3-x86_64-LiveDVD-avgcoder.mem.bz2. The profile to
work with the sample is http://code.google.com/p/volatility/downloads/detail?name=CentOS63.zip.
2.2. The android sample can be downloaded from http://dfrws.org/2012/Rodeo2012.tgz. The Volatility profile is also inside.
Just copy Evo4G.zip into your volatility/plugins/overlays/linux directory.
140. Bonus - Linux
https://code.google.com/p/volatility/wiki/LinuxMemoryForensics
Bash History:
$ volatility2 -f centos-6.3-x86_64-LiveDVDavgcoder.mem --profile=LinuxCentOS63x64
linux_bash -H 0x6e0950
linux_arp
- Print the ARP table
linux_bash
- Recover bash history from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_cpuinfo
- Prints info about each active processor
linux_dentry_cache - Gather files from the dentry cache
linux_dmesg
- Gather dmesg buffer
linux_dump_map - Writes selected memory mappings to disk
linux_find_file - Recovers tmpfs filesystems from memory
linux_ifconfig - Gathers active interfaces
linux_iomem
- Provides output similar to /proc/iomem
linux_lsmod
- Gather loaded kernel modules
linux_lsof
- Lists open files
linux_memmap
- Dumps the memory map for linux tasks
linux_mount
- Gather mounted fs/devices
linux_mount_cache - Gather mounted fs/devices from kmem_cache
linux_netstat
- Lists open sockets
linux_pidhashtable - Enumerates processes through the PID hash table
linux_pkt_queues - Writes per-process packet queues out to disk
linux_proc_maps - Gathers process maps for linux
linux_psaux
- Gathers processes along with full command line and start time
linux_pslist
- Gather active tasks by walking the task_struct->task list
linux_pslist_cache - Gather tasks from the kmem_cache
linux_pstree
- Shows the parent/child relationship between processes
linux_psxview
- Find hidden processes with various process listings
linux_route_cache - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo - Mimics /proc/slabinfo on a running machine
linux_tmpfs
- Recovers tmpfs filesystems from memory
linux_vma_cache - Gather VMAs from the vm_area_struct cache
141. Bonus - MacOSX RootKit
$ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64 mac_psxview
$ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64 mac_lsmod
$ volatility-2.3 -f Mac OS X 10.7 64-bit-800c275a.vmem --profile=MacLion_10_7_5_AMDx64
mac_check_syscalls |grep HOOKED
Volatile Systems Volatility Framework 2.3_beta
SyscallTable
222 0xffffff7f807ff41d HOOKED
SyscallTable
344 0xffffff7f807ff2ee HOOKED
SyscallTable
397 0xffffff7f807ffa7e HOOKED
calls:
(getdirentriesattr)
(getdirentries64)
(write_nocancel)
http://volatility-labs.blogspot.com.br/2013/06/movp-ii-45-mac-volatility-vs-rubilyn.html
142. Bonus - MacOSX password dumper
• https://github.com/juuso/keychaindump
Keychaindump is a proof-of-concept tool for reading OS X keychain
passwords as root. It hunts for unlocked keychain master keys located
in the memory space of the securityd process, and uses them to
decrypt keychain files.
$ sudo ./keychaindump
[*] Searching process 15 heap range 0x7fa809400000-0x7fa809500000
(..)
[*] Searching process 15 heap range 0x7fa80a900000-0x7fa80ac00000
[*] Found 17 master key candidates
[*] Trying to decrypt wrapping key in /Users/juusosalonen/Library/Keychains/login.keychain
(…)
[*] Trying master key candidate: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a
[+] Found master key: 88edbaf22819a8eeb8e9b75120c0775de8a4d7da842d4a4a
[+] Found wrapping key: e9acc39947f1996df940fceb1f458ac74b877579f54409b7
xxxxxxx:192.168.1.1:xxxxxxx
xxxxxxx@gmail.com:login.facebook.com:xxxxxxx
xxxxxxx@gmail.com:smtp.google.com:xxxxxxx
xxxxxxx@gmail.com:imap.google.com:xxxxxxx
xxxxxxx:twitter.com:xxxxxxx
xxxxxxx@gmail.com:www.google.com:xxxxxxx
143. Bonus - Android Memory Forensics
• Acquisition – LiME ()
• Analysis:
– List all the executed processes:
• $ volatility-2.3 --profile=LinuxEvo4GARM -f Evo4GRodeo.lime linux_pslist_cache
– List opened / mapped files:
• $ volatility-2.3 --profile=LinuxEvo4GARM -f Evo4GRodeo.lime linux_dentry_cache
– List mount points:
• $ volatility-2.3q --profile=LinuxEvo4GARM -f Evo4GRodeo.lime
linux_mount_cache
• TIP: adding the “–u” option to the command and you get the previous
executed processes, previous opened files and mount points that
previously existed on the Android system.
144. Bonus - Zeus Banking Trojan
Analysis
http://malwarereversing.wordpress.com/2011/0
9/23/zeus-analysis-in-volatility-2-0/
145. Bonus - Recovering Twitter and Facebook artifacts from the
Memory
Jeff Bryner with the Facebook and Twitter artifact extraction
Description:
This submission provides plugins for carving Twitter and Facebook artifacts from a process' address space. This is accomplished
by scanning the address space for the json/html structures that are used by the social media applications. Examples of
information extracted include: Twitter direct messages, identifying user information, Facebook direct messages, etc.
Download Link:
www.volatilityfoundation.org/contest/2013/JeffBryner_FacebookTwitter.zip
Related Links:
https://github.com/jeffbryner/volatilityPlugins
http://www.youtube.com/watch?v=K_gBpdK936o
Author's Twitter: @0x7eff
146. Bonus - Lab: Twitter
$ volatility-2.3 -f twitter-ACMEXP1-20130822-064258.raw twitter –p 2536
Volatile Systems Volatility Framework 2.3_beta
searching for browser processes...
found browser pid: 3684, chrome.exe
examining 35917410 bytes
twitter cookie found for userid:1690220420
found browser pid: 2536, chrome.exe
examining 45819060 bytes
11 s (Thu Aug 22 06:42:41 2013)
@suffert
Sandro Sffert
DM: You are a strang being Sergio. If you think this is cool. But I'm glad to help, anyway.
1 m (Thu Aug 22 06:40:19 2013)
Sent
AuthorImage: https://twimg0a.akamaihd.net/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg
DM: Hi Suffert, how are you my friend?
1 m (Thu Aug 22 06:41:04 2013)
Received
AuthorImage: https://twimg0-a.akamaihd.net/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg
DM: Very well Sergio, I'm a little busy right now, but tell me, how can I help you?
agora (Thu Aug 22 06:42:14 2013)
Sent
AuthorImage: https://twimg0a.akamaihd.net/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg
DM: I am testing a new volatility plugin that extracts the JSON information from twitter directly from a memory dump, cool right?
2 m (Thu Aug 22 06:40:19 2013)
Sent
AuthorImage: https://si0.twimg.com/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg
DM: Hi Suffert, how are you my friend?
1 m (Thu Aug 22 06:41:04 2013)
Received
AuthorImage: https://si0.twimg.com/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg
DM: Very well Sergio, I'm a little busy right now, but tell me, how can I help you?
39 s (Thu Aug 22 06:42:14 2013)
Sent
AuthorImage: https://si0.twimg.com/profile_images/378800000337895199/950747dc2b7d9151972d95e9cb37cd9e_normal.jpeg
DM: I am testing a new volatility plugin that extracts the JSON information from twitter directly from a memory dump, cool right?
12 s (Thu Aug 22 06:42:41 2013)
Received
AuthorImage: https://si0.twimg.com/profile_images/2543804704/j4ubpxd6cy2p2w8cqmrp_normal.jpeg
DM: You are a strang being Sergio. If you think this is cool. But I'm glad to help, anyway.
195.831911087 seconds
How to Convert “User_id” to username => https://twitter.com/intent/user?user_id=1690220420
152. Advanced Malware Analysis and
Memory Forensics Training
•
•
•
•
5 days of intense hands-on training by the Volatility Development Team
1200+ slides, 150+ page lab guide, exclusive plugins and tools
Amsterdam 9/2013 [sold out], Reston VA 11/2013 [available]
Keep an eye on http://volatility-labs.blogspot.com and @volatility for
2014 events (including one in Brazil! ;)
• Email voltraining@memoryanalysis.net for a detailed course outline
• Discounts for full-time students, law enforcement, and government
employees
• See http://volatility-labs.blogspot.com/2013/06/the-perfect-combinationof-ir-malware.html for student feedback
• (http://volatility-labs.blogspot.fr/2013/08/results-are-in-for-1stannual.html)
153. Other alternatives to Live Respose
and Memory Forensics:
HotPlug by WiebieTech:
https://www.youtube.com/watch?v=eraq4TO_a3z8