1. Speaker Name and info
Windows Memory Forensic Analysis
using EnCase®
Takahiro Haruyama,
Internet Initiative Japan Inc.
2. Plan
• Memory Forensics Overview
• Acquisition Hands-on
• Analysis Hands-on
• Anti Memory Forensics
• Wrap-up
• Q&A
3. For Starters
• Make sure the evidence for the hands-on is valid
– Name: WindowsMemoryForensics.L01
– MD5: f7fd702b3fefad14868a759946bf6ba3
• Prepare the hands-on tools
– For acquisition
• WinEn (check your EnCase installation folder)
• MoonSols Windows Memory Toolkit Community Edition
– For analysis
• Memory Forensic Toolkit EnScript (Raw Image Analyzer EnScript and Crash Dump Analyzer EnScript)
– Other tool
• GetEntropy EnScript
5. Why Memory Forensics?
• Analyzing volatile data is more important than ever before
– Anti-disk-forensic methods used by malware
• Modifying file timestamps
• Wiping file content
• Running only in memory
– Users erasing or moving data off the HDD
• Secure Web browsing
• Using cloud services
6. Basic Flow of Memory Forensics
(Figure: Target Machine -> Memory Image File -> Investigator’s Machine)
1. Acquire RAM data as an image file
2. Parse and analyze the image offline
7. Advantage of Memory Forensics
• Parsing a memory image offline doesn’t go through the live system’s APIs, unlike a live response tool
• Memory forensics can get
– unallocated data (e.g., a terminated process)
– data hidden by malware (e.g., a hidden process)
(Figure: a live response tool gets its information through the Windows API and sees only running processes; a memory forensic analysis tool parses the binary image and extracts information from it, so it also reaches hidden processes (allocated) and terminated processes (unallocated))
9. Memory Acquisition
• The EnScripts can analyze two memory image formats
– raw memory image (.bin)
– crash dump image (.dmp)
• raw memory image + debug info
• WinEn
– built-in acquisition tool of EnCase
– supported format: raw image (wrapped in .E01)
• MoonSols Windows Memory Toolkit (win32/64dd)
– free Community Edition
– supported formats: raw image and crash dump image
10. hands-on 1: Memory Acquisition
• WinEn
– Specify the following options (on execution or interactively)
• -p : destination path and name to save (without extension)
• -m : evidence name in the EnCase view
• -c : case number
• -e : examiner name
• -r : evidence number
• -d : compression level (0=None, 1=better, 2=best)
• MoonSols Windows Memory Toolkit
– Execute win32dd.exe or win64dd.exe
• /f : destination path and name to save (with extension)
• /d : Microsoft Crash Dump Format
12. Analysis EnScripts
• For raw images
– Raw Image Analyzer (RIA)
• A port of the Volatility Framework
• Newly added functions
– Keyword search specifying multilingual codepages
– Calculation of entropy values of processes and VADs
• Supports x86 Windows XP/2003/7
• For crash dump images
– Crash Dump Analyzer (CDA)
• Supports x86 XP/2003/7 and x64 2003/2008/7
13. hands-on 2: Memory Analysis (Raw)
• Drag and drop raw image files into EnCase
• Blue-check one entry in the Table Pane
– Don’t blue-check folders
• Check your image’s OS version and expand the matching RIA folder in the Filter Pane
• Run the following scripts
– PsList: list all processes
– KMList: list all kernel modules
– DllList: list all DLLs loaded by a specified process
– OpenFiles: list all files opened by a specified process
– ProcDump: extract the executable of a specified process
14. hands-on 3: Memory Analysis (Raw)
• Blue-check hands-on3_DKOM_XPx86.bin in WindowsMemoryForensics.L01
• Run PsList and PsScan
• Any difference?
15. Two Memory Analyzing Methods*1
• Tree & List Traversal
– Emulate the data access performed by the OS
• Translate virtual addresses to physical ones
• Traverse kernel data structures using address pointers
• Object Fingerprint Search
– Carve signatures of kernel objects
• Search data using signatures (e.g., _EPROCESS)
• Validate the search hits
*1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/forensics-waits-live-memory-forensics-doha-feb-08.pdf
17. IA32 (x86) Address Translation
The OS loads the Directory Table Base (the physical address where address translation starts) into control register CR3
(Figure: “How PAE X86 Works”, http://technet.microsoft.com/en-us/library/cc736309(WS.10).aspx)
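Worked example of the two-level (non-PAE) IA-32 page walk the slide describes, as Python added here (not code from the deck or from the EnScripts): CR3 holds the page directory, the top 10 bits of a virtual address pick a page directory entry, the next 10 bits pick a page table entry, and the low 12 bits are the offset inside the page. The “physical memory” is a constructed buffer; PAE (the TechNet link above) adds a third level and 64-bit entries, which this sample does not implement.

```python
import struct

PAGE_SIZE = 0x1000

def read_u32(mem, phys):
    """Read a little-endian 32-bit value at a physical address of the image."""
    return struct.unpack_from("<I", mem, phys)[0]

def translate_x86(mem, cr3, va):
    """Translate a 32-bit virtual address to a physical one with 2-level
    (non-PAE) IA-32 paging: CR3 -> page directory -> page table -> page.
    Returns None if the mapping is not present."""
    pde_index = va >> 22                 # bits 31..22 select the page directory entry
    pte_index = (va >> 12) & 0x3FF       # bits 21..12 select the page table entry
    offset = va & 0xFFF                  # bits 11..0 are the offset inside the page

    pde = read_u32(mem, (cr3 & 0xFFFFF000) + pde_index * 4)
    if not pde & 1:                      # P (present) bit clear: nothing mapped here
        return None
    if pde & 0x80:                       # PS bit set: a 4 MB large page, no page table
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)

    pte = read_u32(mem, (pde & 0xFFFFF000) + pte_index * 4)
    if not pte & 1:
        return None
    return (pte & 0xFFFFF000) | offset

def build_sample_memory():
    """Constructed 24 KiB 'physical memory' holding one page directory,
    one page table and one data page (sample layout, not from a real machine)."""
    mem = bytearray(6 * PAGE_SIZE)
    cr3 = 0x3000                                   # page directory lives at 0x3000
    page_table = 0x4000                            # page table for VAs 0x00400000-0x007FFFFF
    data_page = 0x5000                             # backs virtual page 0x00401000
    # PDE[1]: present + writable, points at the page table
    struct.pack_into("<I", mem, cr3 + 1 * 4, page_table | 0x3)
    # PTE[1] inside that table: present + writable, points at the data page
    struct.pack_into("<I", mem, page_table + 1 * 4, data_page | 0x3)
    # PDE[0x200] (VA 0x80000000): present, 4 MB page at physical 0x00C00000
    struct.pack_into("<I", mem, cr3 + 0x200 * 4, 0x00C00000 | 0x83)
    mem[data_page + 0x123:data_page + 0x125] = b"MZ"   # something to find
    return bytes(mem), cr3

def read_virtual(mem, cr3, va, length):
    """Read bytes at a virtual address (sample keeps the read inside one page)."""
    phys = translate_x86(mem, cr3, va)
    return None if phys is None else mem[phys:phys + length]

if __name__ == "__main__":
    mem, cr3 = build_sample_memory()
    print(hex(translate_x86(mem, cr3, 0x00401123)))   # 0x5123
    print(read_virtual(mem, cr3, 0x00401123, 2))       # b'MZ'
    print(hex(translate_x86(mem, cr3, 0x80001234)))   # 0xc01234
    print(translate_x86(mem, cr3, 0x00802000))        # None: PDE not present
```

A large page (PS bit) skips the page table, and a clear present bit means the page may be paged out, which a memory image alone cannot resolve (compare the “Swap Analysis” row in the appendix).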
18. Implementation: Finding the Directory Table Base of the Windows Kernel
• The OS switches context by loading the Directory Table Base (DTB) of each process
– The DTB is stored in each process object (_EPROCESS)
• RIA’s Tree & List Traversal method scans for the _EPROCESS signature and reads the DTB of the “Idle” process
– The Idle process runs in kernel space
– The signature changes per OS version
(Figure: _EPROCESS signature hit -> Process ID: 0, Process Name: Idle -> DTB of the kernel)
19. PsActiveProcessHead: Key Address for Traversal
• Windows has key virtual addresses of various structures
– Lead addresses for linked lists
• e.g., PsActiveProcessHead for the running process list
– Root addresses for binary trees
• e.g., VadRoot (explained later) for a process address space
(Figure: the doubly linked list _EPROCESS “System” <-> _EPROCESS “smss.exe” <-> ... <-> _EPROCESS “win32dd.exe”, each entry connected to its neighbours by FLINK/BLINK pointers)
20. Implementation: Finding Key Addresses for Traversal
• Use the debug structures
– Kernel Processor Control Region (KPCR)*2
1. Get the address pointer to _KDDEBUGGER_DATA32 from _KPCR
– In Windows XP, the address of _KPCR is fixed (e.g., 0xFFDFF000)
– Not fixed in Windows 7, so guessing is needed!
2. Get the address pointers to the following key addresses from _KDDEBUGGER_DATA32
– PsActiveProcessHead (lead address of running processes)
– PsLoadedModuleList (lead address of currently loaded kernel modules)
*2 Finding some non-exported kernel variables in Windows XP
http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf
21. Two Memory Analyzing Methods*1 (slide 15 repeated)
22. Implementation: Object Fingerprint Search
1. Search for signatures of headers
– e.g., _OBJECT_HEADER/_DISPATCHER_HEADER/_POOL_HEADER
– The EnScripts use the pool tag in _POOL_HEADER
• a 4-byte value defined for each object type (e.g., “Proc” for a process object)
2. Validate the search hits
– Check values included in the headers
– Check values included in the object (content)
(Figure: _POOL_HEADER (0x8 bytes) -> _OBJECT_HEADER (0x20 bytes) -> _EPROCESS (0x260 bytes); sizes and offsets of headers/objects depend on the OS version)
23. Comparison of Two Methods
• Tree & list traversal
– Pros: short time; no noise; gets information from pointers (e.g., process command line)
– Cons: misses unlinked objects (e.g., DKOM); unstable
• Object “fingerprint” searches
– Pros: finds unlinked objects; robust
– Cons: long time; noisy
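To make the comparison concrete, here is an added Python sample (not the RIA EnScript’s code, nor Volatility’s) that runs both methods over one constructed image: pslist() follows FLINK from PsActiveProcessHead (tree & list traversal, slides 19-20), psscan() carves “Proc” pool tags and validates header fields and then object content (slides 22-23), and the image contains one process unlinked by DKOM, as in hands-on 3, plus two decoy tags that validation must reject. Assumptions: the image is identity-mapped (no address translation), the block sizes are the slide’s XP x86 figures, and the _EPROCESS field offsets (0x84, 0x88, 0x174) are the XP x86 values.

```python
import struct

# Constructed layout, sized after the slides' XP x86 figures (pool header 0x8,
# _OBJECT_HEADER 0x20, _EPROCESS 0x260); real offsets change per OS version.
POOL_HDR_SIZE = 0x8
OBJ_HDR_SIZE = 0x20
EPROCESS_SIZE = 0x260
BLOCK_SIZE = POOL_HDR_SIZE + OBJ_HDR_SIZE + EPROCESS_SIZE   # 0x288 bytes
POOL_TAG = b"Proc"
# _EPROCESS field offsets (Windows XP x86 values; an assumption of this sample)
OFF_PID = 0x84      # UniqueProcessId
OFF_LINKS = 0x88    # ActiveProcessLinks (FLINK, BLINK)
OFF_NAME = 0x174    # ImageFileName[16]
PS_ACTIVE_PROCESS_HEAD = 0x1000   # constructed address of the kernel's list head
# The sample image is identity-mapped: virtual address == offset in the image.

def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]

def pool_header(block_bytes, pool_type=2):
    # XP _POOL_HEADER bitfields: PreviousSize:9 | PoolIndex:7 | BlockSize:9 | PoolType:7,
    # BlockSize counted in 8-byte units, PoolType != 0 for an allocated block
    return struct.pack("<I", ((block_bytes // 8) << 16) | (pool_type << 25)) + POOL_TAG

def read_process(img, ep):
    pid = u32(img, ep + OFF_PID)
    name = bytes(img[ep + OFF_NAME:ep + OFF_NAME + 16]).split(b"\0", 1)[0]
    return pid, name

def build_image():
    """Constructed 24 KiB image: four process objects, one of them unlinked
    from the active-process list (DKOM), plus two decoy 'Proc' hits."""
    img = bytearray(0x6000)
    procs = [(0x2000, 4, b"System", True),
             (0x3000, 376, b"smss.exe", True),
             (0x4000, 1236, b"malware.exe", False),   # hidden by DKOM
             (0x5000, 2020, b"win32dd.exe", True)]
    for base, pid, name, _ in procs:
        img[base:base + POOL_HDR_SIZE] = pool_header(BLOCK_SIZE)
        ep = base + POOL_HDR_SIZE + OBJ_HDR_SIZE
        struct.pack_into("<I", img, ep + OFF_PID, pid)
        img[ep + OFF_NAME:ep + OFF_NAME + len(name)] = name
    # doubly linked ring through the visible processes' ActiveProcessLinks
    chain = [PS_ACTIVE_PROCESS_HEAD] + [
        base + POOL_HDR_SIZE + OBJ_HDR_SIZE + OFF_LINKS for base, _, _, vis in procs if vis]
    for i, addr in enumerate(chain):
        struct.pack_into("<II", img, addr, chain[(i + 1) % len(chain)], chain[i - 1])
    # the unlinked process keeps stale pointers to its former neighbours
    struct.pack_into("<II", img, 0x4000 + POOL_HDR_SIZE + OBJ_HDR_SIZE + OFF_LINKS,
                     chain[3], chain[2])
    # decoy 1: the tag bytes inside ordinary data, zeroed pool header in front
    img[0x1804:0x1808] = POOL_TAG
    # decoy 2: plausible pool header, but garbage where the process name should be
    img[0x1900:0x1908] = pool_header(BLOCK_SIZE)
    ep = 0x1900 + POOL_HDR_SIZE + OBJ_HDR_SIZE
    img[ep + OFF_NAME:ep + OFF_NAME + 16] = bytes(range(0x80, 0x90))
    return bytes(img)

def pslist(img):
    """Tree & list traversal: follow FLINK from PsActiveProcessHead until it wraps."""
    found, link = [], u32(img, PS_ACTIVE_PROCESS_HEAD)
    while link != PS_ACTIVE_PROCESS_HEAD and len(found) < 4096:  # guard against loops
        found.append(read_process(img, link - OFF_LINKS))
        link = u32(img, link)
    return found

def valid_process_block(img, base):
    """Step 2 of the fingerprint search: check header fields, then object content."""
    if base < 0 or base % 8 or base + BLOCK_SIZE > len(img):
        return False
    hdr = u32(img, base)
    if ((hdr >> 16) & 0x1FF) * 8 != BLOCK_SIZE or (hdr >> 25) == 0:
        return False
    pid, name = read_process(img, base + POOL_HDR_SIZE + OBJ_HDR_SIZE)
    return pid < 0x10000 and pid % 4 == 0 and len(name) > 0 and all(0x20 <= c < 0x7F for c in name)

def psscan(img):
    """Object fingerprint search: every 'Proc' pool tag that survives validation."""
    found, pos = [], img.find(POOL_TAG)
    while pos != -1:
        base = pos - 4                       # the tag sits at +4 of the pool header
        if valid_process_block(img, base):
            found.append(read_process(img, base + POOL_HDR_SIZE + OBJ_HDR_SIZE))
        pos = img.find(POOL_TAG, pos + 1)
    return found

def unlinked_processes(img):
    """Processes the scan finds that the list walk does not: DKOM candidates."""
    return sorted(set(psscan(img)) - set(pslist(img)))

if __name__ == "__main__":
    img = build_image()
    print("pslist:", pslist(img))
    print("psscan:", psscan(img))
    print("unlinked:", unlinked_processes(img))
```

The list walk is fast and reads only what the pointers lead to, so it never sees malware.exe; the scan touches every byte and needs the two-stage validation to discard the decoys, which is the “noisy, long time, robust” trade-off of the table above.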
24. Memory Forensic EnScripts Usage Note
• Address translation and data size vary according to the machine architecture (32-bit/64-bit)
• Kernel data offsets/structures vary according to the OS version (XP/7/2003/2008)
• Which analysis method does each EnScript use?
– Tree & List Traversal: PsList, KMList, DllList, OpenFiles, ProcDump, VadSearch, VadDump, PsEntropyPEB, PsEntropyVAD
– Object Fingerprint Search: PsScan, KMScan, ConnScan
– Others: DMP_Info
– Library (not executed): x86, x86dmp, x64dmp, Win32, Win64, Vtypes
25. hands-on 4: Memory Analysis (Raw)
• Blue-check hands-on4_ExitProcess_XPx86.vmem in WindowsMemoryForensics.L01
• How many processes were dropped from dw8.exe?
26. hands-on 5: Memory Analysis (Crash Dump)
• Blue-check hands-on5_DeviceReservedSpace_XPx86.dmp in WindowsMemoryForensics.L01, or the dmp file generated by you
• Execute some modules in RIA
27. Difference between Raw Image and Crash Dump
• A crash dump file doesn’t include
– the 1st page (BIOS reserved)
– pages reserved by devices
• So the file offset is different from the physical address
(Figure: the physical memory address space next to the crash dump’s runs; the 1st page and the address space reserved by devices are not included in the crash dump)
– Run[0]: BasePage = 0x1, PageCount = 0x9e
– Run[1]: BasePage = 0x100, PageCount = 0xeff
– Run[2]: BasePage = 0x1000, PageCount = 0xeef0
– Run[3]: BasePage = 0xff00, PageCount = 0x100
28. Implementation: Crash Dump Analysis
• Tree & List Traversal
– performs a two-stage address translation
• virtual address -> physical address -> file offset
– A crash dump includes debug information in its 1st page
• The DMP_Info module can parse it
– Stable execution
• CDA never needs scanning/guessing to get the debug information
• Object Fingerprint Search
– Almost the same as RIA’s implementation
(Figure: fields read from the 1st page: 32-bit crash dump signature, kernel directory table base, PsActiveProcessHead, PsLoadedModuleList)
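Added Python example (not CDA’s code) of the second stage, physical address to file offset, using the Run[] table from the previous slide. It assumes a one-page dump header followed by the runs back to back in the listed order. Addresses in the gaps (page 0 and the device-reserved space) return None, which is the case an analyzer has to handle explicitly rather than reading whatever page happens to sit at that file offset.

```python
PAGE_SIZE = 0x1000
# Physical memory runs from the slide's example dump: (BasePage, PageCount) pairs
RUNS = [(0x1, 0x9e), (0x100, 0xeff), (0x1000, 0xeef0), (0xff00, 0x100)]
# Assumption of this sample: the dump starts with a one-page header, and the
# runs' pages follow it back to back in the order listed above.
HEADER_PAGES = 1

def phys_to_file_offset(phys, runs=RUNS):
    """Second stage of the two-stage translation: physical address -> file offset.
    Returns None for pages the dump does not contain (page 0, device-reserved space)."""
    page, inner = divmod(phys, PAGE_SIZE)
    file_page = HEADER_PAGES
    for base, count in runs:
        if base <= page < base + count:
            return (file_page + (page - base)) * PAGE_SIZE + inner
        file_page += count
    return None

def file_offset_to_phys(offset, runs=RUNS):
    """Inverse mapping, useful when a keyword hit is reported as a file offset."""
    page, inner = divmod(offset, PAGE_SIZE)
    if page < HEADER_PAGES:
        return None                       # inside the dump header, not memory
    page -= HEADER_PAGES
    for base, count in runs:
        if page < count:
            return (base + page) * PAGE_SIZE + inner
        page -= count
    return None                           # beyond the last run

def missing_page_ranges(runs=RUNS):
    """Physical page ranges absent from the dump, as [start_page, end_page) pairs."""
    gaps, expected = [], 0
    for base, count in runs:
        if base > expected:
            gaps.append((expected, base))
        expected = base + count
    return gaps

if __name__ == "__main__":
    print(hex(phys_to_file_offset(0x00100ABC)))     # 0x9fabc, not 0x100abc
    print(phys_to_file_offset(0x0009F000))          # None: reserved by a device
    print(hex(file_offset_to_phys(0x9FABC)))        # back to 0x100abc
    print([(hex(a), hex(b)) for a, b in missing_page_ranges()])
```

With these runs the physical page 0x100 lands at file page 0x9f, so treating a crash dump as a raw image would read the wrong data for every address past the first run; the gap list is also a quick way to see which device-reserved ranges a VadSearch hit could never come from.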
29. Searching/Dumping Process Memory Address Space
• Virtual Address Descriptor (VAD)
– Management information about process memory pages
– We can read process-specific data by traversing the VAD tree
• loaded exe/dll images
• heap/stack data
(Figure: _EPROCESS -> VadRoot; each VAD node (Vad, VadS, Vadl) holds StartingVpn (start address), EndingVpn (end address), Parent, LeftChild and RightChild)
30. hands-on 6: Memory Acquisition & Analysis (VadSearch)
• Blue-check the crash dump acquired in the hands-on
• Find the target process ID with PsList
• Configure your keywords and blue-check them
• Run VadSearch
– Specify the process ID to search
• Check the result in the Bookmark tab
31. hands-on 7: Memory Acquisition & Analysis (VadDump)
• Blue-check hands-on7_VadDump_XPx86.vmem in WindowsMemoryForensics.L01
• Run VadDump of RIA
– Select a specific process (winlogon.exe, PID: 644)
– Dump only code-injected memory pages
• VadDump checks the protection flag of the VAD *3
• Scan the code-injected memory pages using VirusTotal
*3 “Code Injection and the VAD”, Malware Analyst’s Cookbook p.610
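An added Python sketch (not VadDump’s code) of what hands-on 7 exercises: an in-order walk of a constructed VAD tree, and the protection-flag filter that keeps private EXECUTE_READWRITE regions as code-injection candidates. The node layout follows the slide 29 diagram; the protection indices (6 = EXECUTE_READWRITE) are an assumption about the memory manager’s encoding, and the tree itself is constructed, with one extra case: a corrupted tree whose pointers loop.

```python
from dataclasses import dataclass
from typing import Optional

# Memory-manager protection indices as stored in a VAD (assumption: the usual
# MM_PROTECT order, where 6 is EXECUTE_READWRITE)
PROT_NAMES = {0: "NOACCESS", 1: "READONLY", 2: "EXECUTE", 3: "EXECUTE_READ",
              4: "READWRITE", 5: "WRITECOPY", 6: "EXECUTE_READWRITE", 7: "EXECUTE_WRITECOPY"}
PAGE_SHIFT = 12

@dataclass
class Vad:
    """One node of a process's VAD tree (constructed; fields mirror the slide's diagram)."""
    starting_vpn: int
    ending_vpn: int
    protection: int
    private: bool                 # True: VadS-style private memory, False: file/image mapping
    file_name: Optional[str] = None
    left: Optional["Vad"] = None
    right: Optional["Vad"] = None

def walk_vad_tree(root):
    """In-order traversal (left, node, right) so ranges come out in ascending
    address order; a visited set stops a corrupted tree whose pointers loop."""
    out, stack, node, seen = [], [], root, set()
    while stack or node is not None:
        if node is not None:
            if id(node) in seen:          # pointer cycle: do not follow it again
                node = None
                continue
            seen.add(id(node))
            stack.append(node)
            node = node.left
        else:
            node = stack.pop()
            out.append(node)
            node = node.right
    return out

def vad_range(vad):
    """VPNs are page numbers; convert to an inclusive byte range."""
    start = vad.starting_vpn << PAGE_SHIFT
    end = ((vad.ending_vpn + 1) << PAGE_SHIFT) - 1
    return start, end

def injected_candidates(root):
    """VadDump-style filter: private (not image-backed) regions whose protection
    is EXECUTE_READWRITE, the usual footprint of injected code."""
    return [vad_range(v) for v in walk_vad_tree(root)
            if v.private and PROT_NAMES.get(v.protection) == "EXECUTE_READWRITE"]

def build_sample_tree():
    """Constructed tree: heap, the process image, one injected region, ntdll."""
    heap = Vad(0x00090, 0x0018F, 4, True)                      # READWRITE, private
    image = Vad(0x01000, 0x0101F, 7, False, "notepad.exe")     # EXECUTE_WRITECOPY, mapped
    inject = Vad(0x02000, 0x0200F, 6, True)                    # EXECUTE_READWRITE, private
    ntdll = Vad(0x7C900, 0x7C9AF, 7, False, "ntdll.dll")
    image.left, image.right = heap, ntdll
    ntdll.left = inject
    return image                                                # VadRoot

if __name__ == "__main__":
    root = build_sample_tree()
    for v in walk_vad_tree(root):
        s, e = vad_range(v)
        print(f"{s:08x}-{e:08x} {PROT_NAMES[v.protection]:18s} {v.file_name or '(private)'}")
    print("candidates:", [(hex(s), hex(e)) for s, e in injected_candidates(root)])
```

The filter is a heuristic, which is why the slide sends the dumped pages to VirusTotal afterwards: JIT compilers and some packers also allocate private EXECUTE_READWRITE memory, so a hit is a region to examine, not a verdict.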
32. Entropy *4
• Entropy stands for the randomness of data
• We can detect similar files by calculating entropy
$H = -\sum_{i=0}^{255} P_i \log_2 P_i$
– 0000000000000000000000000000000000000000000 (only 1 value): Entropy = 0
– 010101010101010101010101010101010101 (two values): Entropy = 1
– 0123456789012345678901234567890123456789012 (totally random): Entropy = 8
*4 “Utilizing Entropy to Identify Undetected Malware”
http://image.lifeservant.com/siteuploadfiles/VSYM/99B5C5E7-8B46-4D14-A53EB8FD1CEEB2BC/43C34073-C29A-8FCE-4B653DBE35B934F7.pdf
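The entropy formula above, implemented as an added Python example (not the PsEntropy EnScripts): entropy() is H over the 256 byte values and reproduces the three cases on the slide (0, 1 and 8 bits), page_entropies() applies it per 4 KiB page the way a VAD-level check would, and similar_by_entropy() shows why notepad.exe and a copy that differs in 3 bytes score alike in hands-on 8. The sample region is constructed.

```python
import math

def entropy(data):
    """Shannon entropy in bits per byte, H = -sum(P_i * log2 P_i) over the 256
    byte values; 0 for a single repeated value, 8 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def page_entropies(region, page_size=0x1000):
    """Entropy of each page of a memory region, the granularity at which a
    packed or injected section stands out from its neighbours."""
    return [entropy(region[i:i + page_size]) for i in range(0, len(region), page_size)]

def high_entropy_pages(region, threshold=7.0, page_size=0x1000):
    """Indices of pages whose entropy exceeds the threshold (packed/encrypted look)."""
    return [i for i, h in enumerate(page_entropies(region, page_size)) if h > threshold]

def similar_by_entropy(a, b, tolerance=0.05):
    """Entropy as a cheap similarity check: a few changed bytes barely move it."""
    return abs(entropy(a) - entropy(b)) <= tolerance

# Constructed sample region: one zero page, one two-valued page, one page
# holding every byte value equally often, and one ASCII-text page.
ZERO_PAGE = bytes(0x1000)
ALT_PAGE = b"\x00\x01" * 0x800
FULL_PAGE = bytes(range(256)) * 16
TEXT_PAGE = (b"The quick brown fox jumps over the lazy dog. " * 100)[:0x1000]
SAMPLE_REGION = ZERO_PAGE + ALT_PAGE + FULL_PAGE + TEXT_PAGE

if __name__ == "__main__":
    for label, h in zip(["zero", "alternating", "uniform", "text"], page_entropies(SAMPLE_REGION)):
        print(f"{label:12s} {h:.3f}")
    print("high-entropy pages:", high_entropy_pages(SAMPLE_REGION))
    patched = bytearray(FULL_PAGE)
    patched[10:13] = b"\0\0\0"                     # the 3-byte-diff case
    print("similar:", similar_by_entropy(FULL_PAGE, bytes(patched)))
```

A packed executable (notepad_packed.exe in hands-on 8) moves most of its pages towards 8 bits, while the 3-byte patch leaves the value within a few thousandths; the threshold is a starting point to tune against known-good images, not a fixed rule.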
33. hands-on 8: Memory Analysis (PsEntropy*)
• Blue-check hands-on8_Entropy_XPx86.dmp in WindowsMemoryForensics.L01
• Run PsEntropyPEB
– uncheck Matching Mode
– compare the entropy values of notepad.exe, notepad_3bytes_diff.exe and notepad_packed.exe
• PsEntropyVAD
– PsEntropyVAD calculates the entropy values of code-injected memory pages (experimental)
35. hands-on 9: Memory Analysis (Anti Memory Forensics)
• Blue-check hands-on9_AMF_XPx86.bin in WindowsMemoryForensics.L01
• Run PsList and PsScan of RIA
• Blue-check hands-on9_AMF_XPx86.dmp in WindowsMemoryForensics.L01
• Run PsList of CDA
• Did you find any error or any suspicious processes? Why?
36. Anti Memory Forensic Methods (1)
• Exploit the analysis methods
– Tree & List Traversal
• Disable traversal
– Hands-on 9: rename the “Idle” process name
» Prevention: use CDA instead of RIA
• Cause false negatives
– Hands-on 3: Direct Kernel Object Manipulation (DKOM)
» Prevention: use Object Fingerprint Search
– Object Fingerprint Search
• Cause false positives
– Hands-on 9: insert decoy signatures
» Prevention: any idea? (The file offset is one measure.)
(Figure: _EPROCESS “System” <-> _EPROCESS “win32dd.exe” linked via FLINK/BLINK; _EPROCESS “malware.exe” is the malicious process unlinked by DKOM)
37. Anti Memory Forensic Methods (2)
• Other methods
– Disturb correct memory acquisition
• e.g., Shadow Walker
– Prevention: cannot be prevented, but can be detected by checking for IDT hooks
– Leave nothing in RAM
• Hook a Model-Specific Register (MSR)
– Windows uses an MSR for system calls
• VMM/SMM rootkit
– Runs at Ring -1 or below
39. Wrap-up
• Memory forensics can get unallocated/hidden data by parsing a memory image offline
• Two analysis methods
– You should know the pros and cons of both
• The implementation depends on the image format
– I recommend acquiring/analyzing a crash dump image
• Remember that memory forensics is not good at everything
• Use multiple analysis tools for validation
40. Example: TCP connections in Windows 7
(Figure: Memoryze output, EnScript output and a netstat output log compared side by side)
41. Appendix: Comparison of Analysis Tools
• EnCase EnScript
– Supported Windows OS: XP/2003/7/2008
– Supported image formats: Raw, Crash dump
– Supported architectures: Intel x86, AMD x64
– Implementation: T & O
– Swap analysis: Not supported
– Feature: Multilingual keyword search, Entropy
• Volatility Framework
– Supported Windows OS: XP/Vista/7/2008
– Supported image formats: Raw, Crash dump, Hibernation
– Supported architectures: Intel x86
– Implementation: T & O
– Swap analysis: Not supported
– Feature: Many kinds of plugins
• HBGary Responder
– Supported Windows OS: All
– Supported image formats: Raw
– Supported architectures: Intel x86, AMD x64
– Implementation: T
– Swap analysis: Supported
– Feature: Digital DNA, static code analysis
• FTK
– Supported Windows OS: All
– Supported image formats: Raw
– Supported architectures: Intel x86, AMD x64
– Implementation: T & O?
– Swap analysis: Supported
– Feature: Fuzzy hash, diffing between images
• Memoryze
– Supported Windows OS: All
– Supported image formats: Raw
– Supported architectures: Intel x86, AMD x64
– Implementation: T & O?
– Swap analysis: Not supported
– Feature: Malware Rating Index
T = Tree & list traversal
O = Object “fingerprint” searches