Windows Memory Forensic Analysis
using EnCase®
Takahiro Haruyama,
Internet Initiative Japan Inc.
Plan
• Memory Forensics Overview
• Acquisition Hands-on
• Analysis Hands-on
• Anti Memory Forensics
• Wrap-up
• Q&A
For Starters
• Make sure the evidence for hands-on is valid
– Name: WindowsMemoryForensics.L01
– MD5: f7fd702b3fefad14868a759946bf6ba3
• Prepare for hands-on tools
– For acquisition
• WinEn (Check your EnCase-installed folder)
• MoonSols Windows Memory Toolkit Community Edition
– For analysis
• Memory Forensic Toolkit EnScripts: Raw Image Analyzer EnScript and Crash Dump Analyzer EnScript
– Other tool
• GetEntropy EnScript
Memory Forensics Overview
Why Memory Forensics?
• Analyzing volatile data is more important than ever before
– Anti-disk-forensic methods used by malware
• Modifying file timestamps
• Wiping file content
• Running only in memory
– Erasing or moving data from the user's HDD
• Secure Web browsing
• Using cloud services
Basic Flow of Memory Forensics
[Figure: Target Machine -> Memory Image File -> Investigator's Machine]
1. Acquire RAM data as an image file
2. Parse and analyze the image offline
Advantages of Memory Forensics
• Offline parsing of a memory image doesn't use system APIs
• Memory forensics can get
– unallocated data (e.g., a terminated process)
– data hidden by malware (e.g., a hidden process)
[Figure: a live response tool gets information through the Windows API and sees only the running process; a memory forensic analysis tool parses the binary image and extracts information from it, so it also sees the hidden process and the terminated (unallocated) process]
Acquisition Hands-on
Memory Acquisition
• The EnScripts can analyze two memory image formats
– raw memory image (.bin)
– crash dump image (.dmp)
• raw memory image + debug info
• WinEn
– built-in acquisition tool of EnCase
– supported format: raw image (but saved as .E01)
• MoonSols Windows Memory Toolkit (win32/64dd)
– free Community Edition
– supported formats: raw image and crash dump image
hands-on 1: Memory Acquisition
• WinEn
– Specify the following options (on execution or
interactively)
• -p : destination path and name to save (without extension)
• -m : evidence name in EnCase view
• -c : case number
• -e : examiner name
• -r : evidence number
• -d : compression level (0=None, 1=better, 2=best)
• MoonSols Windows Memory Toolkit
– Execute win32dd.exe or win64dd.exe
• /f : destination path and name to save (with extension)
• /d : Microsoft Crash Dump Format
Analysis Hands-on
Analysis EnScripts
• For raw image
– Raw Image Analyzer (RIA)
• Porting of Volatility Framework
• Newly added functions
– Keyword search specifying multilingual codepages
– Calculate entropy values of processes and VADs
• Support x86 Windows XP/2003/7
• For crash dump image
– Crash Dump Analyzer (CDA)
• Support x86 XP/2003/7 and x64 2003/2008/7
hands-on 2: Memory Analysis (Raw)
• Drag and drop raw image files into EnCase
• Blue-check one entry in Table Pane
– Don’t blue-check folders
• Check your image's OS version and expand the matching RIA folder in the Filter Pane
• Run the following scripts
– PsList: List all processes
– KMList: List all kernel modules
– DllList: List all DLLs loaded by a specified process
– OpenFiles: List all files opened by a specified process
– ProcDump: Extract an executable of a specified process
hands-on 3: Memory Analysis (Raw)
• Blue-check hands-on3_DKOM_XPx86.bin in
WindowsMemoryForensics.L01
• Run PsList and PsScan
• Any difference?
Two Memory Analyzing Methods*1
• Tree & List Traversal
– Emulate data access performed by OS
• Translate virtual addresses to physical ones
• Traverse kernel data structure using address pointers
• Object Fingerprint Search
– Carve signatures of kernel objects
• Search data using signatures (e.g., _EPROCESS)
• Validate search-hit data
*1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/forensics-waits-live-memory-forensics-doha-feb-08.pdf
IA32 (x86) Address Translation
The OS loads the Directory Table Base (the starting physical address for address translation) into control register CR3.
[Figure: "How PAE X86 Works", http://technet.microsoft.com/en-us/library/cc736309(WS.10).aspx]
Implementation: Finding the Directory Table Base of the Windows Kernel
• The OS switches context by loading the Directory Table Base (DTB) of each process
– The DTB is stored in each process object (_EPROCESS)
• The Tree & List Traversal method of RIA scans for the _EPROCESS signature and takes the DTB of the "Idle" process
– The Idle process runs in kernel space
– The signature changes per OS version
[Figure: _EPROCESS signature hit with Process ID 0 and Process Name "Idle"; its DTB is the DTB of the kernel]
Key Addresses for Traversal
• Windows has key virtual addresses of various structures
– Lead addresses for linked lists
• e.g., PsActiveProcessHead for the running process list
– Root addresses for binary trees
• e.g., VadRoot (explained later) for the process address space
[Figure: PsActiveProcessHead followed by the _EPROCESS objects of "System", "smss.exe", ..., "win32dd.exe", linked through their FLINK/BLINK pointers]
Implementation: Finding Key Addresses for Traversal
• Use a debug structure
– Kernel Processor Control Region (KPCR)*2
1. Get the address pointer to _KDDEBUGGER_DATA32 from _KPCR
– In Windows XP, the address of _KPCR is fixed (e.g., 0xFFDFF000)
– Not fixed in Windows 7, so guessing is needed!
2. Get the address pointers to the following key addresses from _KDDEBUGGER_DATA32
– PsActiveProcessHead (lead address of running processes)
– PsLoadedModuleList (lead address of currently loaded kernel modules)
*2 Finding some non-exported kernel variables in Windows XP
http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf
Implementation: Object Fingerprint Search
1. Search for signatures of headers
– e.g., _OBJECT_HEADER/_DISPATCHER_HEADER/_POOL_HEADER
– The EnScripts use the pool tag in _POOL_HEADER
• a 4-byte value defined for each object type (e.g., "Proc" for a process object)
2. Validate the search hits
– Check values included in the headers
– Check values included in the object (content)
[Figure: a pool block laid out as _POOL_HEADER (0x8 bytes), _OBJECT_HEADER (0x20 bytes), _EPROCESS (0x260 bytes); the size and offset of headers/objects depend on the OS version]
Comparison of Two Methods
Tree & list traversal
- pros: short time; no noise; gets information from pointers (e.g., process command line)
- cons: misses unlinked objects (e.g., DKOM); unstable
Object "fingerprint" searches
- pros: finds unlinked objects; robust
- cons: long time; noisy
Memory Forensic EnScripts Usage Note
• Address translation and data size vary according to the machine architecture (32-bit/64-bit)
• Kernel data offsets/structures vary according to the OS version (XP/7/2003/2008)
• Which analyzing method does each EnScript use?
– Tree & List Traversal: PsList, KMList, DllList, OpenFiles, ProcDump, VadSearch, VadDump, PsEntropyPEB, PsEntropyVAD
– Object Fingerprint Search: PsScan, KMScan, ConnScan
– Others: DMP_Info
– Library (not executed): x86, x86dmp, x64dmp, Win32, Win64, Vtypes
hands-on 4: Memory Analysis (Raw)
• Blue-check hands-on4_ExitProcess_XPx86.vmem
in WindowsMemoryForensics.L01
• How many processes were dropped from
dw8.exe?
hands-on 5: Memory Analysis (Crash Dump)
• Blue-check hands-on5_DeviceReservedSpace_XPx86.dmp in WindowsMemoryForensics.L01 or the dmp file generated by you
• Execute some modules in RIA
Difference between Raw Image and Crash Dump
• A crash dump file doesn't include
– the 1st page
– pages reserved by devices
• The file offset is different from the physical address
[Figure: physical memory address space next to the crash dump layout; the 1st page (BIOS reserved) and the address space reserved by devices are not included in the crash dump. Physical memory runs of the example dump:]
Run[0] BasePage = 0x1, PageCount = 0x9e
Run[1] BasePage = 0x100, PageCount = 0xeff
Run[2] BasePage = 0x1000, PageCount = 0xeef0
Run[3] BasePage = 0xff00, PageCount = 0x100
Implementation: Crash Dump Analysis
• Tree & List Traversal
– performs two-stage address translation
• virtual address -> physical address -> file offset
– The crash dump includes debug information in its 1st page
• The DMP_Info module can parse it
– Stable execution
• CDA never needs scanning/guessing to get the debug information
• Object Fingerprint Search
– Almost the same as RIA's implementation
[Figure: hex view of the crash dump header with the 32-bit crash dump signature, the kernel directory table base, PsActiveProcessHead and PsLoadedModuleList highlighted]
Searching/Dumping Process Memory Address Space
• Virtual Address Descriptor (VAD)
– Management information about process memory pages
– We can read process-specific data by traversing the VAD tree
• loaded exe/dll images
• heap/stack data
[Figure: VadRoot in _EPROCESS points to a binary tree of VAD nodes (VadS/Vadl), each with StartingVpn (start address), EndingVpn (end address), Parent, LeftChild and RightChild]
hands-on 6: Memory Acquisition & Analysis (VadSearch)
• Blue-check the crash dump acquired in the acquisition hands-on
• Find the target process ID with PsList
• Configure your keywords and blue-check them
• Run VadSearch
– Specify the process ID to search
• Check the results in the Bookmark tab
hands-on 7: Memory Acquisition &
Analysis (VadDump)
• Blue-check hands-on7_VadDump_XPx86.vmem
in WindowsMemoryForensics.L01
• Run VadDump of RIA
– Select a specific process (winlogon.exe, PID:644)
– Dump only code-injected memory pages
• VadDump checks protection flag of VAD *3
• Scan code-injected memory pages using
VirusTotal
*3 “Code Injection and the VAD”, Malware Analyst Cookbook p.610
Entropy *4
• Entropy stands for the randomness of data
• We can detect similar files by calculating entropy
H = -\sum_{i=0}^{255} P_i \log_2(P_i)
0000000000000000000000000000000000000000000 Entropy = 0 (only 1 value)
010101010101010101010101010101010101 Entropy = 1 (two values)
012345678901234567890123456789012345678901 Entropy = 8 (totally random)
*4 "Utilizing Entropy to Identify Undetected Malware"
http://image.lifeservant.com/siteuploadfiles/VSYM/99B5C5E7-8B46-4D14-A53EB8FD1CEEB2BC/43C34073-C29A-8FCE-4B653DBE35B934F7.pdf
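The entropy formula and the similarity check behind PsEntropyPEB, as an added Python example (not the EnScript). The three sample buffers are constructed stand-ins for the hands-on 8 files, and the 0.05 matching tolerance is an assumed threshold, not the EnScript's.

```python
import math
import random
from collections import Counter


def shannon_entropy(data):
    """H = -sum_{i=0}^{255} P_i * log2(P_i), with P_i the relative frequency of byte value i.
    Ranges from 0 (one value only) to 8 (all 256 values equally likely)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def entropy_match(a, b, tolerance=0.05):
    """'Matching Mode' style comparison: two buffers whose entropies differ by less than the
    tolerance (an assumed threshold) are reported as candidates for the same program."""
    return abs(shannon_entropy(a) - shannon_entropy(b)) < tolerance


def sample_buffers():
    """Constructed stand-ins for the hands-on 8 files (not the real notepad binaries):
    an 'original', the same bytes with 3 bytes patched, and a 'packed' pseudo-random buffer."""
    original = bytes(i % 64 for i in range(4096))            # 64 equiprobable values -> H = 6.0
    patched = bytearray(original)
    patched[100:103] = b"\xff\xff\xff"                       # 3 bytes differ, H barely moves
    rng = random.Random(1)                                   # fixed seed keeps the result reproducible
    packed = bytes(rng.getrandbits(8) for _ in range(4096))  # compressed/encrypted code looks random
    return original, bytes(patched), packed


def slide_examples():
    """The three illustrations from the slide as byte strings: one value, two values, all values."""
    return {
        "only 1 value": shannon_entropy(bytes(43)),
        "two values": shannon_entropy(bytes([0, 1] * 18)),
        "totally random": shannon_entropy(bytes(range(256)) * 4),
    }
```

The patched buffer stays within a few thousandths of the original's entropy, while the packed buffer sits near 8, which is what makes a plain entropy comparison useful for spotting a packed variant of a known program.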
hands-on 8: Memory Analysis (PsEntropy*)
• Blue-check hands-on8_Entropy_XPx86.dmp in WindowsMemoryForensics.L01
• Run PsEntropyPEB
– uncheck Matching Mode
– compare the entropy values of notepad.exe, notepad_3bytes_diff.exe and notepad_packed.exe
• PsEntropyVAD
– PsEntropyVAD calculates entropy values of code-injected memory pages (experimental)
Anti Memory Forensics
hands-on 9: Memory Analysis (Anti
Memory Forensics)
• Blue-check hands-on9_AMF_XPx86.bin in
WindowsMemoryForensics.L01
• Run PsList and PsScan of RIA
• Blue-check hands-on9_AMF_XPx86.dmp in
WindowsMemoryForensics.L01
• Run PsList of CDA
• Did you find any error or any suspicious
processes? Why?
Anti Memory Forensic Methods (1)
• Exploit the analyzing methods
– Tree & List Traversal
• Disable traversing
– Hands-on 9: rename the "Idle" process
» Prevention: use CDA instead of RIA
• Cause false negatives
– Hands-on 3: Direct Kernel Object Manipulation (DKOM)
» Prevention: use Object Fingerprint Search
– Object Fingerprint Search
• Cause false positives
– Hands-on 9: insert decoy signatures
» Prevention: any idea? (The file offset is one measure.)
[Figure: the process list "System" <-> "win32dd.exe" linked via FLINK/BLINK, with the _EPROCESS of "malware.exe" (the malicious process) unlinked by DKOM]
Anti Memory Forensic Methods (2)
• Other methods
– Disturb correct memory acquisition
• e.g., Shadow Walker
– Prevention: cannot be prevented, but can be detected by checking for IDT hooks
– Leave nothing in RAM
• Hook a Model-Specific Register (MSR)
– Windows uses an MSR for system calls
• VMM/SMM rootkit
– Runs at Ring -1 or below
Wrap-up
Wrap-up
• Memory forensics can get unallocated/hidden data by parsing a memory image offline
• Two analyzing methods
– You should know the pros and cons of the two methods
• The implementation depends on the image format
– I recommend acquiring/analyzing crash dump images
• Remember memory forensics is not good at everything
• Use multiple analysis tools for validation
Example: TCP connections in Windows 7
[Figure: Memoryze output, EnScript output and the netstat output log compared side by side]
Appendix: Comparison of Analysis Tools
EnCase EnScript
- Supported Windows OS: XP/2003/7/2008
- Supported image formats: Raw, Crash dump
- Supported architectures: Intel x86, AMD x64
- Implementation: T & O
- Swap analysis: Not supported
- Features: Multilingual keyword search, Entropy
Volatility Framework
- Supported Windows OS: XP/Vista/7/2008
- Supported image formats: Raw, Crash dump, Hibernation
- Supported architectures: Intel x86
- Implementation: T & O
- Swap analysis: Not supported
- Features: Many kinds of plugins
HBGary Responder
- Supported Windows OS: All
- Supported image formats: Raw
- Supported architectures: Intel x86, AMD x64
- Implementation: T
- Swap analysis: Supported
- Features: Digital DNA, static code analysis
FTK
- Supported Windows OS: All
- Supported image formats: Raw
- Supported architectures: Intel x86, AMD x64
- Implementation: T & O?
- Swap analysis: Supported
- Features: Fuzzy hash, diffing between images
Memoryze
- Supported Windows OS: All
- Supported image formats: Raw
- Supported architectures: Intel x86, AMD x64
- Implementation: T & O?
- Swap analysis: Not supported
- Features: Malware Rating Index
T = Tree & list traversal
O = Object "fingerprint" searches
Q&A
How to write a Business Continuity PlanDatabarracks
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 

Kürzlich hochgeladen (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 

Windows Memory Forensic Analysis using EnCase

9. Memory Acquisition
   • The EnScripts can analyze two memory image formats
     – raw memory image (.bin)
     – crash dump image (.dmp): a raw memory image plus debug information
   • WinEn
     – built-in acquisition tool of EnCase
     – supported format: raw image, stored inside an EnCase .E01 evidence file
   • MoonSols Windows Memory Toolkit (win32dd/win64dd)
     – free Community Edition
     – supported formats: raw image and crash dump image
10. hands-on 1: Memory Acquisition
   • WinEn
     – Specify the following options (on the command line or interactively)
       • -p : destination path and name to save (without extension)
       • -m : evidence name in EnCase view
       • -c : case number
       • -e : examiner name
       • -r : evidence number
       • -d : compression level (0=None, 1=better, 2=best)
   • MoonSols Windows Memory Toolkit
     – Execute win32dd.exe or win64dd.exe
       • /f : destination path and name to save (with extension)
       • /d : Microsoft Crash Dump Format
11. Analysis Hands-on
12. Analysis EnScripts
   • For raw images
     – Raw Image Analyzer (RIA)
       • Porting of the Volatility Framework
       • Newly added functions
         – Keyword search specifying multilingual codepages
         – Calculate entropy values of processes and VADs
       • Supports x86 Windows XP/2003/7
   • For crash dump images
     – Crash Dump Analyzer (CDA)
       • Supports x86 XP/2003/7 and x64 2003/2008/7
13. hands-on 2: Memory Analysis (Raw)
   • Drag and drop raw image files into EnCase
   • Blue-check one entry in the Table Pane
     – Don’t blue-check folders
   • Check your image’s OS version and expand the matching RIA folder in the Filter Pane
   • Run the following scripts
     – PsList: List all processes
     – KMList: List all kernel modules
     – DllList: List all DLLs loaded by a specified process
     – OpenFiles: List all files opened by a specified process
     – ProcDump: Extract the executable of a specified process
14. hands-on 3: Memory Analysis (Raw)
   • Blue-check hands-on3_DKOM_XPx86.bin in WindowsMemoryForensics.L01
   • Run PsList and PsScan
   • Any difference?
15. Two Memory Analyzing Methods *1
   • Tree & List Traversal
     – Emulate the data access performed by the OS
       • Translate virtual addresses to physical ones
       • Traverse kernel data structures using address pointers
   • Object Fingerprint Search
     – Carve signatures of kernel objects
       • Search data using signatures (e.g., _EPROCESS)
       • Validate search-hit data
   *1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/forensics-waits-live-memory-forensics-doha-feb-08.pdf
17. IA32 (x86) Address Translation
   • The OS loads the Directory Table Base (the starting physical address for address translation) into Control Register 3 (CR3)
   • How PAE X86 Works: http://technet.microsoft.com/en-us/library/cc736309(WS.10).aspx
18. Implementation: Finding the Directory Table Base of the Windows Kernel
   • The OS switches context by loading the Directory Table Base (DTB) of each process
     – The DTB is stored in each process object (_EPROCESS)
   • The Tree & List Traversal of RIA scans for the _EPROCESS signature and takes the DTB of the “Idle” process
     – The Idle process runs in kernel space, so its DTB maps the kernel
     – The signature changes with the OS version
   (figure: _EPROCESS signature → Process ID: 0, Process Name: Idle → DTB of the kernel)
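The two-level page walk that slides 17 and 18 describe, as an added Python example that is not RIA's EnScript code (RIA ports Volatility's address spaces). It assumes the non-PAE x86 layout (10-bit directory index, 10-bit table index, 12-bit offset), handles the 4 MiB large-page case, and runs over a constructed physical image whose DTB, page directory, page table and data pages are built inline; on a real image the DTB would be the one read from the Idle process's _EPROCESS.

```python
"""x86 (non-PAE) virtual-to-physical address translation over a raw memory image.

Added example: the page-table walk that a Tree & List Traversal has to emulate.
The physical image below is constructed: a page directory at the DTB, one page
table, one 4 KiB mapping and one 4 MiB large-page mapping.
"""
import struct

PAGE_SIZE = 0x1000
FLAG_PRESENT = 0x1      # bit 0 of a PDE/PTE
FLAG_LARGE = 0x80       # PS bit of a PDE: 4 MiB page, no page-table level


def read_u32(mem: bytes, phys: int) -> int:
    """Little-endian 32-bit read at a physical address of the image."""
    return struct.unpack_from("<I", mem, phys)[0]


def v2p(mem: bytes, dtb: int, vaddr: int):
    """Translate a 32-bit virtual address through the page directory at `dtb` (CR3).

    Non-PAE layout: bits 31..22 index the page directory, bits 21..12 the page
    table, bits 11..0 are the offset. Returns None when a level is not present.
    """
    pde = read_u32(mem, (dtb & ~0xFFF) + ((vaddr >> 22) & 0x3FF) * 4)
    if not pde & FLAG_PRESENT:
        return None
    if pde & FLAG_LARGE:
        # 4 MiB page: PDE bits 31..22 give the frame, the low 22 bits of vaddr the offset
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte = read_u32(mem, (pde & ~0xFFF) + ((vaddr >> 12) & 0x3FF) * 4)
    if not pte & FLAG_PRESENT:
        return None
    return (pte & ~0xFFF) | (vaddr & 0xFFF)


def read_virtual(mem: bytes, dtb: int, vaddr: int, length: int):
    """Read `length` bytes of virtual memory page by page; None if any page is unmapped."""
    out = bytearray()
    while length > 0:
        phys = v2p(mem, dtb, vaddr)
        if phys is None:
            return None
        chunk = min(length, PAGE_SIZE - (vaddr & 0xFFF))
        out += mem[phys:phys + chunk]
        vaddr += chunk
        length -= chunk
    return bytes(out)


def build_image():
    """Constructed 8 MiB physical image (assumed layout, not taken from any real system)."""
    mem = bytearray(0x800000)
    dtb = 0x39000                                   # page directory (what CR3 would hold)
    page_table = 0x3A000
    struct.pack_into("<I", mem, dtb + 0 * 4, page_table | 0x3)        # PDE[0]: present, writable
    struct.pack_into("<I", mem, page_table + 0x10 * 4, 0x7000 | 0x3)  # PTE[0x10]: VA 0x00010000 -> PA 0x7000
    struct.pack_into("<I", mem, dtb + 0x200 * 4, 0x400000 | 0x83)     # PDE[0x200]: VA 0x80000000 -> 4 MiB page at PA 0x400000
    mem[0x7000:0x7008] = b"userdata"
    mem[0x401234:0x40123A] = b"kernel"
    return bytes(mem), dtb


if __name__ == "__main__":
    image, cr3 = build_image()
    for va in (0x00010000, 0x80001234, 0x00020000):
        pa = v2p(image, cr3, va)
        print("VA 0x%08x -> %s" % (va, "unmapped" if pa is None else "PA 0x%08x" % pa))
```

A PAE image (slide 17's TechNet link) adds a page-directory-pointer level and 64-bit entries, which is why RIA's x86 library has to know the boot mode before any list can be walked.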
19. Key Addresses for Traversal
   • Windows has key virtual addresses of various structures
     – Head addresses of linked lists
       • e.g., PsActiveProcessHead for the list of running processes
     – Root addresses of binary trees
       • e.g., VadRoot (explained later) for a process address space
   (figure: PsActiveProcessHead → _EPROCESS “System” → _EPROCESS “smss.exe” → ... → _EPROCESS “win32dd.exe”, each node linked to the next and previous one by its FLINK/BLINK pointers)
20. Implementation: Finding Key Addresses for Traversal
   • Use the debug structure reachable from the Kernel Processor Control Region (KPCR) *2
     1. Get the address pointer to _KDDEBUGGER_DATA32 from _KPCR
        – In Windows XP, the address of _KPCR is fixed (e.g., 0xFFDFF000)
        – Not fixed in Windows 7, so guessing is needed!
     2. Get the following key addresses from _KDDEBUGGER_DATA32
        – PsActiveProcessHead (head of the running process list)
        – PsLoadedModuleList (head of the list of currently loaded kernel modules)
   *2 Finding some non-exported kernel variables in Windows XP: http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf
21. Two Memory Analyzing Methods *1 (slide 15 repeated as the lead-in to the Object Fingerprint Search implementation)
22. Implementation: Object Fingerprint Search
   1. Search for header signatures
      – e.g., _OBJECT_HEADER / _DISPATCHER_HEADER / _POOL_HEADER
      – The EnScripts use the pool tag in _POOL_HEADER
        • a 4-byte value defined for each object type (e.g., “Proc” for a process object)
   2. Validate the search hits
      – Check values in the headers
      – Check values in the object itself (content)
   (figure: _POOL_HEADER (0x8 bytes) → _OBJECT_HEADER (0x20 bytes) → _EPROCESS (0x260 bytes); sizes and offsets of headers/objects depend on the OS version)
23. Comparison of the Two Methods
   • Tree & list traversal
     – pros: short run time; no noise; can follow pointers to more information (e.g., the process command line)
     – cons: misses unlinked objects (e.g., DKOM); unstable (breaks when the signature or key address cannot be found)
   • Object “fingerprint” searches
     – pros: finds unlinked objects; robust
     – cons: long run time; noisy (false positives)
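Both methods of slides 19, 22 and 23 side by side, as an added Python example that is not the PsList/PsScan EnScript code. The process objects are laid out as on an XP x86 system (_POOL_HEADER 8 bytes, _OBJECT_HEADER 0x20 bytes as on slide 22, _EPROCESS 0x260 bytes with DirectoryTableBase at 0x18, UniqueProcessId at 0x84, ActiveProcessLinks at 0x88 and ImageFileName at 0x174), but the image, the list head address and every pointer value are constructed, and pointers are used as physical offsets directly, i.e. an identity mapping stands in for the address translation step. One process is unlinked from the list the way DKOM does it, and a bare "Proc" string without a valid pool header plays the decoy signature of slide 36.

```python
"""Tree & List Traversal vs Object Fingerprint Search on a constructed image.

Added example, not the EnScripts' code. Three process objects are laid out like
XP x86 (_POOL_HEADER + _OBJECT_HEADER + _EPROCESS); pointers are treated as
physical offsets (assumption: identity mapping instead of v2p).
"""
import struct

POOL_HDR, OBJ_HDR, EPROC_SIZE = 0x8, 0x20, 0x260
ALLOC_SIZE = POOL_HDR + OBJ_HDR + EPROC_SIZE      # 0x288 bytes per "Proc" allocation
OFF_DTB, OFF_PID, OFF_LINKS, OFF_NAME = 0x18, 0x84, 0x88, 0x174   # XP SP2/3 _EPROCESS offsets


def pool_scan(mem: bytes, tag: bytes = b"Proc"):
    """Object Fingerprint Search: carve `tag`, then validate _POOL_HEADER and content.

    Yields offsets of _EPROCESS objects whose headers pass the checks, so a decoy
    that only copies the 4-byte tag is dropped instead of becoming a false positive.
    """
    pos = mem.find(tag)
    while pos != -1:
        hdr = pos - 4                           # PoolTag sits at _POOL_HEADER + 4
        if hdr >= 0 and hdr % 8 == 0:           # pool chunks are 8-byte aligned
            size_type = struct.unpack_from("<H", mem, hdr + 2)[0]
            block_size = (size_type & 0x1FF) * 8   # BlockSize is in 8-byte units
            pool_type = size_type >> 9             # 0 means a free chunk
            eproc = hdr + POOL_HDR + OBJ_HDR
            if pool_type and block_size >= ALLOC_SIZE and eproc + EPROC_SIZE <= len(mem):
                dtb = struct.unpack_from("<I", mem, eproc + OFF_DTB)[0]
                pid = struct.unpack_from("<I", mem, eproc + OFF_PID)[0]
                if dtb and dtb % 0x20 == 0 and pid < 0x10000:   # content checks
                    yield eproc
        pos = mem.find(tag, pos + 1)


def list_walk(mem: bytes, list_head: int):
    """Tree & List Traversal: follow ActiveProcessLinks.Flink from PsActiveProcessHead."""
    seen, out = set(), []
    flink = struct.unpack_from("<I", mem, list_head)[0]
    while flink != list_head and flink not in seen:
        seen.add(flink)
        out.append(flink - OFF_LINKS)           # CONTAINING_RECORD(entry, _EPROCESS, ActiveProcessLinks)
        flink = struct.unpack_from("<I", mem, flink)[0]
    return out


def describe(mem: bytes, eproc: int):
    pid = struct.unpack_from("<I", mem, eproc + OFF_PID)[0]
    name = mem[eproc + OFF_NAME:eproc + OFF_NAME + 16].split(b"\0", 1)[0].decode()
    return pid, name


def hidden_processes(mem: bytes, list_head: int):
    """Processes the scan finds but the list walk misses: the DKOM signature."""
    linked = set(list_walk(mem, list_head))
    return [describe(mem, e) for e in pool_scan(mem) if e not in linked]


def build_image():
    """Constructed image: System and smss.exe linked, malware.exe unlinked by DKOM, plus a decoy tag."""
    mem = bytearray(0x20000)
    list_head = 0x100                            # stands in for PsActiveProcessHead
    procs = [(0x1000, 4, b"System"), (0x2000, 368, b"smss.exe"), (0x3000, 1234, b"malware.exe")]
    for base, pid, name in procs:
        # _POOL_HEADER: PreviousSize/PoolIndex = 0, BlockSize = 0x288/8, PoolType = 1 (allocated), tag
        struct.pack_into("<HH4s", mem, base, 0, (ALLOC_SIZE // 8) | (1 << 9), b"Proc")
        e = base + POOL_HDR + OBJ_HDR
        struct.pack_into("<I", mem, e + OFF_DTB, 0x39000)
        struct.pack_into("<I", mem, e + OFF_PID, pid)
        mem[e + OFF_NAME:e + OFF_NAME + len(name)] = name
    # Circular list: head <-> System <-> smss.exe; malware.exe is left out (DKOM unlink)
    entries = [list_head] + [b + POOL_HDR + OBJ_HDR + OFF_LINKS for b, _, _ in procs[:2]]
    for i, entry in enumerate(entries):
        struct.pack_into("<II", mem, entry, entries[(i + 1) % len(entries)], entries[i - 1])
    mem[0x5004:0x5008] = b"Proc"                 # decoy: tag only, no valid pool header
    return bytes(mem), list_head


if __name__ == "__main__":
    image, head = build_image()
    print("PsList :", [describe(image, e) for e in list_walk(image, head)])
    print("PsScan :", [describe(image, e) for e in pool_scan(image)])
    print("hidden :", hidden_processes(image, head))
```

The header and content checks are what keep the decoy out; slide 36's suggestion of looking at the file offset of a hit is a further filter, since a genuine allocation lands inside the nonpaged pool range while a planted string can sit anywhere.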
24. Memory Forensic EnScripts Usage Note
   • Address translation and data sizes vary with the machine architecture (32-bit/64-bit)
   • Kernel data offsets/structures vary with the OS version (XP/7/2003/2008)
   • Which analyzing method does each EnScript use?
     – Tree & List Traversal: PsList, KMList, DllList, OpenFiles, ProcDump, VadSearch, VadDump, PsEntropyPEB, PsEntropyVAD
     – Object Fingerprint Search: PsScan, KMScan, ConnScan
     – Others: DMP_Info
     – Library (not executed directly): x86, x86dmp, x64dmp, Win32, Win64, Vtypes
25. hands-on 4: Memory Analysis (Raw)
   • Blue-check hands-on4_ExitProcess_XPx86.vmem in WindowsMemoryForensics.L01
   • How many processes were dropped from dw8.exe?
26. hands-on 5: Memory Analysis (Crash Dump)
   • Blue-check hands-on5_DeviceReservedSpace_XPx86.dmp in WindowsMemoryForensics.L01, or the dmp file you generated
   • Execute some modules of RIA
27. Difference between Raw Image and Crash Dump
   • A crash dump file doesn’t include
     – the 1st page (BIOS reserved)
     – pages reserved by devices
   • So the file offset differs from the physical address
   • Example run table from a crash dump header (the physical page ranges stored in the file):
     – Run[0] BasePage = 0x1, PageCount = 0x9e
     – Run[1] BasePage = 0x100, PageCount = 0xeff
     – Run[2] BasePage = 0x1000, PageCount = 0xeef0
     – Run[3] BasePage = 0xff00, PageCount = 0x100
   (figure: physical memory address space with the 1st page and the device-reserved ranges marked as not included in the crash dump)
28. Implementation: Crash Dump Analysis
   • Tree & List Traversal
     – performs two-stage address translation
       • virtual address -> physical address -> file offset
     – A crash dump includes debug information in its 1st page
       • The DMP_Info module can parse it
     – Stable execution
       • CDA never needs scanning/guessing to get the debug information
   • Object Fingerprint Search
     – almost the same as RIA’s implementation
   (figure: fields of the 1st page of a crash dump: 32-bit crash dump signature, kernel directory table base, PsActiveProcessHead, PsLoadedModuleList)
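The physical-address-to-file-offset stage of CDA's two-stage translation (slides 27 and 28), as an added Python example that is not the Crash Dump Analyzer code. It pulls the run table and the key addresses out of a constructed 32-bit _DMP_HEADER using the header offsets Volatility's crash-dump address space uses (DirectoryTableBase at 0x10, PsLoadedModuleList at 0x18, PsActiveProcessHead at 0x1C, the _PHYSICAL_MEMORY_DESCRIPTOR at 0x64, header size 0x1000); the run table is the one from slide 27, the key-address values are made up, and no memory pages are appended to the constructed header.

```python
"""Physical address -> crash dump file offset (the second stage of CDA's translation).

Added example. A 32-bit crash dump starts with a 0x1000-byte _DMP_HEADER
("PAGE" + "DUMP"); the field offsets below follow the 32-bit header layout
used by Volatility's crash-dump address space. The header is constructed.
"""
import struct

PAGE = 0x1000
HEADER_SIZE = PAGE            # 32-bit dump: the header occupies the first page of the file


def parse_header(dump: bytes) -> dict:
    """DMP_Info-style parse of the debug information kept in the 1st page of the file."""
    if dump[:8] != b"PAGEDUMP":
        raise ValueError("not a 32-bit crash dump")
    dtb, = struct.unpack_from("<I", dump, 0x10)
    modlist, prochead = struct.unpack_from("<II", dump, 0x18)
    nruns, npages = struct.unpack_from("<II", dump, 0x64)      # _PHYSICAL_MEMORY_DESCRIPTOR
    runs = [struct.unpack_from("<II", dump, 0x6C + 8 * i) for i in range(nruns)]   # (BasePage, PageCount)
    return {"dtb": dtb, "PsLoadedModuleList": modlist, "PsActiveProcessHead": prochead,
            "pages": npages, "runs": runs}


def phys_to_file_offset(runs, phys: int):
    """Map a physical address to its offset in the dump file.

    Runs are stored back to back after the header, so the file page of a physical
    page is the number of pages in all earlier runs plus its index in its own run.
    Returns None for pages outside every run (page 0, device-reserved ranges).
    """
    page, off = phys >> 12, phys & 0xFFF
    file_page = 0
    for base, count in runs:
        if base <= page < base + count:
            return HEADER_SIZE + (file_page + page - base) * PAGE + off
        file_page += count
    return None


def build_dump() -> bytes:
    """Constructed header carrying slide 27's run table; key-address values are made up."""
    runs = [(0x1, 0x9E), (0x100, 0xEFF), (0x1000, 0xEEF0), (0xFF00, 0x100)]
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = b"PAGEDUMP"
    struct.pack_into("<I", hdr, 0x10, 0x39000)                       # kernel DirectoryTableBase
    struct.pack_into("<II", hdr, 0x18, 0x80550000, 0x80551000)       # PsLoadedModuleList, PsActiveProcessHead
    struct.pack_into("<II", hdr, 0x64, len(runs), sum(c for _, c in runs))
    for i, (base, count) in enumerate(runs):
        struct.pack_into("<II", hdr, 0x6C + 8 * i, base, count)
    return bytes(hdr)


if __name__ == "__main__":
    info = parse_header(build_dump())
    print("DTB 0x%x, PsActiveProcessHead 0x%x" % (info["dtb"], info["PsActiveProcessHead"]))
    for pa in (0x0, 0x1000, 0x9F000, 0x100000):
        fo = phys_to_file_offset(info["runs"], pa)
        print("PA 0x%08x -> %s" % (pa, "not in dump" if fo is None else "file offset 0x%x" % fo))
```

This is also why hands-on 5 misbehaves when RIA is pointed at a .dmp: RIA treats file offsets as physical addresses, so every read past the first run is shifted by the missing pages.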
29. Searching/Dumping the Process Memory Address Space
   • Virtual Address Descriptor (VAD)
     – Management information about process memory pages
     – We can read process-specific data by traversing the VAD tree
       • loaded exe/dll images
       • heap/stack data
   (figure: _EPROCESS.VadRoot → tree of VAD nodes (pool tags Vad, VadS, Vadl), each with StartingVpn (start address), EndingVpn (end address), Parent, LeftChild and RightChild)
30. hands-on 6: Memory Acquisition & Analysis (VadSearch)
   • Blue-check the crash dump you acquired in hands-on 1
   • Find the target process ID with PsList
   • Configure your keywords and blue-check them
   • Run VadSearch
     – Specify the process ID to search
   • Check the result in the Bookmark tab
31. hands-on 7: Memory Acquisition & Analysis (VadDump)
   • Blue-check hands-on7_VadDump_XPx86.vmem in WindowsMemoryForensics.L01
   • Run VadDump of RIA
     – Select a specific process (winlogon.exe, PID: 644)
     – Dump only code-injected memory pages
       • VadDump checks the protection flags of each VAD *3
     – Scan the dumped code-injected pages with VirusTotal
   *3 “Code Injection and the VAD”, Malware Analyst’s Cookbook, p. 610
32. Entropy *4
   • Entropy measures the randomness of data
   • We can detect similar files by comparing their entropy values
   • Shannon entropy of a byte sequence, with P_i the probability of byte value i:
     $H = -\sum_{i=0}^{255} P_i \log_2 P_i$
   • Examples
     – only one value (0000000000…): Entropy = 0
     – two equally frequent values (0101010101…): Entropy = 1
     – totally random bytes (all 256 values equally frequent): Entropy = 8, the maximum of 8 bits per byte
   *4 “Utilizing Entropy to Identify Undetected Malware”, http://image.lifeservant.com/siteuploadfiles/VSYM/99B5C5E7-8B46-4D14-A53EB8FD1CEEB2BC/43C34073-C29A-8FCE-4B653DBE35B934F7.pdf
33. hands-on 8: Memory Analysis (PsEntropy*)
   • Blue-check hands-on8_Entropy_XPx86.dmp in WindowsMemoryForensics.L01
   • Run PsEntropyPEB
     – uncheck Matching Mode
     – compare the entropy values of notepad.exe, notepad_3bytes_diff.exe and notepad_packed.exe
   • PsEntropyVAD
     – calculates entropy values of code-injected memory pages (experimental)
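VAD tree traversal, the protection-flag filter VadDump applies and the entropy formula of slide 32 together, as an added Python example that is not the VadDump/PsEntropyVAD code. The tree is built in memory from constructed nodes instead of parsing _MMVAD structures out of an image, the protection values are the Windows MM_* encodings (MM_READWRITE = 4, MM_EXECUTE_READWRITE = 6, MM_EXECUTE_WRITECOPY = 7), and the page contents attached to the nodes are constructed to cover the entropy range.

```python
"""VAD tree traversal, code-injection filter and entropy over process memory.

Added example, not the VadDump/PsEntropyVAD EnScripts. VAD nodes are built
from constructed values rather than parsed from _MMVAD structures; the
protection field uses the Windows MM_* encoding.
"""
import math
from dataclasses import dataclass
from typing import List, Optional

MM_READWRITE = 4
MM_EXECUTE_READWRITE = 6
MM_EXECUTE_WRITECOPY = 7


@dataclass
class Vad:
    starting_vpn: int            # first virtual page number of the range
    ending_vpn: int              # last virtual page number (inclusive)
    protection: int              # MM_* value from VadFlags.Protection
    tag: bytes                   # pool tag: b"Vad" (mapped image), b"VadS" (private), b"Vadl"
    content: bytes               # constructed page content, stands in for reading the pages
    left: Optional["Vad"] = None
    right: Optional["Vad"] = None

    @property
    def start(self) -> int:
        return self.starting_vpn << 12

    @property
    def end(self) -> int:
        return ((self.ending_vpn + 1) << 12) - 1


def walk_vad(node: Optional[Vad]) -> List[Vad]:
    """In-order traversal from VadRoot (LeftChild, node, RightChild): ranges come out sorted."""
    if node is None:
        return []
    return walk_vad(node.left) + [node] + walk_vad(node.right)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, H = -sum_{i=0}^{255} P_i * log2(P_i), range 0..8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def injected_regions(root: Optional[Vad]) -> List[Vad]:
    """VadDump-style filter: private (VadS) ranges that are executable and writable.

    A legitimately mapped image is a 'Vad' node with EXECUTE_WRITECOPY, so an RWX
    private range is the classic sign of injected code.
    """
    return [v for v in walk_vad(root) if v.tag == b"VadS" and v.protection == MM_EXECUTE_READWRITE]


def entropy_report(root: Optional[Vad]):
    """(start, end, entropy) per injected range, like PsEntropyVAD."""
    return [(v.start, v.end, round(entropy(v.content), 2)) for v in injected_regions(root)]


def build_tree() -> Vad:
    """Constructed VAD tree of a winlogon.exe-like process (addresses and contents are made up)."""
    heap = Vad(0x00090000 >> 12, 0x0009FFFF >> 12, MM_READWRITE, b"VadS", b"\x00" * 4096)
    stack = Vad(0x00120000 >> 12, 0x0012FFFF >> 12, MM_READWRITE, b"VadS", b"\x00\x01" * 2048)
    injected = Vad(0x00C10000 >> 12, 0x00C10FFF >> 12, MM_EXECUTE_READWRITE, b"VadS", bytes(range(256)) * 16)
    image = Vad(0x01000000 >> 12, 0x0107FFFF >> 12, MM_EXECUTE_WRITECOPY, b"Vad", b"MZ" + b"\x00" * 62)
    stack.left, stack.right = heap, image     # stack is the root; in-order: heap, stack, injected, image
    image.left = injected
    return stack


if __name__ == "__main__":
    root = build_tree()
    for v in walk_vad(root):
        print("0x%08x-0x%08x %-4s prot=%d entropy=%.2f" % (v.start, v.end, v.tag.decode(), v.protection, entropy(v.content)))
    print("injected:", entropy_report(root))
```

The entropy of a dumped region only tells you how random it is: a packed or encrypted payload scores near 8, while a zero-filled reservation scores 0, which is why PsEntropyVAD is run after the protection filter rather than instead of it.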
34. Anti Memory Forensics
35. hands-on 9: Memory Analysis (Anti Memory Forensics)
   • Blue-check hands-on9_AMF_XPx86.bin in WindowsMemoryForensics.L01
   • Run PsList and PsScan of RIA
   • Blue-check hands-on9_AMF_XPx86.dmp in WindowsMemoryForensics.L01
   • Run PsList of CDA
   • Did you find any error or any suspicious processes? Why?
36. Anti Memory Forensic Methods (1)
   • Exploit the analyzing methods
     – Tree & List Traversal
       • Disable traversing
         – Hands-on 9: rename the “Idle” process (RIA can no longer find the kernel DTB by its signature)
           » Prevention: use CDA instead of RIA (the DTB comes from the crash dump header)
       • Cause false negatives
         – Hands-on 3: Direct Kernel Object Manipulation (DKOM)
           » Prevention: use Object Fingerprint Search
     – Object Fingerprint Search
       • Cause false positives
         – Hands-on 9: insert decoy signatures
           » Prevention: any idea? (The file offset of a hit is one measure.)
   (figure: the PsActiveProcessHead list _EPROCESS “System” ↔ _EPROCESS “win32dd.exe”, with the malicious _EPROCESS “malware.exe” unlinked from it by DKOM)
37. Anti Memory Forensic Methods (2)
   • Other methods
     – Disturb correct memory acquisition
       • e.g., Shadow Walker
         – Prevention: cannot be prevented, but can be detected by checking for IDT hooks
     – Leave nothing in RAM
       • Hook a Model-Specific Register (MSR)
         – Windows uses an MSR for system calls
       • VMM/SMM rootkit
         – Runs at Ring -1 or below
38. Wrap-up
39. Wrap-up
   • Memory forensics can recover unallocated/hidden data by parsing a memory image offline
   • Two analyzing methods
     – You should know the pros and cons of both
   • The implementation depends on the image format
     – I recommend acquiring/analyzing crash dump images
   • Remember that memory forensics is not good at everything
   • Use multiple analysis tools for validation
40. Example: TCP connections in Windows 7
   (figure: Memoryze output, EnScript output and the netstat output log compared side by side)
41. Appendix: Comparison of Analysis Tools
   • EnCase EnScript
     – Supported Windows OS: XP/2003/7/2008
     – Supported image formats: Raw, Crash dump
     – Supported architectures: Intel x86, AMD x64
     – Implementation: T & O
     – Swap analysis: Not supported
     – Feature: Multilingual keyword search, Entropy
   • Volatility Framework
     – Supported Windows OS: XP/Vista/7/2008
     – Supported image formats: Raw, Crash dump, Hibernation
     – Supported architectures: Intel x86
     – Implementation: T & O
     – Swap analysis: Not supported
     – Feature: Many kinds of plugins
   • HBGary Responder
     – Supported Windows OS: All
     – Supported image formats: Raw
     – Supported architectures: Intel x86, AMD x64
     – Implementation: T
     – Swap analysis: Supported
     – Feature: Digital DNA, static code analysis
   • FTK
     – Supported Windows OS: All
     – Supported image formats: Raw
     – Supported architectures: Intel x86, AMD x64
     – Implementation: T & O?
     – Swap analysis: Supported
     – Feature: Fuzzy hash, diffing between images
   • Memoryze
     – Supported Windows OS: All
     – Supported image formats: Raw
     – Supported architectures: Intel x86, AMD x64
     – Implementation: T & O?
     – Swap analysis: Not supported
     – Feature: Malware Rating Index
   T = Tree & list traversal, O = Object “fingerprint” searches
42. Q&A
43. Contact
   • Blog: http://cci.cocolog-nifty.com/blog/
   • Email: t-haruyama@iij.ad.jp
   • Twitter ID: @cci_forensics