39 - Physical Memory Forensics
Mariusz Burdach
Overview
Introduction
Anti-forensics
Acquisition methods
Memory analysis of Windows & Linux
Recovering memory mapped files
Detecting hidden data
Verifying integrity of core memory components
Tools
Q&A
Analysis Types
Application Analysis
Swap Space Analysis
File System Analysis
Volume Analysis
Database Analysis
Memory Analysis
Network Analysis
RAM Forensics
Memory resident data
Correlation with Swap Areas
Anti-Forensics against the data:
Data contraception
Data hiding
Data destruction
Anti-Forensic methods:
Data contraception against File System Analysis
Data hiding against Memory Analysis
In-memory data
Current running processes and terminated processes
Open TCP/UDP ports/raw sockets/active connections
Memory mapped files
Executable, shared, objects (modules/drivers), text files
Caches
Web addresses, typed commands, passwords, clipboards,
SAM database, edited files
Anti-forensics
Syscall proxying - it transparently proxies a process's system calls to a remote server:
CORE Impact
Anti-forensics
Anti-forensic projects focused on data contraception:
Remote Execution of binary without creating a file on disk
by grugq (Phrack #62)
Advanced Antiforensics : SELF by Pluf & Ripe (Phrack #63)
DEMO
In memory worms/rootkits
Their code exists only in volatile memory and they are installed covertly via an exploit
Example: Witty worm (no file payload)
Anti-forensics
Hiding data in memory:
Advanced rootkits
Evidence gathering or incident response tools can be cheated
Examples:
Hacker Defender/Antidetection suspended
FUTo/Shadow Walker
Anti-forensics
DKOM (Direct Kernel Object Manipulation)
Doubly Linked List can be abused
The FU rootkit by Jamie Butler
BEFORE / AFTER diagram: six EPROCESS blocks chained through FLINK and BLINK pointers; in the AFTER view the process to hide is unlinked from the chain.
SELF
Executed in memory as an additional process
memory mapped files can be recovered even after process termination
Acquisition methods
All data in main memory is volatile; it refers to data on a live system. Volatile memory loses its contents when a system is shut down or rebooted
It is impossible to verify the integrity of the data
Acquisition is usually performed in a timely manner (Order of Volatility - RFC 3227)
Physical backup instead of logical backup
Volatile memory acquisition procedures can be:
Hardware-based
Software-based
Hardware-based methods
Hardware-based memory acquisitions
We can access memory without relying on the operating system, suspending the CPU and using DMA (Direct Memory Access) to copy the contents of physical memory (e.g. TRIBBLE PoC Device)
Related work (Copilot Kernel Integrity Monitor, EBSA285)
Software-based method
Software-based memory acquisitions:
A trusted toolkit has to be used to collect volatile data
DD for Windows - Forensic Acquisition Utilities & KNTDD are available at http://users.erols.com/gmgarner/
DD for Linux by default included in each distribution (part of GNU File Utilities)
Rootkit technologies
Many memory and swap space modifications
Preparation
Useful files (acquired from a file system):
Kernel image files (ntoskrnl.exe, vmlinux-2.x)
Drivers/modules/libraries
Configuration files (e.g. SAM file, boot.ini)
Map of Symbols
System.map file
Some symbols are exported by core operating system files
System identification
Information about the analysed memory dump
Page size = 4096 (0x1000) bytes
The total size of the physical memory
Physical Address Extension (PAE)
HIGHMEM = 896 MB
Architecture 32-bit/64-bit/IA-64/SMP
Memory layout
Virtual Address Space/Physical Address Space
User/Kernel land
Windows kernel offset at 0x80000000
Linux kernel offset at 0xC0000000
Methods of analysis
Strings searching and signatures matching
extracting strings from images (ASCII & UNICODE)
identifying memory mapped objects by using signatures (e.g. file headers, .text sections)
DEMO
mem_map array
Page descriptor structure
Relations between structures
Enumerating processes
Linux
init_task_union (process number 0)
The address is exported by a kernel image file
The address is available in the System.map file
String searches method
Windows
PsInitialSystemProcess (ntoskrnl.exe) = _EPROCESS (System)
_EPROCESS blocks are linked by a doubly linked list
Required information:
the Page Directory of the Process (for dumping process image file)
the Page Directory of the System process (for dumping drivers/modules)
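Worked example, added here and not part of the original talk, of what the process Page Directory is used for: a 32-bit non-PAE x86 page-table walk over a constructed memory image, plus the Linux lowmem direct mapping at the 0xC0000000 kernel offset from the memory layout slide. The image layout, page frame numbers and the 896 MB HIGHMEM limit as used below are constructed for illustration.

```python
import struct

PAGE = 0x1000
LINUX_KERNEL_BASE = 0xC0000000   # Linux kernel offset from the memory layout slide

def build_image():
    """Constructed 32-bit non-PAE memory image (not a real dump):
    page directory at PFN 1, one page table at PFN 2, a data page at PFN 5."""
    img = bytearray(PAGE * 8)
    # PDE[0] -> page table at physical 0x2000, flags present|rw|user
    struct.pack_into("<I", img, 1 * PAGE + 0 * 4, 0x2000 | 0x7)
    # PTE[0x10] -> physical page 0x5000, flags present|rw|user
    struct.pack_into("<I", img, 2 * PAGE + 0x10 * 4, 0x5000 | 0x7)
    img[0x5000:0x5004] = b"MZ\x90\x00"   # start of a PE image mapped there
    return bytes(img)

def v2p(img, cr3, va):
    """Translate a virtual address through the page directory at physical
    address cr3 (x86, 4 KiB pages, no PAE). Returns None if not present."""
    pde = struct.unpack_from("<I", img, cr3 + ((va >> 22) & 0x3FF) * 4)[0]
    if not pde & 1:
        return None
    if pde & 0x80:                      # PSE: 4 MiB large page, no page table
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pt = pde & 0xFFFFF000
    pte = struct.unpack_from("<I", img, pt + ((va >> 12) & 0x3FF) * 4)[0]
    if not pte & 1:
        return None
    return (pte & 0xFFFFF000) | (va & 0xFFF)

def kernel_v2p_linux(va, highmem_limit=896 << 20):
    """Linux lowmem direct map: pa = va - PAGE_OFFSET (0xC0000000).
    Kernel addresses above the lowmem window (HIGHMEM) are not direct-mapped."""
    if va < LINUX_KERNEL_BASE or va - LINUX_KERNEL_BASE >= highmem_limit:
        return None
    return va - LINUX_KERNEL_BASE

def read_va(img, cr3, va, n):
    """Read n bytes at a user-mode virtual address (n must stay inside one page)."""
    pa = v2p(img, cr3, va)
    return None if pa is None else img[pa:pa + n]

if __name__ == "__main__":
    image = build_image()
    print(hex(v2p(image, 0x1000, 0x10000)), read_va(image, 0x1000, 0x10000, 4))
```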
Integrity verification
Recovered file
Original file
IAT in .rdata
Original file
kd> u 0x77e42cd1
kernel32!GetModuleHandleA:
77e42cd1 837c240400   cmp
77e42cd6 7418         jz
77e42cd8 ff742404     push
...
Recovered file
Grepping Objects
Objects like Driver, Device or Process have static signatures
Data inside object
Data outside object
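Cross-view detection of the DKOM unlinking shown in the FU slide, as an added Python example (not the speaker's tool): a constructed image holds four process blocks that carry a fixed signature plus FLINK/BLINK fields, one block is unlinked the way the slide describes, and the list walk is compared against a signature scan ("grepping objects"). The block layout, the signature and the identity-mapped addresses are assumptions made for the example.

```python
import struct

SIG = b"PROC"   # constructed object signature ("data inside object")
BLOCK = 32      # SIG(4) FLINK(4) BLINK(4) PID(4) NAME(16)

def make_block(flink, blink, pid, name):
    return SIG + struct.pack("<III", flink, blink, pid) + name.ljust(16, b"\0")

def build_image(hide_pid=None):
    """Constructed image: four process blocks at 0x100..0x400 (identity-mapped
    for simplicity), circularly linked; block 0 (System) is the list head."""
    addrs = [0x100, 0x200, 0x300, 0x400]
    procs = [(4, b"System"), (100, b"lsass.exe"), (200, b"evil.exe"), (300, b"cmd.exe")]
    img = bytearray(0x600)
    for i, a in enumerate(addrs):
        img[a:a + BLOCK] = make_block(addrs[(i + 1) % 4], addrs[i - 1], *procs[i])
    if hide_pid is not None:
        # DKOM-style unlink: the neighbours skip the block, the block itself stays
        i = [p for p, _ in procs].index(hide_pid)
        prev, nxt = addrs[i - 1], addrs[(i + 1) % 4]
        struct.pack_into("<I", img, prev + 4, nxt)   # prev.FLINK = next
        struct.pack_into("<I", img, nxt + 8, prev)   # next.BLINK = prev
    return bytes(img)

def parse(img, a):
    flink, blink, pid = struct.unpack_from("<III", img, a + 4)
    return {"addr": a, "flink": flink, "blink": blink, "pid": pid,
            "name": img[a + 16:a + 32].rstrip(b"\0").decode()}

def walk_list(img, head):
    """List view: follow FLINK from the head until it wraps around
    (what a tool that trusts the doubly linked list reports)."""
    seen, a = [], head
    while a not in [p["addr"] for p in seen]:
        seen.append(parse(img, a))
        a = seen[-1]["flink"]
    return seen

def grep_objects(img):
    """Scan view: every block carrying the signature, linked or not."""
    return [parse(img, i) for i in range(0, len(img) - BLOCK + 1, 4) if img[i:i + 4] == SIG]

def hidden_processes(img, head):
    """Cross-view: objects the scan finds that the list walk never reaches."""
    listed = {p["addr"] for p in walk_list(img, head)}
    return [p for p in grep_objects(img) if p["addr"] not in listed]

if __name__ == "__main__":
    for p in hidden_processes(build_image(hide_pid=200), 0x100):
        print("hidden: pid %d %s at 0x%x" % (p["pid"], p["name"], p["addr"]))
```

The unlinked block's own FLINK/BLINK still point at its former neighbours, which is a second inconsistency worth reporting when the scan finds it.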
025687 Active / Modified
DEMO
Detours
Jump instructions
Cross-view verification
.text sections of core kernel components
values stored in internal kernel tables (e.g. SCT)
SSDT
Verification of core functions by comparing first few bytes
Self-modifying kernel code
ntoskrnl.exe & hal.dll
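The "first few bytes" check from the slide, as an added Python example (not the speaker's WMFT code): the prologue of a function recovered from the memory image is compared with the same bytes in the original file, short jump detours are decoded to their target, and any other difference is only flagged for review, since the slide notes that ntoskrnl.exe and hal.dll contain self-modifying code. The function name, byte strings, virtual address and module range are constructed for the example.

```python
import struct

def decode_hook_target(code, va):
    """Decode the jump instructions typically patched over a function start.
    Returns the jump target VA, or None if the bytes are not such a detour."""
    if len(code) >= 5 and code[0] == 0xE9:                    # JMP rel32
        return (va + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # PUSH imm32 ; RET
        return struct.unpack_from("<I", code, 1)[0]
    return None

def verify_function(name, recovered, original, va, module_range, n=8):
    """Cross-view check of one function: first n bytes from the memory image
    against the first n bytes of the original file mapped at the same VA."""
    if recovered[:n] == original[:n]:
        return {"function": name, "status": "clean"}
    target = decode_hook_target(recovered, va)
    if target is None:
        # Bytes differ but no recognised jump: relocation, self-modifying kernel
        # code (ntoskrnl.exe/hal.dll) or an unusual patch; needs manual review
        return {"function": name, "status": "modified", "target": None}
    lo, hi = module_range
    where = "inside module" if lo <= target < hi else "outside module"
    return {"function": name, "status": "detour", "target": target, "where": where}

def verify_table(entries, module_range):
    """Run the check over a table of (name, va, recovered, original) entries,
    e.g. the functions an SSDT points at. Returns only the non-clean results."""
    results = (verify_function(n, r, o, va, module_range) for n, va, r, o in entries)
    return [res for res in results if res["status"] != "clean"]

if __name__ == "__main__":
    # Constructed values: a common Microsoft prologue (mov edi,edi; push ebp; mov ebp,esp)
    # and the same function after a JMP rel32 was written over it.
    orig = b"\x8b\xff\x55\x8b\xec\x83\xec\x10"
    hooked = b"\xe9\x1d\x22\xc2\x77\x83\xec\x10"
    for res in verify_table([("NtOpenProcess", 0x80501234, hooked, orig)],
                            (0x80400000, 0x80700000)):
        print(res)
```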
Finding an address of KiServiceTable
Memory image file: _KTHREAD (TCB)
*ServiceTable = 80567940
Available tools
Debugging tools (kcore & crashdump)
Analysis of Windows memory images
KNTTools by George M. Garner Jr.
KNTDD & KNTLIST
KNTTOOLS
KNTDD
MS Windows 2000SP4/XP+/2003+/Vista
Conversion to MS crash dump format
KNTLIST
Information about system configuration
WMFT
Support for Windows XP & 2003
Functionality
Enumerating processes, modules, libraries (doubly linked list)
Finding hidden data processes and modules (grepping objects & correlating pages)
Verifying integrity of functions
Dumping process image file and modules
Detailed info about processes
Access Token, Handle Table, Control Area & Subsections, etc
To do:
The disassembly functionality
Support for Vista
Conclusion
Memory analysis as an integral part of Forensic Analysis
Evidence found in physical memory can be used to reconstruct crimes:
Temporal (when)
Relational (who, what, where)
Functional (how)
Q&A
Thank you.
http://forensic.seccure.net