Advanced Memory Forensics


What we’re covering today…

• Increasing demand for memory analysis skills
• Evolution of FOR526 course objectives
• New bootcamp format (0900-1900)
• Annual 2018 Update additions
• Expansion of daily NetWars challenges
• Support from student feedback
• Artifact research & plugin development
• FOR526 tools arsenal
The Need for Memory Analysis Skills, for All Cybersecurity Professionals
Challenges: Increasingly Advanced Threat Landscape
• Evasive Memory-Only Malware Variants
• Effective Cleanup Routines of Malicious Code
• Privacy Cleaners, Anti-Forensics, and Data Destruction Tools
• Increased Use of Encryption and Private Browsing Modes

Goals: What you should learn by the end of the course

• Live Memory Analysis and Acquisition
• Windows Memory Structure Analysis
• Code Injection Detection by Various Methods
• Kernel and Usermode Rootkit Behavior Detection
• Hibernation File, Pagefile and Crash Dump Analysis

sans.org/for526
FOR526: Advanced Memory Analysis & Threat Detection
A Technical Specialty Class
FOR526 authors have extensive experience in digital forensics/incident response
and offensive operations. This red team/blue team perspective frames the
hands-on labs and NetWars scenarios included throughout the six days.
Anti-forensics techniques implemented by attackers not only leave little residue on the file system but also keep a small footprint in memory. Security analysts triage systems using data acquired from memory to determine evidence of execution and misuse.

The data in live system memory is invaluable for both offense and defense.

Value of Live System Memory: Red Team vs Blue Team

"Offense": Internal Reconnaissance; Credential Harvesting; Memory Scraping; Deprecate/Bypass EDR
System Memory, the "shared battlefield": running processes, network connections, mounted devices, memory-mapped files
"Defense": Triage System State; Activity Reconstruction; Root Cause Analysis
If you are not analyzing memory, what are you missing?

• Running processes
• Views of the past
• Browser/IM history
• Metadata
• Full-content network packets
• Hidden processes, files, communication
• Encryption keys
• Injected code
• Unpacked versions of programs
• Memory-mapped files
• Registry keys/values
• Clipboard data
History of FOR526
Since the course launch in Aug 2012:
• 8 updates in the last 6 years
• Moved from academic to practitioner-based hands-on
• Expanded focus to include memory analysis of Windows, Linux & macOS
• Added Day 6: NetWars Challenge
• Distribution of Windows 10 Enterprise and Ubuntu SIFT VMs
Feedback from FOR526 Students, Q1 2017-Q2 2018
• “I think this class needs bootcamp.” SANS 2018 Orlando
• “Due to the lack of time the teacher has to go fast. I would prefer to stay 1 hour more and go deeper into several topics; some content is complex and needs more time to be understood.” London May 18
• “Definitely more NetWars in the afternoon. If possible, I would like to have NetWars every day in the afternoon.” Prague 2017
• “Daily Challenges really help cement knowledge going through the course.” London May 18
• “NetWars was really great.” Day 4, London May 18
• “Add a new rating choice - Amazing!” Day 6, London May 18
• “Sometimes too much guided [exercises]” London May 18
6-Day Bootcamp Course Agenda

Section 1: Foundations in Memory Analysis and Acquisition
Section 2: Unstructured Analysis and Process Exploration
Section 3: Malicious Code Detection Methods
Section 4: Investigating the User via Memory Artifacts
Section 5: Platforms Other than Windows
Section 6: Final NetWars Tournament

FOR526 | Advanced Memory Forensics and Threat Detection


FOR526 Content Layout: Bootcamp Format (Update 18)

Day 1: Foundations in Memory Analysis and Acquisition
• Intro to Memory Forensics
• Windows Memory Management
• Volatility Framework
• Lab: Process Hiding
• Triage & Acquisition
• Virtualized Memory Management Implementations
• Lab: Rekall Live Analysis
• Hibernation File/Baseline Analysis
• Lab: Hibernation File Analysis
• Bootcamp: In-line Exercise

Day 2: Unstructured Analysis & Process Exploration
• Unstructured Analysis of Memory
• Lab: Bulk Extractor
• Page File Analysis
• YARA Rules Creation & Application
• Lab: Page File Analysis
• Windows Internals (Process Deep-dive)
• Combatting Anti-analysis Techniques
• Lab: Volshell PE File Extraction
• Additional Threat Detection Techniques (Step 1)
• Bootcamp: In-line Exercise

Day 3: Malicious Code Detection Methods
• Pool Memory / Kernel Objects Analysis & Deciphering Volatility Plugins
• Lab: Plugin Development
• Dynamic Link Libraries
• Lab: Analysis of Malicious DLLs
• Network Connections
• VAD Analysis
• Lab: Process Hollowing Detection & Analysis
• Code Injection Techniques and their Detection
• Bootcamp: Drivers

Day 4: Investigating the User via Memory Artifacts
• Crash Dump Acquisition & Windows Debugger Analysis
• Lab: Crash Dump Analysis
• Credential Harvesting Techniques
• Lab: Mimikatz with Windows Debugger
• Registry Forensics via Memory Analysis
• User Artifacts
• File System Artifacts
• Lab: Insider Investigation
• Mitre ATT&CK: Persistence

Day 5: Platforms Other Than Windows
• Linux Acquisition & Analysis
• Lab: Linux Acquisition and Analysis
• macOS Acquisition & Analysis
• Lab: Mac Memory Analysis
• Rootkit Implementations
• Lab: Rootkit Extraction
• Bootcamp: Day 6 NetWars Prep Time

Day 6: Memory Forensics NetWars
Daily NetWars Challenges

What’s New in FOR526?
• More case-study-oriented hands-on labs
• Extension challenges for advanced students
• Gamification for more muscle memory

Challenge Me!
• Phishing attack compromise with Java backdoor malware
• Hibernation file conversion & analysis
• File-system artifact recovery and application from memory
• Root-cause analysis
• NetWars scoreboards for Days 1-3 and Day 5
• Final NetWars Day 6 challenge


FOR526 Bootcamp Hours: Advanced Memory Forensics and Threat Detection

Day 1: Windows 10 (17134) hibernation file analysis; trivia questions
Day 2: Unstructured analysis of the pagefile; YARA rules creation & application
Day 3: PE file extraction with volshell; code injection detection and root cause
Day 4: Artifact research project (yara & plugin dev); Day 1-3 trivia and NetWars
Day 5: Detecting rootkits in Linux; review on macOS & Linux
Day 6: Memory Forensics NetWars competition

Daily “Level-Up” Challenges


Know Normal, Find Evil
• The Shadow Brokers dropped some exploits, tools, research and cheatsheets from the Equation Group
• Included: a known processes list and a known drivers list
• Jake authored two plugins that bring in these definitions: eqmodules (known drivers) and eqpslist (known processes)
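The idea behind eqpslist is a baseline comparison: everything in the process list is checked against a list of what is known to be normal, and whatever is left over gets the analyst's attention. The Python below is an added illustration of that approach, not the FOR526 plugin (the deck only shows it in screenshots), and it goes a little further than a name lookup: it also checks expected parents and singleton processes and flags names within one edit of a known name. The baseline sets and the pslist output are constructed for the example, not the Equation Group list.

```python
"""Know Normal, Find Evil: baseline comparison of a Volatility 2 pslist.

Added illustration, not the FOR526 eqpslist plugin. The baseline below is a
short constructed list of well-known Windows 10 processes and their normal
parents, not the Equation Group "known processes" list; the pslist text is
constructed as well.
"""
from collections import Counter

# Constructed baseline. Names are compared case-insensitively.
KNOWN_PROCESSES = {
    "system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "explorer.exe",
    "runtimebroker.exe", "taskhostw.exe", "dwm.exe",
}
# Expected parent by name. csrss.exe and wininit.exe are omitted on purpose:
# their parent is a smss.exe instance that has normally exited, so a lookup
# by PPID fails even on a clean system.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Processes that should exist exactly once on a Windows 10 host.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}

# Constructed sample of `vol.py ... pslist` output (Volatility 2 column layout).
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xffffe00001234040 System                    4      0    131        0 ------      0 2018-06-01 12:00:01 UTC+0000
0xffffe00001abc080 smss.exe                328      4      2       53 ------      0 2018-06-01 12:00:02 UTC+0000
0xffffe00001bcd080 csrss.exe               420    404     11      502      0      0 2018-06-01 12:00:04 UTC+0000
0xffffe00001cde080 wininit.exe             496    404      1       81      0      0 2018-06-01 12:00:04 UTC+0000
0xffffe00001def080 services.exe            612    496      7      310      0      0 2018-06-01 12:00:05 UTC+0000
0xffffe00001ef0080 lsass.exe               620    496      9     1012      0      0 2018-06-01 12:00:05 UTC+0000
0xffffe00002001080 svchost.exe             780    612     14      518      0      0 2018-06-01 12:00:06 UTC+0000
0xffffe00002112080 explorer.exe           2288   2160     61     2044      1      0 2018-06-01 12:01:10 UTC+0000
0xffffe00002223080 svch0st.exe            3404   2288      3       92      1      0 2018-06-01 12:07:33 UTC+0000
0xffffe00002334080 lsass.exe              3520   2288      2       41      1      0 2018-06-01 12:08:02 UTC+0000
0xffffe00002445080 updchk.exe             3612    780      1       27      1      0 2018-06-01 12:09:15 UTC+0000
"""


def parse_pslist(output):
    """Return {pid: (name, ppid)} from Volatility 2 pslist text; skips banner and header rows."""
    procs = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].startswith("0x") and parts[2].isdigit():
            procs[int(parts[2])] = (parts[1], int(parts[3]))
    return procs


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike names such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(pslist_output, known=KNOWN_PROCESSES, parents=EXPECTED_PARENT,
            singletons=SINGLETONS):
    """Return (pid, name, reason) tuples for every departure from the baseline."""
    procs = parse_pslist(pslist_output)
    counts = Counter(name.lower() for name, _ in procs.values())
    findings = []
    for pid, (name, ppid) in procs.items():
        lname = name.lower()
        if lname not in known:
            near = sorted(k for k in known if edit_distance(lname, k) == 1)
            reason = "unknown process" + (f", lookalike of {near[0]}" if near else "")
            findings.append((pid, name, reason))
            continue
        if lname in parents:
            parent = procs.get(ppid, ("<not running>", None))[0].lower()
            if parent != parents[lname]:
                findings.append((pid, name, f"parent is {parent}, expected {parents[lname]}"))
        if lname in singletons and counts[lname] > 1:
            findings.append((pid, name, f"{counts[lname]} instances, expected 1"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in analyze(SAMPLE_PSLIST):
        print(f"{pid:>6}  {name:<16} {reason}")
```

Against the constructed sample this flags the misspelled svch0st.exe, the second lsass.exe (wrong parent and a duplicate instance) and the unknown updchk.exe; the legitimate system processes pass. The same loop works on real `pslist` or `psscan` output saved to a file, and the baseline is the place to drop in an organization-specific known-good list.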
FOR526.3: Malicious Code Detection Methods
• Dynamic Link Libraries
• DLL Static Analysis via Memory
• Import Address Table Hash Analysis
• Exercise: Find ALL the Malware
• Overview of Volatility Plugin Creation
• Exercise: Volatility Plugin Development
• Network Activity Reconstruction
• Network Artifacts in Memory
• Virtual Address Descriptors
• Exercise: VAD Analysis: Stuxnet Deep Dive
• Code Injection Techniques and Detection
• Kernel Drivers
• Driver Stacking
• Driver Analysis and Extraction
• Persistence Mechanisms
• Exercise: Detecting Persistence Mechanisms
Artifact Research & Plugin Development
Example Research Project: Timeline Feature (Redstone 4)

• Introduced in the Windows 10 April 2018 Update (build 17134)
• Organizational-productivity “user experience” feature
• Allows easy access to recent documents and web pages from the last weeks/months
• Added as a feature of Task View
• Options can be set under Settings > Privacy > Activity
• Database location:

C:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\L.<profile>\ActivitiesCache.db
Windows 10 Forensic Analysis


Example Research Project: Timeline Feature (Redstone 4)
• Windows Search Service must be enabled
• Parse the ActivitiesCache.db with Eric Zimmerman’s WxTCmd: https://binaryforay.blogspot.com/2018/05/introducing-wxtcmd.html
• Parsing ActivitiesCache.db with WxTCmd (Activities table)


Step 1: Capture memory and convert to a raw dump
Acquire Win10 memory with your favorite acquisition tool, here winpmem:
c:\> winpmem-2.1.4.post.exe -o c:\cases\timeline.aff4

Volatility 2.6 does not parse AFF4 evidence files, and winpmem writes AFF4, so the image must be converted. Rekall’s imagecopy plugin writes a raw image:
$ rekal -f timeline.aff4 imagecopy --output-image="c:\\cases\\timeline.img"


Step 2: Determine the Volatility profile
Getting it wrong: parsing the dump with the generic Win10x64 profile yields poor results, because kernel structures change between Windows 10 builds and the profile has to match the build.
With the newest profiles for Volatility Framework 2.6, imageinfo identifies the proper profile:
$ vol.py -f timeline.img imageinfo


Step 2: Determine the Volatility profile: OS build number
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild
• Asset management tools should be tracking the CurrentBuild number of every host; build 17134 is the April 2018 Update and maps to the Win10x64_17134 profile.
• Querying the registry also provides this insight, on the live system or from the image itself (Volatility’s printkey plugin can read the CurrentVersion key out of the SOFTWARE hive).


Step 3: Identify process handles
Identify which process has an open handle to the ActivitiesCache.db file object with the handles plugin, restricting to File objects with -t and grepping for the file name:
$ vol.py -f timeline.img --profile=Win10x64_17134 handles -t File | grep Activities


Determine additional details (command line, path) about the owning process, svchost.exe -k unistacksvcgroup (PID 2860 in this image), with pstree -v:
$ vol.py -f timeline.img --profile=Win10x64_17134 pstree -v | grep -C5 2860


Step 3: Recover data from process memory
Dump the read/write sections of the svchost process and look for ActivitiesCache entries:
$ vol.py -f timeline.img --profile=Win10x64_17134 dumpwmem -p 2860 -D dumpRW
Note that dumpwmem is not among the plugins shipped with Volatility 2.6; the stock equivalents are vaddump (one file per VAD region, regardless of protection) and memdump (the whole addressable range as a single file), both taking the same -p and -D options.


Run strings over the dumped files, then search for a URL that appeared in the WxTCmd output (the “Rendition” key):
$ strings -f -td dumpRW/* > stringsRW.txt
$ grep Rendition stringsRW.txt | less
Identify keywords for a yarascan:
$ grep -C3 UserEngaged stringsRW.txt | less
GNU strings only extracts 7-bit ASCII by default; add a second pass with -el to pick up the UTF-16LE strings that Windows code uses for most of its text, or you will miss hits.
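The three parts of Step 3 (find the owning PID, sweep the dumped regions, turn the hits into a yarascan rule) are bookkeeping that is easy to script. The Python below is an added example, not course material or Volatility code: it parses `handles -t File` output to recover the PID, scans region dumps for keywords in both ASCII and UTF-16LE (the encoding a plain `strings` run misses), and emits a YARA rule that Volatility's yarascan accepts with -y. The handles text, region files, user name, offsets and file names are all constructed for the example.

```python
"""Triage helpers for the ActivitiesCache.db hunt described above.

Added example, not FOR526 course material and not part of Volatility:
parses `handles -t File` output to find the PID that owns the file object,
sweeps dumped process memory regions for keywords as ASCII and UTF-16LE,
and emits a YARA rule for `yarascan -y`. All sample data is constructed.
"""
import tempfile
from pathlib import Path

# Constructed sample of `vol.py ... handles -t File` output. The column layout
# follows Volatility 2.6; offsets, handle values and the user name are made up.
SAMPLE_HANDLES = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)             Pid             Handle             Access Type             Details
------------------ ------ ------------------ ------------------ ---------------- -------
0xffff9c8a1d2f3e40   2860              0x5a8           0x12019f File             \\Device\\HarddiskVolume3\\Users\\analyst\\AppData\\Local\\ConnectedDevicesPlatform\\L.analyst\\ActivitiesCache.db
0xffff9c8a1d2f4100   2860              0x5b0           0x12019f File             \\Device\\HarddiskVolume3\\Users\\analyst\\AppData\\Local\\ConnectedDevicesPlatform\\L.analyst\\ActivitiesCache.db-wal
0xffff9c8a1e00b2c0    912              0x1c4           0x100020 File             \\Device\\HarddiskVolume3\\Windows\\System32
"""


def owner_pids(handles_output, needle):
    """Distinct PIDs holding a File handle whose path contains `needle` (like `| grep Activities`).

    split(None, 5) keeps the Details column whole even when the path has spaces.
    """
    pids = []
    for line in handles_output.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or parts[4] != "File":
            continue
        pid = int(parts[1])
        if needle.lower() in parts[5].lower() and pid not in pids:
            pids.append(pid)
    return pids


def scan_regions(dump_dir, keywords):
    """Sweep every file in dump_dir for each keyword, as ASCII and as UTF-16LE.

    Returns (file name, decimal offset, encoding, keyword), the same facts
    `strings -f -td` reports, but including the wide strings that GNU strings
    only finds when run with -el.
    """
    hits = []
    for path in sorted(Path(dump_dir).iterdir()):
        data = path.read_bytes()
        for kw in keywords:
            for enc, needle in (("ascii", kw.encode("ascii")),
                                ("utf-16le", kw.encode("utf-16-le"))):
                pos = data.find(needle)
                while pos != -1:
                    hits.append((path.name, pos, enc, kw))
                    pos = data.find(needle, pos + 1)
    return hits


def yara_rule(keywords, name="activitiescache_fragments"):
    """Build a YARA rule matching any keyword in either encoding (`ascii wide`)."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, kw in enumerate(keywords):
        lines.append(f'        $s{i} = "{kw}" ascii wide')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def build_sample_regions(dump_dir):
    """Write two constructed region dumps (file names are illustrative only).

    Region A holds an ASCII JSON fragment with "Rendition" at offset 18;
    region B holds "UserEngaged" as UTF-16LE at offset 4, invisible to an
    ASCII-only strings run.
    """
    region_a = b"\x00" * 16 + b'{"Rendition":"https://example.test/doc.docx"}' + b"\x00" * 8
    region_b = b"\xff" * 4 + "UserEngaged".encode("utf-16-le") + b"\x00" * 8
    Path(dump_dir, "svchost.exe.2860.0x1a0000.dmp").write_bytes(region_a)
    Path(dump_dir, "svchost.exe.2860.0x2c0000.dmp").write_bytes(region_b)


def demo():
    """Run the whole triage on the constructed data; returns (pids, hits, rule)."""
    keywords = ["Rendition", "UserEngaged"]
    with tempfile.TemporaryDirectory() as dump_dir:
        build_sample_regions(dump_dir)
        hits = scan_regions(dump_dir, keywords)
    return owner_pids(SAMPLE_HANDLES, "Activities"), hits, yara_rule(keywords)


if __name__ == "__main__":
    pids, hits, rule = demo()
    print("owning PIDs:", pids)
    for name, offset, enc, kw in hits:
        print(f"{name}: {offset:>8d} {enc:<8} {kw}")
    print(rule)
```

Write the rule to a file and hand it to Volatility to confirm the hits against the image rather than the dumps: `vol.py -f timeline.img --profile=Win10x64_17134 yarascan -p 2860 -y rule.yar`. The `ascii wide` modifier is what makes the rule find the UTF-16LE copy of the keyword as well as the ASCII one.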


Frequently Asked Questions: “What tools will we use?”
Memory Forensics Weapons Arsenal
• Ubuntu and Win10 SIFT Workstations
• Volatility Memory Forensics Framework
• Rekall Memory Forensic Framework
• Hibernation Recon
• Bulk Extractor with packet carving
• Page_Brute with yara
• WinDbg: Windows Debugger


Hibernation Recon by Arsenal Recon
• Converts WinXP-Win10+ hibernation files and file slack to raw data dumps
• Carves $I30 and $ObjID entries from hiberfil.sys
Signature Detection: yara analysis
Crash Dump Analysis with Windows Debugger
Exercise: Crash Dump Analysis with WinDbg
The objective of this exercise is to analyze a Windows 10 active crash dump obtained from a potentially compromised system using Windows Debugger and determine the cause of the crash.

Lab Components
1. Open the crash dump with WinDbg.
2. Enumerate processes and loaded modules from the dump.
3. Using the SwishDbgExt WinDbg extension, obtain the list of loaded hives.
NetWars Day 6 Challenge: “May the odds be ever in your favor”
Tournament level progression (all levels, all modules: 2,460 points total)
• Level 1: Trivia Questions (100 pts) + Memory Images (780 pts); 150 points unlock Level 2
• Level 2: Memory Images (755 pts); 300 points unlock Level 3
• Level 3: Memory Images (825 pts)
SecEast FOR526: Day 6 NetWars Scoreboard #RESPECT
FOR526: Advanced Memory Forensics and Threat Detection
Upcoming runs: SANS London, 11-16 March 2019; SANS 2019 Orlando, 1-6 April 2019