Upload
takahiro-haruyama
View
7.861
Download
12
Embed Size (px)
Citation preview
Speaker Name and info
Windows Memory Forensic Analysis using EnCase®
Takahiro Haruyama,
Internet Initiative Japan Inc.
Speaker Name and info
Plan
• Memory Forensics Overview
• Acquisition Hands-on
• Analysis Hands-on
• Anti Memory Forensics
• Wrap-up
• Q&A
Speaker Name and info
For Starters
• Make sure the evidence for hands-on is valid – Name: WindowsMemoryForensics.L01
– MD5: f7fd702b3fefad14868a759946bf6ba3
• Prepare for hands-on tools – For acquisition
• WinEn (Check your EnCase-installed folder)
• MoonSols Windows Memory Toolkit Community Edition
– For analysis • Memory Forensic Toolkit EnScript Raw Image Analyzer EnScript
• Crash Dump Analyzer EnScript
– Other tool • GetEntropy EnScript
Speaker Name and info
Memory Forensics Overview
Speaker Name and info
Why Memory Forensics?
• Analyzing volatile data is more important than ever before
– Anti disk forensic methods by malwares
• Modifying file time stamps
• Wiping file content
• Running only in memory
– Erasing or moving data from user’s HDD
• Secure Web browsing
• Using cloud services
Speaker Name and info
Basic Flow of Memory Forensics
Target Machine
Investigator’s Machine
Memory Image File
1. Acquire RAM data as an image file
2. Parse and analyze the image offline
Speaker Name and info
Advantage to Memory Forensics
• Offline parsing a memory image doesn’t use system APIs
• Memory forensics can get – unallocated data (e.g., terminated process)
– data hidden by malware (e.g., hidden process)
7
Live Response
Tool
Memory Forensic Analysis Tool
Running Process
Hidden Process
Terminated Process
Allocated
Unallocated
Windows API
Parse binary image and extract information from it
Get information through system API
Speaker Name and info
Acquisition Hands-on
Speaker Name and info
Memory Acquisition
• EnScripts can analyze two memory image formats
– raw memory image (.bin)
– crash dump image (.dmp)
• raw memory image + debug info
• WinEn
– built-in acquisition tool of EnCase
– support format: raw image (but .E01)
• MoonSols Windows Memory Toolkit (win32/64dd)
– Free community Edition
– support format: raw image and crash dump image
Speaker Name and info
hands-on 1: Memory Acquisition
• WinEn – Specify the following options (on execution or
interactively) • -p : destination path and name to save (without extension) • -m : evidence name in EnCase view • -c : case number • -e : examiner name • -r : evidence number • -d : compression level (0=None, 1=better, 2=best)
• MoonSols Windows Memory Toolkit – Execute win32dd.exe or win64dd.exe
• /f : destination path and name to save (with extension) • /d : Microsoft Crash Dump Format
Speaker Name and info
Analysis Hands-on
Speaker Name and info
Analysis EnScripts
• For raw image
– Raw Image Analyzer (RIA)
• Porting of Volatility Framework
• Newly Added function – Keyword search specifying multilingual codepages
– Calculate entropy values of processes and VADs
• Support x86 Windows XP/2003/7
• For crash dump image
– Crash Dump Analyzer (CDA)
• Support x86 XP/2003/7 and x64 2003/2008/7
Speaker Name and info
hands-on 2: Memory Analysis (Raw)
• Drag and drop raw image files into EnCase • Blue-check one entry in Table Pane
– Don’t blue-check folders
• Make sure your image’s OS version and expand folders of RIA in Filter Pane
• Run the following scripts – PsList: List all processes – KMList: List all kernel modules – DllList: List all DLLs loaded by a specified process – OpenFiles: List all files opened by a specified process – ProcDump: Extract an executable of a specified process
Speaker Name and info
hands-on 3: Memory Analysis (Raw)
• Blue-check hands-on3_DKOM_XPx86.bin in WindowsMemoryForensics.L01
• Run PsList and PsScan
• Any difference?
Speaker Name and info
Two Memory Analyzing Methods*1
• Tree & List Traversal
– Emulate data access performed by OS
• Translate virtual addresses to physical ones
• Traverse kernel data structure using address pointers
• Object Fingerprint Search
– Carve signatures of kernel objects
• Search data using signatures (e.g., _EPROCESS)
• Validate search-hit data
*1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/ forensics-waits-live-memory-forensics-doha-feb-08.pdf
Speaker Name and info
Two Memory Analyzing Methods*1
• Tree & List Traversal
– Emulate data access performed by OS
• Translate virtual addresses to physical ones
• Traverse kernel data structure using address pointers
• Object Fingerprint Search
– Carve signatures of kernel objects
• Search data using signatures (e.g., _EPROCESS)
• Validate search-hit data
*1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/ forensics-waits-live-memory-forensics-doha-feb-08.pdf
Speaker Name and info
IA32(x86) Address Translation
OS loads Directory Table Base (Start physical address for
address translation) into Control Register (CR3)
How PAE X86 Works http://technet.microsoft.com/en-us/library/cc736309(WS.10).aspx
17
Speaker Name and info
Implementation: Finding Directory Table Base of Windows Kernel
• OS switches its context by loading Directory Table Base (DTB) of each process – DTB is stored in each process object (_EPROCESS)
• Tree & List Traversal method of RIA scans _EPROCESS signature and get DTB of “Idle” process – Idle process is running in kernel space – The signature changes per OS versions
_EPROCESS Signature
Process ID:0 Process Name:Idle
DTB of Kernel
Speaker Name and info
PsActiveProcessHead
Key Address for Traversal
• Windows has key virtual addresses of various structures – Lead addresses for linked lists
• e.g., PsActiveProcessHead for a running process list
– Root addresses for binary trees • e.g., VadRoot (explain later) for process address space
_EPROCESS “System”
_EPROCESS “smss.exe”
_EPROCESS “win32dd.exe”
FLINK
BLINK
FLINK
BLINK
FLINK
BLINK
FLINK
BLINK
...
...
...
Speaker Name and info
Implementation: Finding Key Addresses for Traversal
*2 Finding some non-exported kernel variables in Windows XP http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf
• Use debug structure
– Kernel Processor Control Region (KPCR)*2
1. Get an address pointer to _ KDDEBUGGER_DATA32 from _KPCR – In Windows XP, the address of _KPCR is fixed (e.g., 0xFFDFF000)
– Not fixed in Windows 7, so guessing is needed!
2. Get address pointers to the following key addresses from _KDDEBUGGER_DATA32 – PsActiveProcessHead (lead address of running processes)
– PsLoadedModuleList (lead address of currently loaded kernel modules)
Speaker Name and info
Two Memory Analyzing Methods*1
• Tree & List Traversal
– Emulate data access performed by OS
• Translate virtual addresses to physical ones
• Traverse kernel data structure using address pointers
• Object Fingerprint Search
– Carve signatures of kernel objects
• Search data using signatures (e.g., _EPROCESS)
• Validate search-hit data
*1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/ forensics-waits-live-memory-forensics-doha-feb-08.pdf
Speaker Name and info
Implementation: Object Fingerprint Search
1. Search signatures of headers – e.g., _OBJECT_HEADER/_DISPATCHER_HEADER/_POOL_HEADER
– EnScripts use pooltag in _POOL_HEADER • 4-bytes value defined for each object (e.g., “Proc” for process object)
2. Validate search hit results – Check values included in headers
– Check values included in objects (content)
_Pool_HEADER (0x8 Bytes)
_OBJECT_HEADER (0x20 Bytes)
_EPROCESS (0x260 Bytes)
Size and offset of headers/objects depend on OS version
Speaker Name and info
Comparison of Two Methods
- Miss unlinked objects
(e.g., DKOM)
- Unstable
- Short time
- No noise
- Get information from pointers
(e.g., process commandline)
- Long time
- Noisy
- Find unlinked objects
- Robust
cons pros
Tree & list traversal
Object “fingerprint” searches
Speaker Name and info
Memory Forensic EnScripts Usage Note
• Address translation and data size vary according to machine architecture (32-bit/64-bit)
• Kernel data offset/structures vary according to OS versions (XP/7/2003/2008)
• Which analyzing methods each EnScript uses?
Tree & List Traversal
Object Fingerprint Search
Others Library (Not Executed)
PsList KMList DllList OpenFiles ProcDump VadSearch VadDump PsEntropyPEB PsEntropyVAD
PsScan KMScan ConnScan
DMP_Info x86 x86dmp x64dmp Win32 Win64 Vtypes
Speaker Name and info
hands-on 4: Memory Analysis (Raw)
• Blue-check hands-on4_ExitProcess_XPx86.vmem in WindowsMemoryForensics.L01
• How many processes were dropped from dw8.exe?
Speaker Name and info
hands-on 5: Memory Analysis (Crash Dump)
• Blue-check hands-on5_DeviceReservedSpace_XPx86.dmp in WindowsMemoryForensics.L01 or dmp file generated by you
• Execute some modules in RIA
Speaker Name and info
Difference between Raw Image and Crash Dump
• Crash dump file doesn’t include – 1st Page – Pages reserved by devices
• The file offset is different from the physical address
Run[0] BasePage = 0x1, PageCount = 0x9e
Run[1] BasePage = 0x100, PageCount = 0xeff
Run[2] BasePage = 0x1000, PageCount = 0xeef0
Run[3] BasePage = 0xff00, PageCount = 0x100
1st Page (BIOS Reserved)
Address Space Reserved by Devices (Not Included in crash dump)
Physical Memory Address Space
Speaker Name and info
Implementation: Crash Dump Analysis
• Tree & List Traversal – performs Two-stage address translation
• Virtual address -> physical address -> file offset
– Crash dump includes debug information in 1st page • DMP_Info module can parse it
– Stable execution • CDA never needs scanning/guessing to get the debug information
• Object Fingerprint Search – Almost same as RIA’s implementation
Kernel directory table base 32-bit crash dump signature
PsActiveProcessHead PsLoadedModuleList
Speaker Name and info
Searching/Dumping Process Memory Address Space
• Virtual Address Descriptor (VAD)
– Management information about process memory pages
– We can read process-specific data by traversing VAD tree
• loaded exe/dll image
• heap/stack data
Vad Root
StartingVpn(Start Address)
EndingVpn(End Address)
Parent
LeftChild
RightChild
VadS Vadl
_EPROCESS
Speaker Name and info
hands-on 6: Memory Acquisition & Analysis (VadSearch)
• Blue-check the crash dump acquired in hands-on
• Make sure the target process ID by PsList
• Configure your keywords and blue-check them
• Run VadSearch
– Specify the process ID to search
• Make sure the result in Bookmark tab
Speaker Name and info
hands-on 7: Memory Acquisition & Analysis (VadDump)
• Blue-check hands-on7_VadDump_XPx86.vmem in WindowsMemoryForensics.L01
• Run VadDump of RIA
– Select a specific process (winlogon.exe, PID:644)
– Dump only code-injected memory pages
• VadDump checks protection flag of VAD *3
• Scan code-injected memory pages using VirusTotal
*3 “Code Injection and the VAD”, Malware Analyst Cookbook p.610
Speaker Name and info
Entropy *4
• Entropy stands for randomness of data
• We can detect similar files by calculating Entropy
255
0
2 )(logi
ii PPH
0000000000000000000000000000000000000000000 Entropy = 0
010101010101010101 010101010101010101 Entropy = 1
012345678901234567890123456789012345678901 Entropy = 8
only 1 value
two values
totally random
*4 “Utilizing Entropy to Identify Undetected Malware” http://image.lifeservant.com/siteuploadfiles/VSYM/99B5C5E7-8B46 -4D14-A53EB8FD1CEEB2BC/43C34073-C29A-8FCE-4B653DBE35B934F7.pdf
Speaker Name and info
hands-on 8: Memory Analysis (PsEntropy*)
• Blue-check hands-on8_Entropy_XPx86.dmp in WindowsMemoryForensics.L01
• Run PsEntropyPEB
– uncheck Matching Mode
– make sure entropy values of notepad.exe, notepad_3bytes_diff.exe and notepad_packed.exe
• PsEntropyVAD
– PsEntropyVAD calculates Entropy values of code-injected memory pages (experimental)
Speaker Name and info
Anti Memory Forensics
Speaker Name and info
hands-on 9: Memory Analysis (Anti Memory Forensics)
• Blue-check hands-on9_AMF_XPx86.bin in WindowsMemoryForensics.L01
• Run PsList and PsScan of RIA
• Blue-check hands-on9_AMF_XPx86.dmp in WindowsMemoryForensics.L01
• Run PsList of CDA
• Did you find any error or any suspicious processes? Why?
Speaker Name and info
Anti Memory Forensic Methods (1)
• Exploit Analyzing methods – Tree & List Traversal
• Disable traversing – Hands-on 9: rename “Idle” process name
» Prevention: use CDA instead of RIA
• Cause false negatives – Hands-on 3: Direct Kernel Object Manipulation (DKOM)
» Prevention: use Object Fingerprint Search
– Object Fingerprint Search • Cause false positives
– Hands-on 9: Insert decoy signatures » Prevention: any idea? ( The file offset is one measure. )
_EPROCESS “System”
_EPROCESS “malware.exe”
_EPROCESS “win32dd.exe”
FLINK
BLINK
FLINK
BLINK
FLINK
BLINK
...
malicious process unlinked by DKOM
Speaker Name and info
Anti Memory Forensic Methods (2)
• Other methods
– Disturb correct memory acquisition
• e.g., Shadow Walker – Prevention: cannot prevent but detect by checking IDT hook
– Leave nothing in RAM
• Hook Model-Specific Register (MSR) – Windows uses MSR for system calls
• VMM/SMM rootkit – Run on Ring -1 or below
Speaker Name and info
Wrap-up
Speaker Name and info
Wrap-up
• Memory Forensics can get unallocated/hidden data by parsing memory image offline
• Two analyzing methods – You should know pros and cons of the two methods
• The implementation depends on image format – I recommend to acquire/analyze crash dump image
• Remember Memory Forensics is not good at everything
• Use multiple analysis tools for validation
Speaker Name and info
Example: TCP connections in Windows 7
Memorze output
EnScript output netstat output log
Speaker Name and info
Appendix: Comparison of Analysis Tools
EnCase EnScript
Volatility Framework
HBGary Responder
FTK Memoryze
Support Windows OS
XP/2003/7/ 2008
XP/Vista/7/ 2008
All All All
Support Image Format
Raw Crash dump
Raw Crash dump Hibernation
Raw Raw Raw
Support Architecture
Intel x86 AMD x64
Intel x86 Intel x86 AMD x64
Intel x86 AMD x64
Intel x86 AMD x64
Implementation T & O T & O T T & O? T & O?
Swap Analysis Not support Not support Support Support Not support
Feature Multilingual keyword search, Entropy
Many kinds of plugin
Digital DNA, static code
analysis
Fuzzy Hash, diffing
between images
Malware Rating Index
T = Tree & list traversal O = Object “fingerprint” searches
Speaker Name and info
Q&A