Page 1: Windows Memory Forensic Analysis using EnCase

Windows Memory Forensic Analysis using EnCase®

Takahiro Haruyama, Internet Initiative Japan Inc.

Page 2: Windows Memory Forensic Analysis using EnCase

Plan

• Memory Forensics Overview

• Acquisition Hands-on

• Analysis Hands-on

• Anti Memory Forensics

• Wrap-up

• Q&A

Page 3: Windows Memory Forensic Analysis using EnCase

For Starters

• Make sure the evidence for the hands-on is valid
  – Name: WindowsMemoryForensics.L01
  – MD5: f7fd702b3fefad14868a759946bf6ba3
• Prepare the hands-on tools
  – For acquisition
    • WinEn (check your EnCase installation folder)
    • MoonSols Windows Memory Toolkit Community Edition
  – For analysis
    • Memory Forensic Toolkit EnScript
      – Raw Image Analyzer EnScript
      – Crash Dump Analyzer EnScript
  – Other tool
    • GetEntropy EnScript

Page 4: Windows Memory Forensic Analysis using EnCase

Memory Forensics Overview

Page 5: Windows Memory Forensic Analysis using EnCase

Why Memory Forensics?

• Analyzing volatile data is more important than ever before
  – Anti-disk-forensic methods used by malware
    • Modifying file time stamps
    • Wiping file content
    • Running only in memory
  – Erasing or moving data away from the user’s HDD
    • Secure Web browsing
    • Using cloud services

Page 6: Windows Memory Forensic Analysis using EnCase

Basic Flow of Memory Forensics

[Figure: Target Machine → Memory Image File → Investigator’s Machine]

1. Acquire RAM data as an image file
2. Parse and analyze the image offline

Page 7: Windows Memory Forensic Analysis using EnCase

Advantages of Memory Forensics

• Parsing a memory image offline doesn’t use system APIs
• Memory forensics can get
  – unallocated data (e.g., terminated process)
  – data hidden by malware (e.g., hidden process)

[Figure: a live response tool gets information through the Windows API and sees only running (allocated) processes; a memory forensic analysis tool parses the binary image and extracts information from it, so it can also recover hidden processes and terminated (unallocated) processes]

Page 8: Windows Memory Forensic Analysis using EnCase

Acquisition Hands-on

Page 9: Windows Memory Forensic Analysis using EnCase

Memory Acquisition

• The EnScripts can analyze two memory image formats
  – raw memory image (.bin)
  – crash dump image (.dmp)
    • raw memory image + debug info
• WinEn
  – built-in acquisition tool of EnCase
  – supported format: raw image (stored in an .E01 evidence file)
• MoonSols Windows Memory Toolkit (win32dd/win64dd)
  – free Community Edition
  – supported formats: raw image and crash dump image

Page 10: Windows Memory Forensic Analysis using EnCase

hands-on 1: Memory Acquisition

• WinEn
  – Specify the following options (on execution or interactively)
    • -p : destination path and name to save (without extension)
    • -m : evidence name in EnCase view
    • -c : case number
    • -e : examiner name
    • -r : evidence number
    • -d : compression level (0=None, 1=better, 2=best)
• MoonSols Windows Memory Toolkit
  – Execute win32dd.exe or win64dd.exe
    • /f : destination path and name to save (with extension)
    • /d : Microsoft Crash Dump Format

Page 11: Windows Memory Forensic Analysis using EnCase

Analysis Hands-on

Page 12: Windows Memory Forensic Analysis using EnCase

Analysis EnScripts

• For raw images
  – Raw Image Analyzer (RIA)
    • Porting of the Volatility Framework
    • Newly added functions
      – Keyword search specifying multilingual codepages
      – Calculate entropy values of processes and VADs
    • Supports x86 Windows XP/2003/7
• For crash dump images
  – Crash Dump Analyzer (CDA)
    • Supports x86 XP/2003/7 and x64 2003/2008/7

Page 13: Windows Memory Forensic Analysis using EnCase

hands-on 2: Memory Analysis (Raw)

• Drag and drop raw image files into EnCase
• Blue-check one entry in the Table Pane
  – Don’t blue-check folders
• Make sure of your image’s OS version and expand the RIA folders in the Filter Pane
• Run the following scripts
  – PsList: list all processes
  – KMList: list all kernel modules
  – DllList: list all DLLs loaded by a specified process
  – OpenFiles: list all files opened by a specified process
  – ProcDump: extract the executable of a specified process

Page 14: Windows Memory Forensic Analysis using EnCase

hands-on 3: Memory Analysis (Raw)

• Blue-check hands-on3_DKOM_XPx86.bin in WindowsMemoryForensics.L01

• Run PsList and PsScan

• Any difference?

Page 15: Windows Memory Forensic Analysis using EnCase

Two Memory Analyzing Methods*1

• Tree & List Traversal
  – Emulate the data access performed by the OS
    • Translate virtual addresses to physical ones
    • Traverse kernel data structures using address pointers
• Object Fingerprint Search
  – Carve signatures of kernel objects
    • Search data using signatures (e.g., _EPROCESS)
    • Validate search-hit data

*1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/forensics-waits-live-memory-forensics-doha-feb-08.pdf

Page 17: Windows Memory Forensic Analysis using EnCase

IA32 (x86) Address Translation

The OS loads the Directory Table Base (the starting physical address for address translation) into Control Register 3 (CR3).

[Figure: PAE x86 page-table walk, from “How PAE X86 Works”, http://technet.microsoft.com/en-us/library/cc736309(WS.10).aspx]

Page 18: Windows Memory Forensic Analysis using EnCase

Implementation: Finding the Directory Table Base of the Windows Kernel

• The OS switches context by loading the Directory Table Base (DTB) of each process
  – The DTB is stored in each process object (_EPROCESS)
• The Tree & List Traversal method of RIA scans for the _EPROCESS signature and gets the DTB of the “Idle” process
  – The Idle process runs in kernel space
  – The signature changes per OS version

[Figure: _EPROCESS signature → Process ID: 0, Process Name: Idle → DTB of the kernel]

Page 19: Windows Memory Forensic Analysis using EnCase

Key Address for Traversal

• Windows has key virtual addresses of various structures
  – Lead addresses for linked lists
    • e.g., PsActiveProcessHead for the running process list
  – Root addresses for binary trees
    • e.g., VadRoot (explained later) for the process address space

[Figure: PsActiveProcessHead → _EPROCESS “System” ⇄ _EPROCESS “smss.exe” ⇄ ... ⇄ _EPROCESS “win32dd.exe”; each node is joined to its neighbours by FLINK/BLINK pointers in a circular doubly linked list]

Page 20: Windows Memory Forensic Analysis using EnCase

Implementation: Finding Key Addresses for Traversal

• Use a debug structure
  – Kernel Processor Control Region (KPCR)*2
    1. Get the address pointer to _KDDEBUGGER_DATA32 from _KPCR
      – In Windows XP, the address of _KPCR is fixed (e.g., 0xFFDFF000)
      – Not fixed in Windows 7, so guessing is needed!
    2. Get address pointers to the following key addresses from _KDDEBUGGER_DATA32
      – PsActiveProcessHead (lead address of running processes)
      – PsLoadedModuleList (lead address of currently loaded kernel modules)

*2 Finding some non-exported kernel variables in Windows XP, http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf

Page 22: Windows Memory Forensic Analysis using EnCase

Implementation: Object Fingerprint Search

1. Search for signatures of headers
  – e.g., _OBJECT_HEADER / _DISPATCHER_HEADER / _POOL_HEADER
  – The EnScripts use the pool tag in _POOL_HEADER
    • a 4-byte value defined for each object type (e.g., “Proc” for a process object)
2. Validate search-hit results
  – Check values included in the headers
  – Check values included in the objects (content)

[Figure: layout of a process allocation: _POOL_HEADER (0x8 bytes) → _OBJECT_HEADER (0x20 bytes) → _EPROCESS (0x260 bytes)]

Size and offset of headers/objects depend on the OS version

Page 23: Windows Memory Forensic Analysis using EnCase

Comparison of Two Methods

• Tree & list traversal
  – pros: short time, no noise, gets information from pointers (e.g., process command line)
  – cons: misses unlinked objects (e.g., DKOM), unstable
• Object “fingerprint” searches
  – pros: finds unlinked objects, robust
  – cons: long time, noisy
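The two methods from Pages 19, 22 and 23 side by side, as an added example that is not part of the slides or the EnScripts: a constructed XP-x86-style image holds four fake process objects, one of them unlinked from ActiveProcessLinks the way DKOM does; `pslist` walks the list from PsActiveProcessHead, while `psscan` carves “Proc” pool tags and validates the _POOL_HEADER before trusting a hit. The _EPROCESS field offsets, the pool header bitfield and the identity-mapped layout are assumptions stated in the code.

```python
import struct
# Sizes from the slides (Windows XP x86): _POOL_HEADER 0x8, _OBJECT_HEADER 0x20, _EPROCESS 0x260.
# _EPROCESS field offsets are the XP SP3 x86 values (UniqueProcessId 0x84, ActiveProcessLinks
# 0x88, ImageFileName 0x174). The constructed image is identity-mapped: offsets double as addresses.
POOL_HDR, OBJ_HDR, EPROC = 0x8, 0x20, 0x260
OFF_PID, OFF_LINKS, OFF_NAME = 0x84, 0x88, 0x174
HEAD = 0x100  # constructed location of PsActiveProcessHead (a _LIST_ENTRY)
MIN_BLOCK = POOL_HDR + OBJ_HDR + EPROC

def build_image(procs, unlinked=()):
    """One fake process object per page; PIDs in `unlinked` keep a valid pool
    header but are left out of ActiveProcessLinks, as DKOM hiding does."""
    img = bytearray(0x1000 * (len(procs) + 1))
    ring = [HEAD]
    for i, (pid, name) in enumerate(procs):
        base = 0x1000 * (i + 1)
        # x86 _POOL_HEADER: PreviousSize:9|PoolIndex:7|BlockSize:9|PoolType:7, then PoolTag;
        # BlockSize counts 8-byte units, PoolType 1 marks an allocated nonpaged block.
        struct.pack_into("<I4s", img, base, ((MIN_BLOCK // 8) << 16) | (1 << 25), b"Proc")
        ep = base + POOL_HDR + OBJ_HDR
        struct.pack_into("<I", img, ep + OFF_PID, pid)
        img[ep + OFF_NAME:ep + OFF_NAME + len(name)] = name
        if pid not in unlinked:
            ring.append(ep + OFF_LINKS)
    for j, e in enumerate(ring):  # wire the circular doubly linked list (FLINK, BLINK)
        struct.pack_into("<II", img, e, ring[(j + 1) % len(ring)], ring[j - 1])
    img[0x14:0x18] = b"Proc"  # decoy tag sitting on a zeroed (free) pool header
    return img

def read_proc(img, ep):
    pid = struct.unpack_from("<I", img, ep + OFF_PID)[0]
    return pid, bytes(img[ep + OFF_NAME:ep + OFF_NAME + 16]).split(b"\0")[0].decode()

def pslist(img):
    """Tree & list traversal: follow FLINK from PsActiveProcessHead until it wraps."""
    out, flink = [], struct.unpack_from("<I", img, HEAD)[0]
    while flink != HEAD:
        out.append(read_proc(img, flink - OFF_LINKS))
        flink = struct.unpack_from("<I", img, flink)[0]
    return out

def psscan(img):
    """Object fingerprint search: carve 'Proc' tags, keep only allocated blocks big enough for an _EPROCESS."""
    out = []
    for off in range(0, len(img) - MIN_BLOCK, 8):  # pool blocks are 8-byte aligned
        bits = struct.unpack_from("<I", img, off)[0]
        block, ptype = ((bits >> 16) & 0x1FF) * 8, (bits >> 25) & 0x7F
        if img[off + 4:off + 8] == b"Proc" and ptype and block >= MIN_BLOCK:
            out.append(read_proc(img, off + POOL_HDR + OBJ_HDR))
    return out
```

Comparing the two result sets is the cross-check behind hands-on 3: anything psscan finds that pslist does not is either a terminated process or a hidden one. A decoy with a fully valid header would still pass the scan's checks, which is the false-positive problem Page 36 raises.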

Page 24: Windows Memory Forensic Analysis using EnCase

Memory Forensic EnScripts Usage Note

• Address translation and data sizes vary according to the machine architecture (32-bit/64-bit)
• Kernel data offsets/structures vary according to the OS version (XP/7/2003/2008)
• Which analyzing method does each EnScript use?
  – Tree & List Traversal: PsList, KMList, DllList, OpenFiles, ProcDump, VadSearch, VadDump, PsEntropyPEB, PsEntropyVAD
  – Object Fingerprint Search: PsScan, KMScan, ConnScan
  – Others: DMP_Info
  – Library (not executed): x86, x86dmp, x64dmp, Win32, Win64, Vtypes

Page 25: Windows Memory Forensic Analysis using EnCase

hands-on 4: Memory Analysis (Raw)

• Blue-check hands-on4_ExitProcess_XPx86.vmem in WindowsMemoryForensics.L01

• How many processes were dropped from dw8.exe?

Page 26: Windows Memory Forensic Analysis using EnCase

hands-on 5: Memory Analysis (Crash Dump)

• Blue-check hands-on5_DeviceReservedSpace_XPx86.dmp in WindowsMemoryForensics.L01, or the dmp file you generated yourself

• Execute some modules in RIA

Page 27: Windows Memory Forensic Analysis using EnCase

Difference between Raw Image and Crash Dump

• A crash dump file doesn’t include
  – the 1st page
  – pages reserved by devices
• The file offset is different from the physical address

Physical memory runs of the example crash dump:

Run[0] BasePage = 0x1, PageCount = 0x9e
Run[1] BasePage = 0x100, PageCount = 0xeff
Run[2] BasePage = 0x1000, PageCount = 0xeef0
Run[3] BasePage = 0xff00, PageCount = 0x100

[Figure: physical memory address space; the 1st page (BIOS reserved) and the address space reserved by devices between the runs are not included in the crash dump]

Page 28: Windows Memory Forensic Analysis using EnCase

Implementation: Crash Dump Analysis

• Tree & List Traversal
  – performs a two-stage address translation
    • virtual address -> physical address -> file offset
  – A crash dump includes debug information in its 1st page
    • The DMP_Info module can parse it
  – Stable execution
    • CDA never needs scanning/guessing to get the debug information
• Object Fingerprint Search
  – Almost the same as RIA’s implementation

[Figure: DMP_Info output: 32-bit crash dump signature, kernel directory table base, PsActiveProcessHead, PsLoadedModuleList]
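The second stage of the translation above, worked for the run table on the previous slide, as an added example that is not the CDA's code: physical address to dump file offset and back for a 32-bit crash dump, assuming 4 KB pages, a one-page dump header, and runs stored back to back in the order listed.

```python
PAGE = 0x1000  # x86 page size; the 32-bit crash dump header is assumed to fill one page

# Physical memory runs from the slide (BasePage, PageCount), in file order.
RUNS = [(0x1, 0x9e), (0x100, 0xeff), (0x1000, 0xeef0), (0xff00, 0x100)]

def phys_to_file_offset(paddr, runs=RUNS, header_pages=1):
    """Physical address -> dump file offset. Runs are stored back to back after
    the header, so a page's position in the file is the header size plus the
    pages of all earlier runs plus its position inside its own run. Returns
    None for physical pages the dump does not hold (page 0 and the
    device-reserved gaps between runs)."""
    page, in_page = divmod(paddr, PAGE)
    file_page = header_pages
    for base, count in runs:
        if base <= page < base + count:
            return (file_page + page - base) * PAGE + in_page
        file_page += count
    return None

def file_offset_to_phys(offset, runs=RUNS, header_pages=1):
    """Inverse mapping: where in physical memory a hit carved at a file offset lies."""
    file_page, in_page = divmod(offset, PAGE)
    cursor = header_pages
    for base, count in runs:
        if cursor <= file_page < cursor + count:
            return (base + file_page - cursor) * PAGE + in_page
        cursor += count
    return None  # offset is inside the header or past the last run

def expected_dump_size(runs=RUNS, header_pages=1):
    """Header plus every run, in bytes: a quick sanity check on an acquired .dmp."""
    return (header_pages + sum(count for _, count in runs)) * PAGE
```

With this run table, physical page 0x9f (the first device-reserved page) has no file offset at all, while physical address 0x100000 sits at file offset 0x9f000 because only 0x9e pages precede it in the file.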

Page 29: Windows Memory Forensic Analysis using EnCase

Searching/Dumping Process Memory Address Space

• Virtual Address Descriptor (VAD)
  – Management information about process memory pages
  – We can read process-specific data by traversing the VAD tree
    • loaded exe/dll images
    • heap/stack data

[Figure: _EPROCESS → VadRoot → binary tree of VAD nodes (VadS / Vadl), each with StartingVpn (start address), EndingVpn (end address), Parent, LeftChild and RightChild]

Page 30: Windows Memory Forensic Analysis using EnCase

hands-on 6: Memory Acquisition & Analysis (VadSearch)

• Blue-check the crash dump acquired in the acquisition hands-on
• Make sure of the target process ID with PsList
• Configure your keywords and blue-check them
• Run VadSearch
  – Specify the process ID to search
• Check the result in the Bookmark tab

Page 31: Windows Memory Forensic Analysis using EnCase

hands-on 7: Memory Acquisition & Analysis (VadDump)

• Blue-check hands-on7_VadDump_XPx86.vmem in WindowsMemoryForensics.L01
• Run VadDump of RIA
  – Select a specific process (winlogon.exe, PID:644)
  – Dump only code-injected memory pages
    • VadDump checks the protection flag of the VAD*3
• Scan the code-injected memory pages using VirusTotal

*3 “Code Injection and the VAD”, Malware Analyst’s Cookbook, p. 610
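An added example (not VadDump's code) of the VAD tree traversal from Page 29 together with the protection-flag check this hands-on relies on: an in-order walk of a constructed VAD tree that flags private (VadS) regions mapped execute-read-write. The node fields mirror _MMVAD, the MM_* protection values are the x86 memory-manager constants, and the sample address space is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Windows memory-manager protection values (MM_* constants on x86);
# 6 = MM_EXECUTE_READWRITE is the protection the injected-code check looks for.
MM_READWRITE, MM_EXECUTE_READWRITE, MM_EXECUTE_WRITECOPY = 4, 6, 7

@dataclass
class Vad:
    """Constructed stand-in for an _MMVAD node; real nodes carry the same fields."""
    start_vpn: int        # StartingVpn: first virtual page number of the region
    end_vpn: int          # EndingVpn: last virtual page number (inclusive)
    protection: int       # u.VadFlags.Protection
    tag: str              # pool tag: "VadS" (private memory) or "Vad "/"Vadl" (mapped file)
    image: Optional[str] = None
    left: Optional["Vad"] = None   # LeftChild
    right: Optional["Vad"] = None  # RightChild

def walk(node):
    """In-order traversal of the VAD tree, yielding regions in ascending address order."""
    if node is not None:
        yield from walk(node.left)
        yield node
        yield from walk(node.right)

def region_bytes(v):
    """Convert the VPN range to a byte address range (4 KB pages)."""
    return v.start_vpn << 12, ((v.end_vpn + 1) << 12) - 1

def injected_regions(root):
    """The protection-flag check the slide attributes to VadDump: private (VadS)
    regions that are both executable and writable are candidates for injected
    code, since legitimate images are file-backed and mapped copy-on-write."""
    return [region_bytes(v) for v in walk(root)
            if v.tag == "VadS" and v.protection == MM_EXECUTE_READWRITE]

def sample_tree():
    """Constructed winlogon-like address space: two images, heap, stack, one injected region."""
    root = Vad(0x7c900, 0x7c9af, MM_EXECUTE_WRITECOPY, "Vad ", image="ntdll.dll")
    root.left = Vad(0x00090, 0x0018f, MM_READWRITE, "VadS")                  # heap
    root.left.left = Vad(0x00010, 0x0001f, MM_READWRITE, "VadS")             # stack
    root.left.right = Vad(0x00360, 0x0036f, MM_EXECUTE_READWRITE, "VadS")    # injected
    root.right = Vad(0x7e410, 0x7e4a0, MM_EXECUTE_WRITECOPY, "Vad ", image="user32.dll")
    return root
```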

Page 32: Windows Memory Forensic Analysis using EnCase

Entropy*4

• Entropy stands for the randomness of data
• We can detect similar files by calculating entropy

$$H = -\sum_{i=0}^{255} P_i \log_2 P_i$$

where $P_i$ is the relative frequency of byte value $i$ in the data.

0000000000000000000000000000000000000000000 → Entropy = 0 (only 1 value)
010101010101010101 010101010101010101 → Entropy = 1 (two values)
012345678901234567890123456789012345678901 → Entropy = 8 (totally random)

*4 “Utilizing Entropy to Identify Undetected Malware”, http://image.lifeservant.com/siteuploadfiles/VSYM/99B5C5E7-8B46-4D14-A53EB8FD1CEEB2BC/43C34073-C29A-8FCE-4B653DBE35B934F7.pdf
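The entropy formula above computed over bytes, as an added example that is not the GetEntropy or PsEntropy EnScript: it reproduces the slide's three cases and sketches an entropy-based similarity match like the one hands-on 8 exercises (the matching rule and the sample binaries are assumptions, not the EnScript's logic).

```python
import math
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, H = -sum_{i=0}^{255} P_i * log2(P_i),
    where P_i is the relative frequency of byte value i in `data`."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def slide_examples():
    """Constructed byte strings matching the slide's three cases."""
    return (entropy(b"\x00" * 43),              # only one value
            entropy(b"\x00\x01" * 18),          # two values, equally likely
            entropy(bytes(range(256)) * 4))     # all 256 values, uniformly

def similar_by_entropy(target: bytes, candidates: dict, tolerance: float = 0.02):
    """Entropy as a coarse similarity fingerprint, in the spirit of PsEntropyPEB's
    Matching Mode (an assumption about that mode, not its actual logic): a
    candidate matches when its entropy lies within `tolerance` bits of the target's."""
    t = entropy(target)
    return sorted(name for name, blob in candidates.items() if abs(entropy(blob) - t) <= tolerance)

def hands_on_8_like():
    """Constructed stand-ins for notepad.exe, a 3-byte-different copy and a packed copy."""
    notepad = bytes(i % 64 for i in range(4096))   # low-entropy 'code': 64 byte values
    patched = bytearray(notepad)
    patched[10:13] = b"\xff\xfe\xfd"               # three bytes differ from the original
    packed = bytes(range(256)) * 16                 # packer-like, near-uniform bytes
    return similar_by_entropy(notepad, {"notepad_3bytes_diff.exe": bytes(patched),
                                        "notepad_packed.exe": packed})
```

Three changed bytes move the entropy of a 4 KB file by well under 0.01 bit, so the patched copy still matches, while the packed copy, at close to 8 bits per byte, does not.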

Page 33: Windows Memory Forensic Analysis using EnCase

hands-on 8: Memory Analysis (PsEntropy*)

• Blue-check hands-on8_Entropy_XPx86.dmp in WindowsMemoryForensics.L01
• Run PsEntropyPEB
  – uncheck Matching Mode
  – compare the entropy values of notepad.exe, notepad_3bytes_diff.exe and notepad_packed.exe
• PsEntropyVAD
  – PsEntropyVAD calculates entropy values of code-injected memory pages (experimental)

Page 34: Windows Memory Forensic Analysis using EnCase

Anti Memory Forensics

Page 35: Windows Memory Forensic Analysis using EnCase

hands-on 9: Memory Analysis (Anti Memory Forensics)

• Blue-check hands-on9_AMF_XPx86.bin in WindowsMemoryForensics.L01

• Run PsList and PsScan of RIA

• Blue-check hands-on9_AMF_XPx86.dmp in WindowsMemoryForensics.L01

• Run PsList of CDA

• Did you find any error or any suspicious processes? Why?

Page 36: Windows Memory Forensic Analysis using EnCase

Anti Memory Forensic Methods (1)

• Exploit the analyzing methods
  – Tree & List Traversal
    • Disable traversing
      – Hands-on 9: rename the “Idle” process name
        » Prevention: use CDA instead of RIA
    • Cause false negatives
      – Hands-on 3: Direct Kernel Object Manipulation (DKOM)
        » Prevention: use Object Fingerprint Search
  – Object Fingerprint Search
    • Cause false positives
      – Hands-on 9: insert decoy signatures
        » Prevention: any idea? (The file offset is one measure.)

[Figure: _EPROCESS “System” ⇄ _EPROCESS “win32dd.exe” ⇄ ... joined by FLINK/BLINK pointers, with _EPROCESS “malware.exe” standing outside the list: a malicious process unlinked by DKOM]

Page 37: Windows Memory Forensic Analysis using EnCase

Anti Memory Forensic Methods (2)

• Other methods
  – Disturb correct memory acquisition
    • e.g., Shadow Walker
      – Prevention: cannot prevent, but can detect by checking for IDT hooks
  – Leave nothing in RAM
    • Hook a Model-Specific Register (MSR)
      – Windows uses an MSR for system calls
    • VMM/SMM rootkit
      – Runs at Ring -1 or below

Page 38: Windows Memory Forensic Analysis using EnCase

Wrap-up

Page 39: Windows Memory Forensic Analysis using EnCase

Wrap-up

• Memory forensics can get unallocated/hidden data by parsing a memory image offline
• Two analyzing methods
  – You should know the pros and cons of the two methods
• The implementation depends on the image format
  – I recommend acquiring/analyzing crash dump images
• Remember that memory forensics is not good at everything
• Use multiple analysis tools for validation

Page 40: Windows Memory Forensic Analysis using EnCase

Example: TCP connections in Windows 7

[Figure: side-by-side Memoryze output, EnScript output and a netstat output log]

Page 41: Windows Memory Forensic Analysis using EnCase

Appendix: Comparison of Analysis Tools

• EnCase EnScript
  – Supported Windows OS: XP/2003/7/2008
  – Supported image formats: Raw, Crash dump
  – Supported architectures: Intel x86, AMD x64
  – Implementation: T & O
  – Swap analysis: Not supported
  – Feature: Multilingual keyword search, Entropy
• Volatility Framework
  – Supported Windows OS: XP/Vista/7/2008
  – Supported image formats: Raw, Crash dump, Hibernation
  – Supported architectures: Intel x86
  – Implementation: T & O
  – Swap analysis: Not supported
  – Feature: Many kinds of plugins
• HBGary Responder
  – Supported Windows OS: All
  – Supported image formats: Raw
  – Supported architectures: Intel x86, AMD x64
  – Implementation: T
  – Swap analysis: Supported
  – Feature: Digital DNA, static code analysis
• FTK
  – Supported Windows OS: All
  – Supported image formats: Raw
  – Supported architectures: Intel x86, AMD x64
  – Implementation: T & O?
  – Swap analysis: Supported
  – Feature: Fuzzy Hash, diffing between images
• Memoryze
  – Supported Windows OS: All
  – Supported image formats: Raw
  – Supported architectures: Intel x86, AMD x64
  – Implementation: T & O?
  – Swap analysis: Not supported
  – Feature: Malware Rating Index

T = Tree & list traversal, O = Object “fingerprint” searches

Page 42: Windows Memory Forensic Analysis using EnCase

Q&A