DATA DUPLICATION VILLAGE - The Memory Remains: Cold Disk forensics 101

Video in TIB AV-Portal: DATA DUPLICATION VILLAGE - The Memory Remains: Cold Disk forensics 101

Formal Metadata

Title
DATA DUPLICATION VILLAGE - The Memory Remains: Cold Disk forensics 101
Alternative Title
Cold Drive Memory Forensics
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
Full disk images introduce large amounts of data into a forensic investigation. Still, certain evidence exists only in memory, especially when dealing with malware or fileless attacks designed to stay completely in memory and avoid hitting the disk, exactly for the purposes of avoiding detection and analysis by forensic examiners. Memory forensics is a rapidly growing field, offering many free tools for RAM analysis to uncover important evidence and further the case quickly. As it turns out, these tools can also be applied to a cold drive. Due to OS features such as hibernation, paging and swap space, data from memory ends up being written to disk and survives even when the machine is powered down. In this session, the presenter will introduce the challenges faced when investigations rely solely on disk images, in cases where live memory had not been captured. The audience will then learn how investigators can still benefit from memory forensics in such cases. The presenter will give a full walkthrough of applying techniques, discuss their benefits and limitations, and show examples of results.
Hey everyone, hopefully everybody's having fun at all the parties and DEF CON in general. So I'm going to give a talk today about doing memory forensics on cold drives. Has anyone here ever done that before? Okay, I see a couple of you, so don't give it away. Okay, awesome, so let's get started. So a little bit about myself: my name is Lior, I do blue team research for Demisto, playbooks, you know, operations, all of that stuff. Before that I used to do some reverse engineering, vulnerability research, malware research, and recently moved from Tel Aviv to the SF Bay Area, so, you know, still very cool guys, that's technical, like-minded people, cool and different DC group number, yeah. So I'm going to speak a little bit about memory forensics in general and hopefully convince you guys that although you have all these different tools, either commercial or open source, to do forensics on the drives you get during cases, it's still worthwhile to pull out the memory forensics tools and run those on your drives. So what is
your typical, you know, memory forensics process? First of all you need to get the bit copy of memory from whatever system. That can end up being a lot of data, especially in servers where you've got 64 gigs of RAM or above. I even did it once on, like, a 256 gig server and that was quite an experience. And then you need to somehow collect the file over to your analysis environment and that's very, you know, bandwidth consuming. That's why there's recently a trend of doing live forensics remotely, directly on the endpoint, and running your analysis tools on the endpoint you're investigating, and that has its own limitations, but in certain cases where you need to do a quick triage it might be, you know, cost prohibitive to copy the whole thing over. In our case we already have all the data on the drive and it's dead box essentially, so there's no issues around that, right? And then we need to somehow interpret those bits, so, you know, maybe you're some kind of a superhuman who can parse, you know, memory images in your head or with a hex editor or with, like, just a circuit analyzer or something, but most of us need some kind of tool to parse those structures out and figure out the state of the machine. And then we need to interpret the results, and for that you need to understand the OS you're investigating, all the different objects, and there's lots of funny edge cases with, like, exited processes or processes that didn't exit cleanly, things like that, so, you know, there's an experience that builds up over time. So why even do
memory forensics? Like, what's the actual motivation behind taking apart memory? Obviously there's a lot of undocumented structures, there's a lot of changes that get made to the OS, so it's very time and effort consuming to maintain all those tools and do that. So what are the motivations behind it? And in general
it's about creating, first of all, attacker costs, and it's also about attacker awareness. So most attackers know that they can be detected on disk if they leave some kind of evidence that can make it to an investigation. Fewer attackers know that they can be detected in memory, purely in memory, even if they don't hit the disk at all. And also it's harder to evade in memory, you need to take a lot more mechanisms into account, so by doing that you're actually forcing the attackers to create more evasions, to spend more time building their tools, which is always good to do. There's also certain evasion methods, such as, you know, unlinking processes, that's been around forever; if you do a scan of memory and you look for unlinked processes you can find that, same for network sockets. You can also find objects that are no longer really there at the time of the capture, so for example a socket that was created way back, even though it's not active, the object will still be in memory, so you can get that out, and that can give you, for example, the start time for a certain malware: if the first thing it does is call back home, you can pull out that timestamp and then you get a pivot point for your investigation. Also some malware will be packed on disk but it's much easier to dump it from memory, so certain mitigations that malware authors do to kind of evade scans will not be effective in memory, and obviously certain hooks in API calls etc., if you dump the entire structures from the OS you can detect those, right? So the
leading tool for parsing memory images is Volatility. There's also Rekall, which is an early fork of Volatility and that's managed by the Google team, and there's advantages to both. It's always better to use more than one tool; it's like, in general, as a general forensic practice, it's better to validate your findings. Volatility has a lot of very useful plugins that you can use to detect certain kinds of attacker activity and I'm going to go over a couple of them for now. So sometimes it's really as simple
as using what you already know. There is no need to go, you know, hours deep into an investigation just to later find out that it's actually something that's already well-known. So you can see a process list here, and can anyone spot what's wrong in here? By the way, right, the tasksche process there, that's a known WannaCry process name, and that's really all it takes. You say, oh okay, this might be WannaCry, better pull it out, pull the process out, analyze it, make sure whether it's really WannaCry or not, but you already found your first hit right there. So do the simple stuff first before you go into the deeper stuff, right?
Another example is using the psscan plugin that will get you all the process objects from memory. This is another state, this is actually a memory snapshot of Stuxnet, and can anyone spot what's wrong here? Have any of you analyzed Stuxnet before, kind of seen it? So there's more than one lsass process, and in a normal Windows machine that's not supposed to happen. So just by doing these simple checks you can already detect certain malware that's just trying to essentially hide in plain sight, fooling, you know, analysts that are just reading through these lists. And some of these checks have already been automated and there's Volatility plugins to look for these things, so when it comes to looking for just repetitions, you know, counting instances, use automation, you know, don't waste your time. There's also, when you do this all day, you can miss stuff, so whatever, you know, just automate it. Volatility is Python, it has JSON outputs, so you can actually use it, or you can include it in your Python scripts and you can just automate all these checks. So network connections, right, in
this case I actually hid the name of the file, so you're looking at network connections for the PID 1484, so that's a process that's associated with those connections, and we get the ports and the IP addresses, right? So, obviously, there's indicators online and documented malicious IP addresses that certain exploit kits have, you know, threat actors are using, and these rotate fairly often, so these indicators don't last long, but my point here is use what's known. So that one on the top right is actually a known IP address
for Cridex, so it was actually a Blackhole exploit kit that was serving Cridex. So again you don't need to be a top expert to do these simple steps; use what's known and then go into the more complicated steps, right? And when we
look up the process that's actually responsible for the connection, so let's say you don't get any hits on the IP addresses, try to figure out: does it make sense for this process to be communicating over these ports, or to be communicating at all? Maybe it's not, maybe it's not supposed to create network connections. In this case it's explorer.exe, so it's definitely worth looking into. Okay,
another thing you can do in memory is look for mutexes, so those are just used by malware to essentially flag the system, the fact that a certain piece of malware has already infected the system. What the malware authors do not want is to hit the same machine again and have two instances of the same malware competing against each other, breaking each other, right? So what they will do is they plant these mutexes, which are legitimate Windows functionality, but once we know the name that the mutex uses, and they have to stick to certain names, certain strains of the same malware, different strains might have different mutexes, but if you just have a list of those, and there's plenty of people curating those online, if you see that then very clearly it's a piece of malware, right? So the AVIRA mutex there, it's known for certain Zeus strains. So you do the mutantscan, you run that plugin, you run it past your list of known bad mutexes, done, right? Super simple, no reason not to use it, right?
Sockscan: we mentioned, you know, unlinked sockets before; it can show you sockets that are no longer there, it can show you sockets that are hidden or unlinked, and the timestamps are super useful if you're doing forensic investigations on timelines and you need a pivot point to try and figure out, okay, where did this actually start, how long has this been there. This is a very useful artifact to have. So okay, at this
point you might say, great, but I do not have the memory capture, so how do I do all this cool stuff that you just mentioned if all I got in my case is a hard drive, right? All I got is a cold
drive, how do I get this out? I was actually considering putting, I looked for cold disks online and I got the cover for the CD of the Frozen soundtrack, I was like, my lawsuit, not so much, okay, don't forget it, I'll just use the icy out to dry, I like it anyway. So if you've
looked on your C drive you've probably seen these guys, so you can actually use these to do all this cool stuff I just showed even though you do not have the memory image. So even though your evidence recovery team or whoever, you know, gave you the machine, unplugged it and kind of destroyed all that evidence, you still have some memory forensics artifacts that you can explore, and why not use that, right? So obviously the hibernation file will be appropriate to the last time the machine hibernated, that might be a while ago, but still in many cases, especially when the malware has been there for, like, eight months, that's still useful. Okay, so the first thing to look at is actually the write and modified times for these files, that can give you sort of a clue. You cannot access these while the machine is alive because it's locked by the OS obviously, so you will have to either mount it from a second OS, like, you know, boot from Kali or SIFT workstation, whatever it is, or if you're getting the drive cold, then obviously, right, you just mount it.
So the first thing you want to do, again, start with the simple stuff: strings, okay. Any kind of IOCs or strings that you know you're looking for, you can scan for those, right? Any kind of indicators, URLs, IP addresses, domains, start with those. If you're looking for a specific type of activity, like mining, or, you know, like black market activity, or something related to certain companies, other companies, competitors, in cases of, like, industrial espionage, you might want to scan for those, that'll give you a good clue, right? And you haven't yet parsed anything, you do not need any expertise. So, and obviously you can also have a whitelist to filter out strings that just come up all the time, right? And there are a couple caveats to that: the hibernation file is compressed on disk so you will need to convert it first, and you do need some context for all this data. In the case of, like, the page file, it's essentially a bunch of pages that were moved to disk, right, there's no real context there, you're missing some tables from memory. If you have the hibernation file and a matching page file you may be able to reconcile those, but with the page file essentially you just need to iterate over all these pages, and there are some tools to do that I'm gonna show you right now. So the next thing you can do is file carving, right, so other than just simple strings, and you should use, you know, both ASCII and Unicode; if you're dealing with non-English text you might want to make sure to test your tools, make sure that you're actually getting those other languages as well so you don't miss important evidence. And then for file carving we're essentially just looking for the headers for known file types, and we can find images, documents, you know, encrypted headers, encrypted volumes sometimes, so there's a lot to be found, and there's known tools to do that, they have the databases of magic numbers, you just look for the different file types, and you'd be amazed what you can get from these tools when you just scan and get
out all kinds of documents and stuff people thought they deleted, but not so much. So the page file, where is it? Usually it's at the C drive, pagefile.sys, just like I showed earlier, but really Windows can have up to 16 different page files and they can be anywhere, so do not assume that it's on the C drive, go hit the registry, look for this key, then you can get exactly where the page files are and how many there are too. So what's in a page file? I actually already said that it's a bunch of memory pages that were swapped to disk, so there's no particular order, there's no real context tying those together, but there's a tool called page_brute, and I have, like, the GitHub link on here, essentially that can run a YARA scan on each page separately, so we can use your entire YARA arsenal to scan against that entire page file, look for hits, you can find fragments of malware, you can find IOCs etc. The swap file, that's actually a less common one, it's newer, it's on Windows 8 and 10 and it's actually used by the newer apps that are on the Windows UI, that are Metro style apps, it's a separate swap space for those, so if you're looking into any kind of activity used by those apps you kind of have it separately in a dedicated file, so that really helps you weed out all the other stuff you don't need. In those cases it's really worth looking at; in general, if you're not sure what you're looking for and it's not very focused I would probably have a look at that, see maybe there's some useful data in there. So crash dumps, you know, when you run some kind of software and it crashes and it creates those nice dump files, that's actually data from memory from that process, so it really depends which process crashed, so if it's a browser you might have some data from the cache, you might have some information on pages that were open at the time, so it can be very useful, especially if it's a miner that crashes the browser, you might have that miner still in memory, right? And if it's a
password manager, I actually haven't done this research yet, but that could be a next step for any of you guys if you want to try: running a password manager, crashing it, looking at the memory dump, see if there is anything useful in there, because if that's the case then it's definitely worrisome, you definitely want to make sure those are not in there, right? So now we're going to
move to talk about hibernation. So the hibernation mechanism in Windows, everybody knows, when you close, kind of, your laptop you can either suspend it, kind of keep it in low memory, lower power mode, or you can entirely take the memory, move it to disk, save it as a hibernation file, and then it does not consume any power, right, that's essentially turned off. So Windows will
actually mark the page file: if it becomes corrupt it will change the magic number at the beginning, yeah. So when you get a hibernation file you can take a look at that magic number and see the current state of that hiberfil. When you get the hibernation file you want to convert it to a format that's usable by Volatility and then you can actually use all those cool plugins that I showed you earlier on that resulting raw image file, right? So the imagecopy plugin for Volatility, you run that once, you get a raw memory image out of that, and then you can use that from now on. You can also operate directly on the hibernation file but it will need to do decompression every time, that's kind of a waste, so just do that once, work on the raw memory file from there. There's also a tool from Comae, from Matt Suiche, Hibr2Bin, so he's one of the first people to do research on this whole hibernation file forensics and analysis and he wrote some very useful tools around that, so you might want to check out his website as well if you're interested. So some caveats: in certain cases the hibernation file will be zeroed by Windows, especially in later versions; Volatility has some brute forcing kind of handlers to work around that, if you want to know more about that part I recommend The Art of Memory Forensics, a very cool book, very comprehensive if you want to go more into that. And also getting the profile: so Volatility does need to know the OS it's analyzing, so it needs to know the profile of the OS, so if you have an offline drive and you do not have enough information around the case you might need to go into the registry and pull that out so you know which profile to use, and then you can go from there. Another caveat about the hibernation file is that before the Windows system hibernates it will actually close all the network connections, so you can still scan for residual sockets in memory of connections that were closed, but you won't see any connections still open, so
just keep that in mind when you're analyzing hibernation files, and that's why it's also important to know, when you get a raw image of memory, you should ask where did this come from, is it from, like, a hibernation file, is it directly from a box; you might be able to figure that out yourself but it can just save you time, so it depends on the context. And obviously if malware is hooking that functionality it can actually realize that, oh no, the system's going into hibernation, I might want to shut down and clean everything up before that happens, right? So in those cases you might not see malware inside of the hibernation file, so that's not easy to do but it's technically possible, okay, because the malware controls the OS, it can see that as well, so that's important to keep in mind. So the last thing I want to mention is the volume shadow copies. So have any of you ever analyzed a piece of malware and seen vssadmin in there, like, as a string? So in recent years that's becoming increasingly popular because of ransomware trying to clear those volume shadow copies so that you can't recover your files, but in this case I'm actually mentioning another useful part of volume shadow copies that's useful for defenders: the volume shadow copies will include previous versions of those files, so even if some crash dumps were deleted, if it's a server, volume shadow copies will be turned on by default, so you will have multiple versions of the hibernation file to work with, you can actually diff those and you can find changes, you can find processes that have been open the whole time, right, you can do a timeline of that, right? So you can take all of those different hibernation files, do a diff on your findings, throw those into Plaso, log2timeline, you can have a huge amount of data to work with. So just keep in mind those volume shadow copies, you can find very useful stuff on there, always remember to look for those, and when you do that offline, SIFT workstation has a very useful tool to do that, you can
just mount any of those volume shadow copies, get the data out, and you're pretty much done. Okay, so I actually ran through that a lot faster than I thought. Are there any questions, any, like, follow-ups that you want to share, have you done any of this before yourself? I see a question back there. Sorry, yes it does, yes, awesome, yeah absolutely, yeah you can definitely do that, you can turn on your powercfg /h, you know, to turn it on, and then you do a shutdown, and yeah absolutely, so that's a very good idea: if you have access to the machine to run commands on it you can do that, grab the hibernation file and get it later, just grab this, can go, right? Yeah, thanks for that. Okay, great, so thanks everyone for coming and have a great race over. [Applause]
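Two of the cold-drive steps the talk walks through, checking the magic number at the start of hiberfil.sys and iterating over a page file one page at a time looking for known strings in both ASCII and Unicode, are shown below as an added example. This is not code from the talk, from Volatility or from page_brute; it is a small regex stand-in for the per-page YARA scan page_brute performs. The "hibr"/"wake" signature meanings are taken from how Volatility's hibernation address space treats the header (an assumption here, so they are matched case-insensitively), and every input is constructed: the TEST-NET address 203.0.113.7, the planted tasksche.exe path and the allowlisted "Microsoft Windows" string are sample data, not evidence from any case.

```python
"""Cold-drive memory artifact triage (added example; not from the talk).

Two checks from the talk in one script:
  1. read the 4-byte magic of hiberfil.sys to learn the file's state;
  2. scan a page file one 4 KiB page at a time for indicator strings in
     both ASCII and UTF-16LE, with an allowlist for strings that always
     show up.  This is a regex stand-in for what page_brute does with YARA.
"""
import re
from collections import defaultdict

PAGE_SIZE = 4096

# Signatures as Volatility's hibernation address space recognises them
# (assumption; matched case-insensitively): "hibr" = image written at
# hibernate time, "wake" = image the system has already resumed from.
HIBER_STATES = {
    b"hibr": "hibernated (valid image)",
    b"wake": "resumed (stale image, contents still present)",
}


def classify_hiberfil(first_page: bytes) -> str:
    """Return a human-readable state for hiberfil.sys from its first page."""
    sig = first_page[:4].lower()
    if sig in HIBER_STATES:
        return HIBER_STATES[sig]
    if first_page[:PAGE_SIZE].strip(b"\x00") == b"":
        # Later Windows versions zero the header; Volatility then has to
        # brute-force the layout, as mentioned in the talk.
        return "zeroed header (needs brute-force recovery)"
    return "unknown signature %r" % sig


def compile_indicators(indicators):
    """Build case-insensitive ASCII and UTF-16LE patterns for each IOC."""
    compiled = []
    for ioc in indicators:
        ascii_pat = re.compile(re.escape(ioc.encode("ascii")), re.IGNORECASE)
        utf16_pat = re.compile(re.escape(ioc.encode("utf-16-le")), re.IGNORECASE)
        compiled.append((ioc, ascii_pat, utf16_pat))
    return compiled


def scan_pages(blob: bytes, indicators, allowlist=()):
    """Scan an unstructured blob page by page.

    Pages carry no context, so each one is searched on its own, exactly
    like a per-page YARA scan.  A string straddling a page boundary is
    missed by design; overlap pages if that matters for your indicators.
    Returns {ioc: [(page_index, encoding), ...]} for non-allowlisted IOCs.
    """
    wanted = [i for i in indicators if i not in set(allowlist)]
    patterns = compile_indicators(wanted)
    hits = defaultdict(list)
    for offset in range(0, len(blob), PAGE_SIZE):
        page = blob[offset:offset + PAGE_SIZE]
        page_no = offset // PAGE_SIZE
        for ioc, ascii_pat, utf16_pat in patterns:
            if ascii_pat.search(page):
                hits[ioc].append((page_no, "ascii"))
            if utf16_pat.search(page):
                hits[ioc].append((page_no, "utf-16le"))
    return dict(hits)


def build_sample_pagefile() -> bytes:
    """Constructed test data: three pages with planted strings (not real evidence)."""
    page0 = b"\x00" * 96 + b"GET /gate.php HTTP/1.1 Host: 203.0.113.7"      # ASCII hit (TEST-NET address)
    page1 = b"\x90" * 48 + "C:\\Users\\Public\\tasksche.exe".encode("utf-16-le")  # UTF-16LE hit
    page2 = b"Microsoft Windows " * 8                                         # benign, allowlisted
    return b"".join(p.ljust(PAGE_SIZE, b"\x00") for p in (page0, page1, page2))


SAMPLE_IOCS = ["203.0.113.7", "tasksche.exe", "Microsoft Windows"]   # constructed list
ALLOWLIST = ["Microsoft Windows"]


def triage_sample():
    """Run both checks on constructed inputs and return the findings."""
    hiber_states = {
        "fresh": classify_hiberfil(b"hibr" + b"\x00" * (PAGE_SIZE - 4)),
        "resumed": classify_hiberfil(b"WAKE" + b"\x00" * (PAGE_SIZE - 4)),
        "wiped": classify_hiberfil(b"\x00" * PAGE_SIZE),
    }
    page_hits = scan_pages(build_sample_pagefile(), SAMPLE_IOCS, ALLOWLIST)
    return hiber_states, page_hits


if __name__ == "__main__":
    states, hits = triage_sample()
    for name, state in states.items():
        print("hiberfil (%s): %s" % (name, state))
    for ioc, where in hits.items():
        print("IOC %r found in pages %s" % (ioc, where))
```

Against a real drive you would pass the first 4 KiB of hiberfil.sys to `classify_hiberfil` and the whole pagefile.sys (or swapfile.sys) to `scan_pages` with your own indicator list; the allowlist is where the strings that "just come up all the time" go, so they never reach the hit list. The UTF-16LE pattern is what catches Windows paths and registry strings that an ASCII-only scan misses.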