Windows Memory Analysis SciTech Connect


  • Date:26 Nov 2019
  • Pages:38
  • Size:253.71 KB


Chapter 3: Windows Memory Analysis

Introduction

In Chapter 1, "Live Response: Collecting Volatile Data," we discussed collecting volatile data from a live, running Windows system. From the Order of Volatility listed in RFC 3227, we saw that the first item of volatile data that should be collected during live response activities is the contents of physical memory, commonly referred to as RAM. Although the specifics of collecting particular parts of volatile memory, such as network connections or running processes, have been known for some time and discussed pretty extensively, the issue of collecting, parsing, and analyzing the entire contents of physical memory is a relatively new endeavor. This field of research has really opened up in the past year or two, beginning in the summer of 2005, at least from a public perspective.

The most important question that needs to be answered at this point is "Why?" Why would you want to collect the contents of RAM? How is doing this useful, how is it important, and what would you miss if you didn't? Until now, some investigators have collected the contents of RAM in hope of finding something that they wouldn't find on the hard drive during a post-mortem analysis, specifically passwords. Programs will prompt the user for a password, and if the dialog box has disappeared from view, the most likely place to find that password is in memory. Malware analysts will look to memory in dealing with encrypted or obfuscated malware, because when the malware is launched, it will be decrypted in memory. More and more malware is obfuscated in such a way that static, offline analysis is extremely difficult at best. However, if the malware were allowed to execute, it would exist in memory in a decrypted state, making it easier to analyze what the malware does. Finally, rootkits will hide processes, files, Registry keys, and even network connections from view by the tools we usually use to enumerate these items, but by analyzing the contents of RAM we can find what's been hidden. We can also find information about processes that have since exited.

As this area of analysis grows and more investigators pursue RAM as a viable source of valuable information and evidence, it will become easier to extract information from RAM and correlate that to what is found during the post-mortem forensic analysis.

A Brief History

In the past, the analysis of physical memory dumps has consisted of running strings or grep against the image file, looking for passwords, IP addresses, e-mail addresses, or other strings that could give the analyst an investigative lead. The drawback of this method of analysis is that it is difficult to tie the information you find to a distinct process. Was the IP address that was discovered part of the case, or was it actually used by some other process? How about that word that looks like a password? Is it the password that an attacker uses to access a Trojan on the system, or is it part of an instant messaging (IM) conversation?

Being able to perform some kind of analysis of a dump of physical memory has been high on the wish lists of many within the forensic community for some time. Others, such as myself, have recognized the need for easily accessible tools and frameworks for retrieving physical memory dumps and analyzing their contents.

In the summer of 2005, the Digital Forensic Research Workshop (DFRWS) [1] issued a memory analysis challenge to motivate discourse, research, and tool development in this area. Anyone was invited to download the two files containing dumps of physical memory (the dumps were obtained using a modified copy of dd.exe available on the Helix [2] 1.6 distribution) and answer questions based on the scenario provided at the Web site. Chris Betz and the duo of George M. Garner, Jr. and Robert-Jan Mora were selected as the joint winners of the challenge, providing excellent write-ups illustrating their methodologies and displaying the results of the tools they developed. Unfortunately, these tools were not made publicly available.

In the year following the challenge, others continued this research or conducted their own, following their own avenues. Andreas Schuster [3] began releasing portions of his research on the English version of his blog, together with the format of the EPROCESS and ETHREAD structures from various versions of Windows, including Windows 2000 and XP. Joe Stewart posted a Perl script called pmodump.pl as part of the TRUMAN Project [4], which allows you to extract the memory used by a process from a dump of memory (important for malware analysis). Mariusz Burdach has released information regarding memory analysis, initially for Linux systems but then later specifically for Windows systems, to include a presentation at the BlackHat Federal 2006 conference [5]. Jesse Kornblum has offered several insights in the area of memory analysis, to include determining the original operating system from the contents of the memory dump. During the summer of 2006, Tim Vidas [6], a Senior Research Fellow at Nebraska University, released procloc.pl, a Perl script to locate processes in RAM dumps as well as crash dumps.

Dumping Physical Memory

So how do you go about collecting the contents of physical memory? Several ways have been identified, each with its own strengths and weaknesses. The goal of this chapter is to provide an understanding of the various options available as well as the technical aspects associated with each option. This way, as a first responder or investigator, you'll make educated choices regarding which option is most suitable, taking the business needs of the client or victim into account along with infrastructure.

www.syngress.com
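The string sweep described under "A Brief History" (running strings or grep over a dump and looking for IP or e-mail addresses), written out as an added Python example; this is not code from the book or its author. The dump bytes are constructed inline as a stand-in for a real capture. The example also shows one thing an ASCII-only strings pass misses on Windows: many strings in memory are UTF-16LE, so the sweep decodes both encodings. Each hit is reported with its byte offset only, which is exactly the drawback the text describes: nothing in the output says which process owned the string.

```python
import re
from typing import Iterator, List, Tuple

# Printable ASCII runs of at least four characters, the default `strings` threshold.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# The same characters encoded as UTF-16LE, i.e. each printable byte followed by NUL.
# Windows keeps many paths, user names and UI strings in this encoding, so an
# ASCII-only sweep silently misses them.
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Indicator patterns applied to each decoded string.
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def extract_strings(data: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (byte offset, encoding, text) for every printable run in the dump."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16LE_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_indicators(data: bytes) -> List[dict]:
    """Sweep the dump for IPv4 addresses and e-mail addresses.

    Each hit carries only a byte offset into the dump; nothing here ties the
    string to a process, which is the limitation of a plain strings/grep pass.
    """
    hits: List[dict] = []
    for run_offset, encoding, text in extract_strings(data):
        char_width = 1 if encoding == "ascii" else 2  # bytes per decoded character
        for kind, pattern in (("ipv4", IPV4), ("email", EMAIL)):
            for m in pattern.finditer(text):
                hits.append({
                    "kind": kind,
                    "value": m.group(),
                    "encoding": encoding,
                    "offset": run_offset + m.start() * char_width,
                })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a memory dump (not a real capture): non-printable
# filler around one ASCII HTTP fragment and one UTF-16LE path holding an address.
FILLER = bytes([0x00, 0x01, 0x02, 0x80, 0xFF]) * 32
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"GET /update HTTP/1.1 Host: 203.0.113.7\r\n"
    + FILLER
    + "C:\\Users\\alice\\mail\\alice@example.com".encode("utf-16le")
    + b"\x00" * 64
)


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_DUMP):
        print(f"{hit['offset']:#010x}  {hit['kind']:5}  {hit['encoding']:8}  {hit['value']}")
```

Run against a real dump by replacing SAMPLE_DUMP with the file's bytes (or a memory-mapped view for large images). The UTF-16LE pass is the one most often skipped when people reach for grep; without it the e-mail address in the sample is never seen.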
Hardware Devices

In February 2004, the Digital Investigation Journal published a paper by Brian Carrier and Joe Grand, of Grand Idea Studio, Inc. [7], titled "A Hardware-Based Memory Acquisition Procedure for Digital Investigations." In the paper, Brian and Joe presented the concept for a hardware expansion card (dubbed "Tribble," possibly a reference to that memorable Star Trek episode) that could be used to retrieve the contents of physical memory to an external storage device. This would allow an investigator to retrieve the volatile memory from the system without introducing any new code nor relying on potentially untrusted code to perform the extraction. In the paper, the authors stated that they had built a proof-of-concept Tribble device, designed as a PCI expansion card that could be plugged into a PC bus. Other hardware devices are available that allow you to capture the contents of physical memory and are largely intended for debugging hardware systems. These devices may also be used for

As illustrated in the DFRWS 2005 Memory Challenge, one of the limitations of a software-based approach to retrieving volatile memory is that the program the investigator is using has to be loaded into memory. Subsequently, particularly on Windows systems, the program may (depending on its design) rely on untrusted code or libraries (DLLs) that have been subverted by the attacker. Let's examine the pros and cons of such a device.

  • Pros: Hardware devices such as the Tribble are unobtrusive and easily accessible. Dumping the contents of physical memory in this manner introduces no new or additional software to the system, minimizing the chances of data being obscured in some manner.
  • Cons: The primary limitation of using the hardware-based approach is that the hardware needs to be installed prior to the incident. At this point, the Tribble devices are not widely available. Other hardware devices are available and intended for hardware debugging, but they must still be installed prior to an incident to be of use.

Due to technical specifics of FireWire devices and protocols, there is a possibility that, with the right software, an investigator can collect the contents of physical memory from a system. FireWire devices use direct memory access (DMA), meaning that they can access system memory without having to go through the CPU. These devices can read from and/or write to memory at much faster rates than systems that do not use DMA. The investigator would need a controller device that contains the appropriate software and is capable of writing a command into a specific area of the FireWire device's memory space. Memory mapping is performed in hardware without going through the host operating system, allowing for high-speed, low-latency data transfers.

Adam Boileau [8] came up with a way to extract physical memory from a system using Linux and Python [9]. The software used for this collection method runs on Linux and relies on support for the /dev/raw1394 device, as well as Adam's pythonraw1394 library, the libraw1394 library, and Swig (software that makes C/C++ header files accessible to other languages by generating wrapper code). In his demonstrations, Adam even included the use of a tool that will collect the contents of RAM from a Windows system with the screen locked, then parse out the password, after which Adam logs into the system.

Jon Evans, an officer with the Gwent police department in the United Kingdom, has installed Adam's tools and successfully collected the contents of physical memory from Windows systems, as well as from various versions of Linux. As part of his master's thesis, Jon wrote an overview on how to install, set up, and use Adam's tools on several different Linux platforms, including Knoppix v.5.01, Gentoo Linux 2.6.17, and BackTrack (from remote-exploit.org). Once all the necessary packages (including Adam's tools) have been downloaded and installed, Jon then walks through the process of identifying FireWire ports and then tricking the target Windows system into thinking that the Linux system is an iPod by using the Linux romtool command to load a data file containing the Control Status Register (CSR) for an iPod (the CSR file is provided with Adam's tools). Here are the pros and cons of this approach:

  • Pros: Many systems available today have FireWire (IEEE 1394) interfaces built right into the motherboards. Also, code has been released for directly accessing physical memory on Linux and Mac OS systems.
  • Cons: Arne Vidstrom has pointed out some technical issues [10] regarding the way dumping the contents of physical memory over FireWire can result in a hang or in parts of memory being missed. George M. Garner, Jr. noted in an e-mail exchange on a mailing list in October 2006 that in limited testing there were notable differences in important offsets between a RAM dump collected using the FireWire technique and one collected using George's own software. This difference could only be explained as an error in the collection method. Furthermore, this method has caused Blue Screens of Death (BSoDs, discussed further in a moment) on some target Windows systems, possibly due to the nature of the FireWire hardware on the system.

Crash Dumps

At one point, we've all seen crash dumps; in most cases, they manifest themselves as an infamous Blue Screen of Death [11] (BSoD). In most cases, they're an annoyance, if not indicative of a much larger issue. However, if you want to obtain a pristine, untainted copy of the content of RAM from a Windows system, perhaps the only way to do that is to generate a full crash dump. The reason for this is that when a crash dump occurs, the system state is frozen and the contents of RAM, along with about 4Kb of header information, are written to the disk. This preserves the state of the system and ensures that no alterations are made to the system beginning at the time the crash dump was initiated.

This information can be extremely valuable to an investigator. First of all, the contents of the crash dump are a snapshot of the system, frozen in time. I have been involved in several investigations during which crash dumps have been found and used to determine root causes, such as avenues of infection or compromise. Second, Microsoft provides tools for analyzing crash dumps, not only in the debugging tools [12] but also the Kernel Memory Space Analyzer [13] tools, which are based on the debugging tools.

Sounds like a good deal, doesn't it? After all, other than having a 1GB file written to the hard drive (possibly overwriting evidence and not really minimizing the impact of our investigation on the system), it is a good deal, right? Under some circumstances it could be, or you might be willing to accept that condition, depending on the circumstances. However, there are still a couple of stumbling blocks. First, not all systems generate full crash dumps by default. Second, by default, Windows systems do not generate crash dumps on command.

The first issue is relatively simple to deal with, according to MS KnowledgeBase (KB) article Q254649 [14]. This KB article lists the three types of crash dump: small (64KB), kernel, and complete crash dumps. What we're looking for is the complete crash dump, because it contains the complete contents of RAM. The KB article also states that Windows 2000 Pro and Windows XP (both Pro and Home) will
