Using Hashing to Improve Volatile Memory Forensic Analysis

Similar documents
Intro to Memory Forensics with Volatility

OS Security IV: Virtualization and Trusted Computing

Memory Analysis. CSF: Forensics Cyber-Security. Part II. Basic Techniques and Tools for Digital Forensics. Fall 2018 Nuno Santos

Notes: Describe the architecture of your product. Please provide also which Database technology is used for case management and evidence management.

S23: You Have Been Hacked, But Where s the Evidence? A Quick Intro to Digital Forensics Bill Pankey, Tunitas Group

Digital Forensics Lecture 01- Disk Forensics

escan for Windows: escan System Requirements

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations

Windows Forensics Advanced

Digital Forensics Lecture 02- Disk Forensics

Building Resilience in a Digital Enterprise

Operating System Security

Introduction to Computer Forensics

Key Threats Melissa (1999), Love Letter (2000) Mainly leveraging social engineering. Key Threats Internet was just growing Mail was on the verge

Cisco Networking Academy CCNA Cybersecurity Operations 1.1 Curriculum Overview Updated July 2018

Kevin Butler Stephen McLaughlin Thomas Moyer Patric McDaniel. Presented by Xiao, Yuan November 10, 2010

Monitoring Hypervisor Integrity at Runtime. Student: Cuong Pham PIs: Prof. Zbigniew Kalbarczyk, Prof. Ravi K. Iyer ACC Meeting, Oct 2015

Procedures for a Harmonised Digital Forensic Process in Live Forensics

FIRST RESPONDER FORENSICS

COMPUTER FORENSICS (CFRS)

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Information Security Policy

Reconstructing the Scene of the Crime

Advanced Systems Security: New Threats

Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI)

Towards High Assurance Networks of Virtual Machines

Web Gateway Security Appliances for the Enterprise: Comparison of Malware Blocking Rates

CDSA Program Update SECURITY. Graham Bird. opengroup.org (650)

Firewall Antivirus For Windows Xp Avast 2012 With Key

Reduce the Breach Detection Gap to Minutes. What is Forensic State Analysis (FSA)?

Hypervisor Support for Identifying Covertly Executing Binaries

SentinelOne Technical Brief

Space Traveling across VM

Windows Memory Analysis. Jesse Kornblum

Source:

ARM Security Solutions and Numonyx Authenticated Flash

SentinelOne Technical Brief

NIST Standards. October 14, 2016 Steve Konecny

APPLICATION WHITELISTING: APPROACHES AND CHALLENGES

Tupelo Whole Disk Acquisition, Storage and Search

NCIRC Security Tools NIAPC Submission Summary Encase Enterprise Edition

Malware Behavior. Chapter 11

SaaS Flyer for Trend Micro

RightNow May 08 Workstation Specifications

Forensics Challenges. Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation

User Guide. This user guide explains how to use and update Max Secure Anti Virus Enterprise Client.

OHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE

White Paper Digital Evidence Preservation and Distribution: Updating the Analog System for the Digital World July 2011

Tanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018

One Ring to Rule them All

Ceedo Client Family Products Security

RightNow August 08 Workstation Specifications

COMPUTER HACKING FORENSIC INVESTIGATOR (CHFI) V9

Creating a Virtual Machine

Training for the cyber professionals of tomorrow

An Introduction to Incident Detection and Response Memory Forensic Analysis

A Road Map for Digital Forensic Research

Live Attack Visualization and Analysis. What does a Malware attack look like?

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Android Bootloader and Verified Boot

TPM v.s. Embedded Board. James Y

TZWorks Trace Event Log Analysis (tela) Users Guide

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Next Generation Endpoint Security Confused?

Forensics for Cybersecurity. Pete Dedes, CCE, GCFA, GCIH

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

CSE543 - Computer and Network Security Module: Virtualization

Azure Total Cost of Ownership (TCO) summary. Sample Report for Rehost Migration Scenario using Open Source Technologies (Linux & MySQL)

RSA NetWitness Suite Respond in Minutes, Not Months

CSE543 - Computer and Network Security Module: Virtualization

Scientific Working Groups on Digital Evidence and Imaging Technology

CaseWare Working Papers Getting Started Guide. For Working Papers

CSE543 - Computer and Network Security Module: Virtualization

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

This version has been archived. Find the current version at on the Current Documents page. Archived Version. Capture of Live Systems

Introducing MVISION. Cohesive Cloud-based Management of Threat Countermeasures and Devices Leveraging Built-in Device Controls. Jon Parkes.

Symantec & Blue Coat Technical Update Webinar 29. Juni 2017

TZWorks Portable Executable Scanner (pescan) Users Guide

Recommended Hardware & Software Requirements for Installing Invu Document Management

Azure Total Cost of Ownership (TCO) summary. Sample Report for Data Center Migration (Windows and Linux servers)

TERRA. Boneh. A virtual machine-based platform for trusted computing. Presented by: David Rager November 10, 2004

Certified Digital Forensics Examiner

Hunting Adversaries with "rastrea2r" and Machine Learning

Memory Grabber Computer Forensic Volatile Memory Acquisition and Analysis System

Guide Series. How to upgrade to Microsoft Windows 10? Guide Series

Pimp My PE: Parsing Malicious and Malformed Executables. Virus Bulletin 2007

MEMORY ANALYSIS: UNDERSTANDING MALWARES AND INCIDENTS THROUGH THE MEMORY

Hackveda Training - Ethical Hacking, Networking & Security

Yuki Ashino, Keisuke Fujita, Maiko Furusawa, Tetsutaro Uehara and Ryoichi Sasaki

Best practices with Snare Enterprise Agents

Flash Drive Won T Mount Windows 7 Won't Recognize

MIGRATING FROM WINDOWS XP

Securing the Frisbee Multicast Disk Loader

Credant CmgCryptoLib Version 1.7 Credant Cryptographic Kernel Version 1.5 FIPS Non-Proprietary Security Policy, Version 1.7 Level 1 Validation

Operating System Specification Mac OS X Snow Leopard (10.6.0) or higher and Windows XP (SP3) or higher

Symantec Endpoint Protection

Hughes Network Systems, LLC Hughes Crypto Kernel Firmware Version: FIPS Non-Proprietary Security Policy

Matthieu Suiche Founder, MoonSols SARL

IBM Proventia Management SiteProtector Installation Guide

Transcription:

Using Hashing to Improve Volatile Memory Forensic Analysis American Academy of Forensic Sciences Annual Meeting February 21, 2008 AAron Walters awalters@volatilesystems.com Blake Matheny, LLC Center for Education and Research in Information Assurance and Security Doug White National Institute of Standards and Technology (NIST)

Disclaimer Trade names and company products are mentioned in the text or identified. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the products are necessarily the best available for the purpose. Statement of Disclosure This research is funded in part by the National Institute of Standards and Technology.

Digital Crime Scene Information systems Commission of crimes Contain evidence related to crimes Subject of crimes Complex crime scene (Carrier,2003) Not just a piece of evidence or substance Composed many types of evidence Thorough analysis Reconstruct crime scene 3

Consistent Picture 4

Runtime State Order of Volatility (RFC 3227) Data life expectancy Volatile state/active objects Ceases to exist when power is removed Valuable data (context) Volatile media trusted (pswds, keys, malware) Goals (Carrier, 2003): Minimize obtrusiveness Minimize trust Understand effects 5

Volatile Memory Analysis Entire contents of physical memory (RAM) Direct analysis of raw bit image Artifact persistance (Chow,2005) Advantages: Analysis does not depend on OS (trust) Reduce and simplify obtrusiveness (acquisition) Removes the active adversary (freeze state) Verifiable (3 rd Party: data and tools) Unconstrained analysis (raw data) Few trusted open resources (standard references) 6

Analysis Types Application Analysis Application Address Space Virtual Memory Analysis User Address Space Kernel Address Space Physical Memory Analysis Physical Address Space Swap 7

Current State of VMA Current analysis methods based on ad-hoc inference analyze less than 4% of volatile storage! 8

Relying on what we know Physical crime scene (Carrier,2003) Laws of Nature Familiarity and experience with physical world Digital environment Hardware and software Cryptographic hashes Mathematical transformation (data hash value) Uniquely identify known data Detect data modifications/corruptions 9

Hash Databases 10 File system analysis Databases of cryptographic file hashes Imported by forensic applications Origin and authenticity verifiable? National Software Reference Library (NIST) Archive of known and traceable software Reference Data Set (RDS) Over 13 Million signatures Can we leverage the NSRL to support VMA? Generate a standard reference data set? ~ 5 Million executables

Portable Executable (PE) Windows executable file format EXE, DLL, SYS Loaded into memory Laws of Software Defines set of allowable code Expected control flow graph (CFG) Find known aspects of executables in memory Reduce volume of data What is running (patches)? Evaluate runtime integrity (Petroni, 2004) Derive chain of trust (transitive) 11

Windows Loader Memory management Memory mapped (as needed) Section alignment/attributes Disk vs. memory Import Address Table (IAT) Library locations determined at runtime Overwrites IAT entries with actual addresses Base Relocations Addresses based on preferred load address List of locations that need to be modified Bits on disk Bits in memory 12

Disk vs. Memory reloc edata idata text Header Header Header Disk Memory Extract 13

Generating Hash Data Set Immutable sections of known executables Account for merged sections Imports, etc. Memory align sections Pages of memory Per page relocation templates Normalize relocations Hash on page boundaries! 14

Example Hash Information ( 0x1000* 0x1000*.text* 96f3b3ae3d51f09b08c1e4858314692843da371b* 023424fc26c8923162523471a28aa6ad6e4ae1b4* [(21, 4), (55, 4), (76, 4), (95, 4), (147, 4), (189, 4), (240, 4), (340, 4), (462, 4), (532, 4), (546, 4), (573, 4), (581, 4), (626, 4), (644, 4), (678, 4), (696, 4), (767, 4), (815, 4), (824, 4), (893, 4), (916, 4), (973, 4), (1028, 4), (1110, 4), (1135, 4), (1147, 4), (1198, 4), (1236, 4), (1248, 4), (1289, 4), (1507, 4), (1547, 4), (1682, 4), (1692, 4), (1700, 4), (1706, 4), (1759, 4), (1784, 4), (1796, 4), (1801, 4), (1895, 4), (1940, 4), (2029, 4), (2081, 4), (2094, 4), (2100, 4), (2112, 4), (2125, 4), (2131, 4), (2209, 4), (2254, 4), (2295, 4), (2362, 4), (2379, 4), (2408, 4), (2444, 4), (2477, 4), (2555, 4), (2652, 4), (2693, 4), (2707, 4), (2735, 4), (2792, 4), (2825, 4), (2976, 4), (3027, 4), (3045, 4), (3081, 4), (3105, 4), (3194, 4), (3315, 4), (3353, 4), (3380, 4), (3398, 4), (3404, 4), (3450, 4), (3512, 4), (3556, 4), (3563, 4), (3577, 4), (3598, 4), (3610, 4), (3661, 4), (3672, 4), (3764, 4), (3856, 4), (3893, 4), (3908, 4), (3923, 4), (3940, 4), (3956, 4), (4003, 4), (4041, 4), (4068, 4), (4078, 4)] ) 15

Finding Known Memory Hash Templates O(M*N) M X? Physical Address Space N 16

Experimental Results Lab: Virtual machine introspection (Garfinkel,2003) Windows XP Professional with Service Pack 2 MSDN: 2004-08-11 20:42:00 (UTC) 256 MB RAM 4,303 PE (99.1% RDS 2.19) Real: Sampled workstation Windows XP Professional with Service Pack 2 2 GB RAM 25,450 PE (52.3% RDS 2.19) Uptime: 7 days 1 hr 27 min (used: 1Y7M) 17

Virtual Machine Hash results 256 MB image 25% Known Zero Other

Real Machine Hash results 2 GB image >5% Known Zero Other

Malware A/V is becoming less effective (Bailey, 2007) ~6 months 66% detected Memory resident malware/modifications Unexpected control flow changes (rootkits) Anti-forensics/DLL Injection Verify in-memory code sections (Petroni,SVV,GMER) History vs. file system vs. trusted hash database Anchors of trust Deriving trust in other data structures (transitive) Stack/Heap/etc (Walters,2006;Petroni,2007) 20

eeye BootRootKit Undetected by majority of rootkit detectors 18 of 19 failed to detect! (Released: July 2005) Hooks ethfilterdprindicatereceivepacket Overwrites instructions with relative JMP Remote kernel backdoor! Trusted database of known hashes ndis.sys: PAGENDSE:0x500 55 8b ec 83 ec e9 18 d5 fd ff 0xf9896b23 (05) e9 18d5fdff JMP 0xf9874040 21

Deriving Trust Win2000 XP Vista Linux 22

Conclusion Volatile state is a critical component of the digital crime scene Build standard reference set (mimic loader) New public resource for VM analysts! Find known memory Detect malicious modifications Derive trust from a potentially compromised system Towards complete analysis... 23

THANK YOU! awalters@volatilesystems.com & nsrl@nist.gov 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback