Introduction to Memory Analysis

Post on 20-May-2015


DESCRIPTION

Edgis Sharing Session – Introduction to Memory Analysis at Whitehat Society, Singapore Management University September, 2012

Transcript

Emil Tan

Team Lead, Co-Founder

http://edgis-security.org

@EdgisSecurity

Introduction to Memory Analysis

Agenda

What can you find in the memory?

Why perform memory analysis?

Tools to perform memory acquisition

Tools to perform memory analysis

Memory analysis demonstration using Mandiant Redline™

Memory analysis for forensics investigation

What can you find in the memory?

The state of the machine

Processes and threads (including hidden processes)

Network connections (sockets, IP addresses, domain names, ports)

Hardware and software configuration

Event logs

Windows registry keys

And many more

Encryption keys, passwords, caches, clipboards, etc.

It’s a rich data source!

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 6

Why perform memory analysis?

It’s a rich data source

Understand the state of the machine

Behavioural analysis of users, attackers, processes

Best place to look for traces of malicious activity

Find malware (including rootkit!)

Difficult to clean trace on memory

Malware needs to be unpacked to be executed

Data not found in hard disk (e.g. memory-only malware, network activities)

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 7

Tools to perform memory acquisition

MoonSols DumpIt (Windows x86 and x64)

MoonSols Windows Memory Toolkit

Mandiant Redline™

Virtual Machines (Snapshots / Save states)

VMware (.vmem)

Microsoft Hyper-V (.bin)

Parallels (.mem)

VirtualBox (.sav)... Not quite.

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 14, 17

Tools to perform memory analysis

String searching (e.g. grep)

But you can’t inspect memory based on memory structure

Mandiant Redline™

Mandiant Memoryze™

Volatility

Internet Evidence Finder (IEF)

F-Response

HBGary Responder

Volafox

Second Look®

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 22 – 25

Processes

Unidentifiable Processes and Threads

File path

Parent process

Parameters / arguments

SID

Start time

Malware Rating Index

Looking into: Process Objects

DLLs

Handles

Threads

Memory Sections

Sockets

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 49, 51
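The process attributes listed above (file path, parent process, SID, start time) are what an analyst compares against what a healthy Windows system looks like. The script below is an added example, not part of the original slides or of Redline, that runs three such checks over a constructed process listing: the expected parent of core processes (services.exe and lsass.exe under wininit.exe, svchost.exe under services.exe), the expected image location under System32, and the rule that core processes appear exactly once. Process names, pids and paths in the sample are invented for the example.

```python
"""Parent/path/singleton sanity checks over a process listing.

Added example: the sample processes below are constructed, not taken
from a real memory image, and the Proc record is a stand-in for whatever
a memory-analysis tool (Redline, Volatility pslist) reports.
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str

# Expected parent by process name on Windows Vista and later.
EXPECTED_PARENT = {
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}
# Core processes that should exist exactly once.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

def check_processes(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [findings]} for processes that break a rule."""
    by_pid = {p.pid: p for p in procs}
    counts: Dict[str, int] = {}
    for p in procs:
        counts[p.name.lower()] = counts.get(p.name.lower(), 0) + 1

    findings: Dict[int, List[str]] = {}
    for p in procs:
        name = p.name.lower()
        issues = []
        if name in EXPECTED_PARENT:
            parent = by_pid.get(p.ppid)
            if parent is None:
                issues.append(f"parent pid {p.ppid} not in process list")
            elif parent.name.lower() != EXPECTED_PARENT[name]:
                issues.append(f"parent is {parent.name} (pid {parent.pid}), "
                              f"expected {EXPECTED_PARENT[name]}")
            if not p.path.lower().startswith(SYSTEM32):
                issues.append(f"image path {p.path} is outside System32")
        if name in SINGLETONS and counts[name] > 1:
            issues.append(f"{counts[name]} instances of {p.name}, expected one")
        if issues:
            findings[p.pid] = issues
    return findings

# Constructed sample listing: the last two entries are the odd ones out.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(500, 400, "wininit.exe", "C:\\Windows\\System32\\wininit.exe"),
    Proc(600, 500, "services.exe", "C:\\Windows\\System32\\services.exe"),
    Proc(620, 500, "lsass.exe", "C:\\Windows\\System32\\lsass.exe"),
    Proc(800, 600, "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
    Proc(3012, 2900, "svchost.exe", "C:\\Users\\Public\\svchost.exe"),
    Proc(3100, 600, "lsass.exe", "C:\\Windows\\System32\\lsass.exe"),
]

if __name__ == "__main__":
    for pid, issues in sorted(check_processes(SAMPLE).items()):
        for issue in issues:
            print(f"pid {pid}: {issue}")
```

Both lsass.exe instances are reported by the singleton rule; the analyst then uses the other attributes (parent, start time, SID) to decide which one is the impostor rather than trusting the name alone.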

Network Connections

Sockets

IP addresses

Ports

Processes

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 72

Code injection

Code injection is evil!

DLL Injection

Process hollowing

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 74

Further analysis

Process and Drivers acquisition

Scanning engines

Analysis sandboxes

Static and dynamic malware analysis

Referenced:

SANS FOR 508: Advanced Computer Forensics Analysis & Incident Response

Content FOR 508.2: Incident Response & Memory Analysis – Slide 102

Indicators of Compromise

Experience

OpenIOC

Create signatures

Memory analysis for forensics investigation

Memory acquisition may change the state of evidence, but...

Memory is a rich data source!

Hash acquired memory file during initial acquisition

Acquire all kinds of evidence even if you do not have the capabilities now.

References

Don’t Pull the Plug: Windows Memory Analysis & Forensics by Rob Lee

FOR 508 – Advanced Computer Forensics Analysis & Incident Response

508.2 Memory Analysis for Incident Response

by Rob Lee & Chad Tilbury

3 Phases of Malware Analysis by Lenny Zeltser

SANS Digital Forensics & Incident Response Curriculum

More Resources

SANS Computer Forensics http://computer-forensics.sans.org/

SANS Memory Forensics Cheat Sheet v1.0 (Pocket Reference Guide)
