Advanced Topic: Memory Imaging Xinwen Fu 91.580.203 Computer & Network Forensics Brian D. Carrier and Joe Grand, A Hardware-Based Memory Acquisition Procedure for Digital Investigations, Journal of Digital Investigations - March 2004 edition, 2004

Dec 21, 2015

Page 1: Advanced Topic: Memory Imaging Xinwen Fu 91.580.203 Computer & Network Forensics Brian D. Carrier and Joe Grand, A Hardware-Based Memory Acquisition Procedure.

Advanced Topic: Memory Imaging

Xinwen Fu

91.580.203 Computer & Network Forensics

Brian D. Carrier and Joe Grand, A Hardware-Based Memory Acquisition Procedure for Digital Investigations, Journal of Digital Investigations - March 2004 edition, 2004

Page 2

CS@UML

Outline

1. Introduction
2. Related work (previous work)
3. Tribble: hardware-based memory imaging
4. Conclusions

Page 3

Why are the memory contents useful?

Code-Red worm & SQL Slammer worm:

1. Exploit buffer-overflow vulnerabilities in the MS IIS web server and SQL Server 2000
2. Code-Red defaces web pages
3. Generate a random list of IP addresses to probe and infect
4. Produce a large amount of traffic
5. "Memory resident": they live only in RAM and disappear after a reboot, so the memory contents are the evidence

Page 4

Phases of a digital investigation

Page 5

Phases of a digital investigation (Cont.)

1. Notification: an incident is detected and the response team is informed
2. Preservation: make an exact copy of the digital crime scene (we are here)
3. Survey: examine the crime scene for obvious pieces of digital evidence (knowledge of the incident, experience and training)
4. Search: a more thorough search for additional evidence to support or refute hypotheses
5. Reconstruction: test the existing evidence and hypotheses to form a final theory
6. Presentation: the final theory is presented to the parties requesting the investigation

Page 6

Memory imaging requirements

1. Read from the source and write to a non-volatile destination, called the image
2. Do not overwrite the source (violated by software-based solutions)
3. Follow a documented procedure
4. On I/O read errors, write a specified value to the image
5. Identify the start and end of the source data if the destination is larger than the source
6. Notify the user if the destination is smaller than the source
7. Provide the correct documentation
8. Halt the target system to make sure the memory is unchanged
9. Calculate the hash value of the data
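As an added illustration (not part of the lecture or of the Carrier and Grand paper), the Python below shows how requirements 1, 4, 5, 6 and 9 translate into an acquisition loop: the FaultyMemory class, the block size and the unreadable byte range are assumptions constructed for this example, standing in for a real memory device.

```python
import hashlib, io

BLOCK = 4096                                      # read granularity (one page)
DATA = bytes(i % 251 for i in range(4 * BLOCK))   # constructed 16 KiB "physical memory"
BAD = (5000, 6000)                                # constructed unreadable byte range

class FaultyMemory:
    """Constructed stand-in for a memory device; any read overlapping BAD fails."""
    def __init__(self, data, bad):
        self.data, self.bad = data, bad
    def read(self, offset, n):
        if offset < self.bad[1] and self.bad[0] < offset + n:
            raise OSError("read error at offset %d" % offset)
        return self.data[offset:offset + n]

def acquire(source, source_size, dest, dest_size, fill=0x00, block=BLOCK):
    """Image `source_size` bytes of `source` into `dest`; return a log dict.
    Requirement 4: an unreadable block is replaced by `fill` bytes and logged.
    Requirement 5: the image stops at source_size; start/end offsets are logged.
    Requirement 6: a destination smaller than the source aborts with an error.
    Requirement 9: SHA-256 of the written image is computed while copying."""
    if dest_size < source_size:
        raise ValueError("destination (%d bytes) is smaller than source (%d bytes)"
                         % (dest_size, source_size))
    digest = hashlib.sha256()
    log = {"start": 0, "end": source_size, "bad_blocks": []}
    offset = 0
    while offset < source_size:
        n = min(block, source_size - offset)
        try:
            chunk = source.read(offset, n)
        except OSError as err:
            chunk = bytes([fill]) * n          # documented fill value, never silent truncation
            log["bad_blocks"].append((offset, n, str(err)))
        dest.write(chunk)
        digest.update(chunk)
        offset += n
    log["sha256"] = digest.hexdigest()
    return log

def verify(image, expected_hex):
    """Recompute the image hash and compare it with the value recorded in the log."""
    return hashlib.sha256(image).hexdigest() == expected_hex

def demo(dest_size=len(DATA) + BLOCK):
    """Run the acquisition against the constructed device; returns (log, image)."""
    dest = io.BytesIO()
    log = acquire(FaultyMemory(DATA, BAD), len(DATA), dest, dest_size)
    return log, dest.getvalue()
```

The log records which offsets were filled rather than read, which is the documentation requirements 3 and 7 ask for.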

Page 7

Outline

1. Introduction
2. Related work (previous work)
3. Tribble: hardware-based memory imaging
4. Conclusions

Page 8

Previous work: software-based approach

Memory device:

1. Unix/Linux: the /dev/mem device (physical memory) and the /dev/kmem device (kernel virtual memory)
2. \\.\PhysicalMemory: device object in Microsoft Windows 2000/2003/XP

WinHex: Tools -> Open RAM... -> Physical Memory

dd:

1. Windows: dd.exe if=\\.\PhysicalMemory of=c:\dump.dd conv=noerror > c:\dump.err
2. Linux: shipped by default

Page 9

Disadvantages of WinHex and dd

1. The software-based solution relies on untrusted resources, i.e. the OS kernel: it depends on the local OS, which may already be compromised
2. It always requires process and kernel memory in order to execute and will therefore overwrite possible evidence: running a process (WinHex/dd) overwrites unallocated memory and may cause allocated memory to be written to swap space or page files
3. An image of physical memory is hard to analyze
4. /dev/mem may be restricted on some systems

Page 10

Live Demo: WinHex

Search memory for passwords

Page 11

Two new tools for analyzing memory dumps

1. Memparser reconstructs a process list and extracts information from process memory (Chris Betz)
2. Kntlist interprets the structures of memory (George M. Garner Jr. and Robert Jan Mora)

Page 12

Previous work: process pseudo-file system tools

1. In Unix/Linux, a process pseudo-file system is mounted at /proc containing information about the kernel and the running processes
2. Typically one file corresponds to all physical memory and one file to each process's memory
3. WinHex for Windows has a similar function
4. Easy to analyze

Page 13

Disadvantages of the process pseudo-file system

1. Need to identify the suspect processes
2. Forces non-resident pages to be read from swap and may cause resident memory pages to be written to swap space
3. Only collects the allocated memory
4. Running a command to copy will overwrite the unallocated memory, which may contain useful information

Page 14

Previous work: virtual machines

1. A virtual machine is an application that emulates a computer environment so that an OS and other applications can execute inside it
2. It can be suspended and saved at any time
3. No special processes are run and it is trusted

Disadvantages: impact on system performance

Page 15

Previous work: Sparc OpenBoot

1. The OpenBoot firmware in a Sun Sparc architecture
2. Use the L1-A (or STOP-A) keys to suspend the system
3. The "sync" command dumps the memory and registers to swap space
4. After reboot, the "savecore" command copies the memory to files

Disadvantages:

1. Overwrites the swap space
2. Requires a reboot of the system
3. Only available on Sparc systems

Page 16

Previous work: hibernation

1. Power management can disable the processor, hard drive, etc. and may save the memory to disk
2. It is not clear that the exact contents, or all of memory, are saved

Page 17

Outline

1. Introduction
2. Related work (previous work)
3. Tribble: hardware-based memory imaging
4. Conclusions

Page 18

PCI System

1. The host/PCI bridge, called the North Bridge
2. The PCI-to-ISA bridge, called the South Bridge. It incorporates the Interrupt Controller, IDE Controller, USB Host Controller and DMA Controller.
3. DMA: direct access to the system memory without the supervision of the CPU

http://www.techtutorials.info/isapci.html

Motherboard

http://www.gen-x-pc.com/mobo2.htm

Page 19

PCI bus acquisition card

1. PCI bus control through PCI bus arbiter

2. DMA transfer

Page 20

Imaging procedure

The acquisition card is powered on and completes its hardware initialization routines:

1. Conducts the Power-On Self Test (POST)
2. Doesn't enable its PCI controller
3. Remains idle

When the external switch is activated, the acquisition process begins:

1. Activates the external storage device to store the memory image
2. Halts the target processor if possible
3. Saves the volatile memory using DMA
4. Calculates the hash value of the data and creates a log
5. Disables the PCI controller and deactivates the external storage device
6. Returns to the idle state

Page 21

Tribble: the proof-of-concept device

Software:

• i960 CTOOLS/MON960 package (C++ compiler, gdb960 debugger)

Tribble:

• IQ80303 processor (PCI-PCI bridge, DMA Controller)

• 2 MB Flash ROM and 512 MB SDRAM

• RS232 UART

• No external storage and switch so far

Page 22

Test procedures

1. Compare the same page of memory using dd and Tribble
2. Read a memory location twice to make sure no memory changed
3. Acquire all memory using dd and Tribble

Results:

• Most are the same
• dd changes memory
• Tribble ran slowly to show memory in ASCII and hex on a serial terminal
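An added example (not from the lecture or the paper) of how the test procedure above can be automated once two images exist: a page-wise hash comparison for steps 1 and 3, and a read-twice check for step 2. The two images, the altered page and the reader functions are constructed here; they stand in for real dd and Tribble acquisitions.

```python
import hashlib

PAGE = 4096

def page_hashes(image, page=PAGE):
    """SHA-256 of each page; a trailing partial page is hashed as-is."""
    return [hashlib.sha256(image[i:i + page]).hexdigest()
            for i in range(0, len(image), page)]

def compare_images(img_a, img_b, page=PAGE):
    """Compare two acquisitions of the same memory page by page (steps 1 and 3).
    Reports which page numbers differ, the fraction that matched and whether
    the two images are even the same size."""
    ha, hb = page_hashes(img_a, page), page_hashes(img_b, page)
    common = min(len(ha), len(hb))
    differing = [i for i in range(common) if ha[i] != hb[i]]
    return {
        "pages_compared": common,
        "differing_pages": differing,
        "identical_fraction": (common - len(differing)) / common if common else 0.0,
        "size_mismatch": len(img_a) != len(img_b),
    }

def read_twice_unchanged(read_page, page_no):
    """Step 2: read the same page twice and report whether it stayed the same."""
    return read_page(page_no) == read_page(page_no)

def volatile_reader(image, page=PAGE):
    """Constructed reader whose page 0 changes between reads (memory still live)."""
    calls = [0]
    def read_page(p):
        calls[0] += 1
        data = image[p * page:(p + 1) * page]
        return data if p != 0 else bytes([calls[0] % 256]) + data[1:]
    return read_page

# Constructed images: TRIBBLE is the reference; DD differs in page 2, modelling
# the acquisition tool's own process memory landing in the image.
TRIBBLE = bytes((i * 7) % 256 for i in range(8 * PAGE))
DD = bytearray(TRIBBLE)
DD[2 * PAGE:2 * PAGE + 64] = b"dd.exe process stack".ljust(64, b"\x00")
DD = bytes(DD)

def demo():
    """Compare the constructed dd image against the constructed Tribble image."""
    return compare_images(TRIBBLE, DD)
```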

Page 23

Outline for Today's Talk

1. Introduction
2. Related work (previous work)
3. Tribble: hardware-based memory imaging
4. Conclusions

Page 24

Conclusions

1. The proof-of-concept device works
2. Tribble needs the card to be installed before the incident
3. Tribble needs a dummy device driver, since the card can be detected by PnP
4. It is still hard to analyze a dump of physical memory

Page 25

References

Brian D. Carrier and Joe Grand, A Hardware-Based Memory Acquisition Procedure for Digital Investigations, Journal of Digital Investigations - March 2004 edition, 2004, http://www.digital-evidence.org/papers/tribble-preprint.pdf

(Optional) Joseph Grand, "pdd: Memory Imaging and Forensic Analysis of Palm OS Devices," http://www.atstake.com/research/reports/, 2002

George M. Garner Jr., Forensic Acquisition Utilities, http://users.erols.com/gmgarner/forensics/ (http://users.erols.com/gmgarner/forensics/forensic%20acquisition%20utilities-bin-1.0.0.1034%20(beta1).zip), 2004

Brian Carrier, Acquisition Tools, http://www.opensourceforensics.org/tools/windows.html, 2005

X-Ways, WinHex: Computer Forensics & Data Recovery Software, Hex Editor & Disk Editor, http://www.x-ways.net/winhex/index-m.html, 2006