COE-589 A Survey of main memory acquisition and analysis techniques for the windows operating system. Authors: Stefan Vömel, Felix C. Freiling. Presented by: Mohammad Faizuddin, g201106390
Jan 04, 2016
Page 1: Title

COE-589

A Survey of main memory acquisition and analysis techniques for the windows operating system

Authors: Stefan Vömel, Felix C. Freiling
Presented by: Mohammad Faizuddin, g201106390

Page 2: Outline

• Introduction
• Motivation
• Technical background
• Acquisition of volatile memory
• Analysis of the acquired memory image
• Volatility: a memory analysis framework
• Conclusion
• Future work

Page 3: Introduction

• Many cases of online fraud, identity theft, and economic espionage have been registered.
• Companies are losing several hundred thousand dollars.

Page 4: Introduction

• Forensic investigation of affected machines helps in finding evidence.
• Traditional computer forensics involves
  – powering off the suspect machine,
  – creating a bit-by-bit image of the hard disks,
  – performing the examination.

Page 5: Introduction

• Minimize interference by avoiding frequent shutdowns of servers.
• Make fewer persistent changes to the hard disk.
• Forensic analysts should search for evidence in volatile system storage.
• Encrypted drives and files make traditional investigations infeasible.

Page 6: Motivation

• Forensic methods developed so far
  – are applied solely to specific versions of operating systems,
  – work only under certain conditions.
• Security professionals lack
  – a thorough understanding of forensic solutions.
• The paper gives a comprehensive and structured overview of
  – existing tools and methodologies.
• It outlines
  – the strengths and weaknesses of the tools.

Page 7: Technical background

• Modern operating systems operate on virtual memory.
• Several advantages:
  – Each process has its own protected view of system memory.
  – Reads and writes are monitored and restricted with the help of privilege rules.
• The layout of physical memory differs from the layout of virtual memory.

Page 8: Technical background - Memory address space layout

• In the Microsoft Windows operating system, each process has its own private virtual address space.
• On 32-bit x86, user space is equipped with 2 GB of virtual memory.
• Kernel space is shared among all system components.

Page 9: Technical background - Virtual address translation

• Programs operate on virtual memory regions.
• Volatile storage is organized into units called pages.
• The page size is 4 kB on x86 platforms.
• A two-level approach is used to reference a page.

Page 10: Technical background - Paging

• In some cases the total virtual memory consumed is larger than the physical storage.
• In this scenario, memory is temporarily swapped out to the hard disk.
• A valid flag indicates whether a virtual address has been paged to disk.
• Up to 16 different page files, each with a maximum size of 4095 MB, are supported on the x86 platform.
• The names and locations of the page files are specified in the registry.
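As an added example (not code from the paper or from the presentation), the following Python performs the two-level, non-PAE x86 translation that slides 9 and 10 describe over a small constructed physical memory image: it splits a 32-bit virtual address into a directory index, a table index and a page offset, honours the valid bit of each entry, and reports a page as non-resident when that bit is clear. The image layout, the directory address used as CR3 (0x1000), the mapped addresses and the data bytes are all constructed for the example.

```python
import struct

PAGE_SIZE = 0x1000        # 4 kB pages on x86, as on slide 9
PRESENT = 1 << 0          # the "valid" bit of a directory/table entry (slide 10)
LARGE_PAGE = 1 << 7       # PS bit: the directory entry maps a 4 MB page directly

def _read_u32(image, phys):
    """Read one little-endian 32-bit entry at a physical offset of the image."""
    return struct.unpack_from("<I", image, phys)[0]

def translate(image, cr3, va):
    """Two-level (non-PAE) x86 walk from virtual to physical address.
    Returns None when the directory or table entry has its valid bit clear,
    i.e. the page is not resident (it may have been paged out to a page file)."""
    pde_index = va >> 22                # top 10 bits select the page directory entry
    pte_index = (va >> 12) & 0x3ff      # next 10 bits select the page table entry
    offset = va & 0xfff                 # low 12 bits are the offset inside the page
    pde = _read_u32(image, cr3 + pde_index * 4)
    if not pde & PRESENT:
        return None
    if pde & LARGE_PAGE:                # 4 MB page: there is no second level
        return (pde & 0xffc00000) | (va & 0x3fffff)
    table = pde & 0xfffff000
    pte = _read_u32(image, table + pte_index * 4)
    if not pte & PRESENT:
        return None
    return (pte & 0xfffff000) | offset

def read_virtual(image, cr3, va, length):
    """Read `length` bytes at a virtual address, crossing page boundaries;
    None if any page on the way is not resident."""
    out = bytearray()
    while length > 0:
        phys = translate(image, cr3, va)
        if phys is None:
            return None
        chunk = min(length, PAGE_SIZE - (va & 0xfff))
        out += image[phys:phys + chunk]
        va += chunk
        length -= chunk
    return bytes(out)

def build_sample_image():
    """Constructed 16 kB 'physical memory': page directory at 0x1000 (used as CR3),
    one page table at 0x2000, a data page at 0x3000. Not taken from any real system."""
    image = bytearray(4 * PAGE_SIZE)
    cr3 = 0x1000
    struct.pack_into("<I", image, cr3 + 1 * 4, 0x2000 | 0x3)       # PDE[1] -> table at 0x2000, present + writable
    struct.pack_into("<I", image, cr3 + 2 * 4, 0x00800000 | 0x83)  # PDE[2] -> 4 MB page at 8 MB (beyond this small image)
    struct.pack_into("<I", image, 0x2000 + 1 * 4, 0x3000 | 0x3)    # PTE[1]: VA 0x00401000 -> PA 0x3000
    struct.pack_into("<I", image, 0x2000 + 2 * 4, 0x0)             # PTE[2]: VA 0x00402000, valid bit clear
    image[0x3234:0x3239] = b"HELLO"                                # data found at VA 0x00401234
    return bytes(image), cr3

if __name__ == "__main__":
    img, cr3 = build_sample_image()
    for va in (0x00401234, 0x00402000, 0x00800abc):
        phys = translate(img, cr3, va)
        desc = "not resident" if phys is None else f"PA {phys:#010x}"
        print(f"VA {va:#010x} -> {desc}")
    print(read_virtual(img, cr3, 0x00401234, 5))
```

The non-resident case is the one an analysis tool has to handle explicitly: a clear valid bit means the contents must be sought in a page file (or are simply absent from the image), and a read that spans such a page should fail as a whole rather than return partial bytes.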

Page 11: Acquisition of volatile memory

• Techniques for capturing volatile data are divided based on
  – hardware,
  – software.
• Several concepts proposed recently rely on a combination of both.
• Viable suggestion:
  – Assess the different technologies with respect to the requirements.
• Schatz identified three major criteria:
  – Fidelity
  – Reliability
  – Availability
• Inspired by Schatz, the authors adopt two factors:
  – Atomicity
  – Availability

Page 12: Acquisition of volatile memory

• A decision matrix helps investigators in choosing a specific memory acquisition technique.
• An ideal acquisition method is characterized by both high atomicity and high availability.
• The right half of the matrix is favored over the left half.

Page 13: Memory acquisition using a dedicated hardware card

• Use of a special hardware card
  – to obtain a forensic image of a computer's RAM.
• Carrier and Grand presented a solution, "Tribble".
  – It uses Direct Memory Access (DMA).
• The hardware card is installed as a dedicated PCI device and is capable of saving volatile information.
• Petroni et al. proposed "FRED" (Forensic RAM Extraction Device).

Page 14: Memory acquisition using a dedicated hardware card

• The described solutions
  – do not rely on functions provided by the operating system,
  – are generally suitable for acquiring an accurate image of volatile memory.
• Rutkowska (2007) showed that it is possible to present a different view of physical memory by reprogramming the chipset.
• Several authors conclude that hardware cards can no longer be fully trusted.

Page 15: Memory acquisition using a dedicated hardware card

• Limitation:
  – The PCI card must be installed prior to its use.
• The authors suggest that
  – the card is beneficial when installed on critical servers,
  – it should be part of a forensic readiness plan.

Page 16: Memory acquisition via a special hardware bus

• As an alternative to PCI cards, several authors suggest reading volatile memory via the IEEE 1394 bus.
• According to Ruff, any hardware bus can potentially be used for physical memory access.
• This technique addresses some of the issues outlined for hardware cards.
• Vidstrom pointed out that the use of this technique causes
  – random system crashes,
  – reliability problems.
• The authors noted inconsistencies after comparing the created images with raw memory dumps.

Page 17: Memory acquisition with the help of virtualization

• The virtual machine monitor (VMM) is responsible for sharing, managing and restricting access to the hardware resources.
• An exceptional characteristic is the capability of a virtual machine to be suspended.
• All volatile data is saved in a .vmem file.
• With the growing importance of internet-hosted services, investigators increasingly have to examine virtual machines.

Page 18: Memory acquisition using software crash dumps

• Microsoft Windows writes dump files to the hard disk in case of a machine failure.
• A dump preserves the contents of the processor registers.
• Dump files can be opened
  – with the Debugging Tools,
  – manually.
• System services may be interrupted by
  – a third-party application,
  – the built-in CrashOnCtrlScroll feature.
• A dump is generated by pressing Right Ctrl + Scroll Lock + Scroll Lock.
• The applicability of this technique is limited to specific situations.
• This acquisition technique is more invasive.

Page 19: Memory acquisition with user level applications

• Data-Dumper is an example of a third-party software solution to acquire a copy of physical memory.
• PMDump dumps the memory contents of a process to a file.
• The Process Dumper utility obtains a process's environment and state.
• Drawbacks of PMDump and Process Dumper:
  – closed source and use of a proprietary data format,
  – require the specification of a process ID.
• These techniques are suitable
  – for incident scenarios,
  – for capturing a forensic image even in situations with little time.

Page 20: Memory acquisition with user level applications

• Weaknesses of the approaches:
  – They work only on specific operating systems.
  – The applications must be loaded into memory before execution.
  – They depend on functions of the operating system.
• A rootkit can
  – deny direct access to the physical memory object,
  – present a modified representation of RAM.
• An untrusted operating system decreases the reliability of the evidence.

Page 21: Memory acquisition with kernel level applications

• Vendors provide kernel level drivers.
  – Freely available, e.g., ManTech's Memory DD, MoonSols' Windows Memory Toolkit.
  – Commercially available, e.g., WinEn, KnTDD and FastDump Pro.
• Libster and Kornblum proposed integrating the capturing mechanism into the system core.
• Characteristics of the proposed module:
  – Capability to halt active system processes.
  – Support for several storage dump locations.

Page 22: Memory acquisition via operating system injection

• Schatz introduced Body-Snatcher,
  – which injects an OS into the subverted kernel of the target machine.
• The concept is promising but has technical constraints:
  – platform specific,
  – limited to a single processor,
  – consumes memory,
  – supports only a serial port for I/O operations.

Page 23: Memory acquisition via cold booting

• Volatile information can be recovered by artificially cooling down the RAM modules,
  – e.g., with liquid nitrogen.
• The target machine is restarted with a custom kernel to access the retained memory.
• Usability of this approach in recent works:
  – AfterLife.
  – Chan et al.'s special booting device.

Page 24: Memory acquisition using the hibernation file

• The Windows hibernation file (hiberfil.sys)
  – contains valuable information,
  – is stored in the root directory of the Windows partition,
  – is compressed to save disk space,
  – uses a proprietary format.
• The quantity and quality of the extracted evidence is limited.
• A working prototype was developed in the course of the SandMan project.
• MoonSols superseded SandMan.

Page 25: Analysis of the acquired memory image

• Analyzing memory for
  – suspicious patterns,
  – usernames,
  – passwords,
  – textual representations.
• Using command line utilities such as
  – strings and grep,
• or powerful applications such as WinHex.
• These methods are
  – easy,
  – noisy,
  – cause huge overhead,
  – produce a lot of false positives.

Page 26: Analysis of the acquired memory image

• An alternative to string searching is a structured methodology.
• It involves examining
  – what type of data is present,
  – how the types are defined,
  – where they are located.
• Relevant information includes
  1. the list of running system processes,
  2. cryptographic keys,
  3. the system registry,
  4. network connections and data,
  5. open files,
  6. system state and application related data.

Page 27: Process analysis

• Malware executables use so-called rootkits and subvert integral system components to avoid detection.
• The FU rootkit implements the Direct Kernel Object Manipulation method to unlink itself from the ActiveProcessLinks list.
• To cope with these issues, Schuster developed a signature-based scanner.

Page 28: Process analysis

• The results can be compared with the standard process list.
• The value of the Size field can be set to zero to circumvent the scanner's rule, and the respective process becomes invisible.
• Dolan-Gavitt created robust signatures.

Page 29: Process analysis

• Zhang et al. used a combination of scanning and list traversing techniques that rely on the Kernel Processor Control Region (KPCR).
• The KPCR contains a separate block, the KPRCB.
• In Microsoft Windows XP, both KPCR and KPRCB are located at fixed addresses.

Page 30: Cryptographic key recovery

• Hargreaves and Chivers describe a linear memory scanning technique.
• Klein defined a simple search pattern.
• Kaplan implemented a pattern-like approach.
• Walters and Petroni outlined a concept that relies on the analysis of publicly available source code.
• Halderman et al. suggested parsing a computer's memory for key schedules.

Page 31: Cryptographic key recovery

• Tsow presented an algorithm capable of recovering cryptographic information from decayed memory images.
• Maartmann-Moe et al. extended the research to additional ciphers and illustrated the vulnerability.
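The key-schedule search that Halderman et al. suggest on slide 30, combined with a simple tolerance for bit errors in the spirit of the decayed-image recovery on slide 31, as an added Python example that is neither the paper's nor Volatility's code: every 16-byte window of a constructed image is treated as a candidate AES-128 key, expanded per FIPS-197, and accepted when the 160 bytes that follow it match the expansion within a bit-error budget. The AES primitives are implemented inline (the S-box is computed rather than tabulated). The filler image, the key offset and the error budget are assumptions for the example, and the tolerance is a simplification that only covers decay in the schedule bytes, not in the key bytes themselves (Tsow's algorithm handles the latter; this code does not).

```python
import random

def _gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return r

def _build_sbox():
    """Compute the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s, r = inv, inv
        for _ in range(4):
            r = ((r << 1) | (r >> 7)) & 0xff
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36]

def expand_aes128_key(key):
    """FIPS-197 key expansion: a 16-byte key yields a 176-byte schedule (11 round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

def find_aes128_keys(image, max_bit_errors=0):
    """Slide a 16-byte window over the image as a candidate key; keep it when the
    160 bytes after it equal its expansion within `max_bit_errors` flipped bits.
    Simplification: decay is tolerated in the schedule bytes only; a decayed key
    byte derails the expansion and is not recovered here."""
    hits = []
    for off in range(len(image) - 176 + 1):
        candidate = bytes(image[off:off + 16])
        schedule = expand_aes128_key(candidate)
        region = bytes(image[off + 16:off + 176])
        errors = 0
        for a, b in zip(schedule[16:], region):
            errors += bin(a ^ b).count("1")
            if errors > max_bit_errors:
                break
        else:
            hits.append((off, candidate))
    return hits

def build_sample_image(key=bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"), key_offset=0x300):
    """Constructed 2 kB image: seeded pseudo-random filler with one complete key
    schedule (the FIPS-197 Appendix A example key) planted at `key_offset`."""
    filler = random.Random(7)
    image = bytearray(filler.randrange(256) for _ in range(0x800))
    image[key_offset:key_offset + 176] = expand_aes128_key(key)
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image()
    for off, key in find_aes128_keys(img):
        print(f"AES-128 key schedule at offset {off:#x}: key {key.hex()}")
```

The check works because a key schedule is highly redundant: 160 bytes are fully determined by the first 16, so a random window almost never passes, while a real schedule passes even when a few bits have decayed. For the defender the lesson is the one the slides draw: as long as a schedule sits in RAM it is recoverable from an image, so key material should live no longer than needed and be cleared when done.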

Page 32: System registry analysis

• The Windows registry is internally structured into a set of files called hives.
• Most registry hives are stored in the system32\config folder.
• A few volatile hives are maintained only in RAM.
• A registry hive consists of
  – a base block,
  – a number of hive bins.
• Internally, a hive is represented by the _CMHIVE structure, which embeds a sub-structure _HHIVE.

Page 33: System registry analysis

• Retrieval of pre-defined keys or values from a memory image is slightly more complex.
• Dolan-Gavitt published a proof-of-concept utility capable of
  – extracting the list of open keys,
  – displaying the corresponding registry data.

Page 34: Network analysis

• Malicious applications typically bind to pre-defined ports.
• Examples of attacks:
  – Distributed Denial of Service.
  – Performance degradation.
• Schuster's algorithm is based on
  – a unique pool tag,
  – a pre-defined pool size.
• Both are recovered after disassembling the tcpip.sys driver.
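The cross-view comparison behind slides 27 and 28 (list walking versus Schuster-style tagged-structure scanning, the Size-field evasion, and why Dolan-Gavitt's robust signatures avoid fields an attacker can zero) and the pool-tag scan that slide 34 attributes to Schuster rest on the same idea, so one added Python example covers both. It is not code from the paper or from Volatility: the record layout, the tag b"PROC", the offsets and the process names are constructed stand-ins for a pool-allocated _EPROCESS with its ActiveProcessLinks, and the "robust" signature is the example's own simplification of the robust-signature idea.

```python
import struct

# Constructed record layout; a stand-in for a pool-allocated _EPROCESS, NOT the real one:
#   +0x00  4-byte tag (constructed b"PROC"; plays the role of the pool tag)
#   +0x04  uint32 size  (expected 0x40; a rootkit may zero it to dodge a size-checking scanner)
#   +0x08  uint32 pid
#   +0x0c  uint32 flink (offset of the next record; stand-in for ActiveProcessLinks.Flink)
#   +0x10  uint32 blink
#   +0x14  16-byte NUL-padded image name
TAG = b"PROC"
REC_SIZE = 0x40
LIST_HEAD = 0x100   # first record; plays the role of the list head the OS starts from

def _record(size, pid, flink, blink, name):
    body = TAG + struct.pack("<IIII", size, pid, flink, blink) + name.ljust(16, b"\0")
    return body.ljust(REC_SIZE, b"\0")

def build_sample_image():
    """Constructed 1 kB 'memory image' with five records, two of them hidden:
    pid 200 is unlinked from the list (its neighbours' pointers skip it, DKOM style),
    pid 400 is unlinked and additionally has its size field zeroed."""
    image = bytearray(0x400)
    records = {
        0x100: _record(REC_SIZE, 4,   0x140, 0x1c0, b"System"),
        0x140: _record(REC_SIZE, 100, 0x1c0, 0x100, b"svc.exe"),
        0x180: _record(REC_SIZE, 200, 0x1c0, 0x140, b"hidden.exe"),
        0x1c0: _record(REC_SIZE, 300, 0x100, 0x140, b"app.exe"),
        0x200: _record(0,        400, 0x100, 0x1c0, b"stealth.exe"),
    }
    for off, rec in records.items():
        image[off:off + REC_SIZE] = rec
    return bytes(image)

def _fields(image, off):
    size, pid, flink, blink = struct.unpack_from("<IIII", image, off + 4)
    name = image[off + 0x14:off + 0x24].split(b"\0", 1)[0]
    return size, pid, flink, blink, name

def walk_active_list(image, head=LIST_HEAD):
    """The list-traversal view (what the live OS and list-walking tools report):
    follow flink from the head until the chain wraps around."""
    pids, off, seen = [], head, set()
    while off not in seen:
        seen.add(off)
        pids.append(_fields(image, off)[1])
        off = _fields(image, off)[2]
    return pids

def _tag_offsets(image):
    off = image.find(TAG)
    while off != -1:
        yield off
        off = image.find(TAG, off + 1)

def naive_scan(image):
    """Tag scan with a strict size rule (the weakness on slide 28): zeroing Size evades it."""
    return [_fields(image, off)[1] for off in _tag_offsets(image)
            if _fields(image, off)[0] == REC_SIZE]

def robust_scan(image):
    """Signature built only from fields a hidden record keeps intact: the tag, a
    printable name, and link pointers that still land on other tagged records
    (unlinking rewrites the neighbours' pointers, not the victim's own)."""
    found = []
    for off in _tag_offsets(image):
        _, pid, flink, blink, name = _fields(image, off)
        printable = len(name) > 0 and all(0x20 <= c < 0x7f for c in name)
        linked = image[flink:flink + 4] == TAG and image[blink:blink + 4] == TAG
        if pid != 0 and printable and linked:
            found.append(pid)
    return found

def cross_view(image, head=LIST_HEAD):
    """Processes the scan finds but the list does not: candidates for hidden processes."""
    return sorted(set(robust_scan(image)) - set(walk_active_list(image, head)))

if __name__ == "__main__":
    img = build_sample_image()
    print("list walk :", walk_active_list(img))
    print("naive scan:", naive_scan(img))
    print("robust    :", robust_scan(img))
    print("hidden    :", cross_view(img))
```

The same structure carries over to the network objects of slide 34: once the pool tag and allocation size of the relevant tcpip.sys structures are known, a scan over the image enumerates every allocation regardless of whether the driver's own lists still reference it, and the difference between the scanned and the listed views is what an investigator examines first.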

Page 35: Network analysis

• Ligh et al. and Okolica and Peterson suggested a different methodology.
• A list crawling-based approach can be seen as reliable to date.
• The provided view of the network is
  – legitimate,
  – unaltered.

Page 36: File analysis

• Examination of
  – open files,
  – dynamically loaded libraries (DLLs).
• Security professionals recommend analyzing the Process Environment Block (PEB).
• The PEB contains
  – the Ldr member,
  – which references three doubly linked lists.
• Dolan-Gavitt proposed a methodology based on Virtual Address Descriptors (VADs).

Page 37: File analysis

• A VAD is a kernel data structure maintained by the memory manager.
• The recovered copy of a memory region can be reverse engineered and inspected.
• These operations supplement traditional file carving techniques (e.g., Foremost and Scalpel).

Page 38: System state- and application-specific analysis

• A memory image contains a lot of information about the system state.
• The _EPROCESS block is a source of valuable data:
  – StartTime and ExitTime.
  – Periods an application spent in the system.
• The Token field helps to reconstruct the security context of an application.
• Stevens and Casey analyzed the DOSKEY utility.
• Issues faced in the analysis of physical memory:
  – Recovery and use of application-level data.
• Published solutions mainly comprise
  – instant messaging,
  – Voice over IP (VoIP).

Page 39: Volatility: a memory analysis framework

• Most memory analysis utilities
  – have their own user interface,
  – must be invoked with different commands,
  – neglect interprocess communication,
  – are OS-dependent.
• The _EPROCESS block differs across
  – operating system versions,
  – service pack levels.
• Walters and Petroni suggest integrating memory forensic techniques with the digital investigation process model.
• Walters and Petroni's work led to the foundation of the forensic framework Volatility.

Page 40: Volatility: a memory analysis framework

• Volatility modules are written in Python.
• Functionality is extended by adding plugins.
• Early versions of the framework supported Windows XP.
• Recent versions support current operating systems.
• The framework implements great parts of the concepts and methods outlined.
• The framework
  – is suitable for high-degree forensic tasks,
  – requires a high level of expertise,
  – aims at academic researchers and security professionals.

Page 41: Conclusion

• Volatile storage contains an abundance of valuable information.
• Data found in RAM or the system page file
  – supports incident reconstruction,
  – supplements hard disk and persistent media-oriented approaches in computer forensics.
• In the forensic process, volatile memory is equally important compared to traditional sources of evidence.

Page 42: Future work

• Extending the functionality of the Volatility framework.
• Developing a suitable visualization technique.
• Cryptographic approaches that are
  – user-friendly,
  – applicable by technically less sophisticated personnel.
• Virtual machine introspection should be explored.

Page 43: Thank you