Presentation is loading. Please wait.

Presentation is loading. Please wait.

Memory Forensics Key component in DFIR Consider a second hobby (knitting) Get a rocking chair You still want to do this? Fine.....

Published byTravon Rakestraw Modified over 9 years ago

Similar presentations

Presentation on theme: "Memory Forensics Key component in DFIR Consider a second hobby (knitting) Get a rocking chair You still want to do this? Fine....."— Presentation transcript:

1

2

3 Memory Forensics Key component in DFIR Consider a second hobby (knitting) Get a rocking chair You still want to do this? Fine.....

4 Stuff to keep in mind If the machine is x64 use the right imager – If you BSOD the machine you destroyed the info

5 Get memory image F-Response – I have yet to play with this – If you have... I dislike you – Uses iSCSI protocol – blocks write operations – Allows you to use other tools to get image – What other tools? Glad you asked...

6 Win32dd/Moonsols Started life as Win32dd Hashes – MD5, SHA-1 and SHA-256 You can set up a listener on your system – Default is port 1337 Will convert memory to MS crashdump

7 Mandiant Memoryze – will acquire and analyze You can analyze a saved image Also required Audit Viewer Mandiant has a newer product...

8 Redline By Mandiant Free to use www.mandiant.com/resources/downloads Pretty slick / Sloooooooooooooooow at times

9 And a bunch more WinPmem – this is very good: Windows XP to Windows 8, both 32 and 64 bit Dumpit – eh not bad we like ^^ better

10 Volatility We like this... Written in Python – Has API so you can make stuff with it – Has plugins that are pretty cool – Works fairly fast – Not as nice as Redline but a lot of options

11 Volatility – Install Stand alone exe for Windows – You’re not left out – Easy install for Linux Download install: Distorm3 – https://code.google.com/p/distormhttps://code.google.com/p/distorm Yara - https://code.google.com/p/yara-project/https://code.google.com/p/yara-project/ PyCrypto - https://www.dlitz.net/software/pycrypto/https://www.dlitz.net/software/pycrypto/ PIL - http://www.pythonware.com/products/pil/http://www.pythonware.com/products/pil/

12 Volatility – Install sudo python setup.py install Flipping hard huh?

13 Volatility – Using When in doubt --help it out Python vol.py –h Mmmmkey so?!?

14 Volatility – Do eeeet What OS was image from: Python vol.py –f -imageinfo – It will do best guess, you should know already – Some tools only work on Vista/2003 – You can get modules from the community – Use an verbose and output file –v –output-file=$path

15 Volatility – Still waiting to do eeet To save typing assume all commands are prefaced with – python vol.py –f --profile=.............

16 Volatility – XP/2003/Vista Network connections: Connections (Standard netstat –an info) Connscan (looks for _TCPT_OBJECTS) Look to see what is running: Pslist – typical tasklist – not cool like tasklist /SVC – Name, Pid, Ppid, Threads, handles, time

17 Volatility Look for: svchost and != svchosts/svch0st/scvhost lsass != Lssas etc Csrss != cssrs etc

18 Wanna see something dirty? 0x01795c18 jqs.exe 1720 676 0x098c01a0 2010-02-03 20 0x01797020 nc.exe 1508 1124 0x098c0200 2010-02-03 20 0x01842900 nc.exe 1888 1124 0x098c03c0 2010-02-03 20 0x0185a2d0 hot_pics.exe 1124 380 0x098c03a0 2010-02-03 20

19 psscan Uses _EPROCESS structure different Can find stuff that is not double linked or unlinked

20 Dlllist If you see a process you want to know more about Take the PID: Dlllist –p 420 Will show you Base Addy, size, path: Base Size Path 0x1000000 0x6000 C:\WINDOWS\system32\svchost.exe 0x7c900000 0xb0000 C:\WINDOWS\system32\ntdll.dll 0x7c800000 0xf4000 C:\WINDOWS\system32\kernel32.dll 0x77dd0000 0x9b000 C:\WINDOWS\system32\ADVAPI32.dll 0x77e70000 0x91000 C:\WINDOWS\system32\RPCRT4.dll 0x5cb70000 0x26000 C:\WINDOWS\system32\ShimEng.dll 0x6f880000 0x1ca000 C:\WINDOWS\AppPatch\AcGenral.DLL 0x77d40000 0x90000 C:\WINDOWS\system32\USER32.dll 0x77f10000 0x46000 C:\WINDOWS\system32\GDI32.dll 0x76b40000 0x2d000 C:\WINDOWS\system32\WINMM.dll 0x774e0000 0x13c000 C:\WINDOWS\system32\ole32.dll

21 Win7/2008 Ton more stuff we can do: Malfind - The second memory segment (starting at 0x015D0000) was detected because it contained an executable that isn't listed in the PEB's module lists. If you want to save extracted copies of the memory segments identified by malfind, just supply an output directory with -D or --dump-dir=DIR. In this case, an unpacked copy of the Zeus binary that was injected into explorer.exe would be written to disk. ---- From WIKI ------ While there read – Yarascan, Svcscan, Ldrmodules, Apihooks, psxview

22 Way more stuff https://code.google.com/p/volatility/ http://www.mandiant.com/resources/downlo ads/ http://www.mandiant.com/resources/downlo ads/

23 L2Read Malware Analyst's Cookbook: Tools and Techniques for Fighting Malicious Code Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7, Third Edition

24 Well screw it... L2listen Forensics - SANS – sans.org d’uh you know they got some good stuff Security in general: Exotic Liability – can be spotty F’ing good in general Pauldotcom – not so much forensics but in general

25

Download ppt "Memory Forensics Key component in DFIR Consider a second hobby (knitting) Get a rocking chair You still want to do this? Fine....."

Similar presentations

COMPUTERS: TOOLS FOR AN INFORMATION AGE Chapter 3 Operating Systems.

COMPUTERS: TOOLS FOR AN INFORMATION AGE Chapter 3 Operating Systems.
Malware Artifacts.

Malware Artifacts.
Computers Are Your Future Twelfth Edition Chapter 4: System Software Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall 1.

Computers Are Your Future Twelfth Edition Chapter 4: System Software Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall 1.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
USB Reloaded USB Reloaded: The Teensy Attack Eric Conrad

USB Reloaded USB Reloaded: The Teensy Attack Eric Conrad
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
Installing SAS 9.3 Raymond R. Balise Health Research and Policy.

Installing SAS 9.3 Raymond R. Balise Health Research and Policy.
MIR on Windows XP (sorta). Options available PartitionMagic w/ BootMagic –Have used this with a few MIR cooperators with good success Microsoft Virtual.

MIR on Windows XP (sorta). Options available PartitionMagic w/ BootMagic –Have used this with a few MIR cooperators with good success Microsoft Virtual.
Operating Systems.

Operating Systems.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Passwords, Encryption Forensic Tools

Passwords, Encryption Forensic Tools
WARNING! Sample chapter -Materials in this sample chapter is selected advanced penetration from https://training.zdresearch.com https://training.zdresearch.com.

WARNING! Sample chapter -Materials in this sample chapter is selected advanced penetration from
One to One instructions Installing and configuring samba on Ubuntu Linux to enable Linux to share files and documents with Windows XP.

One to One instructions Installing and configuring samba on Ubuntu Linux to enable Linux to share files and documents with Windows XP.
Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

Chapter 3.1:Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.
Windows Memory Forensics and Direct Kernel Object Manipulation Jesse Kornblum.

Windows Memory Forensics and Direct Kernel Object Manipulation Jesse Kornblum.
Eucalyptus Virtual Machines Running Maven, Tomcat, and Mysql.

Eucalyptus Virtual Machines Running Maven, Tomcat, and Mysql.
Group 6 Comp 129 Chapter 4.  An operating system s a set of programs made to manage the resources of a computer.  The OS performs five basic functions:

Group 6 Comp 129 Chapter 4.  An operating system s a set of programs made to manage the resources of a computer.  The OS performs five basic functions:
Operating Systems Review. 5 Purposes of an Operating System Provide User Interface Communicate with Hardware Create and Manage a File System Network Support.

Operating Systems Review. 5 Purposes of an Operating System Provide User Interface Communicate with Hardware Create and Manage a File System Network Support.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

Similar presentations

Ads by Google