1. Why are there so many tools left at the end of the money?
Richard Austin MS, CISSP
Southern Polytechnic State University
ADVANCED DIGITAL FORENSICS
WITH OPEN SOURCE TOOLS
2. IT Elder Flatulence
Bio
My First Computer
Richard is a 30+ year veteran of the IT industry in positions ranging from
software developer to security architect. Before beginning a career as an
independent cybersecurity consultant and educator, he was focused on
technology and processes for successfully protecting the 14PB storage area
network infrastructure within the global IT organization of a Fortune 25
company.
MS degree with a concentration in information security from Kennesaw State
University, a DHS/NSA recognized National Center of Academic Excellence in
Information Assurance Education.
Active member of SNIA's Security Technical Working Group.
Active member of the Cloud Security Alliance’s Trusted Cloud Initiative.
Senior Member of both the IEEE and ACM and also a member of the IEEE
Computer Society, CTIN, ISC(2) and the Atlanta Chapter of Infragard.
Book review columnist for IEEE Cipher, the newsletter of the IEEE Computer
Society Technical Committee on Security and Privacy
A published author frequently writing and presenting on storage networking
security, ethics and digital forensics.
Advanced Digital Forensics with Open Source Tools
3. Forensics is Changing
Digital forensics was once solely concerned with
just collecting and analyzing disk images from a
cold, dead system but much useful information
leaves few durable traces on disk
4. Two New Areas
Live memory collection and analysis
Registry analysis
Though commercial tools are available, Open
Source tools provide much of the same
functionality
6. Why Live Memory?
The bad people are very interested in forensic
technology and follow quite closely what we do
Contrary to popular opinion, this stuff ain’t secret
They know that we image disks so they do things that
don’t leave disk traces
Memory-only malware
A lot of information may not leave clearly
discernible disk traces
Open network connections
Active encryption – data may only be in plaintext while
the system is running
7. How do you do it?
Just like any other forensic task
You collect the data
You extract information from it
So what’s all the hubbub, bub?
IAxx architectures don’t have a “DUMP” button
Rely on software to dump main memory (the
infamous BSOD and crashdump)
Reading memory dumps is the province of O/S
level debuggers
Great tools but you have to be a Windows/*UX
internals guru to understand and use them
8. Remember!
When working with a compromised system,
remember you’re working with Satan’s
computer
You have no clue what the attacker may have
done to it
9. Issues
User mode access to the \\.\PhysicalMemory
object was removed in Vista/2003 and later
This was a serious security issue – it’s gone; not
coming back; get over it!
Many older live memory acquisition tools no
longer work
For Vista/2003 and later, a utility must load a
kernel mode driver to get access to physical
memory
Some vendors call this an “agent”
10. Issues
Running a program to collect memory
contents does change the state of memory
(and maybe disk)
Can’t be helped
If physical memory is full, something may be
swapped out when you run the program
Documented, repeatable process is key
You are only collecting physical memory
Swapped out pages will not be in the image
11. Data Triage
•Consider the order of volatility
•Relevance of the type of information to the case under investigation
12. Lots of Options
Memoryze from Mandiant
http://www.mandiant.com/software/memoryze.htm
The usual forensic vendors have their tools
I’ll be demoing winxxdd (community edition)
from http://www.moonsols.com/products/
This free version does have limitations such as not
running from a removable device or via a script.
13. Win32dd
14. Hash the Image
15. Points to Remember
You must be able to run a program as
ADMINISTRATOR on the system
For remote access:
psexec
Remote Desktop
Etc
This does change the state of the system
Students are surprised to see win32dd in the list of
running processes
16. Analyzing the Memory Image
OK, I got it but what do I do with it?
17. Volatility
https://www.volatilesystems.com/default/volatility
Open Source, written in Python
Python is a well-known scripting language
Download Python from www.activestate.com
The 1.3 version only supports XP SP2 and SP3
Version 1.4 is in RC and supports Vista and Windows 7
as well as incorporating many improvements
http://code.google.com/p/volatility/
Already installed on REMnux
18. Update
Volatility 2.0 is now released!!!
Includes a standalone Windows installer
19. Using Volatility
Very simple command-line interface:
python volatility command -f image_file
1.4 adds --profile=profile to identify the O/S
Notable commands:
ident – descriptive information about the dump file
datetime – date/time information for the dump file
(included in ident)
pslist – list of processes
files – list of files open for each process
connections – open network connections
sockets – open sockets
20. ident
In 1.4, this command becomes imageinfo
21. pslist
22. Scan vs List
Some commands have two versions – list and
scan
The difference is that list follows the normal way
of doing things
e.g., listing processes by following the EPROCESS list
scan scans through memory looking for data
structures (e.g., _EPROCESS)
Psscan will find terminated and de-linked processes
(one stealth technique used by rootkits)
The scan version is much slower because it is scanning
memory contents rather than walking a linked list
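As an added illustration (not code from the talk or from Volatility), here is the list-walk versus scan difference on a constructed toy memory image: fake process records are written into a byte buffer, one is unlinked from the list the way a DKOM rootkit hides a process, and the cross-view of the two outputs exposes it. The record layout, tag and offsets are invented for the example.

```python
import struct

# Constructed toy layout of one fake _EPROCESS record (32 bytes), not Volatility's real one:
#   0x00  8-byte tag  b"PROC\0\0\0\0"  stands in for the pool tag / object header
#   0x08  u32 pid
#   0x0c  u32 flink   offset of the next record (ActiveProcessLinks.Flink)
#   0x10  u32 blink   offset of the previous record
#   0x14  12 bytes    NUL-padded image name
REC = struct.Struct("<8sIII12s")
TAG = b"PROC\0\0\0\0"
HEAD = 0x40   # offset of the list head (a bare flink/blink pair), like PsActiveProcessHead

def build_image(procs, unlinked=()):
    """procs: list of (offset, pid, name). Every record is written to memory, but
    PIDs in `unlinked` are left out of the linked list: that is what a DKOM rootkit
    does to hide a process, and what a terminated process looks like until reused."""
    image = bytearray(0x200)
    ring = [HEAD] + [off for off, pid, _ in procs if pid not in unlinked]
    links = {off: (ring[(i + 1) % len(ring)], ring[i - 1]) for i, off in enumerate(ring)}
    struct.pack_into("<II", image, HEAD, *links[HEAD])
    for off, pid, name in procs:
        flink, blink = links.get(off, (off, off))   # unlinked entries point to themselves
        REC.pack_into(image, off, TAG, pid, flink, blink, name.encode())
    return bytes(image)

def pslist(image):
    """Walk the list from the head, the way the OS and Volatility's pslist do."""
    found, seen = [], set()
    off = struct.unpack_from("<I", image, HEAD)[0]
    while off != HEAD and off not in seen:        # stop at the head, or on a corrupted cycle
        seen.add(off)
        _, pid, flink, _, name = REC.unpack_from(image, off)
        found.append((pid, name.rstrip(b"\0").decode()))
        off = flink
    return found

def psscan(image):
    """Carve every plausible record out of raw memory, ignoring the links entirely."""
    found = []
    for off in range(0, len(image) - REC.size + 1, 4):
        tag, pid, _, _, name = REC.unpack_from(image, off)
        if tag == TAG and pid != 0:               # cheap sanity checks, as real scanners apply
            found.append((pid, name.rstrip(b"\0").decode()))
    return found

def hidden_processes(image):
    """Cross-view check: anything psscan sees that pslist does not."""
    return sorted(set(psscan(image)) - set(pslist(image)))

if __name__ == "__main__":
    procs = [(0x80, 4, "System"), (0xc0, 1234, "ftp.exe"), (0x100, 1500, "explorer.exe")]
    img = build_image(procs, unlinked={1234})
    print("pslist:", pslist(img), "\npsscan:", psscan(img), "\nhidden:", hidden_processes(img))
```

The scan loop touches every aligned offset, which is why the real psscan is so much slower than walking the list; the payoff is that it does not trust the links at all.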
23. psscan
Terminated FTP processes
24. files
25. connections
FTP
27. sockets
28. netscan
For Vista and later, these are consolidated into
netscan
Sample output taken from the Volatility 1.4 wiki
http://code.google.com/p/volatility/wiki/CommandReference#netscan
29. Protocol Numbers
30. And the Registry
Locating the Registry -- hivelist
31. Listing Keys
32. Examining Values
33. Services – Where malware
hides
34. What does it all mean?
Working with memory contents does require a bit of knowledge about
what it all means
These are two good reference books on how Windows really works and
what you’re looking at in a memory dump
35. BUT What About Vista, …?
Volatility is nice but it only works on XP. So if you
need to look at memory on Vista, Server 2003,
etc, you’re back to using strings ….
Of course not:
1.4 is in RC and is installed in the REMnux CD (and virtual
appliance)
And other tools are a little more arcane but they work
The Windows Debugging Tools can be used to analyze a
Windd dump IFF it’s made in crashdump format (-d option)
http://www.msuiche.net/con/BlackHat_Webcast_New_Frontiers_in_Forensics.pdf
36. Active Processes
37. Don’t get too comfortable …
Particularly Part III on Anti-Forensics
“In war the will is directed at an animate object that reacts.”
Carl Von Clausewitz, On War
39. Windows Registry
The Windows registry has been found to
contain a treasure trove of information useful
to the forensic analyst
The good news is that disk imaging includes the
registry
New tools are simplifying the process of
extracting this information in a useful format
40. Nomenclature
Value Data
Type
Key
Subkey
41. Registry File Locations
System      %WINDIR%\system32\config\System
SAM         %WINDIR%\system32\config\Sam
Security    %WINDIR%\system32\config\Security
Software    %WINDIR%\system32\config\Software
NTUSER.DAT  \Documents and Settings\User
Simply extract these files from the image
Security on NTUSER.DAT may prevent copying so use the type command to
make a copy:
type NTUSER.DAT > somewhere_else
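As an added example (not from the talk or from any of the tools it names), a script that locates the hive files listed above under a mounted image root, copies them out and hashes each copy so the value can go straight into the case notes. It assumes %WINDIR% is "Windows", and the sample file tree it builds is constructed for the demonstration.

```python
import hashlib, shutil, tempfile
from pathlib import Path

# Hive locations from the slide, relative to the mounted image's root drive.
# %WINDIR% is assumed to be "Windows"; adjust if the image differs.
HIVES = {"System": "Windows/system32/config/System",
         "SAM": "Windows/system32/config/Sam",
         "Security": "Windows/system32/config/Security",
         "Software": "Windows/system32/config/Software"}
PROFILES = "Documents and Settings"   # one NTUSER.DAT per user profile under here

def find_hives(root):
    """Return {label: path} for every hive present under the mounted image root."""
    root = Path(root)
    found = {name: root / rel for name, rel in HIVES.items() if (root / rel).is_file()}
    for prof in sorted((root / PROFILES).glob("*/NTUSER.DAT")):
        found["NTUSER.DAT_" + prof.parent.name] = prof       # label by profile name
    return found

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):   # hives can be large; stream them
            h.update(chunk)
    return h.hexdigest()

def export_hives(root, dest):
    """Copy each hive into dest and return {label: (copied_path, sha256)}. Hashing at
    export time gives you the value to record in your notes (documented, repeatable)."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for label, src in find_hives(root).items():
        out = dest / label
        shutil.copyfile(src, out)   # if ACLs on NTUSER.DAT block this, fall back to the type trick
        manifest[label] = (str(out), sha256(out))
    return manifest

def make_sample_image():
    """Constructed stand-in for a mounted image: a temp dir holding fake hive files."""
    root = Path(tempfile.mkdtemp(prefix="img_"))
    for rel in list(HIVES.values()) + [f"{PROFILES}/{u}/NTUSER.DAT" for u in ("Tom", "Leslie")]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"regf " + rel.encode())    # not a real hive, just bytes
    return str(root)

if __name__ == "__main__":
    root = make_sample_image()
    for label, (path, digest) in export_hives(root, root + "_export").items():
        print(f"{label:18} {digest[:16]}...  {path}")
```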
42. Note
I’m going to be showing some representative
samples of the information available and the
things they imply about events in the real
world.
If you get lost in the key-value wilderness,
don’t despair – it’s all in the book.
What book? Be patient.
43. Mounting images
You need to extract the registry files out of
the disk image
P2Explorer is a very useful tool provided free by
Paraben
http://www.paraben.com/p2-explorer.html
It allows you to mount disk images on a Windows
system (free edition only works on 32-bit versions)
OSFMount from PassMark software is another
option
Works on both 32 and 64 bit Windows
47. Advantages of Mounted Image
Mounting the image basically gives you read-
only access to the contents of the image as a
drive letter
Windows Explorer, anti-malware, etc, can be used
No need to export everything in advance
48. Other Options
FTKImager is a free download from
AccessData (developers of The Forensic
Toolkit)
It can be used to open a disk image and
export the registry files
49. Exporting Registry Files
Imager can open most of the common image formats (dd, EnCase, etc)
50. Exporting Registry Files
Once the image is opened, students see a familiar directory tree and
just have to navigate to the registry file locations
Files are exported by right clicking the file and selecting “Export”
from the menu
52. Resource
This is an excellent book that covers many of the registry analysis
tasks in detail
RegRipper is the tool used for analyzing the registry after it is collected
http://www.regripper.net/RegRipper/ and also available on the tools CD
that accompanies the book
You can read my book review at
http://www.ieee-security.org/Cipher/BookReviews
(shameless self-promotion)
53. The Case: Price Software
Tom Warner is suspected of industrial espionage
He was upset about being passed over for a VP
position
He is alleged to have set up a quid pro quo deal with a
competitor
He may have colluded with Leslie Stowle in other
actions
The forensic analyst has been given an image of
Tom’s Windows workstation
Let’s see what kinds of information can be found
54. Plugins
RegRipper comes with a wide variety of
plugins for examining registry information
Plugins are basically Perl scripts
55. Running Plugins: winver
You have the option to run the Perl scripts
directly if you have Perl (and the right
libraries) installed or you can use rip.exe
rip -r registryfile -p plugin
59. The GUI
A GUI (rr.exe) is available
It provides access to plugin files that collect commonly used plugins
into a single file and run them as a group
60. Plugin Files
Some sets of plugins are so commonly used
together they are listed in a plugin file
rip -r registryfile -f pluginfile
The plugin file is just a list of plugins to be run
61. Network Config
Excerpt from the SYSTEM plugin report
Pretend you didn’t notice “Guidance Software”
62. The Software Hive
The disk image had large blocks of binary 0’s –
wonder how that happened?
64. Scenarios
Simson Garfinkel of the NPS is working under
an NSF grant to produce scenarios and
associated forensic images for use in teaching
digital forensics
Two scenarios are currently available at
http://domex.nps.edu/corp/scenarios
65. M57
2009-M57 "Patents" scenario
This scenario involves a small company called M57
which was engaged in prior art searches for
patents. The fictional company is contacted by
the local police in November 2009 after a person
purchases a computer from Craigslist and
discovers "kitty porn" on the computer. The
police trace the computer back to the M57
company.
Includes an instructor’s packet!!!
66. Nitroba
Nitroba University Harassment Scenario
This scenario involves a harassment case at
the fictional Nitroba University.
67. Summary
Digital forensic practice must evolve to keep
pace
Live memory analysis for volatile information lost
when a system is shut down or restarted
The Windows registry is a rich mine of
information