COE-589
Presentation Transcript


  1. COE-589 A Survey of main memory acquisition and analysis techniques for the Windows operating system Authors: Stefan Vömel, Felix C. Freiling Presented by: Mohammad Faizuddin g201106390

  2. Outline • Introduction • Motivation • Technical background • Acquisition of volatile memory • Analysis of acquired memory image • Volatility: a memory analysis framework • Conclusion • Future work

  3. Introduction • Many cases of online fraud, identity theft, and economic espionage are registered. • Companies are losing several hundred thousand dollars.

  4. Introduction • Forensic investigation of affected machines helps in finding evidence. • Traditional computer forensics involves • Powering off the suspect machine. • Creating a bit-by-bit image of the hard disks. • Performing the examination.

  5. Introduction • Minimize interference by avoiding frequent shutdowns of servers. • Make fewer persistent changes to the hard disk. • Forensic analysts should search for evidence in volatile system storage. • Encrypted drives and files make traditional investigations infeasible.

  6. Motivation • Forensic methods developed so far • Apply solely to specific versions of operating systems. • Work only under certain conditions. • Security professionals lack • A thorough understanding of forensic solutions. • A comprehensive and structured overview of • Existing tools and methodologies. • An outline of • Strengths and weaknesses of tools.

  7. Technical background • Modern operating systems operate on virtual memory. • Several advantages • Each process has its own protected view of system memory. • Read and write accesses are monitored and restricted with the help of privilege rules. • The layout of physical and virtual memory differs.

  8. Technical background - Memory address space layout • In the Microsoft Windows operating system, each process has its own private virtual address space. • On 32-bit x86, each user process is equipped with 2 GB of virtual memory. • Kernel space is shared among all system components.

  9. Technical background - Virtual address translation • Programs operate on virtual memory regions. • Volatile storage is organized into units called pages. • The page size is 4 kB on x86 platforms. • A two-level approach is used to reference a page.

  10. Technical background - Paging • In some cases the total virtual memory consumed is larger than the physical storage. • In this scenario memory is temporarily swapped out to the hard disk. • A valid flag indicates whether a virtual address has been paged to disk. • 16 different page files with a maximum size of 4095 MB each are supported on the x86 platform. • Name and location of the files are specified in the registry.
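The two-level translation and the valid flag from slides 9 and 10, as an added worked example that is not part of the presentation or the surveyed paper. It models a non-PAE x86 page directory and page table as constructed Python lists (the physical frame addresses 0x3000, 0x9000 and 0xA000 are made up) and shows how a forensic tool decides whether a virtual address can be resolved in the RAM image at all.

```python
# Added example (not from the surveyed paper or the slides): two-level x86
# virtual-to-physical translation over constructed, simplified page tables.
PAGE_SIZE = 4096          # 4 kB pages on x86
VALID = 0x1               # bit 0 of a PDE/PTE: the page is present in RAM
FRAME_MASK = 0xFFFFF000   # upper 20 bits hold the physical frame address

def split_virtual_address(va):
    """Split a 32-bit virtual address into (PDE index, PTE index, page offset)."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & (PAGE_SIZE - 1)

def translate(va, page_directory, page_tables):
    """Return the physical address for va, or None when the page directory entry
    or the page table entry is not valid (the data is paged out or unmapped)."""
    pde_index, pte_index, offset = split_virtual_address(va)
    pde = page_directory[pde_index]
    if not pde & VALID:
        return None                      # whole 4 MB region unmapped or paged out
    pte = page_tables[pde & FRAME_MASK][pte_index]
    if not pte & VALID:
        return None                      # page itself swapped to a page file
    return (pte & FRAME_MASK) | offset

# Constructed sample: one page directory and one page table at physical 0x3000.
PAGE_DIRECTORY = [0] * 1024
PAGE_DIRECTORY[1] = 0x3000 | VALID       # covers virtual 0x00400000-0x007FFFFF
PAGE_TABLES = {0x3000: [0] * 1024}
PAGE_TABLES[0x3000][1] = 0x9000 | VALID  # virtual 0x00401000-0x00401FFF -> physical 0x9000
PAGE_TABLES[0x3000][2] = 0xA000          # valid bit clear: this page lives on disk

if __name__ == "__main__":
    for va in (0x00401234, 0x00402010, 0x80000000):
        print(hex(va), "->", translate(va, PAGE_DIRECTORY, PAGE_TABLES))
```

A `None` result is the case an analyst must expect: the data may still exist in one of the page files named in the registry, but not in the RAM image.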

  11. Acquisition of volatile memory • Techniques for capturing volatile data are divided into • Hardware-based. • Software-based. • Several concepts proposed recently rely on a combination of both. • Viable suggestion • Assess the different technologies with respect to the requirements. • Schatz identified three major criteria • Fidelity • Reliability • Availability • Inspired by Schatz, the authors adopt two factors • Atomicity • Availability

  12. Acquisition of volatile memory • A decision matrix helps investigators in choosing a specific memory acquisition technique. • An ideal acquisition method is characterized by both high atomicity and high availability. • The right half of the matrix is favored over the left half.

  13. Memory acquisition using a dedicated hardware card • Use of a special hardware card • To obtain a forensic image of a computer’s RAM. • Carrier and Grand presented a solution, “Tribble”. • It uses Direct Memory Access (DMA). • The hardware card is installed as a dedicated PCI device and is capable of saving volatile information. • Petroni et al. proposed “FRED” (Forensic RAM Extraction Device).

  14. Memory acquisition using a dedicated hardware card • The described solutions • Do not rely on functions provided by the operating system. • Are generally suitable for acquiring an accurate image of volatile memory. • Rutkowska (2007) proved that it is possible to present a different view of physical memory by reprogramming the chipset. • Several authors conclude that hardware cards can no longer be fully trusted.

  15. Memory acquisition using a dedicated hardware card • Limitation • The PCI card must be installed before it is needed. • The authors suggest that • The card is beneficial when installed on critical servers. • It should be part of a forensic readiness plan.

  16. Memory acquisition via a special hardware bus • As an alternative to PCI cards, several authors suggest reading volatile memory via the IEEE 1394 bus. • According to Ruff, any hardware bus can potentially be used for physical memory access. • This technique addresses some of the issues outlined for hardware cards. • Vidstrom pointed out that the use of this technique causes • Random system crashes. • Reliability problems. • The authors found inconsistencies after comparing the created images with raw memory dumps.

  17. Memory acquisition with the help of virtualization • The virtual machine monitor (VMM) is responsible for sharing, managing and restricting access to the hardware resources. • An exceptional characteristic is the capability to be suspended. • All volatile data is saved in a .vmem file. • With the growing importance of internet-hosted services, investigators increasingly have to examine virtual machines.

  18. Memory acquisition using software crash dumps • Microsoft Windows writes dump files to the hard disk in case of a machine failure. • Preserves the contents of the processor registers. • Dump files can be opened with • Debugging tools. • Manually triggered dumps • System services may be interrupted. • Third-party application. • Built-in CrashOnCtrlScroll. • The dump is generated by pressing Right Ctrl + Scroll Lock + Scroll Lock. • This technique is only suitable in specific situations. • This acquisition technique is more invasive.

  19. Memory acquisition with user level applications • Data-Dumper is an example of a third-party software solution to acquire a copy of physical memory. • PMDump dumps the memory contents of a process to a file. • The Process Dumper utility obtains a process’s environment and state. • PMDump and Process Dumper drawbacks • Closed source and use of a proprietary data format. • Require specification of a process ID. • The techniques are suitable for • Incident scenarios. • Capturing a forensic image even in situations with little time.

  20. Memory acquisition with user level applications • Weaknesses of the approaches • Work only on specific operating systems. • Applications must be loaded into memory before execution. • Depend on functions of the operating system. • Rootkits may • Deny direct access to the physical memory object. • Present a modified representation of RAM. • An untrusted operating system decreases the reliability of the evidence.

  21. Memory acquisition with kernel level applications • Vendors provide kernel level drivers. • Freely available, e.g., ManTech’s Memory DD, MoonSols’ Windows Memory Toolkit. • Commercially available, e.g., WinEn, KnTDD and FastDump Pro. • Libster and Kornblum proposed integrating the capturing mechanism into the system core. • Characteristics of the proposed module • Capability to halt active system processes. • Support for several storage dump locations.

  22. Memory acquisition via operating system injection • Schatz introduced Body-Snatcher • Which injects an OS into the subverted kernel of the target machine. • The concept is promising but has technical constraints • Platform specific. • Limited to a single processor. • Consumes memory. • Supports only the serial port for I/O operations.

  23. Memory acquisition via cold booting • Volatile information can be recovered by artificially cooling down the RAM modules. • e.g., liquid nitrogen. • The target machine is restarted with a custom kernel to access the retained memory. • Use of this approach in recent works • AfterLife. • Chan et al.’s special booting device.

  24. Memory acquisition using the hibernation file • Windows hibernation file (hiberfil.sys) • Contains valuable information. • Stored in the root directory of the Windows partition. • Compressed to save disk space. • Uses a proprietary format. • Quantity and quality of the extracted evidence are limited. • A working prototype was developed in the course of the SandMan project. • MoonSols superseded SandMan.

  25. Analysis of the acquired memory image • Analyzing memory for • Suspicious patterns. • Usernames. • Passwords. • Textual representations. • Using command-line utilities such as • strings and grep. • Powerful applications such as WinHex. • These methods are • Easy. • Noisy. • Cause huge overhead. • Produce a lot of false positives.

  26. Analysis of the acquired memory image • The alternative to string searching is a structured methodology. • It involves examining • What type of data exists. • How the types are defined. • Where they are located. • Relevant information includes • List of running system processes. • Cryptographic keys. • System registry. • Network connections and data. • Open files. • System state and application-related data.

  27. Process analysis • Malware executables use so-called rootkits and subvert integral system structures to avoid detection. • The FU rootkit implements the method Direct Kernel Object Manipulation to unlink itself from the ActiveProcessLinks list. • To cope with these issues, Schuster developed a signature-based scanner.

  28. Process analysis • Results can be compared with the standard process list. • The value of the Size field can be set to zero to circumvent the rule of the scanner, and the respective process becomes invisible. • Dolan-Gavitt created robust signatures.

  29. Process analysis • Zhang et al. used combination of scanning and list traversing techniques that rely on Kernel Processor Control Region (KPCR). • KPCR contains separate block KPRCB. • In Microsoft Windows XP, both KPCR and KPRCB are located at fixed addresses.
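The list-walking versus signature-scanning contrast of slides 27 to 29, as an added example that is not part of the presentation or the surveyed paper. It uses a constructed, heavily simplified 32-byte process block with a made-up pool tag `PROC`, not the real `_EPROCESS` layout, and shows why a scanner plus a cross-view comparison recovers a block that DKOM has unlinked from the list.

```python
import struct

# Added example (not from the paper or the slides). Constructed, simplified process
# block, NOT the real _EPROCESS layout. Offsets: 0 pool tag (4), 4 Size (4),
# 8 ImageFileName (16), 24 Flink (4), 28 Blink (4); little-endian, 32 bytes total.
TAG, BLOCK_SIZE, FMT = b"PROC", 32, "<4sI16sII"

def build_image(names, base=0x100):
    """Lay out one block per name as a circular doubly linked list in a bytearray."""
    image = bytearray(base + BLOCK_SIZE * len(names))
    offs = [base + i * BLOCK_SIZE for i in range(len(names))]
    for i, (name, off) in enumerate(zip(names, offs)):
        flink, blink = offs[(i + 1) % len(offs)], offs[i - 1]
        struct.pack_into(FMT, image, off, TAG, BLOCK_SIZE,
                         name.encode().ljust(16, b"\0"), flink, blink)
    return image, offs[0]                  # offs[0] plays the role of the list head

def read_block(image, off):
    tag, size, name, flink, blink = struct.unpack_from(FMT, image, off)
    return tag, size, name.rstrip(b"\0").decode(), flink, blink

def unlink(image, off):
    """Direct Kernel Object Manipulation: splice the block out of the list without
    freeing it, so tools that follow the list no longer see it."""
    _, _, _, flink, blink = read_block(image, off)
    struct.pack_into("<I", image, blink + 24, flink)   # prev.Flink = next
    struct.pack_into("<I", image, flink + 28, blink)   # next.Blink = prev

def walk_list(image, head):
    """The view a tool gets by following Flink pointers from the list head."""
    names, off = [], head
    while True:
        _, _, name, flink, _ = read_block(image, off)
        names.append(name)
        off = flink
        if off == head:
            return names

def scan_image(image):
    """Signature scan: every block carrying the pool tag and the expected Size,
    linked or not. Relying on Size is the weakness noted for the first scanner;
    robust signatures prefer fields that cannot be altered without a crash."""
    return [read_block(image, off)[2] for off in range(0, len(image) - BLOCK_SIZE + 1, 4)
            if image[off:off + 4] == TAG and read_block(image, off)[1] == BLOCK_SIZE]

def hidden_processes(image, head):
    """Cross-view comparison: found by scanning but missing from the list."""
    return sorted(set(scan_image(image)) - set(walk_list(image, head)))
```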

  30. Cryptographic key recovery • Hargreaves and Chivers describe a linear memory scanning technique. • Klein defined a simple search pattern. • Kaplan implemented a pattern-like approach. • Walters and Petroni outlined a concept that relies on the analysis of publicly available source code. • Halderman et al. suggested parsing a computer’s memory for key schedules.

  31. Cryptographic key recovery • Tsow presented an algorithm capable of recovering cryptographic information from decayed memory images. • Maartmann-Moe et al. extended the research to additional ciphers and illustrated the vulnerability.
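The key-schedule search of slide 30 (Halderman et al.) as an added example that is not part of the presentation or the surveyed paper. It expands every 16-byte window of a constructed image with the AES-128 key schedule and reports the windows whose expansion matches the following 160 bytes; the sample key is the public FIPS-197 test vector and the surrounding filler is made up. Exact matching is the intact-image case; the decayed-image recovery of slide 31 needs Tsow's error-correcting approach and is not shown here.

```python
# Added example (not from the paper): locate AES-128 keys in a memory image by
# looking for their expanded key schedule, the idea behind Halderman et al.'s work.
def _make_sbox():
    """Generate the AES S-box from its GF(2^8) definition instead of a 256-byte table."""
    rotl = lambda b, k: ((b << k) | (b >> (8 - k))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1                 # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF          # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            sbox[0] = 0x63                       # zero has no inverse; fixed value
            return sbox

SBOX = _make_sbox()

def expand_key(key):
    """AES-128 key schedule (FIPS-197): 16-byte key -> 176 bytes of round keys."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]] # RotWord followed by SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(sum(w, []))

def find_aes128_keys(image):
    """Return (offset, key) for every 176-byte window whose first 16 bytes expand
    to exactly the 160 bytes that follow. Random data does not satisfy this, so a
    hit is a key schedule that was resident in RAM when the image was taken."""
    hits = []
    for off in range(len(image) - 175):
        if expand_key(image[off:off + 16]) == image[off:off + 176]:
            hits.append((off, bytes(image[off:off + 16])))
    return hits

# Constructed sample image: filler, then the schedule of the FIPS-197 example key.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE_IMAGE = bytes(range(256)) * 2 + expand_key(SAMPLE_KEY) + b"\xff" * 300

if __name__ == "__main__":
    for off, key in find_aes128_keys(SAMPLE_IMAGE):
        print("AES-128 key schedule at offset", off, "key", key.hex())
```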

  32. System registry analysis • The Windows registry is internally structured into a set of so-called hives. • Most registry hives are stored in the system32\config folder. • A few volatile hives are maintained only in RAM. • A registry hive consists of • A base block. • A number of hive bins. • Internally, a hive is represented by a _CMHIVE structure, which embeds a sub-structure _HHIVE.

  33. System registry analysis • Retrieval of pre-defined keys or values from a memory image is slightly more complex. • Dolan-Gavitt published a proof-of-concept utility capable of • Extracting the list of open keys. • Displaying the corresponding registry data.

  34. Network analysis • Malicious applications typically bind to pre-defined ports. • Examples of attacks • Distributed Denial of Service. • Performance degradation. • Schuster’s algorithm is based on • A unique pool tag. • A pre-defined pool size. • Both are recovered by disassembling the tcpip.sys driver.

  35. Network analysis • Ligh et al. and Okolica and Peterson suggested a different methodology. • A list-crawling-based approach can be seen as reliable to date. • The provided view of the network is • Legitimate. • Unaltered.

  36. File analysis • Examination of • Open files. • Dynamically loaded libraries (DLLs). • Security professionals recommend analyzing the Process Environment Block (PEB). • The PEB contains • The Ldr member. • Three doubly linked lists. • Dolan-Gavitt proposed a methodology based on Virtual Address Descriptors (VADs).

  37. File analysis • The VAD is a kernel data structure maintained by the memory manager. • A recovered copy of memory can be reverse engineered and inspected. • These operations supplement traditional file carving techniques (e.g., Foremost and Scalpel).

  38. System state- and application-specific analysis • The memory image contains a lot of information about the system state. • The _EPROCESS block is a source of valuable data • StartTime and ExitTime. • Periods an application spent in the system. • The Token member helps to reconstruct the security context of an application. • Stevens and Casey analyzed the DOSKEY utility. • Issues faced in the analysis of physical memory • Recovery and use of application-level data. • Published solutions mainly comprise • Instant messaging. • Voice over IP (VoIP).

  39. Volatility: a memory analysis framework • Most memory analysis utilities • Have their own user interface. • Must be invoked with different commands. • Neglect interprocess communication. • Are OS-dependent. • The _EPROCESS block differs across • Operating system versions. • Service pack levels. • Walters and Petroni suggest integrating memory forensic techniques with a digital investigation process model. • Walters and Petroni’s work led to the foundation of the forensic framework Volatility.

  40. Volatility: a memory analysis framework • Volatility modules are written in Python. • Functionality is extended by adding plugins. • Early versions of the framework supported Windows XP. • Recent versions support current operating systems. • The framework implements great parts of the concepts and methods outlined. • The framework • Is suitable for demanding forensic tasks. • Requires a high level of expertise. • Aims at academic researchers and security professionals.

  41. Conclusion • Volatile storage contains a wealth of valuable information. • Data found in RAM or the system page file • Supports incident reconstruction. • Supplements hard disk and persistent-media-oriented approaches in computer forensics. • In the forensic process, volatile memory is equally important compared to traditional sources of evidence.

  42. Future work • Extending the functionality of the Volatility framework. • Developing a suitable visualization technique. • Cryptographic approaches should be • User-friendly. • Applicable by technically less sophisticated personnel. • Virtual machine introspection should be explored.

  43. Thank you
