COE-589 A Survey of Main Memory Acquisition and Analysis Techniques for the Windows Operating System Authors: Stefan Vömel, Felix C. Freiling Presented by: Mohammad Faizuddin g201106390
Outline • Introduction • Motivation • Technical background • Acquisition of volatile memory • Analysis of acquired memory image • Volatility: a memory analysis framework • Conclusion • Future work
Introduction • Many cases of online fraud, identity theft, and economic espionage have been registered. • Companies are losing several hundred thousand dollars.
Introduction • Forensic investigation of affected machines helps in finding evidence. • Traditional computer forensics involves • Powering off the suspect machine. • Creating a bit-by-bit image of the hard disks. • Performing the examination.
Introduction • Minimize interference by avoiding frequent shutdowns of servers. • Make fewer persistent changes to the hard disk. • Forensic analysts should search for evidence in volatile system storage. • Encrypted drives and files make traditional investigations infeasible.
Motivation • Forensic methods developed so far • Are applied solely to specific versions of operating systems. • Work only under certain conditions. • Security professionals lack • A thorough understanding of forensic solutions. • A comprehensive and structured overview of • Existing tools and methodologies. • An outline of • Strengths and weaknesses of tools.
Technical background • Modern operating systems operate on virtual memory. • Several advantages • Each process has its own protected view of system memory. • Read and write accesses can be monitored and restricted with the help of privilege rules. • The layout of physical and virtual memory differs.
Technical background - Memory address space layout • In the Microsoft Windows operating system, each process has its own private virtual address space. • On 32-bit x86, user space is equipped with 2 GB of virtual memory. • Kernel space is shared among all system components.
Technical background - Virtual address translation • Programs operate on virtual memory regions. • Volatile storage is organized into units called pages. • The page size is 4 kB on x86 platforms. • A two-level approach is used to reference a page.
Technical background - Paging • In some cases the total virtual memory consumed is larger than the physical storage. • In this scenario memory is temporarily swapped out to the hard disk. • A valid flag indicates whether the page behind a virtual address is present in RAM or has been paged out to disk. • Up to 16 different page files with a maximum size of 4095 MB each are supported on the x86 platform. • The names and locations of the files are specified in the registry.
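The two-level translation and the valid flag from the last two slides, as an added worked example (not code from the surveyed paper or the presentation). It walks the classic 32-bit x86 page directory / page table split (10 + 10 + 12 bits) over a constructed 8-page physical image whose layout, CR3 value and contents are assumptions made for the demonstration; a memory analysis tool has to perform exactly this walk before it can read any process's virtual memory out of a raw dump, and a clear valid bit is where the page file comes into play.

```python
import struct

PAGE_SIZE = 4096
ENTRY_VALID = 0x1          # bit 0 of a PDE/PTE: page is present in RAM
FRAME_MASK = 0xFFFFF000    # bits 31..12: physical frame address

def split_va(va):
    """Split a 32-bit virtual address into the classic x86 (non-PAE) fields:
    10-bit page-directory index, 10-bit page-table index, 12-bit page offset."""
    return (va >> 22) & 0x3FF, (va >> 12) & 0x3FF, va & 0xFFF

def read_entry(image, phys_off):
    """Read one 32-bit page-directory or page-table entry from the image."""
    return struct.unpack_from("<I", image, phys_off)[0]

def translate(image, cr3, va):
    """Walk the two-level page tables rooted at CR3 (physical address of the
    page directory). Returns the physical offset in the image, or None when
    the valid bit is clear at either level (the page is not mapped, or it has
    been swapped out and would have to be fetched from a page file)."""
    pd_idx, pt_idx, offset = split_va(va)
    pde = read_entry(image, cr3 + pd_idx * 4)
    if not pde & ENTRY_VALID:
        return None
    # 4 MB large pages (PS bit) and PAE are deliberately out of scope here
    pte = read_entry(image, (pde & FRAME_MASK) + pt_idx * 4)
    if not pte & ENTRY_VALID:
        return None
    return (pte & FRAME_MASK) + offset

def read_virtual(image, cr3, va, length):
    """Read `length` bytes at a virtual address (single page only)."""
    phys = translate(image, cr3, va)
    if phys is None:
        return None
    return bytes(image[phys:phys + length])

def build_image():
    """Constructed 8-page physical image (not a real dump): page 1 holds the
    page directory, page 2 a page table, page 3 the data page."""
    image = bytearray(8 * PAGE_SIZE)
    cr3 = 1 * PAGE_SIZE
    page_table = 2 * PAGE_SIZE
    data_page = 3 * PAGE_SIZE
    # Map virtual 0x00401000: PD index 1 -> page table, PT index 1 -> data page
    struct.pack_into("<I", image, cr3 + 1 * 4, page_table | ENTRY_VALID)
    struct.pack_into("<I", image, page_table + 1 * 4, data_page | ENTRY_VALID)
    # PT index 2 (virtual 0x00402000) points somewhere but has no valid bit:
    # this is what a paged-out page looks like to the walker
    struct.pack_into("<I", image, page_table + 2 * 4, 5 * PAGE_SIZE)
    image[data_page + 0x10:data_page + 0x16] = b"secret"
    return image, cr3

if __name__ == "__main__":
    img, cr3 = build_image()
    print(hex(translate(img, cr3, 0x00401010)))   # 0x3010
    print(read_virtual(img, cr3, 0x00401010, 6))   # b'secret'
    print(translate(img, cr3, 0x00402000))         # None: not present in RAM
```

Reading across a page boundary, large pages and PAE (the three-level scheme used on later x86 systems) are left out on purpose; the point is that every virtual address a forensic tool reports has to be resolved through the tables found in the dump, and pages with a clear valid bit are only recoverable from the page files named in the registry.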
Acquisition of volatile memory • Techniques for capturing volatile data are divided based on • Hardware • Software • Several concepts proposed recently rely on a combination of both. • Viable suggestion • Assess the different technologies with respect to the requirements. • Schatz identified three major criteria • Fidelity • Reliability • Availability • Inspired by Schatz, the authors adopt two factors • Atomicity • Availability
Acquisition of volatile memory • A decision matrix helps investigators in choosing a specific memory acquisition technique. • An ideal acquisition method is characterized by both high atomicity and high availability. • The right half of the matrix is favored over the left half.
Memory acquisition using a dedicated hardware card • Use of a special hardware card • to obtain a forensic image of a computer’s RAM. • Carrier and Grand presented a solution called “Tribble”. • It uses Direct Memory Access (DMA). • The hardware card is installed as a dedicated PCI device and is capable of saving volatile information. • Petroni et al. proposed “FRED” (Forensic RAM Extraction Device).
Memory acquisition using a dedicated hardware card • The described solutions • Do not rely on functions provided by the operating system. • Are generally suitable for acquiring an accurate image of volatile memory. • Rutkowska (2007) proved that it is possible to present a different view of physical memory by reprogramming the chipset. • Several authors conclude that hardware cards can no longer be fully trusted.
Memory acquisition using a dedicated hardware card • Limitation • The PCI card must be installed prior to its use. • The authors suggest that • The card is beneficial when installed on critical servers. • It should be part of a forensic readiness plan.
Memory acquisition via a special hardware bus • As an alternative to PCI cards, several authors suggest reading volatile memory via the IEEE 1394 bus. • According to Ruff, any hardware bus can potentially be used for physical memory access. • This technique addresses some of the issues outlined for hardware cards. • Vidstrom pointed out that the use of this technique causes • Random system crashes. • Reliability problems. • The authors found inconsistencies after comparing the created images with raw memory dumps.
Memory acquisition with the help of virtualization • The virtual machine monitor (VMM) is responsible for sharing, managing and restricting access to the hardware resources. • An exceptional characteristic is the capability of a virtual machine to be suspended. • All volatile data is then saved in a .vmem file. • With the growing importance of internet-hosted services, investigators increasingly have to examine virtual machines.
Memory acquisition using software crash dumps • Microsoft Windows writes dump files to the hard disk in case of a machine failure. • The dump preserves the contents of the processor registers. • Dump files can be opened with • Debugging tools • A dump can also be triggered manually • System services may be interrupted • With a third-party application • With the built-in CrashOnCtrlScroll feature • The dump is generated by pressing Right Ctrl + Scroll Lock + Scroll Lock. • This technique is applicable only in specific situations. • This acquisition technique is more invasive.
Memory acquisition with user level applications • Data-Dumper is an example of a third-party software solution to acquire a copy of physical memory. • PMDump dumps the memory contents of a process to a file. • The Process Dumper utility obtains a process’s environment and state. • Drawbacks of PMDump and Process Dumper • Closed source and use of a proprietary data format. • Require specification of a process ID. • The techniques are suitable for • Incident scenarios. • Capturing a forensic image even in situations with little time.
Memory acquisition with user level applications • Weaknesses of the approaches • Work only on specific operating systems. • Applications must be loaded into memory before execution. • Depend on functions of the operating system. • A rootkit can • Deny direct access to the physical memory object. • Present a modified representation of RAM. • An untrusted operating system decreases the reliability of the evidence.
Memory acquisition with kernel level applications • Vendors provide kernel level drivers. • Freely available, e.g., ManTech’s Memory DD, MoonSols’ Windows Memory Toolkit. • Commercially available, e.g., WinEn, KnTDD and FastDump Pro. • Libster and Kornblum proposed integrating the capturing mechanism into the system core. • Characteristics of the proposed module • Capability to halt active system processes. • Support for several storage dump locations.
Memory acquisition via operating system injection • Schatz introduced BodySnatcher • It injects an independent OS into the subverted kernel of the target machine. • The concept is promising but has technical constraints • Platform specific. • Limited to a single processor. • Consumes memory. • I/O operations are limited to the serial port.
Memory acquisition via cold booting • Volatile information can be recovered by artificially cooling down the RAM modules. • e.g., with liquid nitrogen. • The target machine is restarted with a custom kernel to access the retained memory. • Usability of this approach in recent works • AfterLife. • Chan et al.’s special booting device.
Memory acquisition using the hibernation file • The Windows hibernation file (hiberfil.sys) • Contains valuable information. • Is stored in the root directory of the Windows partition. • Is compressed to save disk space. • Uses a proprietary format. • The quantity and quality of the extracted evidence is limited. • A working prototype was developed in the course of the SandMan project. • MoonSols superseded SandMan.
Analysis of the acquired memory image • Analyzing memory for • Suspicious patterns. • Usernames. • Passwords. • Textual representations. • Using command-line utilities such as • strings and grep • Powerful applications such as WinHex. • These methods are • Easy. • Noisy. • Cause huge overhead. • Produce a lot of false positives.
Analysis of the acquired memory image • An alternative to string searching is a structured methodology. • It involves examining • What types of data exist. • How these types are defined. • Where they are located. • Relevant information includes • The list of running system processes. • Cryptographic keys. • The system registry. • Network connections and data. • Open files. • System state and application-related data.
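The `strings | grep` approach from the slide, as an added example that is not part of the presentation or the surveyed paper. It extracts printable runs in both ASCII and UTF-16LE (Windows keeps many strings in the latter encoding, so an ASCII-only `strings` misses them) from a small constructed image whose contents are made up for the demonstration, and then greps for "password". Both a credential and an unrelated sentence match, which is the noise and false-positive problem the slide refers to.

```python
import re

def extract_strings(image, min_len=6):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII and in UTF-16LE."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(image)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(image)]
    return sorted(found)

def grep(strings, pattern):
    """Filter extracted strings with a case-insensitive regular expression,
    mirroring `strings <image> | grep -i <pattern>`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [s for s in strings if rx.search(s[2])]

# Constructed sample image (not a real dump): ASCII strings, a block of binary
# noise that happens to contain a printable run, one UTF-16LE string and the
# start of a PE header, mixed the way a Windows memory image would mix them.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"User: alice\x00"
    + bytes(range(0, 256, 7))                         # binary noise
    + "password=hunter2".encode("utf-16-le")          # UTF-16LE credential
    + b"\x00" * 8
    + b"Passwordless login is not enabled\x00"        # unrelated text
    + b"MZ\x90\x00\x03\x00\x00\x00"                    # start of a PE header
)

def credential_candidates(image=SAMPLE_IMAGE):
    """Grep the image for 'password'. A real credential and an unrelated
    sentence both match: the analyst still has to triage every hit."""
    return grep(extract_strings(image), r"password")

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE_IMAGE):
        print(f"0x{off:04x} {enc:8s} {text!r}")
    print(credential_candidates())
```

The run over the noise bytes shows the other side of the trade-off: any random data with a few consecutive printable bytes is reported as a "string", which is why the slide calls the method easy but noisy, and why the structured approach on the next slide locates data by type and position instead of by appearance.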
Process analysis • Malware executables use so-called rootkits and subvert integral system structures to avoid detection. • The FU rootkit implements the method Direct Kernel Object Manipulation (DKOM) to unlink itself from the ActiveProcessLinks list. • To cope with these issues, Schuster developed a signature-based scanner.
Process analysis • The results can be compared with the standard process list. • The value of the Size field can be set to zero to circumvent the rule of the scanner, and the respective process becomes invisible. • Dolan-Gavitt created robust signatures.
Process analysis • Zhang et al. used a combination of scanning and list-traversing techniques that rely on the Kernel Processor Control Region (KPCR). • The KPCR contains a separate block, the KPRCB. • In Microsoft Windows XP, both the KPCR and the KPRCB are located at fixed addresses.
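The three process analysis slides describe a cross-view: walk the ActiveProcessLinks list (what the running system shows), scan memory for process signatures (what is physically there), and treat the difference as hidden. The following is an added example, not code from the surveyed paper, the presentation or Volatility. Real _EPROCESS layouts differ per Windows version, so it uses a constructed, simplified process record (a pool tag, a size field, a pid, a name and a doubly linked list entry at assumed offsets) in a constructed image where one record has been unlinked the way DKOM does. It also reproduces the evasion from the second slide: zeroing the size field defeats the naive signature, while a signature built on fields the process cannot tamper with and still run (here, its list pointers) keeps finding it.

```python
import struct

TAG = b"Proc"                 # constructed pool tag marking a process record
RECORD_FMT = "<4sHHI16sII"    # tag, size, pad, pid, name, flink, blink
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 36 bytes
LINK_OFF = 28                 # offset of the flink field inside a record
HEAD_OFF = 0x100              # list head, standing in for PsActiveProcessHead

def build_image(zero_size_of_hidden=False):
    """Constructed 4 KiB image with four toy process records. 'hidden.exe' has
    been unlinked from the doubly linked list (DKOM) but its record is still
    in memory. Optionally its size field is zeroed to defeat a naive scanner."""
    image = bytearray(4096)
    recs = {"System": (0x200, 4), "smss.exe": (0x300, 368),
            "hidden.exe": (0x400, 1234), "explorer.exe": (0x500, 2000)}
    # Visible chain: head -> System -> smss -> explorer -> head (0x400 skipped)
    chain = [HEAD_OFF - LINK_OFF, 0x200, 0x300, 0x500]
    links = {off: (chain[(i + 1) % len(chain)] + LINK_OFF, chain[i - 1] + LINK_OFF)
             for i, off in enumerate(chain)}
    links[0x400] = (0x500 + LINK_OFF, 0x300 + LINK_OFF)  # stale pointers of the unlinked record
    for name, (off, pid) in recs.items():
        size = 0 if (zero_size_of_hidden and name == "hidden.exe") else RECORD_SIZE
        struct.pack_into(RECORD_FMT, image, off, TAG, size, 0, pid,
                         name.encode().ljust(16, b"\x00"), *links[off])
    struct.pack_into("<II", image, HEAD_OFF, *links[HEAD_OFF - LINK_OFF])
    # Stale header of a terminated process (pid 0): a scanner must filter it out
    struct.pack_into(RECORD_FMT, image, 0x600, TAG, RECORD_SIZE, 0, 0, b"\x00" * 16, 0, 0)
    return image

def parse_record(image, off):
    if off < 0 or off + RECORD_SIZE > len(image):
        return None
    tag, size, _, pid, name, flink, blink = struct.unpack_from(RECORD_FMT, image, off)
    return {"off": off, "size": size, "pid": pid,
            "name": name.rstrip(b"\x00").decode(errors="replace"),
            "flink": flink, "blink": blink}

def looks_like_process(rec, image, robust):
    if rec["pid"] <= 0:
        return False
    if not robust:
        # Naive signature: trusts the size field, which the slide shows can be zeroed
        return rec["size"] == RECORD_SIZE
    # Robust signature: the list pointers must be aligned and point inside the
    # image; a live process cannot corrupt these without crashing the system
    in_image = lambda p: LINK_OFF <= p < len(image) and p % 4 == 0
    return in_image(rec["flink"]) and in_image(rec["blink"]) and rec["name"] != ""

def scan_processes(image, robust=False):
    """Scanner view: every record carrying the pool tag, linked or not."""
    found, pos = [], image.find(TAG)
    while pos != -1:
        rec = parse_record(image, pos)
        if rec and looks_like_process(rec, image, robust):
            found.append(rec)
        pos = image.find(TAG, pos + 1)
    return found

def walk_list(image, head=HEAD_OFF, limit=1000):
    """List view: follow flink pointers from the head until the list wraps."""
    found = []
    link = struct.unpack_from("<I", image, head)[0]
    while link != head and len(found) < limit:
        rec = parse_record(image, link - LINK_OFF)
        if rec is None:
            break
        found.append(rec)
        link = rec["flink"]
    return found

def hidden_processes(image, robust=False):
    """Cross-view: pids the scanner finds but the list walk does not."""
    scanned = {r["pid"] for r in scan_processes(image, robust)}
    listed = {r["pid"] for r in walk_list(image)}
    return scanned - listed

if __name__ == "__main__":
    img = build_image()
    print("listed:", [r["name"] for r in walk_list(img)])
    print("hidden:", hidden_processes(img))
    evasive = build_image(zero_size_of_hidden=True)
    print("naive scan after size zeroed:", hidden_processes(evasive))
    print("robust scan after size zeroed:", hidden_processes(evasive, robust=True))
```

The stale pid-0 record at the end of the image stands for the other classic scanner pitfall: freed pool memory still carries old headers, so a scanner reports terminated processes as well, and every hit has to be validated rather than trusted blindly.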
Cryptographic key recovery • Hargreaves and Chivers describe a linear memory scanning technique. • Klein defined a simple search pattern. • Kaplan implemented a pattern-like approach. • Walters and Petroni outlined a concept that relies on the analysis of publicly available source code. • Halderman et al. suggested parsing a computer’s memory for key schedules.
Cryptographic key recovery • Tsow presented an algorithm capable of recovering cryptographic information from decayed memory images. • Maartmann-Moe et al. extended the research to additional ciphers and illustrated the vulnerability.
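The key-schedule search suggested by Halderman et al., as an added example that is not code from the surveyed paper or the presentation. An AES-128 implementation keeps the 176-byte expanded key schedule in memory next to the key, and the schedule is a deterministic function of the key, so a scanner can treat every 16-byte window as a candidate key, expand it, and report the offset when the following 160 bytes match. The image below is constructed (deterministic filler with the FIPS-197 test key's schedule planted at an assumed offset); the `max_mismatch` tolerance is a simplified stand-in for dealing with the decayed images the second slide mentions, not Tsow's algorithm, and it does not help when the decay hits the 16 key bytes themselves.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def build_sbox():
    """Derive the AES S-box (multiplicative inverse followed by the affine
    map) at start-up instead of embedding the 256-entry table."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s, v = inv, inv
        for _ in range(4):
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox[x] = s ^ 0x63
    return sbox

SBOX = build_sbox()

def expand_key(key):
    """AES-128 key expansion (FIPS-197 section 5.2): 16-byte key -> 176 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord followed by SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

def find_aes128_keys(image, max_mismatch=0):
    """Slide a 16-byte window over the image and report (offset, key hex)
    wherever the next 160 bytes are the AES-128 key schedule of that window,
    allowing up to max_mismatch differing schedule bytes."""
    hits = []
    for off in range(len(image) - 176 + 1):
        candidate = bytes(image[off:off + 16])
        schedule = expand_key(candidate)
        # Cheap pre-check on round key 1 before comparing the whole schedule
        r1 = sum(a != b for a, b in zip(schedule[16:32], image[off + 16:off + 32]))
        if r1 > max_mismatch:
            continue
        mism = sum(a != b for a, b in zip(schedule[16:], image[off + 16:off + 176]))
        if mism <= max_mismatch:
            hits.append((off, candidate.hex()))
    return hits

KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
KEY_OFFSET = 700                                          # assumed location

def build_image(decayed=False):
    """Constructed 2 KiB image: deterministic filler with the expanded key
    schedule planted at KEY_OFFSET; `decayed` flips two bytes of the schedule
    to imitate bit errors in a cold-boot image."""
    image = bytearray((i * 37 + 11) & 0xFF for i in range(2048))
    image[KEY_OFFSET:KEY_OFFSET + 176] = expand_key(KEY)
    if decayed:
        image[KEY_OFFSET + 40] ^= 0x80
        image[KEY_OFFSET + 100] ^= 0x01
    return bytes(image)

if __name__ == "__main__":
    print(find_aes128_keys(build_image()))
    print(find_aes128_keys(build_image(decayed=True)))
    print(find_aes128_keys(build_image(decayed=True), max_mismatch=4))
```

Because the schedule carries ten redundant copies of the key material, a partially decayed schedule still identifies the key uniquely; the exact-match search fails on the decayed image while the tolerant one recovers the same offset, which is the gap Tsow's reconstruction work addresses in a principled way.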
System registry analysis • The Windows registry is internally structured into a set of files called hives. • Most registry hives are stored in the system32\config folder. • A few volatile hives are maintained in RAM only. • A registry hive consists of • A base block. • A number of hive bins. • Internally, a hive is represented by the _CMHIVE structure, which embeds a sub-structure _HHIVE.
System registry analysis • Retrieval of pre-defined keys or values from a memory image is slightly more complex. • Dolan-Gavitt published a proof-of-concept utility capable of • Extracting the list of open keys. • Displaying the corresponding registry data.
Network analysis • Malicious applications typically bind to pre-defined ports. • Examples of attacks • Distributed Denial of Service. • Performance degradation. • Schuster’s algorithm is based on • A unique pool tag. • A pre-defined pool size. • Both are recovered after disassembling the tcpip.sys driver.
Network analysis • Ligh et al. and Okolica and Peterson suggested a different methodology. • A list crawling-based approach can be seen as reliable to date. • The provided view of the network is • Legitimate. • Unaltered.
File analysis • Examination of • Open files. • Dynamically loaded libraries (DLLs). • Security professionals recommend analyzing the Process Environment Block (PEB). • The PEB contains • The Ldr member. • Three doubly linked lists. • Dolan-Gavitt proposed a methodology based on Virtual Address Descriptors (VADs).
File analysis • The VAD is a kernel data structure maintained by the memory manager. • A recovered copy of memory can be reverse engineered and inspected. • These operations supplement traditional file carving techniques (e.g., Foremost and Scalpel).
System state- and application-specific analysis • A memory image contains a lot of information about the system state. • The _EPROCESS block is a source of valuable data • StartTime and ExitTime. • Periods an application spent in the system. • The Token member helps to reconstruct the security context of an application. • Stevens and Casey analyzed the DOSKEY utility. • Issues faced in the analysis of physical memory • Recovery and use of application-level data. • Published solutions mainly comprise • Instant messaging. • Voice over IP (VoIP).
Volatility: a memory analysis framework • Most memory analysis utilities • Have their own user interface. • Must be invoked with different commands. • Neglect interprocess communication. • Are OS-dependent. • The _EPROCESS block differs across • Operating system versions. • Service pack levels. • Walters and Petroni suggest integrating memory forensic techniques with the digital investigation process model. • Walters and Petroni’s work led to the foundation of the forensic framework Volatility.
Volatility: a memory analysis framework • Volatility modules are written in Python. • Functionality is extended by adding plugins. • Early versions of the framework supported Windows XP. • Recent versions support current operating systems. • The framework implements great parts of the concepts and methods outlined. • The framework • Is suitable for high-degree forensic tasks. • Requires high-level expertise. • Aims at academic researchers and security professionals.
Conclusion • Volatile storage contains an abundance of valuable information. • Data found in RAM or the system page file • Supports incident reconstruction. • Supplements hard disk and persistent-media-oriented approaches in computer forensics. • In the forensic process, volatile memory is equally important compared to traditional sources of evidence.
Future work • Extending the functionality of the Volatility framework. • Developing a suitable visualization technique. • Cryptographic approaches should be • User-friendly. • Applicable by technically less sophisticated personnel. • Virtual machine introspection should be explored.