%title: Memory Forensics 101%date: 2018-06-16# Agenda1. *Who*2. *Why

1. %title: Memory Forensics 101
2. %date: 2018-06-16
3.  
4. # Agenda
5.  
6. 1. *Who*
7. 2. *Why*
8. 3. *How*
9. 4. *Tools*
10. 5. *Demo*
11.  
12. ----
13.  
14. # Who (Targeted audience)
15.  
16. - Incident responders
17. - Malware researchers
18. - and YOU
19.  
20. ----
21.  
22. # Why?
23.  
24. Everything happens in memory
25.  
26. +------------+
27. | +--------+ |
28. | | CPU | | +--------------+
29. | +--------+ | +------------+ |+------+ |
30. | +--------+ |<-->| Memory |<-->||V. Mem| Disk |
31. | | Cache | | +------------+ |+------+ |
32. | +--------+ | +--------------+
33. +------------+
34.  
35. - Processes, Threads, Program Cache,
36. - Keys, Passwords, Clipboard content,
37. - User input, Screen output,
38. - Network stack, System config, ... (and more)
39.  
40. ----
41.  
42. # Why?
43.  
44. - Malware has no exception
45. - Malware evading traditional analysis tools
46. - Advanced malware: No files in disk
47. - Full memory operation (non-persistence)
48. - Script base
49. - Very light footprint loader/dropper
50.  
51. ----
52.  
53. # Need for tools
54.  
55. - To analyse what's going on
56. - User behaviour
57. - Malware behaviour
58.  
59. - To grab out information from memory dump
60. - Threat actor attribution
61.  
62. ----
63.  
64. # How?
65.  
66. - Acquisition
67. - Dumping memory
68.  
69. - Analyse
70. - Using tools
71.  
72. ----
73.  
74. # Obtaining memory dump
75.  
76. Windows: *Control + Scroll Lock + Scroll Lock*
77.  
78. \[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\
79. Control\\CrashControl\]
80. *DWORD: CrashDumpEnabled=1*
81.  
82. USB keyboard:
83. \[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\
84. Services\\kbdhid\\Parameters\]
85. *DWORD: CrashOnCtrlScroll=1*
86.  
87. PS2 keyboard:
88. \[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\
89. Services\\i8042prt\\Parameters\]
90. *DWORD: CrashOnCtrlScroll=1*
91.  
92. ----
93.  
94. # Obtaining memory dump
95.  
96. Windows: *FireEye Redline*
97.  
98. [Redline](https://www.fireeye.com/services/freeware/redline.html) from FireEye (freeware)
99.  
100. 1. Collect Data
101. 2. Create a Standard Collector
102. 3. check _Acquire Memory Image_
103. (and *Edit your script* to select other dumps)
104.  
105. ----
106.  
107. # Obtaining memory dump
108.  
109. Linux: *LiME*
110.  
111. [LiME](https://github.com/504ensicslabs/lime) (open source)
112.  
113. insmod ./lime.ko "path=<outfile | tcp:<port>>
114. format=<raw|padded|lime> [digest=<digest>] [dio=<0|1>]"
115.  
116. ----
117.  
118. # Obtaining memory dump
119.  
120. Mac+Linux: *Rekall*
121.  
122. [The Rekall Framework](https://github.com/google/rekall) (open source)
123.  
124. pmem_imager -i /boot/* -o <outfile>
125.  
126. ----
127.  
128. # Obtaining memory dump
129.  
130. VM:
131.  
132. -> Just do a snapshot from your hypervisor <-
133.  
134. ----
135.  
136. # Memory forensics tools
137.  
138. - 0th gen: *core dump*, *strings*, *grep*
139. - 1st gen: *memget*, *mempeek*, *LiveKd*
140. - 2nd gen: *Memoryze*, *MoonSols Windows Memory Toolkit*,
141. *Volatility*, *Rekall*
142. - 3rd gen: *MoonSols LiveCloudKd*, *FireEye Redline*
143.  
144. ----
145.  
146. # Volatility
147.  
148. - _Defecto_ Memory Forensics Tool
149. - Open source
150. - Written in Python
151. - Extendable plugins
152.  
153. ----
154.  
155. # Volatility
156.  
157. Simply google for *"volatility framework"*
158. and you will find what you needed.
159. - Get it on [github](https://github.com/volatilityfoundation/volatility)
160. - Check also [profiles](https://github.com/volatilityfoundation/profiles) (explain in demo)
161. - Building for [Linux](https://0x90r00t.com/2018/04/08/inshack-2018-forensics-400-taking-a-look-inside-write-up/)
162.  
163. ----
164.  
165. # Volatility
166.  
167. Tips (Hardware requirment):
168. - Fast storage
169. - SSD
170. - Optane
171. - RAM disk