a guest
Jun 16th, 2018
%title: Memory Forensics 101
%date: 2018-06-16

# Agenda

1. *Who*
2. *Why*
3. *How*
4. *Tools*
5. *Demo*

----

# Who (Target audience)

- Incident responders
- Malware researchers
- and YOU

----

# Why?

Everything happens in memory

    +------------+
    | +--------+ |
    | | CPU    | |                      +--------------+
    | +--------+ |    +------------+    |+------+      |
    | +--------+ |<-->|   Memory   |<-->||V. Mem| Disk |
    | | Cache  | |    +------------+    |+------+      |
    | +--------+ |                      +--------------+
    +------------+

- Processes, threads, program cache,
- Keys, passwords, clipboard content,
- User input, screen output,
- Network stack, system config, ... (and more)

----

# Why?

- Malware is no exception
- Malware evades traditional analysis tools
- Advanced malware: no files on disk
- Operates entirely in memory (non-persistent)
- Script-based
- Very light footprint loader/dropper

----

# Need for tools

- To analyse what's going on
  - User behaviour
  - Malware behaviour

- To extract information from a memory dump
  - Threat actor attribution

----
# How?

- Acquisition
  - Dumping memory

- Analyse
  - Using tools

----

# Obtaining memory dump

Windows: *Control + Scroll Lock + Scroll Lock* (hold Control, press Scroll Lock twice: keyboard-initiated crash dump)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
    DWORD: CrashDumpEnabled=1

USB keyboard:

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters]
    DWORD: CrashOnCtrlScroll=1

PS/2 keyboard:

    [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters]
    DWORD: CrashOnCtrlScroll=1

----

# Obtaining memory dump

Windows: *FireEye Redline*

[Redline](https://www.fireeye.com/services/freeware/redline.html) from FireEye (freeware)

1. Collect Data
2. Create a Standard Collector
3. Check _Acquire Memory Image_
   (and *Edit your script* to select what else to collect)

----

# Obtaining memory dump

Linux: *LiME*

[LiME](https://github.com/504ensicslabs/lime) (open source)

    insmod ./lime.ko "path=<outfile | tcp:<port>> format=<raw|padded|lime> [digest=<digest>] [dio=<0|1>]"
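
The `format=lime` option above writes each physical memory range behind a small header, so the analyst must map physical addresses back to file offsets before any structure parsing can start. As an added example (not part of the original slides or the LiME project), the Python below parses that container on a constructed two-range dump and translates a physical address to bytes, refusing reads that land in a hole or cross a range boundary. It assumes the 32-byte `lime_mem_range_header` layout (magic `0x4C694D45`, version 1, inclusive start and end address, 8 reserved bytes); `parse_lime`, `read_phys` and `build_sample_dump` are names chosen for this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example: the header written by "format=lime" is
#   unsigned int magic (0x4C694D45, shows up as b"EMiL" on disk), unsigned int version (1),
#   unsigned long long s_addr, unsigned long long e_addr (inclusive), unsigned char reserved[8]
LIME_MAGIC = 0x4C694D45
HEADER = struct.Struct("<IIQQ8s")   # 32 bytes, little-endian


@dataclass
class Range:
    start: int     # first physical address covered by this range
    end: int       # last physical address covered (inclusive, as LiME writes it)
    offset: int    # file offset where this range's payload begins

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_lime(data: bytes) -> List[Range]:
    """Walk the dump header by header and return every physical range."""
    ranges: List[Range] = []
    pos = 0
    while pos + HEADER.size <= len(data):
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack_from(data, pos)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at file offset {pos}")
        if version != 1:
            raise ValueError(f"unsupported LiME header version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end 0x{e_addr:x} precedes start 0x{s_addr:x}")
        pos += HEADER.size
        size = e_addr - s_addr + 1
        if pos + size > len(data):
            raise ValueError("truncated dump: range extends past end of file")
        ranges.append(Range(s_addr, e_addr, pos))
        pos += size
    if pos != len(data):
        raise ValueError("trailing bytes after the last range header")
    return ranges


def read_phys(data: bytes, ranges: List[Range], paddr: int, length: int) -> Optional[bytes]:
    """Return `length` bytes at physical address `paddr`, or None if the read
    falls into a hole between ranges or would cross a range boundary."""
    for r in ranges:
        if r.start <= paddr <= r.end:
            if paddr + length - 1 > r.end:
                return None
            off = r.offset + (paddr - r.start)
            return data[off:off + length]
    return None


def build_sample_dump() -> bytes:
    """Constructed dump: two ranges with a hole between them (not a real capture)."""
    def chunk(start: int, payload: bytes) -> bytes:
        end = start + len(payload) - 1
        return HEADER.pack(LIME_MAGIC, 1, start, end, b"\0" * 8) + payload
    return chunk(0x1000, b"A" * 0x100) + chunk(0x5000, b"B" * 0x80)


if __name__ == "__main__":
    dump = build_sample_dump()
    for r in parse_lime(dump):
        print(f"phys 0x{r.start:x}-0x{r.end:x} ({r.size} bytes) at file offset {r.offset}")
    print(read_phys(dump, parse_lime(dump), 0x1010, 4))   # inside first range
    print(read_phys(dump, parse_lime(dump), 0x3000, 4))   # in the hole: None
```

The same walk is what a framework does internally when it loads a LiME image as an address space; doing it by hand once makes the `format=raw` versus `format=padded` distinction concrete, since those variants have no headers and either drop or zero-fill the holes.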

----

# Obtaining memory dump

Mac+Linux: *Rekall*

[The Rekall Framework](https://github.com/google/rekall) (open source)

    pmem_imager -i /boot/* -o <outfile>

----

# Obtaining memory dump

VM:

-> Just take a snapshot from your hypervisor <-

----

# Memory forensics tools

- 0th gen: *core dump*, *strings*, *grep*
- 1st gen: *memget*, *mempeek*, *LiveKd*
- 2nd gen: *Memoryze*, *MoonSols Windows Memory Toolkit*, *Volatility*, *Rekall*
- 3rd gen: *MoonSols LiveCloudKd*, *FireEye Redline*
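
The 0th-generation approach still matters: before any structure-aware tool is available (say, no profile yet for the kernel in the image), `strings` and `grep` over the raw dump give the first leads. The catch on Windows images is that most interesting text (paths, command lines, URLs) is UTF-16LE, which plain `strings` skips unless asked for it. As an added example, not from the original slides, the Python below carves both ASCII and UTF-16LE runs from a constructed byte slice and greps them with a regex, reporting the file offset of each hit so it can be fed back into a structure-aware tool later. `SAMPLE`, `extract_strings` and `grep_strings` are names chosen for this example.

```python
import re
from typing import List, Tuple

# Constructed sample bytes standing in for a slice of a memory dump (not a real capture):
# an ASCII command line, a UTF-16LE file path, a too-short ASCII fragment, a UTF-16LE URL.
SAMPLE = (
    b"\x00\x90\x90"
    + b"svchost.exe -k netsvcs" + b"\x00\x00"
    + "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" + b"abc" + b"\x01"
    + "http://example.invalid/update".encode("utf-16-le") + b"\x00\x00"
)

Hit = Tuple[int, str, str]   # (file offset, encoding, decoded text)


def extract_strings(data: bytes, min_len: int = 4) -> List[Hit]:
    """Carve printable runs of at least min_len characters, like
    `strings -a` (ASCII) plus `strings -el` (16-bit little-endian)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits: List[Hit] = [(m.start(), "ascii", m.group().decode("ascii"))
                       for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in utf16_re.finditer(data)]
    return sorted(hits)   # by offset, so hits read in memory order


def grep_strings(data: bytes, pattern: str, min_len: int = 4) -> List[Hit]:
    """grep over the carved strings; case-insensitive like `grep -i`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [h for h in extract_strings(data, min_len) if rx.search(h[2])]


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE):
        print(f"0x{offset:08x} {enc:8s} {text}")
    print("-- matches for .dll / example.invalid:")
    for offset, enc, text in grep_strings(SAMPLE, r"\.dll$|example\.invalid"):
        print(f"0x{offset:08x} {enc:8s} {text}")
```

Keep the offset: once a profile is available, a hit's offset can be mapped back to the process that owned the page, which is exactly the step the 2nd-generation tools automate.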

----

# Volatility

- _De facto_ memory forensics tool
- Open source
- Written in Python
- Extensible through plugins

----

# Volatility

Simply google for *"volatility framework"*
and you will find what you need.

- Get it on [github](https://github.com/volatilityfoundation/volatility)
- Check also the [profiles](https://github.com/volatilityfoundation/profiles) (explained in the demo)
- Building a Linux profile: [write-up](https://0x90r00t.com/2018/04/08/inshack-2018-forensics-400-taking-a-look-inside-write-up/)

----

# Volatility

Tips (hardware requirements):

- Fast storage
  - SSD
  - Optane
  - RAM disk