- %title: Memory Forensics 101
- %date: 2018-06-16
- # Agenda
- 1. *Who*
- 2. *Why*
- 3. *How*
- 4. *Tools*
- 5. *Demo*
- ----
- # Who (Targeted audience)
- - Incident responders
- - Malware researchers
- - and YOU
- ----
- # Why?
- Everything happens in memory
- +------------+
- | +--------+ |
- | |  CPU   | |                      +--------------+
- | +--------+ |    +------------+    |+------+      |
- | +--------+ |<-->|   Memory   |<-->||V. Mem| Disk |
- | |  Cache | |    +------------+    |+------+      |
- | +--------+ |                      +--------------+
- +------------+
- - Processes, Threads, Program Cache,
- - Keys, Passwords, Clipboard content,
- - User input, Screen output,
- - Network stack, System config, ... (and more)
- ----
- # Why?
- - Malware is no exception
- - Malware evades traditional, disk-based analysis tools
- - Advanced malware: no files on disk
- - Runs entirely in memory (no persistence)
- - Script-based
- - Very light footprint loader/dropper
- ----
- # Need for tools
- - To analyse what's going on
- - User behaviour
- - Malware behaviour
- - To extract information from a memory dump
- - Threat actor attribution
- ----
- # How?
- - Acquisition
- - Dumping memory
- - Analysis
- - Using tools
- ----
- # Obtaining memory dump
- Windows: *Right Ctrl + Scroll Lock + Scroll Lock*
- (hold the right Ctrl key and press Scroll Lock twice; this bug checks the machine, so it reboots)
- \[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\
- Control\\CrashControl\]
- *DWORD: CrashDumpEnabled=1*
- (1 = complete memory dump; needs a page file on the system drive of at least RAM + 1 MB;
- the dump lands in %SystemRoot%\\MEMORY.DMP by default)
- USB keyboard:
- \[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\
- Services\\kbdhid\\Parameters\]
- *DWORD: CrashOnCtrlScroll=1*
- PS/2 keyboard:
- \[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\
- Services\\i8042prt\\Parameters\]
- *DWORD: CrashOnCtrlScroll=1*
- (reboot once after setting the values; the key sequence does not work until then)
- ----
- # Obtaining memory dump
- Windows: *FireEye Redline*
- [Redline](https://www.fireeye.com/services/freeware/redline.html) from FireEye (freeware)
- 1. Collect Data
- 2. Create a Standard Collector
- 3. check _Acquire Memory Image_
- (and *Edit your script* to select other dumps)
- ----
- # Obtaining memory dump
- Linux: *LiME*
- [LiME](https://github.com/504ensicslabs/lime) (open source; build lime.ko against the target's exact kernel, then load it)
- insmod ./lime.ko "path=<outfile | tcp:<port>>
- format=<raw|padded|lime> [digest=<digest>] [dio=<0|1>]"
- (raw: RAM ranges concatenated, padded: holes zero-filled,
- lime: a 32-byte header per range keeps the physical addresses)
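- The format=lime layout, as an added example for this slide (not code from LiME or Volatility): each RAM range is a 32-byte header (magic 0x4C694D45, the bytes "EMiL"; version 1; inclusive start and end physical address; 8 reserved bytes) followed by that range's bytes. The parser below walks the headers, maps a physical address to its file offset (or reports that it falls in a hole) and rebuilds the equivalent padded image. The sample image is constructed inline; build_lime exists only to make it.

```python
"""Parse a LiME-format (format=lime) memory image.

Added example for this slide, not code from LiME or Volatility. It implements
the on-disk layout the LiME module writes in format=lime: a 32-byte header per
RAM range (magic 0x4C694D45, which is the bytes "EMiL"; version 1; inclusive
start and end physical addresses; 8 reserved bytes) followed by that range's
bytes. The sample image at the bottom is constructed here for illustration.
"""
import struct

LIME_MAGIC = 0x4C694D45                 # little-endian on disk: 45 4D 69 4C = "EMiL"
LIME_HDR = struct.Struct("<IIQQ8s")     # magic, version, s_addr, e_addr, reserved


def lime_ranges(image: bytes):
    """Walk every range header; return [(s_addr, e_addr, data_offset)]."""
    ranges, off = [], 0
    while off < len(image):
        if len(image) - off < LIME_HDR.size:
            raise ValueError(f"truncated header at offset {off:#x}")
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(image, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError(f"not a LiME v1 header at offset {off:#x}")
        if e_addr < s_addr:
            raise ValueError(f"inverted range {s_addr:#x}-{e_addr:#x} at offset {off:#x}")
        size = e_addr - s_addr + 1          # LiME ranges are inclusive
        data_off = off + LIME_HDR.size
        if data_off + size > len(image):
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} runs past end of image")
        ranges.append((s_addr, e_addr, data_off))
        off = data_off + size               # next header sits right after the data
    return ranges


def phys_to_offset(ranges, paddr: int):
    """File offset that holds physical address paddr, or None if it is in a hole."""
    for s_addr, e_addr, data_off in ranges:
        if s_addr <= paddr <= e_addr:
            return data_off + (paddr - s_addr)
    return None


def lime_to_padded(image: bytes) -> bytes:
    """Rebuild the equivalent padded image: holes before/between ranges become
    zero bytes, so a byte's file offset equals its physical address."""
    out = bytearray()
    for s_addr, e_addr, data_off in lime_ranges(image):
        if s_addr < len(out):
            raise ValueError("overlapping or unsorted ranges")
        out.extend(b"\x00" * (s_addr - len(out)))
        out.extend(image[data_off:data_off + (e_addr - s_addr + 1)])
    return bytes(out)


def build_lime(chunks):
    """Construct a LiME image from [(s_addr, payload)]; used only for the sample."""
    out = bytearray()
    for s_addr, payload in chunks:
        out += LIME_HDR.pack(LIME_MAGIC, 1, s_addr, s_addr + len(payload) - 1, bytes(8))
        out += payload
    return bytes(out)


# Constructed sample: two RAM ranges with a hole from 0x1000 to 0x1fff,
# the kind of gap a real system has between its e820 RAM regions.
SAMPLE = build_lime([(0x0000, b"A" * 0x1000), (0x2000, b"B" * 0x800)])

if __name__ == "__main__":
    rs = lime_ranges(SAMPLE)
    for s, e, off in rs:
        print(f"range {s:#010x}-{e:#010x} ({e - s + 1:#x} bytes) at file offset {off:#x}")
    print("0x1800 lives in a hole:", phys_to_offset(rs, 0x1800))
    print("padded image size:", hex(len(lime_to_padded(SAMPLE))))
```

- The hole handling is the point: in a raw (concatenated) image there is no way to tell where one range ends and the next begins, so physical addresses are lost; padded keeps them at the cost of zero-filled gaps; lime keeps them without the gaps, which is why the analysis tools read the headers rather than assuming offset == physical address.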
- ----
- # Obtaining memory dump
- macOS and Linux: *Rekall*
- [The Rekall Framework](https://github.com/google/rekall) (open source)
- pmem_imager -i /boot/* -o <outfile>
- ----
- # Obtaining memory dump
- VM:
- -> Just take a snapshot from your hypervisor, with memory state included <-
- (VMware writes guest RAM to the snapshot's .vmem file; VirtualBox can dump it with VBoxManage debugvm ... dumpvmcore)
- ----
- # Memory forensics tools
- - 0th gen: *core dump*, *strings*, *grep*
- - 1st gen: *memget*, *mempeek*, *LiveKd*
- - 2nd gen: *Memoryze*, *MoonSols Windows Memory Toolkit*,
- *Volatility*, *Rekall*
- - 3rd gen: *MoonSols LiveCloudKd*, *FireEye Redline*
- ----
- # Volatility
- - _De facto_ memory forensics tool
- - Open source
- - Written in Python
- - Extendable plugins
- ----
- # Volatility
- Simply google for *"volatility framework"*
- and you will find what you need.
- - Get it on [github](https://github.com/volatilityfoundation/volatility)
- - Check also [profiles](https://github.com/volatilityfoundation/profiles) (explained in the demo; a Linux profile must be built from the exact kernel that was dumped)
- - Building for [Linux](https://0x90r00t.com/2018/04/08/inshack-2018-forensics-400-taking-a-look-inside-write-up/)
- ----
- # Volatility
- Tips (hardware requirements):
- - Fast storage
- - SSD
- - Optane
- - RAM disk