%title: Memory Forensics 101
%date: 2018-06-16

# Agenda

1. *Who*
2. *Why*
3. *How*
4. *Tools*
5. *Demo*

----

# Who (Target audience)

- Incident responders
- Malware researchers
- and YOU

----

# Why?

Everything happens in memory

+------------+
| +--------+ |
| | CPU    | |                      +--------------+
| +--------+ |    +------------+    |+------+      |
| +--------+ |<-->|   Memory   |<-->||V. Mem| Disk |
| | Cache  | |    +------------+    |+------+      |
| +--------+ |                      +--------------+
+------------+

- Processes, threads, program cache,
- Keys, passwords, clipboard content,
- User input, screen output,
- Network stack, system config, ... (and more)

----

# Why?

- Malware is no exception
- Malware evades traditional analysis tools
- Advanced malware: no files on disk
  - Fully memory-resident operation (non-persistent)
  - Script based
  - Very lightweight loader/dropper

----

# Need for tools

- To analyse what's going on
  - User behaviour
  - Malware behaviour

- To extract information from a memory dump
  - Threat actor attribution

----

# How?

- Acquisition
  - Dumping memory

- Analysis
  - Using tools

----

# Obtaining a memory dump

Windows: *Control + Scroll Lock + Scroll Lock*

  \[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\
   Control\\CrashControl\]
    *DWORD: CrashDumpEnabled=1*

  USB keyboard:
  \[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\
   Services\\kbdhid\\Parameters\]
    *DWORD: CrashOnCtrlScroll=1*

  PS2 keyboard:
  \[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\
   Services\\i8042prt\\Parameters\]
    *DWORD: CrashOnCtrlScroll=1*

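The three registry settings above as one idempotent PowerShell script that audits the current values before and after changing them (an added example, not part of the slides); it assumes an elevated prompt, and the value names, paths and the DWORD value 1 are the ones on the slide.

```powershell
# Added example: enable keyboard-initiated crash dumps for memory acquisition.
# Run from an elevated PowerShell prompt. The CrashOnCtrlScroll setting only
# takes effect after a reboot; the trigger is then: hold right Ctrl, press
# Scroll Lock twice. Paths/names are from the slide, the audit logic is mine.

$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl';        Name = 'CrashDumpEnabled';  Value = 1 }  # 1 = complete memory dump
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters';   Name = 'CrashOnCtrlScroll'; Value = 1 }  # USB keyboards
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters'; Name = 'CrashOnCtrlScroll'; Value = 1 }  # PS/2 keyboards
)

function Get-CrashDumpConfig {
    # Report each value as it is now ($null when the key or value is absent); changes nothing.
    foreach ($s in $settings) {
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Path    = $s.Path
            Name    = $s.Name
            Current = $current
            Wanted  = $s.Value
            Ok      = ($current -eq $s.Value)
        }
    }
}

function Enable-CrashDumpTrigger {
    # Create any missing key and write each DWORD; re-running is harmless.
    foreach ($s in $settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

Write-Host 'Before:'; Get-CrashDumpConfig | Format-Table -AutoSize
Enable-CrashDumpTrigger
Write-Host 'After:';  Get-CrashDumpConfig | Format-Table -AutoSize

# A complete dump (CrashDumpEnabled=1) is only written if the boot volume has a
# page file at least as large as physical RAM, so check that too before relying on it.
```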
----

# Obtaining a memory dump

Windows: *FireEye Redline*

[Redline](https://www.fireeye.com/services/freeware/redline.html) from FireEye (freeware)

1. Collect Data
2. Create a Standard Collector
3. Check _Acquire Memory Image_
   (and *Edit your script* to select other dumps)

----

# Obtaining a memory dump

Linux: *LiME*

[LiME](https://github.com/504ensicslabs/lime) (open source)

  insmod ./lime.ko "path=<outfile | tcp:<port>>
  format=<raw|padded|lime> [digest=<digest>] [dio=<0|1>]"

----

# Obtaining a memory dump

Mac+Linux: *Rekall*

[The Rekall Framework](https://github.com/google/rekall) (open source)

  pmem_imager -i /boot/* -o <outfile>

----

# Obtaining a memory dump

VM:

-> Just take a snapshot from your hypervisor <-

----

# Memory forensics tools

- 0th gen: *core dump*, *strings*, *grep*
- 1st gen: *memget*, *mempeek*, *LiveKd*
- 2nd gen: *Memoryze*, *MoonSols Windows Memory Toolkit*,
           *Volatility*, *Rekall*
- 3rd gen: *MoonSols LiveCloudKd*, *FireEye Redline*

----

# Volatility

- _De facto_ memory forensics tool
- Open source
- Written in Python
- Extensible via plugins

----

# Volatility

Simply google for *"volatility framework"*
  and you will find what you need.
- Get it on [github](https://github.com/volatilityfoundation/volatility)
- Check also [profiles](https://github.com/volatilityfoundation/profiles) (explained in the demo)
- Building for [Linux](https://0x90r00t.com/2018/04/08/inshack-2018-forensics-400-taking-a-look-inside-write-up/)

----

# Volatility

Tips (hardware requirements):
- Fast storage
  - SSD
  - Optane
  - RAM disk