Memory Forensics During Incident Response
This presentation is the property of its rightful owner.
Sponsored Links
1 / 20

Memory Forensics During Incident Response PowerPoint PPT Presentation


  • 54 Views
  • Uploaded on
  • Presentation posted in: General

Memory Forensics During Incident Response. Jack Crook. Incident Handler. Works for GE. Founded RaDFIRe. Handlerdiaries.com. IR in a nutshell. Consider the following scenario.

Download Presentation

Memory Forensics During Incident Response

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Memory forensics during incident response

Memory Forensics During Incident Response


Memory forensics during incident response

Jack Crook

Incident Handler

Works for GE

Founded RaDFIRe

Handlerdiaries.com


Ir in a nutshell

IR in a nutshell


Memory forensics during incident response

Consider the following scenario


Memory forensics during incident response

It’s been a long night and you finally get to bed only to be woken up 30 minutes later to the sound of your phone alerting you that there’s an alert that fired and needs to be triaged immediately.  Crawling out of bed you’re thinking this has to be a false positive because you’ve gone through this same routine each of the past 5 nights you were on call.  Not bothering to turn the lights on for something that’s sure to be random noise,  you peer into the ids console and see an alert that you have never seen before.  You automatically think to yourself, being the tired analyst that you are, “who was the a$$hole that added this new rule”, and you’re sure it was added intentionally just to keep you awake, but you know you can’t get back to bed until the alert is validated.  So you begin sifting through the data and it quickly becomes apparent that this isn’t a false positive, but rather it’s the real deal and alerted to the fact that there’s an intruder in your network attempting to move laterally.  You double check your initial analysis and you come to the realization that you’re not going to feel the comfort of your bed for a long long time to come.  As the adrenaline begins to rush, your mind starts racing, thinking about everything that needs to happen and you know you need to act immediately.


Questions that need answered

Questions that need answered


Useful data types

Useful Data Types

  • Knowing which data will give you the most information when analyzing intrusions and being able to quickly collect that data is critical.

    • Network (PCAP / Netflow)

    • OS logs

    • AV, HIPS/HIDS Logs

    • MFT

    • Memory

    • Pagefile

    • Prefetch

    • Registry Hives


Memory forensics during incident response

Host based analysis


Questions that need answered1

Questions that need answered


Memory forensics during incident response

Memory is one if the richest pieces of data to collect when analyzing host data


Why collect m emory

Why collect memory?

Acquisition times

Complete system state

Recover artifacts of compromise

Identify command execution


Tools for acquiring memory

Tools for acquiring memory

  • There are several tools that you can use to acquire memory during forensic investigations.

    • DumpIt (Moonsols)

    • Fastdump Pro (HBGary)

    • Memoryze (Mandiant)

    • FTK Imager (FTK)


Analysis tools

Analysis Tools

  • There are several freely available tools that you can use to aid in your forensic investigations.

    • Volatility

    • Rekall

    • Redline

    • Responder

    • Strings

    • Grep

    • dd


Questions we can often answer

Questions we can often answer?

How was the host compromised?

Is the host compromised?

Were malicious files dropped?

Who talked to the host?

Who did the host talk to?

Were any user accts compromised?

Was any lateral movement identified?

How was lateral movement performed?

Was any data taken from the host?

Do additional hosts need investigation?


What can we glean

What can we glean?


Memory terms

Memory Terms

  • Some key terms that will be explained in the following slides :

    • Virtual Memory

    • Stack Memory

    • Heap Memory

    • Paging

    • Memory management

    • VAD’s

    • Shared Memory


Memory terms1

Memory Terms

Virtual Memory:

  • A mechanism used so that each process can have it’s own memory space without bleeding into other process space.

    Stack Memory:

  • This is basically the runtime state of process. This area of memory includes data such as local variables and functions. All processes.

    Heap Memory:

  • This area of memory is used for the dynamic allocation. File contents and user input are some of the data types in heap memory. All processes.


Memory terms2

Memory Terms

Paging:

  • Also know as swapping. Used when physical memory for that process is exhausted. Pages from memory are written to disk to free physical memory space. When a swapped page is needed it is retrieved from disk and rewritten to memory.

    Memory Management:

  • The operating system’s process of allocating and tracking allocated memory.


Memory terms3

Memory Terms

VAD:

  • Also known as Virtual Address Descriptors. It’s the method used to record the usage of virtual addresses. It’s possible to rebuild an entire process (minus paged data) by walking this tree like structure and extracting each page.

    Shared Memory:

  • Used for processes to share different pieces of memory. Think of dll’s.


Memory forensics during incident response

Demo

  • 2012 GrrCON forensic challenge

  • https://docs.google.com/file/d/0B_xsNYzneAhEQXNZSzh6YTVZQ3M/edit


  • Login