memory forensics - bucks.edu1).pdf · memory forensics cindy casey [email protected] random...
TRANSCRIPT
![Page 2: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/2.jpg)
Random Access Memory ◦ Hardware (integrated circuit) that allows data to be
stored and retrieved on a computer.
◦ Data accessed randomly instead of sequentially like it is on a CD or hard drive.
◦ Computer can access data in RAM much faster than ROM.
RAM is volatile ◦ Volatile memory requires power to keep the data
accessible
![Page 3: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/3.jpg)
ROM
Registers
ALU CU
Input Output
![Page 4: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/4.jpg)
While both the HD and RAM are memory, RAM is
referred to as primary memory (or just memory) and
the hard drive as storage or secondary storage.
![Page 5: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/5.jpg)
![Page 6: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/6.jpg)
Traditional computer forensics focuses on Dead-Box
analysis. Accessing and analyzing Non-volatile information.
Non-volatile data is maintained when the device is powered off.
Also known as persistent storage.
Emerging need to focus on Live-Box analysis Accessing and analyzing Volatile information.
Volatile data is only maintained while the device is powered on.
Once the device is powered down the data flushes away…
or does it?
![Page 7: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/7.jpg)
Currently only two states a system can be in during an
incident response or when seizing evidence:
1. Dead System – Turned off
2. Live System – Running
Arrive on Scene
Is System on?
Seize System
Copy Drive
?
Yes
No
![Page 8: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/8.jpg)
Past and current network connections Running processes at the time of RAM capture User names and passwords
Loaded Dynamically Linked Libraries (DLL) Contents of an open window System information (i.e.: time since last reboot) Recreate the Task Manger Data never written to the hard disk drive Rootkits Registry Information Memory resident malware (fileless malware) Encryption keys
that Might be
![Page 9: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/9.jpg)
Before they can be run by the processor, programs (including
data and instructions) must be loaded into physical or main
memory.
This includes any software that encrypts (key must be loaded
into memory).
The key resides in the RAM until the machine is powdered
off.
Dumping the contents of the RAM while the machine is
running increases the likelihood of retrieving the key.
RAM CPU Encrypted
Disk
![Page 10: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/10.jpg)
Malware which may never even touch the hard drive.
Can exist completely in RAM.
Becoming more resistant.
Leaves no footprint on hard drive.
Can’t be detected using traditional forensic
methodologies.
Not detected by anti-virus software or auditing
techniques.
Part of many sophisticated attacks today.
![Page 11: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/11.jpg)
![Page 12: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/12.jpg)
Multiple layers of obfuscation.
Payload never touches the victims' hard drive.
Custom encryption algorithm.
Capable of watching victims without ever being
noticed.
Can corrupt a HD – rendering PC useless.
Ransomlock similarities (i.e.: can lock the desktop).
Stealthy - only keeps malicious code in memory for
time it is needed.
![Page 13: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/13.jpg)
![Page 14: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/14.jpg)
![Page 15: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/15.jpg)
![Page 16: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/16.jpg)
Point of Sale (POS) RAM Scraper Malware Attacks
are on the rise
◦ Steals payment data from RAM of POS systems.
◦ Payment Card Industry Data Security Standard (PCI-DSS)
requires end-to-end encryption.
◦ Payment data is decrypted in POS’s RAM for processing.
◦ This is where RAM Scraper comes in.
◦ Searches to harvest clear-text payment data.
◦ Data then sent to rogue call-home server.
Even smart cards are not safe from these types of
attack!
![Page 17: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/17.jpg)
Client-side attacks are also probable.
Browsers are famous for leaving artifacts in memory
during web sessions.
RAM scraping malware can target encryption keys in
memory to decrypt anything from session data to
encrypted files.
![Page 18: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/18.jpg)
It is crucial to acquire volatile evidence before any other
type of acquisition.
Live forensic tools make substantial changes to volatile
memory.
We will look at several tools
◦ Hex Editor
◦ DumpIt RAM Capture Utility
◦ Belkasoft RAM Capturer - Volatile Memory Acquisition Tool
◦ FTK
![Page 19: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/19.jpg)
Address Area
Hexadecimal Area
Character Area
JPEG File Interchange Format (JFIF)
![Page 20: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/20.jpg)
Open Source Tool.
Raw memory dump generated and saved to same directory as
DumpIt.exe (.mem file).
1. Open tool
2. Select yes (y)
3. When completed you will see
the word success
![Page 21: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/21.jpg)
![Page 22: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/22.jpg)
Next open the .mem file created in a Hex Editor to view the
memory dump and analyze the captured RAM contents.
![Page 23: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/23.jpg)
PayPal Email address
PayPal Account Password
These credentials were changed after this dump!
![Page 24: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/24.jpg)
RAM Images Show How Data Fades Away
Examining images retrieved from
the memory dump demonstrates
how RAM fades gradually over
time.
Some studies have shown that RAM
can be frozen for up to 10 minutes
using a can of compressed air.
![Page 25: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/25.jpg)
1. Open Belkasoft Live RAM Capturer and select “Capture!”.
2. When the process is complete, close the application.
3. Open the .mem file you just created with Hex Editor.
![Page 26: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/26.jpg)
![Page 27: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/27.jpg)
![Page 28: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/28.jpg)
![Page 29: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/29.jpg)
![Page 30: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/30.jpg)
• Barnes and Noble • Xfinity Email • Spice Works • Reddit • Malware News • Tech Republic • W3Schools • Amazon • Hacker Noon • Forbes • Owl Purdue • Bucks County Courier Times • Excel Office Apps
Web Browsing History
![Page 31: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/31.jpg)
Login Credentials
![Page 32: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/32.jpg)
![Page 33: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/33.jpg)
не забудем америка
не забудем америка
блять не развал усср
тимофей токарев
рулез4евр веббер
we will not forget
America we will not
forget America
f@#!ing do not
collapse ussr timofey
tokarev rulez4evr
![Page 34: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/34.jpg)
![Page 35: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/35.jpg)
Volatile memory (RAM) is in constant flux.
◦ Time sliding window
Creating a RAM dump changes the evidence.
◦ No write-block.
Image cannot be validated.
◦ Pre and post MD5, SHA- 1, SHA-256 hashes
useless.
Can be difficult to explain in laymen terms.
![Page 36: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/36.jpg)
Data stored in RAM changes constantly
Images cannot be validated like non-volatile images
◦ We only get a time-sliding view
Pre and post MD5’s are meaningless
The act of creating the copy (.mem) changes the state
of the machine
No write-blocking
![Page 37: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/37.jpg)
The types of cases I am going to do don’t involve this
stuff – How will you know?
RAM imaging is going to be industry standard - it’s
just a matter of time.
Machine may have a Rootkit - Ever hear of Sony?
I will just use FTK – Not enough
![Page 38: Memory Forensics - bucks.edu1).pdf · Memory Forensics Cindy Casey casey.cindy@gmercyu.edu Random Access Memory Hardware (integrated circuit) that allows data to be stored and retrieved](https://reader034.vdocuments.mx/reader034/viewer/2022052005/601899eef492e570b72a3077/html5/thumbnails/38.jpg)