Memory Forensics
Dmitry Vostokov, Software Diagnostics Institute
Presented at VolgaCTF, Russia Inter-Regional Inter-University Open Computer Security Contest
www.volgactf.ru
Forensics
A discipline studying past structure and behavior.
© 2014 Software Diagnostics Institute
Memory Forensics
A discipline studying past structure and behavior in acquired computer memory.
We Have a Problem
Proliferation of computer architectures, operating systems, and tools
Different memory analysis narratives
Need to measure analysis quality
Solution
Empirical patterns
A pattern language
Pattern orientation
Forensic Pattern
A common recurrent identifiable set of indicators (signs) together with a set of recommendations to apply in a specific context.
Memory Forensics (revised)
A discipline studying past structure and behavior of software in acquired memory using pattern-oriented analysis methodology.
Software Forensics
Software execution artefacts
Memory forensics
Software Forensics
A discipline studying past structure and behavior of software in execution artifacts using systemic and pattern-oriented analysis methodologies.
Structure and Behavior
Memory snapshots (dumps)
Traces and logs
Source code
Digital data (media)
Diagnostics and Forensics
Diagnostics (present and past)
Forensics (past)
Prognostics (future)
Software Diagnostics
A discipline studying signs of software structure and behavior in software execution artifacts (such as memory dumps, software and network traces and logs) using systemic and pattern-oriented analysis methodologies.
Forensic Analysis Patterns
Software Diagnostics Patterns
Software Forensic Analysis Patterns
Memory Forensic Analysis Patterns
A Pattern Language
The same detection and analysis language for different computer architectures, operating systems, and tools
The same memory analysis narratives
Measured analysis quality
Predicting the unknown
Pattern Orientation
1. Pattern-driven: finding patterns in memory; using checklists and pattern catalogs
2. Pattern-based: pattern catalogue evolution; catalog packaging and delivery
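As an added illustration of the two orientations above (example code written for this transcript, not from the talk or the Software Diagnostics Institute): a toy pattern catalogue whose pattern names come from the slides, but whose indicator rules, recommendations and dump summary are simplified assumptions of this example, not the catalogue's own definitions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed summary of one process dump, as an analyst would note it from a
# debugger session (exception record, stack frames, module lists). Not a real dump.
DUMP_A = {
    "exception_code": 0xC0000005,                 # access violation
    "fault_address": 0x00000008,                  # dereference through a near-NULL pointer
    "stack": ["ntdll!KiUserExceptionDispatcher", "app!Parse", "app!main"],
    "loaded_modules": {"ntdll", "kernel32", "app"},
    "stack_residue_modules": {"app", "oldlib"},   # names seen in a raw stack scan
}

@dataclass
class Pattern:
    name: str
    indicator: Callable[[dict], bool]   # the recurrent set of signs
    recommendation: str                 # what to do when the signs are present

def catalogue() -> Dict[str, Pattern]:
    """Pattern catalogue: names from the slides; the rules are assumed simplifications."""
    patterns = [
        Pattern("NULL Data Pointer",
                lambda d: d["exception_code"] == 0xC0000005 and d["fault_address"] < 0x10000,
                "inspect the dereferenced structure and the caller's parameters"),
        Pattern("Exception Stack Trace",
                lambda d: any("KiUserExceptionDispatcher" in f for f in d["stack"]),
                "read the frames below the dispatcher to find the faulting call"),
        Pattern("Execution Residue",
                lambda d: bool(d["stack_residue_modules"] - d["loaded_modules"]),
                "examine past-execution fragments for modules no longer loaded"),
    ]
    return {p.name: p for p in patterns}

def pattern_driven(dump: dict, cat: Dict[str, Pattern]) -> List[str]:
    """Pattern-driven analysis: run the whole catalogue as a checklist over the dump."""
    return [p.name for p in cat.values() if p.indicator(dump)]

def recommendations(dump: dict, cat: Dict[str, Pattern]) -> Dict[str, str]:
    """Map each matched pattern to its recommended next step."""
    return {n: cat[n].recommendation for n in pattern_driven(dump, cat)}

def pattern_based(cat, name, indicator, recommendation) -> Dict[str, Pattern]:
    """Pattern-based analysis: catalogue evolution, adding a newly discovered pattern."""
    if name in cat:
        raise ValueError(f"already catalogued: {name}")
    cat[name] = Pattern(name, indicator, recommendation)
    return cat

if __name__ == "__main__":
    cat = catalogue()
    print(pattern_driven(DUMP_A, cat))
    # A later dump shows an exception record in stack residue that the debugger
    # never reported: discover it once, catalogue it, and reuse it on future dumps.
    pattern_based(cat, "Hidden Exception",
                  lambda d: d.get("unreported_exception_records", 0) > 0,
                  "dump the hidden exception record and its context")
    print(pattern_driven({**DUMP_A, "unreported_exception_records": 1}, cat))
```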
Main Pattern Catalogues
Structural Memory Patterns: … Memory Region, Region Boundary, Anchor Region, Linked List, Value References, Regular Data, String Value, Small Value, Data Structure …
Memory Analysis Patterns: … Wait Chain, Execution Residue, Spiking Thread, Local Buffer Overflow, Shared Buffer Overwrite, Dynamic Memory Corruption …
Malware Analysis Patterns: … Raw Pointer, String Hint, Out-of-Module Pointer, Hooksware, Hidden Process, Deviant Module, Namespace …
Disassembly, Deconstruction, Reversing Patterns
Memory Acquisition Patterns
Pattern Classification
… Dynamic Memory Corruption Patterns, Stack Overflow Patterns, Stack Trace Patterns, Symbol Patterns, Exception Patterns, Meta-Memory Dump Patterns, Module Patterns, Optimization Patterns, Thread Patterns, Process Patterns …
Memory Acquisition Patterns
http://www.dumpanalysis.org/memory-acquisition-patterns
Structural space patterns: … Process Memory Dump, Kernel Memory Dump, Physical Memory Dump, Fiber Bundle Dump …
Acquisition strategy patterns: … External Dump, Self Dump, Conditional Dump, Dump Sequence …
ADDR Patterns
http://www.dumpanalysis.org/addr-patterns
… Potential Functionality, Function Skeleton, Function Call, Call Path, Local Variable, Static Variable, Pointer Dereference, Function Prologue, Function Epilogue, Variable Initialization, Memory Copy, Call Prologue, Call Parameter, Call Epilogue, Call Result, Control Path, Function Parameter, Structure Field, Last Call …
Pattern Implementation
By OS vendor (Windows, Mac OS X, Linux, …)
By tool (WinDbg, Volatility, IDA, GDB, LLDB, …)
By CPU architecture (x86, x64, ARM, …)
By digital media (memory, volume, file, blob, …)
Pattern-Driven Analysis
Flow: Memory, Checklists, Patterns, Action
1. Tool-specific checklist: http://www.dumpanalysis.org/windows-memory-analysis-checklist
2. Pattern catalogue checklists: http://dumpanalysis.org
Pattern-Based Analysis
Flow: Memory, New Pattern Discovery, Pattern Catalog + Usage
Systems Approach
Narratology, Trace Analysis Patterns, Memory Analysis
Native Memory Forensics
Using native OS debuggers such as WinDbg from Debugging Tools for Windows, GDB (Linux), or GDB/LLDB (Mac OS X).
Practical Examples
WinDbg session…
Patterns for Example A
Tampered Dump, Exception Stack Trace, Stored Exception, Lateral Damage, Execution Residue, Hidden Exception, NULL Data Pointer
Patterns for Example B
Heap Corruption, Stack Trace Collection, RIP Stack Trace, Hooksware, Patched Code, Hidden Module, Deviant Module, String Hint, Fake Module, No Component Symbols, Namespace
Example C
Pattern correspondence: Process Dump, Physical (Complete) Dump, Kernel Dump
Further Reading (Patterns)
The Timeless Way of Building (by Christopher Alexander)
A Pattern Language: Towns, Buildings, Construction (by Christopher Alexander, et al.)
Further Reading (MDA)
Cloud Memory Dump Analysis
Fundamentals of Physical Memory Analysis
Victimware
Pattern-Oriented Software Forensics
Debugging TV
Further Reading (SD)
Software Diagnostics Institute
Pattern-Driven Software Diagnostics
Systemic Software Diagnostics
Pattern-Based Software Diagnostics
Philosophy of Software Diagnostics
Current Reference
Memory Dump Analysis Anthology: 7 volumes + 3 colour volumes
Volume 8 is planned for 2015/2016
Forthcoming Transcript
Pattern-Oriented Memory Forensics: A Pattern Language Approach (ISBN: 9781908043764)
Forthcoming Reference
A Pattern Language for Software Diagnostics, Forensics, and Prognostics: Memory, Traces, Deconstruction (10 volumes)
Q&A
Please send your feedback using the contact form on DumpAnalysis.org
Thank you for attending!