Memory Forensics - publish.illinois.edu/.../files/2014/03/acc-forensics.pdf


Page 1: Memory Forensics

Kevin Larson

Page 2: What is Computer Forensics?

Mobile Device Forensics
Network Forensics
Memory & Data Forensics
● Offline
  ○ Hard drives
  ○ Memory snapshot analysis
● Online
  ○ Live memory techniques

Page 3: Why do We Care about Forensics?

Administrative & Engineering
● Just to know an attack or compromise occurred
● Understand how it happened
● Know what needs to be fixed or cleaned
● Understand how to prevent it in the future
Legal
● Proof and accountability

Page 4: Recent Attacks on SCADA and the Power Grid

"The discovery is a rootkit called Rootkit.TmpHider that came with a trojan that infects systems via USB drives. ... the driver files that make up the rootkit have a legitimate digital signature from ... an embedded device maker Realtek. Worse, it appears to (be) targeted at SCADA control systems." -Greg Feezel

"A German power utility specialising in renewable energy was hit by a serious cyber-attack two weeks ago that lasted five days, knocking its internet communications systems offline, in the first confirmed digital assault against a European grid operator." -EurActive.com

"Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings - OASyS SCADA - a product that helps energy firms mesh older IT assets with more advanced "smart grid" technologies." -krebsonsecurity.com

Page 5: Forensics in SCADA

● Continuous operation hinders most traditional techniques
● Embedded systems and remote locations often limit physical access to machines
● "It is still unclear how to acquire live data on a SCADA system in a way that minimizes risk to the system's services." -Ahmed et al

Page 6: Forensics in the Cloud

● Vast quantities of machines make manual inspection infeasible
● Redundancy allows for flexibility in the inspection process

Page 7: Memory & Data Forensics

Offline Forensics
● Hard drives
● Memory snapshot analysis

Shortcomings
● Slow
● Misses volatile data
● Incompatible with critical systems

Page 8: Memory & Data Forensics

Online
● Extract data from a running computer
  ○ Faster
  ○ Some data only available online
● Shortcomings
  ○ Still imposes overhead
  ○ Quality concerns - blurriness (memory keeps changing while it is being copied)
  ○ Many techniques subject to attack (they run on, and trust, the possibly compromised system)

Page 9: Data Storage

In order of increasing speed
● Magnetic tape and peripherals
  ○ Floppies, CDs, magnetic tape, etc.
● Hard drives
  ○ Magnetic disks
  ○ Solid state
● Memory
  ○ Faster
  ○ Volatile - loses contents if powered off
    ■ However, this doesn't happen immediately!

Page 10: Memory

Information available only in memory (DRAM in this case)
● Encryption keys
  ○ Without them, the data on encrypted hard drives is useless
● Passwords
● Malicious programs

Page 11: Memory Remanence

RAM still contains data after it is powered off. The cell capacitors take long enough to discharge that data can often be recovered.
● Limited lifespan
● Many factors
  ○ Temperature
  ○ Type of RAM
  ○ Manufacturer (design/construction)
● Limitations
  ○ Potentially short lifespans
  ○ Certain hardware overwrites some/all memory (e.g. a BIOS that clears RAM during POST)

Page 12: Memory Remanence

There are many ways to manipulate remanence
● Cooling memory
  ○ Cheap and easy - canned air
  ○ Can extend lifespan by a significant factor
● Circumvent incompatible hardware
  ○ Move RAM chips to other systems

Page 13: Remanence Attacks

Pioneered by Halderman et al [5]
● Thoroughly investigated remanence
  ○ Tested many systems/DRAM for compatibility
  ○ Measured lifespan in various environments
● Found vulnerabilities
  ○ Extracted various keys
  ○ Modeled decay and reconstructed partial keys
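The key extraction the previous slides describe rests on one observation: an AES implementation keeps its expanded key schedule in RAM, and the schedule is redundant, so a 16-byte window can be tested by expanding it and checking whether the expansion follows. The script below is an added example written for this page; it is not code from the talk or from Halderman et al.'s tools. It assumes the schedule is stored contiguously as FIPS-197 key expansion produces it, and that cold-boot decay only clears bits that were 1 (the slide's "modeled decay"), so a decayed schedule can still be matched within a bit-error budget. The sample image, the planted key and the cleared bits are constructed inline.

```python
"""Added example: find AES-128 key schedules in a memory image."""


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _make_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys of 16 bytes


def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte round-key schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(image, max_bad_bits=0):
    """Treat every 16-byte window as a candidate key, expand it and compare
    the expansion with the 160 bytes that follow.  A schedule left in RAM by
    a cipher implementation matches exactly; with max_bad_bits > 0 a copy
    damaged by cold-boot decay is still reported, with its bit-error count."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        sched = expand_key_128(image[off:off + 16])
        seen = image[off + 16:off + SCHEDULE_LEN]
        bad = sum(bin(a ^ b).count("1") for a, b in zip(sched[16:], seen))
        if bad <= max_bad_bits:
            hits.append((off, bytes(image[off:off + 16]), bad))
    return hits


# Constructed sample image: the FIPS-197 example key's schedule planted at
# offset 1024 inside filler that cannot be mistaken for a schedule.
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PLANT_OFFSET = 1024


def build_sample_image(cleared_bits=()):
    """cleared_bits: (offset within the schedule, bit mask) pairs whose bits
    are forced to 0, modelling the unidirectional decay of powered-off DRAM."""
    filler = bytes(range(256)) * 4
    image = bytearray(filler + expand_key_128(SAMPLE_KEY) + filler)
    for rel_off, mask in cleared_bits:
        image[PLANT_OFFSET + rel_off] &= ~mask & 0xFF
    return bytes(image)


if __name__ == "__main__":
    decayed = build_sample_image([(16, 0x80), (17, 0x02), (18, 0x40)])
    for off, key, bad in find_aes128_keys(decayed, max_bad_bits=8):
        print(f"schedule at offset {off}: key {key.hex()} ({bad} decayed bits)")
```

On a real image this brute-force form is slow (one key expansion per byte offset); a production scanner checks only the first round key before expanding further. The tolerance also assumes the 16 key bytes themselves survived; if they decayed too, the redundancy of the schedule has to be used to correct them, which is the reconstruction step Halderman et al. describe.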

Page 14: Remanence Attacks

● Privilege escalation through remanence
  ○ Restart machine
  ○ Find critical system elements
  ○ Jump start and enjoy full privileges

Page 15: Forenscope

● Built off Bootjacker - take control of the machine
● Forensics platform
  ○ Use privilege to investigate
  ○ Doesn't rely on the existing system
  ○ Multiple forensic payloads
  ○ Can be interactive

Page 16: Forenscope

Leverages memory remanence to build a forensics platform
● Freshly rebooted machine
  ○ No persistent infections
● Full copy of memory
  ○ High quality
  ○ Extremely low taint
  ○ Minimal blurriness

Page 17: Forenscope

Extremely Low Taint
● Conventional tools have memory footprints
  ○ Reside in extended memory
    ■ Where most important data resides
  ○ Are large
    ■ Clobber potentially valuable information
    ■ Leave a trace of their own
● Forenscope
  ○ Resides in conventional memory (lowest 640 KB)
    ■ Virtually unused in modern systems
    ■ Still only taints a small percent

Page 18: Image Quality Comparison

● Difference from actual memory contents

Tool                               Conventional Memory   Extended Memory
Forenscope                         0.125%                0%
dd                                 0%                    21.665%
dd to FS mounted with sync flag    0%                    21.44%
dd with O_DIRECT                   0%                    1.46%

Page 19: System Restoration

● Hardware systems
  ○ Have initialization functions
  ○ Re-initialize hardware
● We have memory!
  ○ Restore registers from stack
  ○ Kernel structures accessible
    ■ Page tables
    ■ Stack

Page 20: Forenscope

Conventional tools often rely on potentially compromised components
● FU rootkit
  ○ Manipulates kernel structures and corrupts process lists
● Virtualization rootkits
  ○ Operate outside the scope of the running system

Page 21: Forenscope

Critical Systems
● Cannot afford downtime
● Forenscope
  ○ Extremely fast
    ■ Can operate as quickly as the system restarts
    ■ ~15 seconds on many systems
  ○ Customizable - invoke many different payloads
    ■ Copy memory
    ■ Rootkits
    ■ Interactive platform

Page 22: Forenscope & SCADA

SCADA poses unique challenges at which Forenscope excels
● Take control of systems in an unknown state
● Minimally intrusive system
● Customizable payloads unique to tasks
● Interactive modes can allow for remote forensics

Page 23: Forenscope & The Cloud

The cloud poses unique challenges for Forenscope
● Customizable payloads unique to tasks
● Interactive modes can allow for remote forensics

Page 24: Shortcomings

Forenscope provides high quality images or a platform to do forensics
● Much effort is still manual
● Interfaces, protocols, and abstractions have to be extracted

Page 25: Other Ways to Capture Memory

● Firewire (DMA access over the IEEE 1394 bus)
  ○ Inception
  ○ libforensic1394
  ○ Forenscope-like agent
● Virtualized environment
  ○ LibVMI and other introspection
  ○ Direct capture

Page 26: Valgrind

● x86 memory debugging tool
● Virtual CPU
  ○ Memory instrumentation
● Variety of different tools
  ○ Cachegrind/Callgrind - simulate cache and call graph
  ○ Helgrind/DRD - race detection for multithreaded programs
  ○ Massif - heap profiler

Page 27: Cafegrind

● Extension of the Massif tool in Valgrind
● Collects statistics of memory usage in the heap
  ○ Longevity of every allocated object
  ○ Number of reads and writes
● Freed memory is not necessarily lost
  ○ Tracks the period between free and clobber

Page 28: Cafegrind

Type Inference

    struct ds *mydata;
    mydata = (struct ds *) malloc(sizeof(struct ds));
    mydata->field1 = 100;

malloc() returns untyped memory; the type of the object becomes known from what the program does with the pointer (here the cast and the store into a variable of type struct ds *, both visible through the debug information). Cafegrind maintains this information for all dynamically allocated objects.

Page 29: Requirements

● Requires programs and libraries to be C/C++ and compiled with -g and -O0
● Lots of RAM and/or swap space
  ○ Used a 40 GB SSD for swap
● Hard disk space
  ○ Generates data on the order of GB per minute of execution

Page 30: Coverage

Percent of loads/stores whose type was inferred

Application   Store Coverage   Load Coverage   Overall
Firefox       70.48%           88.11%          83.51%
KWrite        85.8%            94.27%          92.66%
Links         99.09%           99.99%          99.6%
Tor           85.95%           96.43%          95.02%

Page 31: Example

Cafegrind and the Konqueror web browser

Page 32: Volatility

● The Volatility Framework is an open collection of tools
● Used for the extraction of digital artifacts from volatile memory samples
● Support for samples from Windows, Linux, and Mac OS X systems
● Profiles for a wide variety of versions
● Functionality to create profiles for any Linux system

Page 33: Volatility Capabilities

● General info (date, time, CPU count)
● Running processes
  ○ IDs
  ○ Memory mappings
● Network sockets and connections
● File handles
● Kernel modules and objects (keys, mutexes, etc.)
● Virtual and physical mappings

Page 34: Beyond Volatility

Volatility can provide basic process info
● Process IDs
● Memory offsets to the stack and heap
● Misc. other metadata

Cafegrind proved there was a wealth of information in the heap!

Page 35: Exploring the Heap

● Leveraged a virtual machine environment to provide memory images
● We no longer have debug symbols
● What is left?

Page 36: Pointers

● Typically pretty easy to identify
● Point to all sorts of things
  ○ Data
  ○ Functions
  ○ Other pointers
  ○ Structs (a combination of the above)

Page 37: A Quick Look at Initd

Initd application (the init process, PID 1)
● First process started by the kernel
● Every other process is a descendant of initd
● Handles orphaned processes

Page 38: Some of the Numbers

● Used Volatility to extract all pages identified as the heap of initd
  ○ 85 pages (348 KB)
  ○ 21643 pointers (173 KB, or 49.7% of the heap)
  ○ 17852 pointers have cycles
  ○ 1622 point to invalid pages or are not aligned
  ○ 3549 are involved in longer chains of pointers
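A pointer census of the kind the slide reports, written as an added example for this page (it is not the talk's code). It assumes a 64-bit little-endian process with 8-byte aligned pointer slots, a list of address ranges that "look like a pointer" (here the heap arena as a process map would report it) and the subset of those ranges that were actually dumped; since the slide does not say what counts as a "longer chain", the threshold here is a walk through at least two pointer slots before reaching data. The one-page heap, with a circular doubly linked list, a singly linked chain, a dangling pointer and a misaligned one, is constructed inline. Extracting the real heap pages (the slides used Volatility for that) is outside this snippet.

```python
"""Added example: pointer census of a dumped heap page."""
import struct

WORD = 8
PAGE = 4096
HEAP_BASE = 0x555555550000
ARENA = [(HEAP_BASE, HEAP_BASE + 0x21000)]   # mapping as the process sees it
DUMPED = [(HEAP_BASE, HEAP_BASE + PAGE)]     # the one page we actually have


def _in(addr, ranges):
    return any(lo <= addr < hi for lo, hi in ranges)


def scan_pointers(heap, base, address_ranges):
    """Every aligned 8-byte slot whose value lies in a known mapping is
    taken to be a pointer.  Returns {slot address: target address}."""
    ptrs = {}
    for off in range(0, len(heap) - WORD + 1, WORD):
        val = struct.unpack_from("<Q", heap, off)[0]
        if _in(val, address_ranges):
            ptrs[base + off] = val
    return ptrs


def classify_pointers(ptrs, dumped_ranges, min_chain=2):
    """Follow each pointer while it lands on another pointer slot.
    invalid: target misaligned or in a page we do not have
    cycle:   the walk revisits a slot (list rings, back-pointers)
    chain:   the walk passes >= min_chain pointer slots, then ends in data
    plain:   the target is ordinary data"""
    counts = {"total": len(ptrs), "invalid": 0, "cycle": 0, "chain": 0, "plain": 0}
    for slot, target in ptrs.items():
        if target % WORD or not _in(target, dumped_ranges):
            counts["invalid"] += 1
            continue
        seen, cur, hops = {slot}, target, 1
        while cur in ptrs:
            if cur in seen:
                counts["cycle"] += 1
                break
            seen.add(cur)
            cur, hops = ptrs[cur], hops + 1
        else:
            counts["chain" if hops >= min_chain else "plain"] += 1
    return counts


def analyze_heap(heap, base=HEAP_BASE, address_ranges=ARENA, dumped_ranges=DUMPED):
    ptrs = scan_pointers(heap, base, address_ranges)
    stats = classify_pointers(ptrs, dumped_ranges)
    stats["pointer_pct"] = round(len(ptrs) * WORD * 100 / len(heap), 2)
    return stats


def build_sample_heap():
    """Constructed one-page heap: a 3-node circular doubly linked list, a
    4-node singly linked chain ending in a string, one dangling pointer into
    a page that was not dumped and one misaligned pointer."""
    heap = bytearray(PAGE)

    def put(off, *vals):
        struct.pack_into("<%dQ" % len(vals), heap, off, *vals)

    nodes = [0x100, 0x120, 0x140]                 # node: prev, next, value, tag
    for i, off in enumerate(nodes):
        put(off, HEAP_BASE + nodes[i - 1], HEAP_BASE + nodes[(i + 1) % 3], i + 1)
        heap[off + 24:off + 28] = b"node"
    chain = [0x200, 0x220, 0x240, 0x260]          # node: next, value
    for off, nxt in zip(chain, chain[1:] + [0x300]):
        put(off, HEAP_BASE + nxt, 0xDEADBEEF)     # 0xDEADBEEF lies below any mapping
    heap[0x300:0x310] = b"hello heap world"       # what the chain finally reaches
    put(0x400, HEAP_BASE + 0x10000, HEAP_BASE + 0x303)  # not dumped; misaligned
    return bytes(heap)


if __name__ == "__main__":
    for name, value in analyze_heap(build_sample_heap()).items():
        print(f"{name:12} {value}")
```

The six list pointers all end in a cycle, the first three chain nodes count as a longer chain and the last one (whose next points straight at the string) is plain, and the two slots at 0x400 are the "invalid pages or not aligned" class. The cheap "value falls inside a mapping" heuristic is what makes the pointer count on the slide possible without debug symbols; it also admits false positives, which is why the invalid class exists.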

Page 39: Initd Visualization

Page 40: Rsyslogd Visualization

Page 41: Questions