EMPOWERING INVESTIGATORS
VOLATILE SYSTEMS
Upping the ‘Anti’:
Using Memory Analysis to Fight Malware
SANS Incident Response and Forensics Summit
October 13, 2008
AAron Walters
About Volatile Systems
• We provide the solutions and knowledge to address volatile memory analysis needs:
  – Software customizations, integrity assessments, incident response, malware analysis, training
• Proven technology
  – 5 years of published university research
  – Technology licensed (commercial, government, etc.)
  – Volatility (contributors: experts/organizations)
  – LEO/investigators worldwide
• Field-experienced analysts
  – Focused on volatile memory analysis (5 years)
  – Universities, government, military, LE, commercial
  – Thousands of memory images/malware samples
VVVV LATILESYSTEMS
State of Malware
• Volume of new malware increasing (2007)
  – Symantec: 2/3 of all malware seen to date appeared in 2007 (711,912 new samples)
  – F-Secure: as much malware appeared in 2007 as in the previous 20 years (1/2 of all malware)
• A/V detection ineffective (Bailey, 2007)
  – 6 weeks' worth of malware / 5 A/V vendors
  – 1 month later → 56% detected
  – ~6 months later → 66% detected
[Chart: Malware Detected by Year, 1985–2007, y-axis 0 to 6,000,000 (Source: Security Fix)]
Malware Trends
• Targeted attacks
  – Financially/politically motivated
  – Zero-day vulnerabilities (documents)
• Proliferation of stealth technology (memory)
  – Kernel rootkits (Storm)
  – Code injection (DLLs, etc.)
• Commercialization of malware
  – Quality assurance
  – Performance guarantees
• Evolving malware
  – Refining methods → successes/failures
  – Tactics escalation
• Upping the "Anti"
  – Anti-detection, anti-debugging, anti-forensics
Incidents: Defense Industry
• Attacks
  – Government contractors
  – Upper management
  – Sophisticated spear phishing
• Agent
  – Undetected (AV/anti-rootkit)
  – Quickly evolving variants (weeks)
  – Small system footprint
• Command and Control
  – Messages: steganography/encoded
  – Channel: protocols/ports/servers
• Lay dormant ......
Incidents: Financial Industry
• Attacks
  – Targeting online money: bank accounts, online payment, CCNs
  – Multi-platform (Windows, Linux)
• Clients
  – Undetected (AV/anti-rootkits)
  – Stealth technology (e.g. rootkits, packers)
  – Exfiltrating data: usernames, passwords, etc. (browser); process memory (e.g. Canvas)
• Servers
  – Hijacking servers
  – User-mode rootkits (e.g. code injection)
  – Hiding artifacts in memory
Now what?
• Detection is just the beginning!
• Actionable data
• Identify other systems involved (triage)
• Determine how they gained entry
• Elucidate intent
• Evaluate capabilities
• Assess damage
• Quantify current state / measure improvement
• Across the enterprise!
Opaque Enterprise
• Opaque components of the information infrastructure
  – What is running? (patches, malware, etc.)
Consistent Picture
Digital Crime Scene
Runtime State
• Order of Volatility (RFC 3227)
  – Data life expectancy
• Volatile state / active objects
  – Ceases to exist when power is removed
• Valuable data (context)
  – Volatile media "trusted" (passwords, keys, malware)
• Goals (Carrier, 2003):
  – Minimize obtrusiveness
  – Minimize trust
  – Understand effects
Live Response
• Quickly collect information from live machine
• Response toolkits & agents
• Antivirus/rootkit detectors
• SysAdmin tools (WFT,COFEE) /APIs (Guidance)
• Limitations
• Depend on OS (trust, information)
• Obtrusive (substantial and complex: >30% (Walters,2007))
• Unverifiable (3rd Party)
• Unable to clarify or expand (pigeon holed)
• Best evidence? (relative)
Volatile Memory Analysis
• Entire contents of physical memory (RAM)
• Direct analysis of raw bit “image”
• Artifact persistence/unallocated memory (Chow,2005)
• Advantages:
• Analysis does not depend on OS (trust)
• Reduce and simplify obtrusiveness (acquisition)
• Removes the active adversary (freeze state)
• Verifiable (3rd Party: data and tools)
• Unconstrained analysis (raw data)
• Challenges
• Acquisition/Temporal proximity
In the beginning…..
• Old school memory analysis
  – dd, crash dumps, kcores, swap
  – Printable character sequences
  – strings, less, grep, hexedit, text editor
• Investigative leads
  – Passwords, email addresses, IP addresses, commands, domain names, file names, URLs
• Large quantity of data
  – 2GB memory image → 818MB of strings output
• Context-free data
  – Spatial proximity (paging, unallocated, etc.)
  – Bare strings output, physical offset only:  259621376:Netcat network data redirector.
  – The same hit with process context [PID:virtual address]:  259621376 [2936:412200] Netcat network data redirector.
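To make the context problem concrete, here is an added example (it is not code from the slides or from Volatility): a `strings`-style scan over a constructed 64 KiB image, followed by the step Volatility's strings module performs, attaching [pid:virtual address] context to every hit from a per-process page map. The image contents, PIDs and page mappings are invented for illustration; a real page map would come from walking each process's page tables.

```python
import re

PAGE = 0x1000

# Constructed 64 KiB "physical memory image" (not a real capture).  One
# string is planted in a page that a process maps, a second copy of it in
# a page nobody maps (unallocated), and a third string in a page that two
# processes share.
HIT = b"Netcat network data redirector."
REQ = b"GET / HTTP/1.1"
IMAGE = bytearray(16 * PAGE)
IMAGE[3 * PAGE + 0x200:3 * PAGE + 0x200 + len(HIT)] = HIT
IMAGE[9 * PAGE + 0x010:9 * PAGE + 0x010 + len(HIT)] = HIT
IMAGE[5 * PAGE + 0x040:5 * PAGE + 0x040 + len(REQ)] = REQ

# Constructed page mappings, the output a page-table walk of every process
# would give: (pid, virtual page) -> physical page number.
PAGE_MAP = {
    (2936, 0x412000): 3,
    (1040, 0x7ff000): 5,
    (2936, 0x7f0000): 5,   # same physical frame mapped twice (shared section)
}


def find_strings(buf, minlen=8):
    """Old-school `strings`: printable ASCII runs with their physical offsets."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % minlen)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(bytes(buf))]


def reverse_page_map(page_map):
    """Invert the per-process mapping: physical page -> [(pid, virtual page)]."""
    rev = {}
    for (pid, vpage), ppage in page_map.items():
        rev.setdefault(ppage, []).append((pid, vpage))
    return rev


def strings_with_context(buf, page_map, minlen=8):
    """For each hit report the physical offset plus every [pid:vaddr] that
    maps its page; hits in pages no process maps are tagged [FREE].  This is
    exactly the context a bare `strings` run lacks."""
    rev = reverse_page_map(page_map)
    results = []
    for off, text in find_strings(buf, minlen):
        owners = rev.get(off // PAGE, [])
        if owners:
            ctx = " ".join("[%d:%x]" % (pid, vpage | (off % PAGE)) for pid, vpage in owners)
        else:
            ctx = "[FREE]"
        results.append((off, ctx, text))
    return results


if __name__ == "__main__":
    for off, ctx, text in strings_with_context(IMAGE, PAGE_MAP):
        print("%d %s %s" % (off, ctx, text))
```

A hit tagged [FREE] is not worthless (it may be a remnant of a process that has exited, the persistence effect cited above), but it cannot be attributed to a running process, and a hit in a shared page must be reported against every process that maps it.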
Memory Analysis Types
[Diagram: three levels of analysis, each adding context. Physical Memory Analysis works on the physical address space; Virtual Memory Analysis on the kernel and user address spaces (plus swap); Application Analysis on the application address space.]
VOLATILITY
Volatility
• Volatile memory forensics framework
  – Completely open source (Python)
  – Cross-platform analysis: Windows, Linux
  – No MS DLLs! Runs on Windows, Linux, OS X, etc.
  – Targets: 32-bit XP SP2/SP3* (PAE/NOPAE)
  – Extendable to other hardware/operating systems
• Command-line tools
• Places you can find Volatility
  – PyFlag, DFlabs PTK, VolShell, PlainSight, SIFT, Helix
• Powerful modular architecture!
  – Practitioners, trainers, researchers
Community: Order of Volatility
• Code Contributors:
  – Michael Cohen
  – David Collett
  – Brendan Dolan-Gavitt
  – Blake Matheny
  – Andreas Schuster
• Research Collaborators:
  – Jide Abu
  – Jose Nazario
  – Doug White
  – Matthieu Suiche
• Testing/Bugs:
  – Joseph Ayo Akinyele
  – Tommaso Assandri
  – Harlan Carvey
  – Eoghan Casey
  – Jim Clausing
  – Jon Evans
  – Robert Guess
  – Jesse Kornblum
  – Jamie Levy
  – Eugene Libster
  – Erik Ligda
  – Tony Martin
  – Golden G. Richard III
  – Sam F. Stover
Volatility
• Types of information (live response)
  – Running processes
  – Strings to process mappings
  – Open network connections
  – Process to files (DLLs)
  – Process to port mappings
  – System time
• Techniques
  – Data structure traversal (list walking, table crawling, tree climbing)
  – Fixed offsets (symbols)
  – Linear scanning
  – Object-oriented scanning framework (Schuster, Cohen)
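The two techniques on this slide complement each other in a way a constructed example shows best. The following is an added illustration, not Volatility code: a tiny fake pool layout with "Proc"-tagged objects linked into a circular list, one of which is unlinked the way a DKOM rootkit hides a process. List walking follows the links and never sees it; a linear pool-tag scan with sanity constraints finds it; the set difference between the two views is the hidden process. The tag, structure layout, offsets and process names are invented.

```python
import struct

POOL_HDR = struct.Struct("<4sI")      # pool tag, block size (invented layout)
PROC = struct.Struct("<III16s")       # pid, Flink, Blink, image name
LIST_OFF = 4                          # offset of the LIST_ENTRY inside the body
HEAD = 0x40                           # "PsActiveProcessHead": a bare LIST_ENTRY


def build_image(procs, hidden_pid):
    """Constructed 4 KiB image (not a real capture).  procs: (offset, pid,
    name).  Every process is linked into the circular list except hidden_pid,
    whose object stays in memory while its neighbours' links bypass it."""
    img = bytearray(0x1000)
    entries = [HEAD] + [off + POOL_HDR.size + LIST_OFF
                        for off, pid, _ in procs if pid != hidden_pid]
    links = {e: (entries[(i + 1) % len(entries)], entries[i - 1])
             for i, e in enumerate(entries)}
    struct.pack_into("<II", img, HEAD, *links[HEAD])
    for off, pid, name in procs:
        body = off + POOL_HDR.size
        entry = body + LIST_OFF
        flink, blink = links.get(entry, (entry, entry))   # unlinked: points at itself
        POOL_HDR.pack_into(img, off, b"Proc", POOL_HDR.size + PROC.size)
        PROC.pack_into(img, body, pid, flink, blink, name.ljust(16, b"\0"))
    return bytes(img)


def walk_list(img, head=HEAD, limit=1000):
    """List walking: follow Flink from the head and CONTAINING_RECORD each
    entry back to its object.  `limit` guards against a cycle that skips the head."""
    seen = []
    flink = struct.unpack_from("<I", img, head)[0]
    while flink != head and len(seen) < limit:
        body = flink - LIST_OFF
        pid, flink, _blink, name = PROC.unpack_from(img, body)
        seen.append((pid, name.rstrip(b"\0").decode()))
    return seen


def scan_objects(img, align=8):
    """Linear scanning: test for the pool tag at every aligned offset and keep
    hits whose fields pass sanity constraints, independent of any list."""
    found = []
    for off in range(0, len(img) - POOL_HDR.size - PROC.size, align):
        tag, size = POOL_HDR.unpack_from(img, off)
        if tag != b"Proc" or size != POOL_HDR.size + PROC.size:
            continue
        pid, flink, blink, name = PROC.unpack_from(img, off + POOL_HDR.size)
        if pid == 0 or flink >= len(img) or blink >= len(img):
            continue                                   # implausible: false positive
        found.append((pid, name.rstrip(b"\0").decode()))
    return found


def hidden_processes(img):
    """Cross-view: whatever the scanner sees that the list walk does not."""
    walked = set(walk_list(img))
    return [p for p in scan_objects(img) if p not in walked]


SAMPLE = build_image([(0x100, 4, b"System"), (0x200, 628, b"lsass.exe"),
                      (0x300, 1208, b"malware.exe"), (0x400, 2936, b"nc.exe")],
                     hidden_pid=1208)

if __name__ == "__main__":
    print("walked :", walk_list(SAMPLE))
    print("scanned:", scan_objects(SAMPLE))
    print("hidden :", hidden_processes(SAMPLE))
```

The sanity constraints are what keep a scanner honest: a tag alone matches stale copies of freed objects and random data, so real scanners check several fields (and, as a side effect, also surface terminated processes whose memory has not been reused, which is a feature for the investigator and a source of false positives for a naive "hidden process" alarm).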
Volatility 1.3: Highlights
• Data view modules (> 13 new modules!)
  – raw2dmp, regobjkeys, procdump
• Dynamic plugin support
  – VolShell (Dolan-Gavitt)
  – ssdt (Dolan-Gavitt), getsids (Dolan-Gavitt)
  – 11 Linux modules
• Address Spaces
  – PrivacyPreservingAddressSpace (experimental): only stores necessary data
  – WindowsCrashDumpSpace32 (Schuster): Microsoft's crash dump format (full dumps)
  – HiberfilSpace32 (Suiche, Dolan-Gavitt)
Volatility 1.3: Hibernation File
• Microsoft's hibernation file format (hiberfil.sys)
  – SandMan project (Matthieu Suiche): http://sandman.msuiche.net
  – Microsoft Interoperability Initiative: [MS-DRSR] DecompressWin2k3()
• Compressed chunks of physical memory (Xpress)
  – xpress.py (Dolan-Gavitt)
  – Maps physical address to decompressed offset
• Limitations
[Diagram: address space layering; the boxes shown are PrivacyAddrSpaceStore, HiberfilSpace32, IA32PagedMemoryPae and FileAddressSpace]
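An added example of the address-space layering the hibernation support depends on (this is neither HiberfilSpace32 nor xpress.py): a file layer at the bottom, a chunked-compression layer that maps a physical address to an offset inside a decompressed chunk, and a non-PAE IA-32 paging layer on top that turns virtual addresses into physical ones. The chunk table format is invented and zlib stands in for Xpress; the page tables and memory contents are constructed. Pages absent from the file read as zero, which is also the analyst's cue that a page was not saved.

```python
import struct
import zlib

PAGE = 0x1000


class FileAddressSpace:
    """Bottom layer: a raw file (here an in-memory bytes object)."""
    def __init__(self, data):
        self.data = data

    def read(self, off, n):
        return self.data[off:off + n]


class CompressedChunkSpace:
    """Physical memory stored as compressed chunks behind a table (invented
    format; zlib replaces Xpress).  read() maps a physical address to the
    offset inside the decompressed chunk, caching decompressed chunks."""
    HDR = struct.Struct("<I")            # chunk count
    ENT = struct.Struct("<IIII")         # first_page, npages, data_off, comp_len

    def __init__(self, base):
        self.base = base
        count = self.HDR.unpack(base.read(0, 4))[0]
        self.table = [self.ENT.unpack(base.read(4 + i * 16, 16)) for i in range(count)]
        self.cache = {}

    def _chunk_for(self, page):
        for idx, (first, npages, _, _) in enumerate(self.table):
            if first <= page < first + npages:
                return idx
        return None

    def _decompressed(self, idx):
        if idx not in self.cache:
            _, _, off, clen = self.table[idx]
            self.cache[idx] = zlib.decompress(self.base.read(off, clen))
        return self.cache[idx]

    def read(self, paddr, n):
        out = b""
        while n > 0:
            page, inpage = divmod(paddr, PAGE)
            take = min(n, PAGE - inpage)
            idx = self._chunk_for(page)
            if idx is None:
                out += b"\0" * take                       # page not saved in the file
            else:
                start = (page - self.table[idx][0]) * PAGE + inpage
                out += self._decompressed(idx)[start:start + take]
            paddr, n = paddr + take, n - take
        return out


class IA32PagedMemory:
    """Top layer: 32-bit non-PAE x86 page-table walk over any physical space."""
    def __init__(self, base, dtb):
        self.base, self.dtb = base, dtb

    def _u32(self, paddr):
        return struct.unpack("<I", self.base.read(paddr, 4))[0]

    def vtop(self, va):
        pde = self._u32(self.dtb + ((va >> 22) << 2))
        if not pde & 1:
            return None                                   # not present (maybe swapped)
        if pde & 0x80:                                    # PS bit: 4 MiB page
            return (pde & 0xFFC00000) | (va & 0x3FFFFF)
        pte = self._u32((pde & ~0xFFF) + (((va >> 12) & 0x3FF) << 2))
        if not pte & 1:
            return None
        return (pte & ~0xFFF) | (va & 0xFFF)

    def read(self, va, n):
        pa = self.vtop(va)
        return None if pa is None else self.base.read(pa, n)


def build_hiberfile(phys, chunks=((0, 8), (8, 4))):
    """Pack a constructed physical image into the chunk format above; pages
    outside `chunks` (here 12-15) are deliberately not saved."""
    blobs = [zlib.compress(bytes(phys[f * PAGE:(f + n) * PAGE])) for f, n in chunks]
    table, off = b"", 4 + 16 * len(chunks)
    for (f, n), blob in zip(chunks, blobs):
        table += CompressedChunkSpace.ENT.pack(f, n, off, len(blob))
        off += len(blob)
    return CompressedChunkSpace.HDR.pack(len(chunks)) + table + b"".join(blobs)


def constructed_physical_memory():
    """16 pages with a page directory at 0x1000, one page table at 0x2000,
    a 4 KiB mapping 0x401000 -> 0x7000 and a 4 MiB mapping 0x80000000 -> 0."""
    phys, dtb = bytearray(16 * PAGE), 0x1000
    struct.pack_into("<I", phys, dtb + 4, 0x2000 | 0x3)          # PDE[1] -> page table
    struct.pack_into("<I", phys, 0x2000 + 4, 0x7000 | 0x3)       # PTE[1] -> frame 7
    struct.pack_into("<I", phys, dtb + 512 * 4, 0x0 | 0x83)      # PDE[512]: large page
    phys[0x7000:0x7010] = b"hibernated-key!!"
    phys[0x3200:0x320a] = b"large-page"
    return phys, dtb


def read_virtual_from_hiberfile(va, n):
    phys, dtb = constructed_physical_memory()
    stack = IA32PagedMemory(CompressedChunkSpace(FileAddressSpace(build_hiberfile(phys))), dtb)
    return stack.read(va, n)
```

Because each layer exposes the same read() interface, the paging layer neither knows nor cares whether the bytes underneath come from a raw dd image, a crash dump or a compressed hibernation file; that is what lets one set of analysis modules work against every acquisition format.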
Integrating Memory
• DFRWS 2008 Forensics Challenge
  – Evidence fusion: memory, hard disk, network
  – PyFlag/Volatility (Cohen, Collett, Walters)
• Role of memory forensics
  – Carving memory image
  – Exfiltration script
  – Encryption keys / SSL decryption
  – Volatile targeting: network traffic / open files
  – Attribution: user activity (strings)
  – Temporal information: time zone / timestamps
Temporal Reconstruction
• It's about time...... (timeline)
  – "the most potentially valuable forensic tool in your digital detective toolkit" (Farmer, 2000)
• Temporal relationships between artifacts
  – Volatile time: absolute vs. relative
  – Temporally link disparate events
• Visualization
  – Presentation
  – Instantaneous events, duration events
  – Knowledge discovery
Temporal Reconstruction
Component Age Diagrams
• Visualize anomalies in component timestamps (Vostokov, 2008)
[Chart: component age diagram; x-axis: Modules, y-axis: Date, ticks from 12/6/1999 to 2/22/2008]
Integrity Matters
• Evaluate the runtime state of a machine (audit)
  – Trusted, suspicious, compromised
• Deriving trust (Petroni, 2008)
  – Immutability (roots of trust): kernel/user text (executable instructions)
  – Control flow integrity: static function tables (IDT, SSDT, IAT, etc.), dynamic data structures (heap, stack, etc.)
  – Semantic integrity: semantic relationships in dynamic data; policy enforcement (ports, registry, exe versions, etc.)
• Statistics/clustering
  – Measured integrity
  – Cluster machines
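As an added illustration of the three kinds of check listed on this slide (it is not Volatility's ssdt module and not code from Petroni's work), the following audits a constructed kernel view: SSDT entries are resolved against the loaded-module ranges, the in-memory kernel text is compared with a trusted copy to locate patched bytes, and listeners are checked against a port policy. The modules, addresses, text bytes, connections and policy are all invented.

```python
import hashlib

# Constructed kernel view (not from a real image): loaded modules as
# (name, base, size), the native SSDT as function pointers, ntoskrnl's
# .text as found in memory, and the same bytes from the trusted file.
MODULES = [("ntoskrnl.exe", 0x80400000, 0x200000),
           ("hal.dll", 0x80600000, 0x20000),
           ("rootkit.sys", 0xf8a00000, 0x4000)]
SSDT = [0x80450000, 0x80451230, 0xf8a01000, 0x80460000]   # index 2 points into rootkit.sys
TRUSTED_TEXT = bytes(range(64))
MEMORY_TEXT = bytearray(TRUSTED_TEXT)
MEMORY_TEXT[0x10:0x15] = b"\xe9\x00\x10\xa0\xf8"           # 5-byte jmp: inline hook
PORT_POLICY = {80: "httpd.exe", 443: "httpd.exe"}          # which image may own which port
CONNECTIONS = [(1040, "httpd.exe", 80), (2936, "nc.exe", 4444)]   # (pid, image, local port)


def owner_of(addr, modules):
    """Module whose [base, base+size) range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def check_ssdt(table, modules, native="ntoskrnl.exe"):
    """Static function table: every native service must resolve inside
    ntoskrnl; anything else is a hook, attributed to the module it lands in."""
    return [(i, t, owner_of(t, modules) or "unknown (no module)")
            for i, t in enumerate(table) if owner_of(t, modules) != native]


def check_text(mem_text, trusted_text):
    """Immutability of kernel text: hash against the trusted copy and, on a
    mismatch, return the patched byte ranges as [start, end) offsets."""
    if hashlib.sha256(mem_text).digest() == hashlib.sha256(trusted_text).digest():
        return []
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(mem_text, trusted_text)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(mem_text)))
    return ranges


def check_ports(connections, policy):
    """Semantic integrity: a listener is acceptable only if the policy names
    that image for that port."""
    return [(name, port) for _, name, port in connections if policy.get(port) != name]


def audit(modules=MODULES, ssdt=SSDT, mem_text=MEMORY_TEXT, trusted_text=TRUSTED_TEXT,
          connections=CONNECTIONS, policy=PORT_POLICY):
    """Classify the runtime state: a control-flow or text violation means
    compromised, a policy-only violation suspicious, otherwise trusted."""
    findings = {"ssdt": check_ssdt(ssdt, modules),
                "text": check_text(bytes(mem_text), trusted_text),
                "ports": check_ports(connections, policy)}
    if findings["ssdt"] or findings["text"]:
        verdict = "compromised"
    elif findings["ports"]:
        verdict = "suspicious"
    else:
        verdict = "trusted"
    return verdict, findings


if __name__ == "__main__":
    print(audit())
```

On a real system the trusted text is not a byte-for-byte copy of the file: the loader applies relocations and the kernel may patch import thunks, so the reference must be built by applying the same relocations to the on-disk image before hashing, or hook detection will drown in false positives.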
Deriving Trust: Stack
[Diagram: stack walk. sp = 0x22c000; stack region 0x22c000–0x230000 with candidate return addresses at 0x22c6e4, 0x22c83c, 0x22c844 and 0x22ca1c; values such as 0xb0618a and 0xb00000 resolve into metsrv.dll (loaded at 0xb00000) and 0x10000000 into ext783937.dll (loaded at 0x10000000); the diagram annotates the two modules with the counts 24 and 22]
Delta Detective™
• Automated malware analysis (real systems)
  – State changes in memory (semantic model)
  – Objects (committed/free)
  – Data structures (e.g., VAD tree, loaded DLLs)
  – Control flow changes (hooking, text changes)
• Semantic Diff™
  – Persistent changes to volatile storage
  – Automatically generate a malware profile
• Malware library (global collection)
  – Volatile Intelligence Network
  – Crawling, spam traps, honeypots (updated daily)
  – Threat reports/profiles
Automated Malware Analysis
[Diagram: automated malware analysis pipeline. Malware Database → Malware Installed; Acquire RAM + Swap both before and after installation → Delta Detective → Report Database → Malware Cluster]
Objects: Set Difference
After \ Before = { x : x ∈ After and x ∉ Before }
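An added example of the set difference above applied to the semantic model described on the Delta Detective slide (this is not Delta Detective or Semantic Diff code): two snapshots are normalised so that run-specific PIDs do not matter, After \ Before is computed for objects and for changed entries of a function table, and only changes that persist across every run are kept, which is what turns a raw diff into a profile. The snapshots below are constructed; run 1 also contains a transient cmd.exe that the persistence filter is meant to drop.

```python
# Constructed snapshots of the semantic model (not real captures): a clean
# baseline, and the state after the same sample ran on it twice.
BEFORE = {
    "processes": {(4, "System"), (628, "lsass.exe"), (1040, "explorer.exe")},
    "dlls": {(1040, "kernel32.dll"), (1040, "user32.dll"), (628, "kernel32.dll")},
    "ssdt": {0x42: 0x80481230, 0x91: 0x80491000, 0xad: 0x804a1f00},
}
AFTER_RUN1 = {
    "processes": {(4, "System"), (628, "lsass.exe"), (1040, "explorer.exe"),
                  (1516, "svch0st.exe"), (2000, "cmd.exe")},
    "dlls": {(1040, "kernel32.dll"), (1040, "user32.dll"), (628, "kernel32.dll"),
             (1040, "hook32.dll"), (1516, "kernel32.dll"), (1516, "wininet.dll")},
    "ssdt": {0x42: 0x80481230, 0x91: 0xf8a01000, 0xad: 0x804a1f00},
}
AFTER_RUN2 = {
    "processes": {(4, "System"), (628, "lsass.exe"), (1040, "explorer.exe"),
                  (1720, "svch0st.exe")},
    "dlls": {(1040, "kernel32.dll"), (1040, "user32.dll"), (628, "kernel32.dll"),
             (1040, "hook32.dll"), (1720, "kernel32.dll"), (1720, "wininet.dll")},
    "ssdt": {0x42: 0x80481230, 0x91: 0xf8a01000, 0xad: 0x804a1f00},
}


def set_difference(after, before):
    """After \\ Before = { x : x in After and x not in Before }."""
    return {x for x in after if x not in before}


def normalize(snap):
    """Replace PIDs by image names so snapshots from different runs compare."""
    names = dict(snap["processes"])
    return {"processes": {n for _, n in snap["processes"]},
            "dlls": {(names.get(pid, "?"), dll) for pid, dll in snap["dlls"]},
            "ssdt": dict(snap["ssdt"])}


def semantic_diff(before, after):
    """Objects that appeared or vanished, plus function-table entries whose
    target changed (control flow changes), between two snapshots."""
    b, a = normalize(before), normalize(after)
    diff = {}
    for kind in ("processes", "dlls"):
        diff["new_" + kind] = set_difference(a[kind], b[kind])
        diff["gone_" + kind] = set_difference(b[kind], a[kind])
    diff["ssdt_changes"] = {i: (b["ssdt"].get(i), a["ssdt"].get(i))
                            for i in set(b["ssdt"]) | set(a["ssdt"])
                            if b["ssdt"].get(i) != a["ssdt"].get(i)}
    return diff


def persistent_profile(before, afters):
    """Keep only changes present in every run: transient noise (a process
    that came and went, a run-specific artifact) drops out; what remains is
    the sample's profile."""
    diffs = [semantic_diff(before, a) for a in afters]
    profile = {}
    for key in diffs[0]:
        if key == "ssdt_changes":
            common = set(diffs[0][key].items())
            for d in diffs[1:]:
                common &= set(d[key].items())
            profile[key] = dict(common)
        else:
            common = set(diffs[0][key])
            for d in diffs[1:]:
                common &= d[key]
            profile[key] = common
    return profile


if __name__ == "__main__":
    for k, v in persistent_profile(BEFORE, [AFTER_RUN1, AFTER_RUN2]).items():
        print(k, v)
```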
Data Structures (VAD)
Control Flow Changes
Extracting Malware
[Diagram: Extracting Malware. Three columns, Disk, Memory and Extract. On disk the PE (Header, text, idata, edata, reloc) is packed at file alignment; in memory the same sections are spread across pages at section alignment, with some pages marked ▲; Extract rebuilds an image from the in-memory layout]
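An added example of what the Extract step has to do (this is not Volatility's procdump): a constructed PE32 with a 224-byte optional header is built, mapped the way the loader would map it, and then rebuilt from a process-memory reader in which one page is not resident. The section headers are rewritten so that each raw pointer equals its virtual address (the dump keeps the memory layout), and non-resident pages are zero-filled and reported rather than silently papered over. The binary is synthetic and contains no real code.

```python
import struct

DOS_HDR = struct.Struct("<2s58xI")      # e_magic ... e_lfanew
NT_HDR = struct.Struct("<4sHHIIIHH")    # Signature + IMAGE_FILE_HEADER
SECT = struct.Struct("<8sIIIIIIHHI")    # IMAGE_SECTION_HEADER
PAGE = 0x1000


def align(n, a):
    return (n + a - 1) // a * a


def parse_headers(buf):
    """Pull out the header fields a dumper needs (PE32 optional header offsets)."""
    magic, e_lfanew = DOS_HDR.unpack_from(buf, 0)
    sig, _, nsect, _, _, _, opt_size, _ = NT_HDR.unpack_from(buf, e_lfanew)
    if magic != b"MZ" or sig != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + NT_HDR.size
    sect_align, file_align = struct.unpack_from("<II", buf, opt + 0x20)
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 0x38)
    first_sect = opt + opt_size
    sections = [SECT.unpack_from(buf, first_sect + i * SECT.size) for i in range(nsect)]
    return dict(sect_align=sect_align, file_align=file_align, size_of_image=size_of_image,
                size_of_headers=size_of_headers, first_sect=first_sect, sections=sections)


def build_disk_pe(sections):
    """Constructed minimal PE32 (not a real binary): sections = [(name, vaddr, data)]."""
    FILE_ALIGN, SECT_ALIGN, OPT_SIZE = 0x200, 0x1000, 0xE0
    hdr_size = align(0x40 + NT_HDR.size + OPT_SIZE + SECT.size * len(sections), FILE_ALIGN)
    size_of_image = align(max(va + len(d) for _, va, d in sections), SECT_ALIGN)
    out = bytearray(hdr_size)
    DOS_HDR.pack_into(out, 0, b"MZ", 0x40)
    NT_HDR.pack_into(out, 0x40, b"PE\0\0", 0x14c, len(sections), 0, 0, 0, OPT_SIZE, 0x102)
    opt = 0x40 + NT_HDR.size
    struct.pack_into("<H", out, opt, 0x10b)                       # PE32 magic
    struct.pack_into("<II", out, opt + 0x20, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", out, opt + 0x38, size_of_image, hdr_size)
    raw = hdr_size
    for i, (name, va, data) in enumerate(sections):
        raw_size = align(len(data), FILE_ALIGN)
        SECT.pack_into(out, opt + OPT_SIZE + i * SECT.size, name.ljust(8, b"\0"),
                       len(data), va, raw_size, raw, 0, 0, 0, 0, 0x60000020)
        out += data.ljust(raw_size, b"\0")
        raw += raw_size
    return bytes(out)


def map_like_loader(disk):
    """What the loader leaves in memory: headers, then each section at its VirtualAddress."""
    h = parse_headers(disk)
    image = bytearray(h["size_of_image"])
    image[:h["size_of_headers"]] = disk[:h["size_of_headers"]]
    for _, vsize, va, raw_size, raw, *_ in h["sections"]:
        image[va:va + raw_size] = disk[raw:raw + raw_size]
    return bytes(image)


def extract_pe(read, base):
    """Rebuild a PE from process memory.  read(va, n) returns bytes, or None
    when the page is not resident; such pages are zero-filled and reported.
    The headers page is assumed to be resident."""
    h = parse_headers(read(base, PAGE))
    out, missing = bytearray(), []
    for va in range(0, h["size_of_image"], PAGE):
        page = read(base + va, PAGE)
        if page is None:
            missing.append(va)
            page = b"\0" * PAGE
        out += page
    # The dump keeps the memory layout, so point every raw pointer at its VirtualAddress.
    for i, s in enumerate(h["sections"]):
        name, vsize, va, _raw_size, _raw, p_rel, p_ln, n_rel, n_ln, chars = s
        SECT.pack_into(out, h["first_sect"] + i * SECT.size, name, vsize, va,
                       align(vsize, h["file_align"]), va, p_rel, p_ln, n_rel, n_ln, chars)
    return bytes(out), missing


def demo():
    """Build, map, then dump with the .reloc page (page 3) paged out."""
    disk = build_disk_pe([(b".text", 0x1000, bytes(range(256)) * 3),
                          (b".data", 0x2000, b"D" * 0x100),
                          (b".reloc", 0x3000, b"R" * 0x50)])
    mem, base = map_like_loader(disk), 0x400000

    def read(va, n):
        off = va - base
        return None if off // PAGE == 3 else mem[off:off + n]

    return extract_pe(read, base)


if __name__ == "__main__":
    dumped, missing = demo()
    print(len(dumped), "bytes dumped; non-resident pages:", [hex(m) for m in missing])
```

The dumped file is a memory-layout image, not the original file: an import table already resolved by the loader and any in-memory patches by the malware come with it, which is exactly what the analyst wants for a packed or self-modifying sample, and zero-filled holes mark what the page file would have had to supply.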
F-Response 2.03: Extend Your Arsenal
What is F-Response?
• F-Response is a small, largely self-contained application that provides read-only, authenticated network access to a remote computer's physical disk and physical memory.
• Minimal system impact (obtrusiveness)
• F-Response 1.18 (physical disk only)
  – Windows (2000, XP, 2003, Vista, 2008)
  – Linux, OS X Intel (10.4, 10.5)
• F-Response 2.03 (physical disk + physical memory) - Beta
  – Windows (2000, XP, 2003, Vista, 2008)
How does F-Response work?
• F-Response is based on the well-documented iSCSI standard to create a secure, read-only connection between the examiner's computer and the computer under inspection.
• F-Response makes the storage devices and physical memory on the computer under examination completely accessible to the examiner's computer, where they appear as local, raw, physical storage devices.
F-Response in Deployment
F-Response & Volatility
• Joint project between F-Response and Volatility to extend the framework with real-time remote access capability.
• Months of development and testing.
• Both products will continue to work separately; however, the two combined give you....
VOLTAGE
Voltage
• Real-time read-only access to runtime state
  – Physical memory
  – pagefile.sys
• Combine detection with response
  – Temporal proximity
  – Acquisition capabilities
• Continuous independent monitoring
  – Visibility into the enterprise
  – Verify the state of systems
Voltage Demo
Conclusions
• Volatile state is a critical component of the digital crime scene
• Memory analysis "Ups the Anti"
• Columbia Pictures et al. v. Justin Bunnell
  – RAM is Electronically Stored Information under the Federal Rules of Civil Procedure
Download Volatility 1.3: http://www.volatilesystems.com/
Join the community!
For more information
• Web: http://www.f-response.com
• Email: [email protected]
• Phone: 1-800-317-5497
Questions?
Feedback, questions, comments...awalters [at] volatilesystems [dot] com
Resources
• Acquisition
  – Open source: mdd: https://sourceforge.net/projects/mdd/ ; win32dd: http://win32dd.msuiche.net/
  – Commercial: F-Response 2.0: http://www.f-response.com/ ; Kntdd: http://gmgsystemsinc.com/knttools/
• Conferences
  – Open Memory Forensics Workshop (OMFW)
  – Digital Forensics Research Workshop (DFRWS)
• Mailing lists
  – www.volatilesystems.com/mailman/listinfo
• Research references
  – www.4tphi.net/fatkit
Resources (Cont.)
• Blogs
  – http://volatility.tumblr.com/
  – http://volatilesystems.blogspot.com/
  – http://moyix.blogspot.com
  – http://computer.forensikblog.de/en/
  – http://windowsir.blogspot.com/
  – http://jessekornblum.livejournal.com/
• Books
  – Malware Forensics (Aquilina, Casey, and Malin)
  – Windows Forensic Analysis (Harlan Carvey)
  – Forensic Discovery (Farmer and Venema)