Speaker Name and info Windows Memory Forensic Analysis using EnCase® Takahiro Haruyama, Internet Initiative Japan Inc.

Speaker Name and info Plan • Memory Forensics Overview • Acquisition Hands-on • Analysis Hands-on • Anti Memory Forensics • Wrap-up • Q&A

Speaker Name and info For Starters • Make sure the evidence for hands-on is valid – Name: WindowsMemoryForensics.L01 – MD5: f7fd702b3fefad14868a759946bf6ba3 • Prepare for hands-on tools – For acquisition • WinEn (Check your EnCase-installed folder) • MoonSols Windows Memory Toolkit Community Edition – For analysis • Memory Forensic Toolkit EnScript Raw Image Analyzer EnScript • Crash Dump Analyzer EnScript – Other tool • GetEntropy EnScript

Speaker Name and info Memory Forensics Overview

Speaker Name and info Why Memory Forensics? • Analyzing volatile data is more important than ever before – Anti disk forensic methods by malwares • Modifying file time stamps • Wiping file content • Running only in memory – Erasing or moving data from user’s HDD • Secure Web browsing • Using cloud services

Speaker Name and info Basic Flow of Memory Forensics Target Machine Investigator’s Machine Memory Image File 1. Acquire RAM data as an image file 2. Parse and analyze the image offline

Speaker Name and info Advantage to Memory Forensics • Offline parsing a memory image doesn’t use system APIs • Memory forensics can get – unallocated data (e.g., terminated process) – data hidden by malware (e.g., hidden process) 7 Live Response Tool Memory Forensic Analysis Tool Running Process Hidden Process Terminated Process Allocated Unallocated Windows API Parse binary image and extract information from it Get information through system API

Speaker Name and info Acquisition Hands-on

Speaker Name and info Memory Acquisition • EnScripts can analyze two memory image formats – raw memory image (.bin) – crash dump image (.dmp) • raw memory image + debug info • WinEn – built-in acquisition tool of EnCase – support format: raw image (but .E01) • MoonSols Windows Memory Toolkit (win32/64dd) – Free community Edition – support format: raw image and crash dump image

Speaker Name and info hands-on 1: Memory Acquisition • WinEn – Specify the following options (on execution or interactively) • -p : destination path and name to save (without extension) • -m : evidence name in EnCase view • -c : case number • -e : examiner name • -r : evidence number • -d : compression level (0=None, 1=better, 2=best) • MoonSols Windows Memory Toolkit – Execute win32dd.exe or win64dd.exe • /f : destination path and name to save (with extension) • /d : Microsoft Crash Dump Format

Speaker Name and info Analysis Hands-on

Speaker Name and info Analysis EnScripts • For raw image – Raw Image Analyzer (RIA) • Porting of Volatility Framework • Newly Added function – Keyword search specifying multilingual codepages – Calculate entropy values of processes and VADs • Support x86 Windows XP/2003/7 • For crash dump image – Crash Dump Analyzer (CDA) • Support x86 XP/2003/7 and x64 2003/2008/7

Speaker Name and info hands-on 2: Memory Analysis (Raw) • Drag and drop raw image files into EnCase • Blue-check one entry in Table Pane – Don’t blue-check folders • Make sure your image’s OS version and expand folders of RIA in Filter Pane • Run the following scripts – PsList: List all processes – KMList: List all kernel modules – DllList: List all DLLs loaded by a specified process – OpenFiles: List all files opened by a specified process – ProcDump: Extract an executable of a specified process

Speaker Name and info hands-on 3: Memory Analysis (Raw) • Blue-check hands-on3_DKOM_XPx86.bin in WindowsMemoryForensics.L01 • Run PsList and PsScan • Any difference?

Speaker Name and info Two Memory Analyzing Methods*1 • Tree & List Traversal – Emulate data access performed by OS • Translate virtual addresses to physical ones • Traverse kernel data structure using address pointers • Object Fingerprint Search – Carve signatures of kernel objects • Search data using signatures (e.g., _EPROCESS) • Validate search-hit data *1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/ forensics-waits-live-memory-forensics-doha-feb-08.pdf

Speaker Name and info Two Memory Analyzing Methods*1 • Tree & List Traversal – Emulate data access performed by OS • Translate virtual addresses to physical ones • Traverse kernel data structure using address pointers • Object Fingerprint Search – Carve signatures of kernel objects • Search data using signatures (e.g., _EPROCESS) • Validate search-hit data *1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/ forensics-waits-live-memory-forensics-doha-feb-08.pdf

Speaker Name and info IA32(x86) Address Translation OS loads Directory Table Base (Start physical address for address translation) into Control Register (CR3) How PAE X86 Works http://technet.microsoft.com/en-us/library/cc736309(WS.10).aspx 17

Speaker Name and info Implementation: Finding Directory Table Base of Windows Kernel • OS switches its context by loading Directory Table Base (DTB) of each process – DTB is stored in each process object (_EPROCESS) • Tree & List Traversal method of RIA scans _EPROCESS signature and get DTB of “Idle” process – Idle process is running in kernel space – The signature changes per OS versions _EPROCESS Signature Process ID：0 Process Name：Idle DTB of Kernel

Speaker Name and info PsActiveProcessHead Key Address for Traversal • Windows has key virtual addresses of various structures – Lead addresses for linked lists • e.g., PsActiveProcessHead for a running process list – Root addresses for binary trees • e.g., VadRoot (explain later) for process address space _EPROCESS “System” _EPROCESS “smss.exe” _EPROCESS “win32dd.exe” FLINK BLINK FLINK BLINK FLINK BLINK FLINK BLINK ... ... ...

Speaker Name and info Implementation: Finding Key Addresses for Traversal *2 Finding some non-exported kernel variables in Windows XP http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf • Use debug structure – Kernel Processor Control Region (KPCR)*2 1. Get an address pointer to _ KDDEBUGGER_DATA32 from _KPCR – In Windows XP, the address of _KPCR is fixed (e.g., 0xFFDFF000) – Not fixed in Windows 7, so guessing is needed! 2. Get address pointers to the following key addresses from _KDDEBUGGER_DATA32 – PsActiveProcessHead (lead address of running processes) – PsLoadedModuleList (lead address of currently loaded kernel modules)

Speaker Name and info Two Memory Analyzing Methods*1 • Tree & List Traversal – Emulate data access performed by OS • Translate virtual addresses to physical ones • Traverse kernel data structure using address pointers • Object Fingerprint Search – Carve signatures of kernel objects • Search data using signatures (e.g., _EPROCESS) • Validate search-hit data *1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/ forensics-waits-live-memory-forensics-doha-feb-08.pdf

Speaker Name and info Implementation: Object Fingerprint Search 1. Search signatures of headers – e.g., _OBJECT_HEADER/_DISPATCHER_HEADER/_POOL_HEADER – EnScripts use pooltag in _POOL_HEADER • 4-bytes value defined for each object (e.g., “Proc” for process object) 2. Validate search hit results – Check values included in headers – Check values included in objects (content) _Pool_HEADER (0x8 Bytes) _OBJECT_HEADER (0x20 Bytes) _EPROCESS (0x260 Bytes) Size and offset of headers/objects depend on OS version

Speaker Name and info Comparison of Two Methods - Miss unlinked objects (e.g., DKOM) - Unstable - Short time - No noise - Get information from pointers (e.g., process commandline) - Long time - Noisy - Find unlinked objects - Robust cons pros Tree & list traversal Object “fingerprint” searches

Speaker Name and info Memory Forensic EnScripts Usage Note • Address translation and data size vary according to machine architecture (32-bit/64-bit) • Kernel data offset/structures vary according to OS versions (XP/7/2003/2008) • Which analyzing methods each EnScript uses? Tree & List Traversal Object Fingerprint Search Others Library (Not Executed) PsList KMList DllList OpenFiles ProcDump VadSearch VadDump PsEntropyPEB PsEntropyVAD PsScan KMScan ConnScan DMP_Info x86 x86dmp x64dmp Win32 Win64 Vtypes

Speaker Name and info hands-on 4: Memory Analysis (Raw) • Blue-check hands-on4_ExitProcess_XPx86.vmem in WindowsMemoryForensics.L01 • How many processes were dropped from dw8.exe?

Speaker Name and info hands-on 5: Memory Analysis (Crash Dump) • Blue-check hands- on5_DeviceReservedSpace_XPx86.dmp in WindowsMemoryForensics.L01 or dmp file generated by you • Execute some modules in RIA

Speaker Name and info Difference between Raw Image and Crash Dump • Crash dump file doesn’t include – 1st Page – Pages reserved by devices • The file offset is different from the physical address Run[0] BasePage = 0x1, PageCount = 0x9e Run[1] BasePage = 0x100, PageCount = 0xeff Run[2] BasePage = 0x1000, PageCount = 0xeef0 Run[3] BasePage = 0xff00, PageCount = 0x100 1st Page (BIOS Reserved) Address Space Reserved by Devices (Not Included in crash dump) Physical Memory Address Space

Speaker Name and info Implementation: Crash Dump Analysis • Tree & List Traversal – performs Two-stage address translation • Virtual address -> physical address -> file offset – Crash dump includes debug information in 1st page • DMP_Info module can parse it – Stable execution • CDA never needs scanning/guessing to get the debug information • Object Fingerprint Search – Almost same as RIA’s implementation Kernel directory table base 32-bit crash dump signature PsActiveProcessHead PsLoadedModuleList

Speaker Name and info Searching/Dumping Process Memory Address Space • Virtual Address Descriptor (VAD) – Management information about process memory pages – We can read process-specific data by traversing VAD tree • loaded exe/dll image • heap/stack data Vad Root StartingVpn(Start Address) EndingVpn(End Address) Parent LeftChild RightChild VadS Vadl _EPROCESS

Speaker Name and info hands-on 6: Memory Acquisition & Analysis (VadSearch) • Blue-check the crash dump acquired in hands-on • Make sure the target process ID by PsList • Configure your keywords and blue-check them • Run VadSearch – Specify the process ID to search • Make sure the result in Bookmark tab

Speaker Name and info hands-on 7: Memory Acquisition & Analysis (VadDump) • Blue-check hands-on7_VadDump_XPx86.vmem in WindowsMemoryForensics.L01 • Run VadDump of RIA – Select a specific process (winlogon.exe, PID:644) – Dump only code-injected memory pages • VadDump checks protection flag of VAD *3 • Scan code-injected memory pages using VirusTotal *3 “Code Injection and the VAD”, Malware Analyst Cookbook p.610

Speaker Name and info Entropy *4 • Entropy stands for randomness of data • We can detect similar files by calculating Entropy  = − = 255 0 2 ) ( log i i i P P H 0000000000000000000000 000000000000000000000 Entropy = 0 010101010101010101 010101010101010101 Entropy = 1 0123456789012345678901 23456789012345678901 Entropy = 8 only 1 value two values totally random *4 “Utilizing Entropy to Identify Undetected Malware” http://image.lifeservant.com/siteuploadfiles/VSYM/99B5C5E7-8B46 -4D14-A53EB8FD1CEEB2BC/43C34073-C29A-8FCE-4B653DBE35B934F7.pdf

Speaker Name and info hands-on 8: Memory Analysis (PsEntropy*) • Blue-check hands-on8_Entropy_XPx86.dmp in WindowsMemoryForensics.L01 • Run PsEntropyPEB – uncheck Matching Mode – make sure entropy values of notepad.exe, notepad_3bytes_diff.exe and notepad_packed.exe • PsEntropyVAD – PsEntropyVAD calculates Entropy values of code- injected memory pages (experimental)

Speaker Name and info Anti Memory Forensics

Speaker Name and info hands-on 9: Memory Analysis (Anti Memory Forensics) • Blue-check hands-on9_AMF_XPx86.bin in WindowsMemoryForensics.L01 • Run PsList and PsScan of RIA • Blue-check hands-on9_AMF_XPx86.dmp in WindowsMemoryForensics.L01 • Run PsList of CDA • Did you find any error or any suspicious processes? Why?

Speaker Name and info Anti Memory Forensic Methods (1) • Exploit Analyzing methods – Tree & List Traversal • Disable traversing – Hands-on 9: rename “Idle” process name » Prevention: use CDA instead of RIA • Cause false negatives – Hands-on 3: Direct Kernel Object Manipulation (DKOM) » Prevention: use Object Fingerprint Search – Object Fingerprint Search • Cause false positives – Hands-on 9: Insert decoy signatures » Prevention: any idea? ( The file offset is one measure. ) _EPROCESS “System” _EPROCESS “malware.exe” _EPROCESS “win32dd.exe” FLINK BLINK FLINK BLINK FLINK BLINK ... malicious process unlinked by DKOM

Speaker Name and info Anti Memory Forensic Methods (2) • Other methods – Disturb correct memory acquisition • e.g., Shadow Walker – Prevention: cannot prevent but detect by checking IDT hook – Leave nothing in RAM • Hook Model-Specific Register (MSR) – Windows uses MSR for system calls • VMM/SMM rootkit – Run on Ring -1 or below

Speaker Name and info Wrap-up

Speaker Name and info Wrap-up • Memory Forensics can get unallocated/hidden data by parsing memory image offline • Two analyzing methods – You should know pros and cons of the two methods • The implementation depends on image format – I recommend to acquire/analyze crash dump image • Remember Memory Forensics is not good at everything • Use multiple analysis tools for validation

Speaker Name and info Example: TCP connections in Windows 7 Memorze output EnScript output netstat output log

Speaker Name and info Appendix: Comparison of Analysis Tools EnCase EnScript Volatility Framework HBGary Responder FTK Memoryze Support Windows OS XP/2003/7/ 2008 XP/Vista/7/ 2008 All All All Support Image Format Raw Crash dump Raw Crash dump Hibernation Raw Raw Raw Support Architecture Intel x86 AMD x64 Intel x86 Intel x86 AMD x64 Intel x86 AMD x64 Intel x86 AMD x64 Implementation T & O T & O T T & O? T & O? Swap Analysis Not support Not support Support Support Not support Feature Multilingual keyword search, Entropy Many kinds of plugin Digital DNA, static code analysis Fuzzy Hash, diffing between images Malware Rating Index T = Tree & list traversal O = Object “fingerprint” searches

Speaker Name and info Q&A