Windows Memory Forensic Analysis using EnCase

Transcript

1. Speaker Name and info Windows Memory Forensic Analysis using EnCase®

   Takahiro Haruyama, Internet Initiative Japan Inc.

2. Speaker Name and info Plan • Memory Forensics Overview •

   Acquisition Hands-on • Analysis Hands-on • Anti Memory Forensics • Wrap-up • Q&A

3. Speaker Name and info For Starters • Make sure the

   evidence for hands-on is valid – Name: WindowsMemoryForensics.L01 – MD5: f7fd702b3fefad14868a759946bf6ba3 • Prepare for hands-on tools – For acquisition • WinEn (Check your EnCase-installed folder) • MoonSols Windows Memory Toolkit Community Edition – For analysis • Memory Forensic Toolkit EnScript Raw Image Analyzer EnScript • Crash Dump Analyzer EnScript – Other tool • GetEntropy EnScript

4. Speaker Name and info Memory Forensics Overview

5. Speaker Name and info Why Memory Forensics? • Analyzing volatile

   data is more important than ever before – Anti disk forensic methods by malwares • Modifying file time stamps • Wiping file content • Running only in memory – Erasing or moving data from user’s HDD • Secure Web browsing • Using cloud services

6. Speaker Name and info Basic Flow of Memory Forensics Target

   Machine Investigator’s Machine Memory Image File 1. Acquire RAM data as an image file 2. Parse and analyze the image offline

7. Speaker Name and info Advantage to Memory Forensics • Offline

   parsing a memory image doesn’t use system APIs • Memory forensics can get – unallocated data (e.g., terminated process) – data hidden by malware (e.g., hidden process) 7 Live Response Tool Memory Forensic Analysis Tool Running Process Hidden Process Terminated Process Allocated Unallocated Windows API Parse binary image and extract information from it Get information through system API

8. Speaker Name and info Acquisition Hands-on

9. Speaker Name and info Memory Acquisition • EnScripts can analyze

   two memory image formats – raw memory image (.bin) – crash dump image (.dmp) • raw memory image + debug info • WinEn – built-in acquisition tool of EnCase – support format: raw image (but .E01) • MoonSols Windows Memory Toolkit (win32/64dd) – Free community Edition – support format: raw image and crash dump image

10. Speaker Name and info hands-on 1: Memory Acquisition • WinEn

    – Specify the following options (on execution or interactively) • -p : destination path and name to save (without extension) • -m : evidence name in EnCase view • -c : case number • -e : examiner name • -r : evidence number • -d : compression level (0=None, 1=better, 2=best) • MoonSols Windows Memory Toolkit – Execute win32dd.exe or win64dd.exe • /f : destination path and name to save (with extension) • /d : Microsoft Crash Dump Format

11. Speaker Name and info Analysis Hands-on

12. Speaker Name and info Analysis EnScripts • For raw image

    – Raw Image Analyzer (RIA) • Porting of Volatility Framework • Newly Added function – Keyword search specifying multilingual codepages – Calculate entropy values of processes and VADs • Support x86 Windows XP/2003/7 • For crash dump image – Crash Dump Analyzer (CDA) • Support x86 XP/2003/7 and x64 2003/2008/7

13. Speaker Name and info hands-on 2: Memory Analysis (Raw) •

    Drag and drop raw image files into EnCase • Blue-check one entry in Table Pane – Don’t blue-check folders • Make sure your image’s OS version and expand folders of RIA in Filter Pane • Run the following scripts – PsList: List all processes – KMList: List all kernel modules – DllList: List all DLLs loaded by a specified process – OpenFiles: List all files opened by a specified process – ProcDump: Extract an executable of a specified process

14. Speaker Name and info hands-on 3: Memory Analysis (Raw) •

    Blue-check hands-on3_DKOM_XPx86.bin in WindowsMemoryForensics.L01 • Run PsList and PsScan • Any difference?

15. Speaker Name and info Two Memory Analyzing Methods*1 • Tree

    & List Traversal – Emulate data access performed by OS • Translate virtual addresses to physical ones • Traverse kernel data structure using address pointers • Object Fingerprint Search – Carve signatures of kernel objects • Search data using signatures (e.g., _EPROCESS) • Validate search-hit data *1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/ forensics-waits-live-memory-forensics-doha-feb-08.pdf

16. Speaker Name and info Two Memory Analyzing Methods*1 • Tree

    & List Traversal – Emulate data access performed by OS • Translate virtual addresses to physical ones • Traverse kernel data structure using address pointers • Object Fingerprint Search – Carve signatures of kernel objects • Search data using signatures (e.g., _EPROCESS) • Validate search-hit data *1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/ forensics-waits-live-memory-forensics-doha-feb-08.pdf

17. Speaker Name and info IA32(x86) Address Translation OS loads Directory

    Table Base (Start physical address for address translation) into Control Register (CR3) How PAE X86 Works http://technet.microsoft.com/en-us/library/cc736309(WS.10).aspx 17

18. Speaker Name and info Implementation: Finding Directory Table Base of

    Windows Kernel • OS switches its context by loading Directory Table Base (DTB) of each process – DTB is stored in each process object (_EPROCESS) • Tree & List Traversal method of RIA scans _EPROCESS signature and get DTB of “Idle” process – Idle process is running in kernel space – The signature changes per OS versions _EPROCESS Signature Process ID：0 Process Name：Idle DTB of Kernel

19. Speaker Name and info PsActiveProcessHead Key Address for Traversal •

    Windows has key virtual addresses of various structures – Lead addresses for linked lists • e.g., PsActiveProcessHead for a running process list – Root addresses for binary trees • e.g., VadRoot (explain later) for process address space _EPROCESS “System” _EPROCESS “smss.exe” _EPROCESS “win32dd.exe” FLINK BLINK FLINK BLINK FLINK BLINK FLINK BLINK ... ... ...

20. Speaker Name and info Implementation: Finding Key Addresses for Traversal

    *2 Finding some non-exported kernel variables in Windows XP http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf • Use debug structure – Kernel Processor Control Region (KPCR)*2 1. Get an address pointer to _ KDDEBUGGER_DATA32 from _KPCR – In Windows XP, the address of _KPCR is fixed (e.g., 0xFFDFF000) – Not fixed in Windows 7, so guessing is needed! 2. Get address pointers to the following key addresses from _KDDEBUGGER_DATA32 – PsActiveProcessHead (lead address of running processes) – PsLoadedModuleList (lead address of currently loaded kernel modules)

21. Speaker Name and info Two Memory Analyzing Methods*1 • Tree

    & List Traversal – Emulate data access performed by OS • Translate virtual addresses to physical ones • Traverse kernel data structure using address pointers • Object Fingerprint Search – Carve signatures of kernel objects • Search data using signatures (e.g., _EPROCESS) • Validate search-hit data *1 http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/ forensics-waits-live-memory-forensics-doha-feb-08.pdf

22. Speaker Name and info Implementation: Object Fingerprint Search 1. Search

    signatures of headers – e.g., _OBJECT_HEADER/_DISPATCHER_HEADER/_POOL_HEADER – EnScripts use pooltag in _POOL_HEADER • 4-bytes value defined for each object (e.g., “Proc” for process object) 2. Validate search hit results – Check values included in headers – Check values included in objects (content) _Pool_HEADER (0x8 Bytes) _OBJECT_HEADER (0x20 Bytes) _EPROCESS (0x260 Bytes) Size and offset of headers/objects depend on OS version

23. Speaker Name and info Comparison of Two Methods - Miss

    unlinked objects (e.g., DKOM) - Unstable - Short time - No noise - Get information from pointers (e.g., process commandline) - Long time - Noisy - Find unlinked objects - Robust cons pros Tree & list traversal Object “fingerprint” searches

24. Speaker Name and info Memory Forensic EnScripts Usage Note •

    Address translation and data size vary according to machine architecture (32-bit/64-bit) • Kernel data offset/structures vary according to OS versions (XP/7/2003/2008) • Which analyzing methods each EnScript uses? Tree & List Traversal Object Fingerprint Search Others Library (Not Executed) PsList KMList DllList OpenFiles ProcDump VadSearch VadDump PsEntropyPEB PsEntropyVAD PsScan KMScan ConnScan DMP_Info x86 x86dmp x64dmp Win32 Win64 Vtypes

25. Speaker Name and info hands-on 4: Memory Analysis (Raw) •

    Blue-check hands-on4_ExitProcess_XPx86.vmem in WindowsMemoryForensics.L01 • How many processes were dropped from dw8.exe?

26. Speaker Name and info hands-on 5: Memory Analysis (Crash Dump)

    • Blue-check hands- on5_DeviceReservedSpace_XPx86.dmp in WindowsMemoryForensics.L01 or dmp file generated by you • Execute some modules in RIA

27. Speaker Name and info Difference between Raw Image and Crash

    Dump • Crash dump file doesn’t include – 1st Page – Pages reserved by devices • The file offset is different from the physical address Run[0] BasePage = 0x1, PageCount = 0x9e Run[1] BasePage = 0x100, PageCount = 0xeff Run[2] BasePage = 0x1000, PageCount = 0xeef0 Run[3] BasePage = 0xff00, PageCount = 0x100 1st Page (BIOS Reserved) Address Space Reserved by Devices (Not Included in crash dump) Physical Memory Address Space

28. Speaker Name and info Implementation: Crash Dump Analysis • Tree

    & List Traversal – performs Two-stage address translation • Virtual address -> physical address -> file offset – Crash dump includes debug information in 1st page • DMP_Info module can parse it – Stable execution • CDA never needs scanning/guessing to get the debug information • Object Fingerprint Search – Almost same as RIA’s implementation Kernel directory table base 32-bit crash dump signature PsActiveProcessHead PsLoadedModuleList

29. Speaker Name and info Searching/Dumping Process Memory Address Space •

    Virtual Address Descriptor (VAD) – Management information about process memory pages – We can read process-specific data by traversing VAD tree • loaded exe/dll image • heap/stack data Vad Root StartingVpn(Start Address) EndingVpn(End Address) Parent LeftChild RightChild VadS Vadl _EPROCESS

30. Speaker Name and info hands-on 6: Memory Acquisition & Analysis

    (VadSearch) • Blue-check the crash dump acquired in hands-on • Make sure the target process ID by PsList • Configure your keywords and blue-check them • Run VadSearch – Specify the process ID to search • Make sure the result in Bookmark tab

31. Speaker Name and info hands-on 7: Memory Acquisition & Analysis

    (VadDump) • Blue-check hands-on7_VadDump_XPx86.vmem in WindowsMemoryForensics.L01 • Run VadDump of RIA – Select a specific process (winlogon.exe, PID:644) – Dump only code-injected memory pages • VadDump checks protection flag of VAD *3 • Scan code-injected memory pages using VirusTotal *3 “Code Injection and the VAD”, Malware Analyst Cookbook p.610

32. Speaker Name and info Entropy *4 • Entropy stands for

    randomness of data • We can detect similar files by calculating Entropy  = − = 255 0 2 ) ( log i i i P P H 0000000000000000000000 000000000000000000000 Entropy = 0 010101010101010101 010101010101010101 Entropy = 1 0123456789012345678901 23456789012345678901 Entropy = 8 only 1 value two values totally random *4 “Utilizing Entropy to Identify Undetected Malware” http://image.lifeservant.com/siteuploadfiles/VSYM/99B5C5E7-8B46 -4D14-A53EB8FD1CEEB2BC/43C34073-C29A-8FCE-4B653DBE35B934F7.pdf

33. Speaker Name and info hands-on 8: Memory Analysis (PsEntropy*) •

    Blue-check hands-on8_Entropy_XPx86.dmp in WindowsMemoryForensics.L01 • Run PsEntropyPEB – uncheck Matching Mode – make sure entropy values of notepad.exe, notepad_3bytes_diff.exe and notepad_packed.exe • PsEntropyVAD – PsEntropyVAD calculates Entropy values of code- injected memory pages (experimental)

34. Speaker Name and info Anti Memory Forensics

35. Speaker Name and info hands-on 9: Memory Analysis (Anti Memory

    Forensics) • Blue-check hands-on9_AMF_XPx86.bin in WindowsMemoryForensics.L01 • Run PsList and PsScan of RIA • Blue-check hands-on9_AMF_XPx86.dmp in WindowsMemoryForensics.L01 • Run PsList of CDA • Did you find any error or any suspicious processes? Why?

36. Speaker Name and info Anti Memory Forensic Methods (1) •

    Exploit Analyzing methods – Tree & List Traversal • Disable traversing – Hands-on 9: rename “Idle” process name » Prevention: use CDA instead of RIA • Cause false negatives – Hands-on 3: Direct Kernel Object Manipulation (DKOM) » Prevention: use Object Fingerprint Search – Object Fingerprint Search • Cause false positives – Hands-on 9: Insert decoy signatures » Prevention: any idea? ( The file offset is one measure. ) _EPROCESS “System” _EPROCESS “malware.exe” _EPROCESS “win32dd.exe” FLINK BLINK FLINK BLINK FLINK BLINK ... malicious process unlinked by DKOM

37. Speaker Name and info Anti Memory Forensic Methods (2) •

    Other methods – Disturb correct memory acquisition • e.g., Shadow Walker – Prevention: cannot prevent but detect by checking IDT hook – Leave nothing in RAM • Hook Model-Specific Register (MSR) – Windows uses MSR for system calls • VMM/SMM rootkit – Run on Ring -1 or below

38. Speaker Name and info Wrap-up

39. Speaker Name and info Wrap-up • Memory Forensics can get

    unallocated/hidden data by parsing memory image offline • Two analyzing methods – You should know pros and cons of the two methods • The implementation depends on image format – I recommend to acquire/analyze crash dump image • Remember Memory Forensics is not good at everything • Use multiple analysis tools for validation

40. Speaker Name and info Example: TCP connections in Windows 7

    Memorze output EnScript output netstat output log

41. Speaker Name and info Appendix: Comparison of Analysis Tools EnCase

    EnScript Volatility Framework HBGary Responder FTK Memoryze Support Windows OS XP/2003/7/ 2008 XP/Vista/7/ 2008 All All All Support Image Format Raw Crash dump Raw Crash dump Hibernation Raw Raw Raw Support Architecture Intel x86 AMD x64 Intel x86 Intel x86 AMD x64 Intel x86 AMD x64 Intel x86 AMD x64 Implementation T & O T & O T T & O? T & O? Swap Analysis Not support Not support Support Support Not support Feature Multilingual keyword search, Entropy Many kinds of plugin Digital DNA, static code analysis Fuzzy Hash, diffing between images Malware Rating Index T = Tree & list traversal O = Object “fingerprint” searches

42. Speaker Name and info Q&A