Rootkits, Exfil and APT: RAM Conquers All

Transcription

5/20/2015
Rootkits, Exfil and APT:
RAM Conquers All
Jamie Levy
The Volatility Project
www.encase.com/ceic
All Rights Reserved by The Volatility Project
Jamie Levy (@gleeda)
Core Developer on the Volatility Framework
Co-Author of The Art of Memory Forensics
Digital Forensics researcher, developer and investigator
Former speaker at CEIC, IEEE ICC and OMFW
Former professor at Queens College and John Jay College
http://memoryanalysis.net
Page 2
Jamie Levy, Volatility Foundation
1
5/20/2015
Documentation
The Art of Memory Forensics
Malware Analyst’s Cookbook
Websites
 volatility-labs.blogspot.com
 volatilityfoundation.org
 memoryanalysis.net
Volatility wiki
 code.google.com/p/volatility/wiki/VolatilityIntroduction
 community documentation: 200+ docs from 60+ different
authors
Page 3
What is Memory Forensics?
Memory forensics is the process of acquiring and analyzing
physical memory (RAM) in order to find artifacts and
evidence
Usually performed in conjunction with disk and network
forensics
Page 4
2
5/20/2015
What can be recovered?
Running processes
Active network connections
Loaded kernel drivers
Console input and output
Malware-created artifacts
Application information (URL history, chat logs, emails)
Disk encryption keys
A whole lot more…
Page 5
Why does it matter?
Can recover the entire state of the operating system and
running applications at the time of the capture
Can also uncover historical information
Much of the information recovered from memory is never
written to disk or the network (i.e. software encryption keys)
Advanced malware operates only in memory
Sandbox, honeypot, automated analysis
This doesn’t mean you shouldn’t build a live IR toolkit
 It just means you should run them after collecting RAM
Page 6
3
5/20/2015
Data lifetime
Page 7
OS view / vs / Memory Forensics
Page 8
4
5/20/2015
Acquisition
The first step in the memory analysis process is acquisition
Acquisition is the copying of physical memory (RAM) to nonvolatile storage
The right tool for the job heavily depends on the job
Page 9
When to acquire?
Suspect’s computer
 Do it while the suspect is online?
 Access to logon session information
 Cloud services or remote storage in use
*BEFORE* BEFORE* DISCONNECTING FROM THE NETWORK!
 Encrypted documents being viewed
Victim’s computer
 Do it while the suspect’s NOT online?
 Else you may tip off the suspect
 Monitor network activity to/from the target
computer for some period?
Page 10
5
5/20/2015
When to Acquire?
Not during times of dramatic change
Avoid disk defragmentation
Avoid antivirus scans
Avoid system backups
Limit your interaction with the machine until the acquisition is
done
Page 11
Software Acquisition
Done through 3rd-party programs that load a kernel driver to
read physical pages (RAM)
Advantages:
 Can be loaded onto any system running a supported
OS
 Can be performed over the network
Disadvantages:
 Requires administrative access
 Potential for malware interference
Page 12
6
5/20/2015
Sampling
Can query only select portions of memory for triage
Example: Gathering the list of processes requires
transferring less than 1MB of data
Sampling can be used to sweep the network for IOCs and
full acquisition started if any are found
Page 13
Hardware Acquisition
Leverages hardware protocols to read physical memory
without software
 Firewire, PCI, Thunderbolt
Advantages
 No need for administrative access
 Less chance for malware interference
Disadvantages
 Hardware usually needs to be pre-installed
 Firewire is limited to first 4GB of memory
Page 14
7
5/20/2015
Acquisition and Sampling with EnCase® Enterprise
Acquisition
Page 15
Volatility Framework
Implemented in Python under the GNU General Public License
Extracts digital artifacts from volatile memory (RAM) samples.
Extraction techniques are performed completely independent of the system being
investigated
Offers visibility into the runtime state of the system
Page 16
8
5/20/2015
150+ plugins in the code repository
Features include:
 Sample identification
 Enumerating Processes/DLLs
 Process Memory
 Kernel Memory Objects
 Networking
 Registry
 Sample Conversion to another sample format
 Malware/Rootkit Specific
Page 17
Single, cohesive framework
 x86 (PAE, non-PAE) and x64
windows
 x86/x64 Linux kernels 2.6.11 – 3.5
 x86/x64 Mac 10.5 (Leopard) – 10.9
(Mavericks)
 32-bit Android
Open source, GNU GPLv2
 read it, learn from it, extend it
 understand how it works
Python
 RE and forensics language
 distorm3, pycrypto, yara
 Modular: add new OS and
architectures
Page 18
9
5/20/2015
Listing Processes
$ python vol.py –f win7x86.dmp --profile=Win7SP1x86 pslist
Volatility Foundation Volatility Framework 2.4
Offset(V)
Name
PID
PPID
Thds
Hnds
Sess
Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ -----0x84f4a958 System
4
0
95
519 -----29 ------
0 2014-08-17 17:09:40 UTC+0000
0x865b8918 smss.exe
280
4
2
0x86faf4d8 csrss.exe
372
356
9
566
0
0 2014-08-17 17:09:46 UTC+0000
0 2014-08-17 17:09:40 UTC+0000
0x8682e698 wininit.exe
424
356
3
74
0
0 2014-08-17 17:09:46 UTC+0000
0x872a8030 services.exe
508
424
14
226
0
0 2014-08-17 17:09:46 UTC+0000
0x872ac030 lsass.exe
516
424
7
604
0
0 2014-08-17 17:09:46 UTC+0000
0x872ac3b0 lsm.exe
524
424
10
146
0
0 2014-08-17 17:09:46 UTC+0000
0x8733f488 svchost.exe
652
508
11
367
0
0 2014-08-17 17:09:47 UTC+0000
Page 19
Active Network Connections
$ python vol.py -f win764bit.raw --profile=Win7SP1x64 netscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P)
Proto Local Address
Foreign Address State
0xf882a30 TCPv4 0.0.0.0:135
0.0.0.0:0
LISTENING
0xfc13770 TCPv4 0.0.0.0:49154
0.0.0.0:0
LISTENING
0xfdda1e0 TCPv4 0.0.0.0:49154
0.0.0.0:0
LISTENING
0xfdda1e0 TCPv6 :::49154
:::0
LISTENING
0x1121b7b0 TCPv4 0.0.0.0:135
0.0.0.0:0
LISTENING
0x1121b7b0 TCPv6 :::135
:::0
LISTENING
0x11431360 TCPv4 0.0.0.0:49152
0.0.0.0:0
LISTENING
0x11431360 TCPv6 :::49152
:::0
LISTENING
Pid
Owner
628
svchost.exe
916
svchost.exe
916
svchost.exe
916
svchost.exe
628
svchost.exe
628
svchost.exe
332
wininit.exe
332
wininit.exe
[snip]
0x17de8980 TCPv6
0x17f35240 TCPv4
0x17f362b0 TCPv4
0x17f362b0 TCPv6
0x17236010 TCPv4
0x1725d010 TCPv4
0x17270530 TCPv4
0x17285010 TCPv4
:::49153
0.0.0.0:49155
0.0.0.0:49155
:::49155
-:49227
-:49359
10.0.2.15:49363
-:49341
:::0
LISTENING
0.0.0.0:0
LISTENING
0.0.0.0:0
LISTENING
:::0
LISTENING
184.26.31.55:80
CLOSED
93.184.220.20:80 CLOSED
173.194.35.38:80 ESTABLISHED
82.165.218.111:80 CLOSED
444
lsass.exe
880
svchost.exe
880
svchost.exe
880
svchost.exe
2820 iexplore.exe
2820 iexplore.exe
2820 iexplore.exe
2820 iexplore.exe
Page 20
10
5/20/2015
Traditional Uses of Memory Forensics
Memory forensics was initially researched in order to fight advancing malware
capabilities
Artifacts focused on included those related to code injection, API hooking, and attempts
of malware to hide from the live system
 Hidden processes, kernel drivers, etc.
Page 21
Traditional Uses of Memory Forensics
Incident response analysts utilized memory forensics to find relevant artifacts not written
to disk
 Command shell input and output
 Process creation
 Network activity
Page 22
11
5/20/2015
Malware Analysis
Page 23
Userland Code Injection
The process of placing foreign code into the address space
of another process
Three methods:
 Shellcode Injection
 Remote Library Injection
 Reflective DLL Injection
Page 24
12
5/20/2015
Detecting Shellcode Injection
$ python vol.py -f zeus.vmem malfind -p 1724
Volatile Systems Volatility Framework 2.3
Process: explorer.exe Pid: 1724 Address: 0x1600000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01600000
0x01600010
0x01600020
0x01600030
b8 35 00 00 00 e9 cd d7 30 7b b8 91 00 00 00 e9 .5......0{......
4f df 30 7b 8b ff 55 8b ec e9 ef 17 c1 75 8b ff O.0{..U......u..
55 8b ec e9 95 76 bc 75 8b ff 55 8b ec e9 be 53 U....v.u..U....S
bd 75 8b ff 55 8b ec e9 d6 18 c1 75 8b ff 55 8b .u..U......u..U.
0x1600000 b835000000
0x1600005 e9cdd7307b
0x160000a b891000000
0x160000f e94fdf307b
0x1600014 8bff
0x1600016 55
MOV EAX, 0x35
JMP 0x7c90d7d7
MOV EAX, 0x91
JMP 0x7c90df63
MOV EDI, EDI
PUSH EBP
Page 25
Detecting Remote Library Injection
Page 26
13
5/20/2015
Hiding DLLs
$ python vol.py -f flame.raw -p 912 ldrmodules
Pid
Process
MappedPath
Base
-------- ----------------- ----------
InLoad InInit InMem
------
912 services.exe 0x7c900000 True
\WINDOWS\system32\ntdll.dll
------ ----- ---------True True
912 services.exe 0x7c9c0000 False False False
\WINDOWS\system32\shell32.dll
<snip>
Page 27
Detecting Reflective Loading
Page 28
14
5/20/2015
API Hooks
$ python vol.py -f laqma.vmem -p 1624 apihooks
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1624 (explorer.exe)
Victim module: USER32.dll (0x7e410000 - 0x7e4a0000)
Function: USER32.dll!MessageBoxA at 0x7e45058a
Hook address: 0xac10aa
Hooking module: Dll.dll
Disassembly(0):
0x7e45058a 68aa10ac00
0x7e45058f c3
0x7e450590 3dbc04477e
0x7e450595 00742464
0x7e450599 a118000000
0x7e45059e 6a00
0x7e4505a0 ff
0x7e4505a1 70
<snip>
PUSH DWORD 0xac10aa
RET
CMP EAX, 0x7e4704bc
ADD [ESP+0x64], DH
MOV EAX, [0x18]
PUSH 0x0
DB 0xff
DB 0x70
Page 29
Kernel Rootkits
Page 30
15
5/20/2015
Hiding Processes
Malware that has both userland and kernel mode components will often hide from the
live system any associated processes
Volatility’s psxview plugin can detect hidden processes by comparing the set of
processes found from a number of sources
Page 31
Psxview
Page 32
16
5/20/2015
Services
$ python vol.py -f win764bit.raw svcscan --verbose --profile=Win7SP0x64
Offset: 0xa26e70
Order: 71
Process ID: 1104
Service Name: DPS
Display Name: Diagnostic Policy Service
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
ServiceDll: %SystemRoot%\system32\dps.dll
Page 33
Mutexes
Volatility’s mutantscan plugin can recover active mutexes on
the system
Malware often uses mutexes to mark the system as infected
 One of the Conficker prevention tools was a simple
application that created the same mutex Conficker put
on infected systems
Page 34
17
5/20/2015
Rootkit Controlled Callbacks
Malicious callbacks can be registered for system events:
 Process creation
 Registry key/value read/write/create/delete
 Filesystem registration
 Bug checks (BSOD)
 … many more
Page 35
Callbacks
$ python vol.py -f be2.vmem callbacks
Type
Callback
Owner
PsSetCreateThreadNotifyRoutine
0xff0d2ea7 00004A2A
PsSetCreateProcessNotifyRoutine
0xfc58e194 vmci.sys
KeBugCheckCallbackListHead
0xfc1e85ed
NDIS.sys (Ndis miniport)
KeBugCheckCallbackListHead
0x806d57ca hal.dll
(ACPI 1.0 - APIC platform UP)
KeRegisterBugCheckReasonCallback 0xfc967ac0
mssmbios.sys (SMBiosData)
KeRegisterBugCheckReasonCallback 0xfc967a78
mssmbios.sys (SMBiosRegistry)
Page 36
18
5/20/2015
Malicious Device Handlers
$ python vol.py -f stuxnet.vmem devicetree
[snip]
DRV 0x0253d180 '\\FileSystem\\Ntfs'
---| DEV 0x82166020 (unnamed) FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x8228c6b0 (unnamed) - '\\FileSystem\\sr'
FILE_DEVICE_DISK_FILE_SYSTEM
---------| ATT 0x81f47020 (unnamed) - '\\FileSystem\\FltMgr'
------------| ATT 0x81fb9680 (unnamed) - '\\Driver\\MRxNet'
---| DEV 0x8224f790 Ntfs FILE_DEVICE_DISK_FILE_SYSTEM
------| ATT 0x81eecdd0 (unnamed) - '\\FileSystem\\sr'
---------| ATT 0x81e859c8 (unnamed) - '\\FileSystem\\FltMgr'
------------| ATT 0x81f0ab90 (unnamed) - '\\Driver\\MRxNet'
Page 37
Malicious Use of Timers
$ python vol.py -f rustock-c.vmem timers
Offset(V)
DueTime
Period(ms) Routine
M
odule
---------------------------------------------- -------------0xf730a790 0x00000000:0x6db0f0b4
0
0xf72fb385
srv.sys
0x80558a40 0x00000000:0x68f10168
1000
0x80523026
ntoskrnl.exe
0x821cb240 0x00000000:0x68fa8ad0
0
0xf84b392e
sr.sys
0x8054f288 0x00000000:0x69067692
0
0x804e5aec
ntoskrnl.exe
0x820822e4 0x00000000:0xa2a56bb0
150000 0x81c1642f
UNKNOWN
[snip]
Page 38
19
5/20/2015
Driver IRPs
$ python vol.py -f tdl3.vmem driverirp -r vmscsi --verbose
-------------------------------------------------DriverName: vmscsi
DriverStart: 0xf9db8000
DriverSize: 0x2c00
DriverStartIo: 0xf97ea40e
0 IRP_MJ_CREATE
0xf9db9cbd vmscsi.sys
0xf9db9cbd a10803dfff
MOV EAX, [0xffdf0308]
0xf9db9cc2 ffa0fc000000 JMP DWORD [EAX+0xfc]
0xf9db9cc8 0000
ADD [EAX], AL
0xf9db9cca 0000
ADD [EAX], AL
1 IRP_MJ_CREATE_NAMED_PIPE
0xf9db9cbd vmscsi.sys
0xf9db9cbd a10803dfff
MOV EAX, [0xffdf0308]
0xf9db9cc2 ffa0fc000000 JMP DWORD [EAX+0xfc]
0xf9db9cc8 0000
ADD [EAX], AL
0xf9db9cca 0000
ADD [EAX], AL
Page 39
Extracting Kernel Drivers
$ python vol.py -f win764bit.raw --profile=Win7SP1x64 moddump -D
drivers/
Module Base
Module Name Result
------------------------------------- ----------------------------------------0xfffff8000261a000 ntoskrnl.exe
OK: driver.fffff8000261a000.sys
0xfffff80002bf7000 hal.dll
OK: driver.fffff80002bf7000.sys
0xfffff88000e5c000 intelide.sys
OK: driver.fffff88000e5c000.sys
0xfffff8800349b000 mouclass.sys
OK: driver.fffff8800349b000.sys
0xfffff88000f7c000 msisadrv.sys
OK: driver.fffff88000f7c000.sys
0xfffff880035c3000 ndistapi.sys
OK: driver.fffff880035c3000.sys
0xfffff88002c5d000 pacer.sys
OK: driver.fffff88002c5d000.sys
[snip]
Page 40
20
5/20/2015
Examine an infected memory sample
Hands On
Page 41
Other Uses of Memory Forensics
Recovering historical information
Timelining
Determining end-user activity
Smart string searching (Yara)
Network & file system interactions
Application data
Breaking disk encryption
Page 42
21
5/20/2015
Recovering Historical Information
Data that is freed in memory is not removed until it is reallocated and overwritten
 A very similar process to how file systems work on disk
This allows for recovery of information about previously
terminated processes, network connections, kernel drivers,
and commands entered into cmd.exe
Page 43
Timelining
Many of the artifacts in memory have associated timestamps
These can be used to timeline system activity from the view
of the operating system’s data structures
When combined with disk forensics this can be extremely
powerful
Page 44
22
5/20/2015
Timelining
Mon Nov 26 2012 23:01:53,macb,"[ENG IEHISTORY] explorer.exe->Visited:
callb@http://58.64.132.8/download/Symantec-1.43-1.exe PID: 284/Cache type ""URL
"" at 0x2895000“
Mon Nov 26 2012 23:01:54,macb,"[ENG MFT FILE_NAME]
WINDOWS\Prefetch\SYMANTEC-1.43-1[2].EXE-3793B625.pf (Offset: 0x17779800)“
Mon Nov 26 2012 23:01:54,.acb,"[ENG MFT FILE_NAME]
WINDOWS\system32\6to4ex.dll (Offset: 0x324c800)“
Mon Nov 26 2012 23:01:55,m...,"[ENG Registry]
$$$PROTO.HIV\ControlSet001\Services\6to4“
Mon Nov 26 2012 23:01:58,.acb,"[ENG THREAD] svchost.exe PID: 1024/TID: 804“
Page 45
Timelining
Mon Nov 26 2012 23:03:10,macb,"[ENG MFT FILE_NAME] WINDOWS\webui (Offset: 0x1bc21000)“
Mon Nov 26 2012 23:06:47,macb,"[ENG MFT FILE_NAME] WINDOWS\webui\gs.exe (Offset:
0x16267c00)“
Mon Nov 26 2012 23:11:58,macb,"[ENG MFT FILE_NAME] WINDOWS\Prefetch\GS.EXE-3796DDD9.pf
(Offset: 0x311800)“
Mon Nov 26 2012 23:11:58,m...,"[ENG Registry] SECURITY\Policy\Secrets“
Mon Nov 26 2012 23:11:58,.a..,"[ENG MFT STD_INFO] WINDOWS\system32\samsrv.dll (Offset:
0x329f000)"
Mon Nov 26 2012 23:11:58,.a..,"[ENG MFT STD_INFO] WINDOWS\system32\cryptdll.dll (Offset:
0x3329c00)"
Page 46
23
5/20/2015
Determining End-User Activity
Which users were logged into the system?
Which privileges did they gain on the system?
How were they logged in (keyboard, RDP, …)?
Who executed rouge software (P2P, anti-forensics, games)?
Who started a network transfer?
Page 47
Which Users Were Logged In?
$ python vol.py -f lab-3.1.mem getsids | grep explorer.exe
explorer.exe (1540): S-1-5-21-1960408961-1844237615-839522115-1004 (Larry)
explorer.exe (1540): S-1-5-21-1960408961-1844237615-839522115-513 (Domain Users)
explorer.exe (1540): S-1-1-0 (Everyone)
[snip]
explorer.exe (1540): S-1-5-5-0-61177 (Logon Session)
explorer.exe (1540): S-1-2-0 (Local (Users with the ability to log in locally))
explorer.exe (1676): S-1-5-21-1960408961-1844237615-839522115-1003 (Justin)
explorer.exe (1676): S-1-5-21-1960408961-1844237615-839522115-513 (Domain Users)
explorer.exe (1676): S-1-1-0 (Everyone)
<snip>
Page 48
24
5/20/2015
Grrcon: What type of access did the attacker gain?
Page 49
How did the user log in?
Page 50
25
5/20/2015
Page 51
Printkey and TypedURLs
$ python vol.py -f case003.dmp printkey -K "Software\Microsoft\Internet
Explorer\TypedURLs" --profile=Win8SP1x64
Volatility Foundation Volatility Framework 2.4 (Beta)
Legend: (S) = Stable (V) = Volatile
---------------------------Registry: \Device\HarddiskVolume1\Documents and Settings\NathanG\NTUSER.DAT
Key name: TypedURLs (S)
Last updated: 2013-10-08 03:36:41 UTC+0000
Subkeys:
Values:
REG_SZ url1 : (S) https://www.torproject.org/
REG_SZ url2 : (S) https://www.piriform.com/
REG_SZ url3 : (S) http://www.cnn.com
Page 52
26
5/20/2015
shellbags
$ python vol.py -f win7.vmem --profile=Win7SP1x86 shellbags
Scanning for registries....
Gathering shellbag items and building path tree...
***************************************************************************
Registry: \??\C:\Users\user\ntuser.dat
Key: Software\Microsoft\Windows\Shell\Bags\1\Desktop
Last updated: 2011-10-20 15:24:46
Value
File Name
Modified Date
Create Date
Access Date
File Attr
Unicode
Name
------------------------- -------------- -------------------- -------------------- -------------------- ------------------------- -----------ItemPos1176x882x96(1) CCLEAN~1.LNK 2011-10-20 15:20:04 2011-10-20 15:20:04 2011-10-20
15:20:04 ARC
CCleaner.lnk
ItemPos1176x882x96(1) VMWARE~1.LNK 2011-10-20 15:13:06 2011-05-15 23:09:08 2011-10-20
15:13:06 ARC
VMware Shared Folders.lnk
ItemPos1366x768x96(1) ERASE~1.LNK 2011-10-20 15:20:04 2011-10-20 15:20:04 2011-10-20
15:20:04 ARC
Eraser.lnk
Page 53
userassist
$ python vol.py -f win7.vmem --profile=Win7SP0x86 userassist
---------------------------Registry: \??\C:\Users\admin\ntuser.dat
Key name: Count
Last updated: 2010-07-06 22:40:25
REG_BINARY C:\Program Files\Ccleaner\Ccleaner.exe:
Count:
12
Focus Count: 17
Time Focused: 0:05:40.500000
Last updated: 2010-03-09 19:49:20
<snip>
REG_BINARY Z:\tools\Eraser\Eraser.exe :
Count:
11
Focus Count: 266
Time Focused: 1:19:58.045000
Last updated: 2010-03-18 01:56:31
[snip]
Page 54
27
5/20/2015
Cracking Passwords
Page 55
lsadump
Page 56
28
5/20/2015
Mftparser and Removable Drives
mftparser scans for MFT records throughout memory
When someone interacts with an NTFS-formatted external device (SD card, USB, etc.),
the MFT of the device’s file system is read into memory
These records can persist long after the device is removed and can be found by
mftparser
Results can be used to prove external media usage and the names and timestamps of
files contained
Page 57
MFT Records
Page 58
29
5/20/2015
Alternate Data Streams (ADS)
Page 59
Alternate Data Streams (ADS)
Page 60
30
5/20/2015
Recovering Files from Memory
Page 61
Dumping Event Logs
Malicious user logged into one machine using stolen credentials
Started a job on another machine using another set of stolen credentials (At2.job)
Need to find the compromised account
Security event logs were wiped from the system and hence from memory
 Attacker forgot about other logs of interest
Page 62
31
5/20/2015
Dumping Evtx Example
Part of the “Microsoft-Windows-TaskScheduler.evtx” log was memory resident
 It is normal that the entire log is not in memory
Page 63
APT-like scenario
Hands On
Page 64
32
5/20/2015
Smart String Searching (SSS)
When performing forensics you are often given a list of keywords to search and produce
results for
When working fraud/identity theft cases you often want to search for credit card
numbers, SSNs, etc.
You can certainly search across memory for search terms, but how do you know what
they mean (their context)?
 Was the URL string you found inside browser memory, a file cached on disk, or a
spam email the person viewed?
 What about the credit number you found? Inside the person’s password manager?
Inside Stolen-CCs.xls?
Page 65
Adding Context to Strings
yarascan
 A Volatility plugin that leverages Yara to search processes memory and the kernel
for rule matches
 All matches are reported with their associated PID, kernel driver, or kernel region
strings
 A plugin that maps physical offsets from the strings command to virtual addresses
Page 66
33
5/20/2015
Adding Context to Strings
$ python vol.py -f win7_x64.dmp --profile=Win7SP0x64 yarascan -p 3004 -Y "/[a-zA-Z0-9\-\.]+\.(com|org|net|mil|edu|biz|name|info)/"
Rule: r1
Owner: Process iexplore.exe Pid 3004
0x003e90dd 77 77 77 2e 72 65 75 74 65 72 73 2e 63 6f 6d 2f www.reuters.com/
0x003e90ed 61 72 74 69 63 6c 65 2f 32 30 31 31 2f 30 34 2f article/2011/04/
0x003e90fd 32 34 2f 75 73 2d 73 79 72 69 61 2d 70 72 6f 74 24/us-syria-prot
0x003e910d 65 73 74 73 2d 69 64 55 53 54 52 45 37 33 4c 31 ests-idUSTRE73L1
0x003e911d 53 4a 32 30 31 31 30 34 32 34 22 20 69 64 3d 22 SJ20110424".id="
0x003e912d 4d 41 41 34 41 45 67 42 55 41 4a 67 43 47 6f 43 MAA4AEgBUAJgCGoC
0x003e913d 64 58 4d 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 dXM"><span.class
0x003e914d 3d 22 74 69 74 6c 65 74 65 78 74 22 3e 52 65 75 ="titletext">Reu
Page 67
Building Context with the Strings Plugin
Page 68
34
5/20/2015
Network Share Interactions
symlinkscan plugin
\Device\LanmanRedirector\;Z:0000000000016d56\192.168.2
28.141\Public
\Device\LanmanRedirector\WIN-L8ANB3HN32M\IPC$
Page 69
Application Data
Many applications hold interesting data related to user’s
activity
 Chat clients
 Browsers
 Mail clients
 Text Editors
Page 70
35
5/20/2015
Chat Clients
People often discuss illegal topics over chat clients
They may use network encryption (e.g OTR), but this does
not protect against on premise forensics
By using yarascan and strings you can find chat messages,
timestamps, etc
Page 71
Browsers
Browsers process a tremendous amount of data that cannot
be recovered from disk after the fact or the network if SSL is
used
Relevant projects:
 pdgmail – recovers Gmail and Yahoo messages, inbox
views, and attachment names from memory (or page
files)
Page 72
36
5/20/2015
Browsers and Social Media
For the 2013 Volatility plugin contest Jeff Bryner submitted
plugins that search process memory for Facebook and
Twitter artifacts
 https://github.com/jeffbryner/volatilityPlugins
Information recovered included:
 Private (direct) messages
 Pages of other user accounts viewed
 URLs clicked from people’s walls and messages
Page 73
Private Browsing
“Private” browsing isn’t private
The browsers only attempt to hide from casual (nontechnical) inspection of a user’s browsing history or cookies
This does not hide well from disk forensics and certainly not
memory forensics
Page 74
37
5/20/2015
Text Editors
Page 75
Breaking Encryption
… with Memory Forensics
Software encryption works by utilizing an
encryption key that decrypts data as it is
read from the encrypted store and
encrypts data that is being written to the
store
In order for the encryption software to
operate the encryption key must be
available at all times
Your password to encryption applications
unlocks the key, which is stored in a key
file
In 99.9% of applications this means it will
be stored in physical memory (RAM)
By finding the key we can decrypt the store
in the same manner that the software does
Page 76
38
5/20/2015
Truecrypt
Most popular encryption software
Can encrypt entire disks or virtual file systems known as containers
Supports Windows, Linux, and Mac
Page 77
Non-Volatility Key Recovery Methods
Passware Kit Forensic
 Requires a disk image, memory image, and $995
Elcomsoft Forensic Disk Decryptor
 Requires a disk image, memory image, and $299
Cryptoscan, circa 2008
 Passwords must be cached
 TrueCrypt versions after 4.x or 5.x not supported
Key scanning
 AESKeyfinder, Bulk Extractor, etc.
 Only works if AES was used
Page 78
39
5/20/2015
Cached Passphrase Recovery
Page 79
Where is the Container?
Page 80
40
5/20/2015
What if the Passphrase Isn’t Cached?
Page 81
Conclusions
Memory forensics is useful in many more situations than just
malware analysis and incident response
It can be used to uncover relevant artifacts in nearly all
investigative situations and many of these artifacts exist only
in memory
If you aren’t acquiring memory as part of your seizure policy
then you should change that
 Acquire memory first!
Page 82
41
5/20/2015
Questions?
@volatility / @gleeda
Email:
[email protected]
Trainings (http://memoryanalysis.net):
•
Stratford-Upon-Avon: June 1st-5th 2015
•
Amsterdam: August 31st-September 4th 2015
•
Reston, VA: October 5th-9th 2015
Page 83
42

Rootkits, Exfil and APT: RAM Conquers All

Transcription

Similar documents

Joel Selanikio, MD

0615 Newsletter Cueter - Cueter Chrysler Jeep Dodge

commercial vehicle equipment

Church Hill Classics ®

29 Pollet APT

RAM TRUCK ACCESSORIES AMP RESEARCH POWERSTEP

Anti-virus No Thanks

Commuter Link - Off

The 41 Incher - By Michael Moore