Forensics Analysis

Data can persist through reboots of the machine. In a matter of few millisecond data in memory is lost, but some techniques can increase the amount of time of life of the machine (cold boot attacks).

In the past memory checks were performed on boot to erase all RAm and check its consistent state, but this practice is quite abandoned today to speed-up the boot process, and because RAM modules are more reliable.

There are some constraints when dealing with live forensics: first of all the impact of the analysis must be minimized, memory dumps are intrusive, and also the time variable is crucial given that also physical access to the machine is needed.

There are two main approaches of Memory Forensics: Live response, and memory analysis. The first is best suited when time is fundamental, it consists in acquisition and analysis in one step, the tools used are obtrusive. The latter focuses on gathering best evidences, it decouples the acquisition and analysis steps, the analysis is performed on the memory dump, minimizing the footprint of the analysis (cold copy of the memory); the analysis is repeatable, the acquisition is NOT repeatable.

The organization of memory is architecture depends, and different architectures uses different memory addressing techniques, but all architectures implement virtual addressing mechanisms (not true on some embedded devices).

Virtual Memory allows the OS to expose to the processes a uniform, flat a globally available vision of the memory, the OS will map the virtual address space to the physical memory locations (Virtual to Physical translation). The memory allocation unit makes available to the OS data structures to perform the translation, with hardwar support to make it as fast as possible.

The physical memory is divided in, at least, two sub-parts: kernel space and user space. The addresses in x86 architecture are divided in three sections: offset and PDI and PTI.

Bits in the section are used to translate the virtual address to the physical location:

PDEs and PTEs include flags for assessing the validity of a virtual memory page. Then there was introduced an extension during the transition from 32bits and 64bits architectures. The purpose was to allow a further subdivision (another level of indirection) to make larger the addressing space.

Of course VtoP operations are time consuming, so TLBs hold caches of address conversion for processes with the current context.

Processes use the physical memory though the virtual addressing space provided by the OS, that means that even if a process sees its memory as a continuous space, in reality at the physical level data is not contiguous. Data related to the same process is spread all over the physical process.

It consists on the acquisition of the full memory of the system. To minimize the impact on the system some guidelines can be followed Here. Modern OSs are designed to isolate memory associated to different processes and of different users, those features work against the analyst, a low level interactions are required to perform a full memory dump.

interacting with an un-trusted system, the adversary may try to hide is presence. In case of user level malware the amount of tricks that the malware may use is quite limited, and can be easily spotted by using clean tools on external media. In case of root level malware, the level of trickery may be more deep, the malware may change everything, also at the memory level, during analysis.

Hardware based acquisition is possible, it consists on installing hardware modules on the PCI slot of the un-trusted machine, those modules perform a bit-by-bit copy of the memory (no interaction with the OS). This kind of hardware is expensive, and its usage is based on a strong assumption: you have to equip the machine with the module before the compromission takes place.

Software based acquisition consist in using features exposed by the operating system. Clearly software based acquisition tools can be launched only with administrator privileges, and are visible to an adversary. For example the malware can stop when a memory dump is in place, or it can cover its execution by zeroing part of its memory, or in case of rootkits, the information present in memory are fully substituted with crafted info.

A last approach is represented by using Virtual Machines snapshots, but of course the machine under analysis must be a VM (strong assumption), and is quite transparent to the OS. Other sources of memory dumps are hibernation files, and pages swapped from memory to disk (pagefiles); the content of pagefiles is just a collection of pages, they may contain old data.

A memory dump contains everything: data related to processes currently running, open network connection, open files, encryption keys for whole disk encryption schemes, and copies of volatile only malware.

Memory analysis may be performed by simply looking at the whole memory dump as a plain sequence of bytes, looking for patterns, or elements of known data structures (TCP protocols, elements of the OS), it is possible to extract strings, multimedia files and so on.

This kind of analysis tends to produce a lot of noise, because the tool used checks if a certain amount of contiguous bytes has a given pattern, but the fragmentation of memory pages may increase the difficulty of the search itself. Nevertheless this approach is useful when looking for stale data. On the other hand, when looking for data associated with running processes, the memory is analyzed rebuilding the state of the OS when the analysis was made: targeted search.

Volatility is a free tool, that enables to perform memory analysis, it is really good to perform structured analysis. It identify the main kernel data structures, and rebuild the status of the OS. Volatily also tracks the parent->children relationships among processes.

They adversary may hide its presence by altering the kernel level data structures by removing its process from the list, in this case scanning the memory for process artifacts may return better results. Volatility can use the psscan command, to allow the analyst to identify data structure related to processes detached from the main table, and find control blocks of processes that are terminated:

The EPROCESS data structure, is a kernel level data structure (double linked lists), that contains the process environment block that is a pointer to a user level data structure containing the info about the process.

Volatility pslist follows the EPROCESS list data structure to rebuild the list of running processes, furthermore, some malware remove their presence to the EPROCESS data structure to hide. On the other hand the psscan looks for sequences of bytes that satisfy a block of EPROCESS, even if it is not linked to the list.

It is possible to use YARA in combination to volatility to perform a low level analysis.

The YARA rules can be applied also to a single process, using its PID.

The windows process block, called also KDBG it’s linked to the list of running processes, the pslist command, use the KDBG data structure and follows the PsActiveProcessHead to rebuild the list of running processes. The same data structure contains also pointers to running drivers, or modules.

Sometimes microsoft slightly modify the structure of the KDBG, its structure can be used by volatility to infer the version of the OS:

Volatility can be used interactively, it spawn a python shell mapping the memory data structures on python data structures.

🏠 Home