Why collect memory?
Memory Forensics During
Incident Response
Jack Crook
Incident Handler
Works for GE
Founded RaDFIRe
Handlerdiaries.com
IR in a nutshell
Consider the following scenario
It’s been a long night and you finally get to bed, only to be woken up
30 minutes later by your phone telling you that an alert has fired and
needs to be triaged immediately. Crawling out of bed, you’re thinking
this has to be a false positive, because you’ve gone through this same
routine each of the past 5 nights you were on call. Not bothering to
turn the lights on for something that’s sure to be random noise, you
peer into the IDS console and see an alert you have never seen before.
Being the tired analyst that you are, you automatically think to
yourself, “who was the a$$hole that added this new rule”, and you’re
sure it was added just to keep you awake, but you know you can’t get
back to bed until the alert is validated. So you begin sifting through
the data, and it quickly becomes apparent that this isn’t a false
positive: it’s the real deal, and it has alerted you to the fact that
there’s an intruder in your network attempting to move laterally. You
double-check your initial analysis and come to the realization that
you’re not going to feel the comfort of your bed for a long, long time.
As the adrenaline begins to rush, your mind starts racing through
everything that needs to happen, and you know you need to act
immediately.
Questions that need to be answered
• Is there a compromise?
• How was access obtained?
• When do I contain?
• How many points of access are there?
• What is the scope of the incident?
• Was there any data exfil?
Useful Data Types
Knowing which data will give you the most information when
analyzing intrusions and being able to quickly collect that
data is critical.
• Network (PCAP / Netflow)
• OS logs
• AV, HIPS/HIDS Logs
• MFT
• Memory
• Pagefile
• Prefetch
• Registry Hives
Host-based analysis
Questions that need to be answered
• Is the host compromised?
• What was placed on the host?
• Was lateral movement performed?
• Was there any data exfil?
• Are additional hosts compromised?
Memory is one of the richest pieces of data to collect when
analyzing host data:
• Acquisition times
• Complete system state
• Recover artifacts of compromise
• Identify command execution
Tools for acquiring memory
There are several tools that you can use to acquire memory
during forensic investigations.
• DumpIt (Moonsols)
• Fastdump Pro (HBGary)
• Memoryze (Mandiant)
• FTK Imager (FTK)
Analysis Tools
There are several freely available tools that you can use to
aid in your forensic investigations.
• Volatility
• Rekall
• Redline
• Responder
• Strings
• Grep
• dd
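Strings and grep are the fastest of the tools above for a first pass over a raw image. The following is an added example, not code from the talk, that performs that first pass in Python on a small constructed byte string standing in for part of a memory image: it pulls out both ASCII and UTF-16LE strings (Windows keeps most paths and command lines as UTF-16LE, which plain `strings` only reports when run with `-el`), then flags IPv4 addresses and executable command lines for the analyst to review against the "who did the host talk to" and "how was lateral movement performed" questions. `SAMPLE_IMAGE`, `MIN_LEN` and the regular expressions are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

MIN_LEN = 6  # shortest printable run to report, like `strings -n 6`

# Patterns an analyst reviews first: IPv4 addresses and anything that names an .exe
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXEC_RE = re.compile(r"[\w.\\:-]+\.exe\b", re.IGNORECASE)


def extract_strings(image: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least min_len characters.

    ASCII runs are bytes 0x20-0x7e; UTF-16LE runs are the same bytes each followed by a NUL,
    which is how Windows stores wide strings and what `strings -el` looks for.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(image)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(image)]
    found.sort(key=lambda hit: hit[0])  # keep image order so related strings stay adjacent
    return found


def triage(image: bytes) -> Dict[str, list]:
    """Bucket the extracted strings into the things the IR questions above ask about."""
    hits: Dict[str, list] = {"ips": [], "commands": []}
    for offset, encoding, text in extract_strings(image):
        for ip in IPV4_RE.findall(text):
            hits["ips"].append((offset, ip))
        if EXEC_RE.search(text):
            hits["commands"].append((offset, encoding, text))
    return hits


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed sample standing in for a slice of a memory image: binary filler around one
# ASCII command line, two UTF-16LE strings and one run too short to report. Not from any
# real dump; the hosts, paths and account name are made up for this example.
SAMPLE_IMAGE = (
    b"\x00\x01\x02MZ\x90\x00" * 4
    + b"cmd.exe /c net use \\\\10.0.0.25\\c$ /user:corp\\svc_backup" + b"\x00" * 8
    + b"\xff\xfe\x13\x37"
    + _u16(r"C:\Windows\Temp\svchost.exe -k netsvcs") + b"\x00\x00"
    + b"\x7f\x00\x01\x02"
    + _u16("192.168.10.7:445") + b"\x00\x00"
    + b"abc\x00"
    + b"powershell.exe -File C:\\Temp\\update.ps1" + b"\x00" * 3
)

if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE_IMAGE):
        print(f"{offset:#08x} {encoding:8} {text}")
    print(triage(SAMPLE_IMAGE))
```

On a real image the same two regexes run over the file with `re.finditer` on a memory-mapped file, and the equivalent command-line pass is `strings -a -n 6 image.raw` plus `strings -a -n 6 -el image.raw`, piped through `grep` for the patterns of interest. The example reports the offset of each hit so that a string can be traced back to the process or VAD that owns that page with a tool such as Volatility.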
Questions we can often answer?
Is the host compromised?
How was the host compromised?
Were malicious files dropped?
Who talked to the host?
Who did the host talk to?
Were any user accts compromised?
Was any lateral movement identified?
How was lateral movement performed?
Was any data taken from the host?
Do additional hosts need investigation?
What can we glean?
Memory Terms
Some key terms that will be explained in the following slides:
• Virtual Memory
• Stack Memory
• Heap Memory
• Paging
• Memory management
• VAD’s
• Shared Memory
Memory Terms
Virtual Memory:
A mechanism used so that each process can have its own
memory space without bleeding into other processes’ space.
Stack Memory:
This is basically the runtime state of a process. This area of
memory includes data such as local variables and function
calls. Every process has one.
Heap Memory:
This area of memory is used for dynamic allocation. File
contents and user input are some of the data types found in heap
memory. Every process has one.
Memory Terms
Paging:
Also known as swapping. Used when physical memory for
that process is exhausted. Pages from memory are written
to disk to free physical memory space. When a swapped
page is needed it is retrieved from disk and rewritten to
memory.
Memory Management:
The operating system’s process of allocating and tracking
allocated memory.
Memory Terms
VAD:
Also known as Virtual Address Descriptors. It is the method
used to record the usage of virtual addresses. It is possible
to rebuild an entire process (minus paged data) by walking
this tree-like structure and extracting each page.
Shared Memory:
Used so that processes can share pieces of memory.
Think of DLLs.
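The VAD, paging and shared-memory terms above fit together in one picture: each VAD node names a range of virtual pages, a page table says which physical frame currently holds each page (or that it has been paged out), and two processes mapping the same DLL point at the same frames. The following added example, not code from the talk and a deliberate simplification of the Windows structures, builds a tiny VAD tree for two constructed processes and a constructed "physical memory" buffer, then rebuilds each region by walking the tree in address order, zero-filling paged-out pages the way a memory image cannot recover them and reporting which virtual pages were missing. `VadNode`, `rebuild_process`, `shared_frames`, the page tables and `PHYS` are all assumptions of this example (the real VAD is a balanced tree with more fields).

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

PAGE_SIZE = 0x1000  # 4 KiB pages, as on x86/x64 Windows


@dataclass
class VadNode:
    """One node of a simplified VAD tree: a contiguous range of virtual page numbers."""
    start_vpn: int
    end_vpn: int  # inclusive
    tag: str      # what the region is for: "stack", "heap", a mapped DLL, ...
    left: Optional["VadNode"] = None
    right: Optional["VadNode"] = None


def vad_insert(root: Optional[VadNode], node: VadNode) -> VadNode:
    """Insert keyed on start_vpn (a plain binary search tree here; Windows balances it)."""
    if root is None:
        return node
    if node.start_vpn < root.start_vpn:
        root.left = vad_insert(root.left, node)
    else:
        root.right = vad_insert(root.right, node)
    return root


def vad_walk(root: Optional[VadNode]) -> Iterator[VadNode]:
    """In-order traversal yields regions in ascending virtual-address order."""
    if root is None:
        return
    yield from vad_walk(root.left)
    yield root
    yield from vad_walk(root.right)


def rebuild_process(root: Optional[VadNode], page_table: Dict[int, int],
                    phys: bytes) -> Tuple[Dict[str, bytes], List[int]]:
    """Reassemble every VAD region from physical memory.

    page_table maps virtual page number -> physical frame number. A page missing from it
    is paged out: its contents live in the pagefile, not the memory image, so it is
    zero-filled and reported. That is the "minus paged data" caveat in practice.
    """
    regions: Dict[str, bytes] = {}
    paged_out: List[int] = []
    for vad in vad_walk(root):
        buf = bytearray()
        for vpn in range(vad.start_vpn, vad.end_vpn + 1):
            pfn = page_table.get(vpn)
            if pfn is None:
                paged_out.append(vpn)
                buf += b"\x00" * PAGE_SIZE
            else:
                buf += phys[pfn * PAGE_SIZE:(pfn + 1) * PAGE_SIZE]
        regions[vad.tag] = bytes(buf)
    return regions, paged_out


def shared_frames(pt_a: Dict[int, int], pt_b: Dict[int, int]) -> Set[int]:
    """Physical frames mapped by both processes: shared memory such as a loaded DLL."""
    return set(pt_a.values()) & set(pt_b.values())


# --- constructed sample (not a real dump): 8 frames of physical memory with markers ---
def _make_phys(n_pages: int, markers: Dict[int, bytes]) -> bytes:
    phys = bytearray(n_pages * PAGE_SIZE)
    for pfn, text in markers.items():
        phys[pfn * PAGE_SIZE:pfn * PAGE_SIZE + len(text)] = text
    return bytes(phys)


PHYS = _make_phys(8, {
    1: b"ntdll.dll code (shared)",
    2: b"stack of process A",
    3: b"heap of process A",
    5: b"stack of process B",
})


def build_process_a() -> Tuple[VadNode, Dict[int, int]]:
    root: Optional[VadNode] = None
    for node in (VadNode(0x7ff0, 0x7ff1, "stack"),      # two pages, both resident
                 VadNode(0x0400, 0x0401, "heap"),       # two pages, second paged out
                 VadNode(0x7700, 0x7700, "ntdll.dll")):  # one page, shared with process B
        root = vad_insert(root, node)
    page_table = {0x7ff0: 2, 0x7ff1: 4, 0x0400: 3, 0x7700: 1}  # 0x0401 absent: paged out
    return root, page_table


def build_process_b() -> Tuple[VadNode, Dict[int, int]]:
    root = vad_insert(None, VadNode(0x7ff0, 0x7ff0, "stack"))
    root = vad_insert(root, VadNode(0x7700, 0x7700, "ntdll.dll"))
    return root, {0x7ff0: 5, 0x7700: 1}


if __name__ == "__main__":
    root_a, pt_a = build_process_a()
    regions, missing = rebuild_process(root_a, pt_a, PHYS)
    for tag, data in regions.items():
        print(f"{tag:10} {len(data) // PAGE_SIZE} page(s), starts {data[:24]!r}")
    print("paged out:", [hex(v) for v in missing])
    print("frames shared with process B:", shared_frames(pt_a, build_process_b()[1]))
```

The walk visits heap, then ntdll.dll, then stack regardless of insertion order, which is why dumping a process from its VAD tree gives address-ordered output; the zero-filled heap page is the part of the process only the pagefile could supply, and the single frame both page tables share is the DLL image mapped once and visible to both processes.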
Demo
2012 GrrCON forensic challenge
https://docs.google.com/file/d/0B_xsNYzneAhEQXNZSzh6YTVZQ3M/edit