Memory Forensic
Investigating Memory Artefact
http://xathrya.id/ 1
Satria Ady Pradana @ Universitas Atma Jaya Yogyakarta
29 April 2017
Workshop
# Whoami?
- Cyber Security Consultant at Mitra Integrasi Informatika (MII)
- Researcher at dracOs Dev Team
- Coordinator of Reversing.ID
Organization
- Divided into sections that follow the forensic stages.
- Each section has objectives.
- Background explanation is given where necessary.
Overview
- Engage in practical forensic activity
- Acquisition
  - Windows Memory Acquisition
- Analysis
  - Process & DLLs
  - Registry
  - Connections
Assumption
- Have an understanding of simple UNIX commands (explained in the previous workshop).
Windows
Brief Introduction to Our Target's Internals
Volatility
Tools of the Trade
Profile?
- Each operating system has a different internal structure, even between minor versions.
- Volatility needs to know what type of system the memory dump came from, so it knows which data structures, algorithms and symbols to use.
- List all profiles:
$ vol.py --info
Command Line
- Typical command:
$ vol.py -f memdump.img --profile <profile> <plugin>
- Every command / task is implemented as a plugin.
Preliminary
Setting these two environment variables saves repeating -f and --profile on every command.
$ export VOLATILITY_PROFILE=Win7SP0x86
$ export VOLATILITY_LOCATION=file:///tmp/image.img
$ vol.py pslist
$ vol.py filescan
0x1 Acquisition
Objectives:
- Understanding memory (RAM) and volatile data.
- Understanding acquisition techniques for memory forensics.
- Knowing how to dump memory on Windows.
- Acquisition can be hardware based or software based.
- Hardware based acquisition requires special hardware with DMA capability.
  - FireWire (IEEE 1394)
- Here we are talking about software based acquisition.
Tools
- DumpIt & Hibr2Bin
- Winpmem
Image Format
- Raw
- Crash Dumps
- Hibernate
Using DumpIt & Hibr2Bin
Producing crash dump
> DumpIt.exe
Converting Hibernate File
> Hibr2Bin.exe
Using Winpmem
Producing dump in AFF4 compression
> winpmem.exe -o imagedump.aff4
Export to raw from AFF4
> winpmem.exe imagedump.aff4 --export PhysicalMemory -o memory.img
Vmware Memory Dump
- Applies to an OS running on top of VMware.
- To generate a memory dump, suspend the running VM.
  - This produces a .vmem file.
VirtualBox Memory Dump
- Applies to an OS running on top of VirtualBox.
- Start the VM and use VBoxManage:
$ vboxmanage debugvm "GuestVM" dumpguestcore --filename dump.elf
CHECKING IMAGE
Information
- Gain information about the memory dump, including the suggested profile:
$ vol.py imageinfo
PROCESS & DLL
View & Dump
View
- List all processes:
$ vol.py pslist
$ vol.py psscan
$ vol.py pstree
$ vol.py psxview
$ vol.py privs
Different?
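As an added example (not part of the workshop slides), the following Python script answers the "Different?" question programmatically: it parses pslist and psscan output and reports processes that pool-tag scanning finds but the EPROCESS linked-list walk does not, which is the core of what psxview reports. The two output samples are constructed to mimic the Volatility 2 column layout and are not real captures; the process names and PIDs are made up.

```python
import re

# pslist walks the EPROCESS ActiveProcessLinks list; psscan carves EPROCESS
# structures out of physical memory by pool tag. A process present only in psscan
# was either terminated (psscan then shows an exit time) or unlinked from the list.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")  # Offset Name PID PPID
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")

# Constructed sample output modelled on Volatility 2 column layout, not a real capture.
PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x84150020 System                    4      0     86      507 ------      0 2017-04-29 01:00:00 UTC+0000
0x85a3c030 csrss.exe               348    340      9      436      0      0 2017-04-29 01:00:02 UTC+0000
0x863f0d40 explorer.exe           1548   1492     28      742      1      0 2017-04-29 01:00:10 UTC+0000
"""

PSSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000003e4c020 System                4      0 0x00185000 2017-04-29 01:00:00 UTC+0000
0x000000001f6b5030 csrss.exe           348    340 0x3e5f0340 2017-04-29 01:00:02 UTC+0000
0x000000001fe80d40 explorer.exe       1548   1492 0x3e5f05c0 2017-04-29 01:00:10 UTC+0000
0x000000001f7c2a10 notepad.exe        2660   1548 0x3e5f0900 2017-04-29 01:03:12 UTC+0000   2017-04-29 01:04:50 UTC+0000
0x000000001f9a1b20 hidden.exe         2104   1548 0x3e5f0780 2017-04-29 01:05:41 UTC+0000
"""

def parse_processes(output):
    """Map (pid, name) -> {ppid, exited} for every data row of a pslist/psscan listing."""
    procs = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header and separator lines carry no process data
        _offset, name, pid, ppid = m.groups()
        # Two timestamps on one row means both "Time created" and "Time exited" are set.
        exited = len(TIMESTAMP.findall(line)) >= 2
        procs[(int(pid), name)] = {"ppid": int(ppid), "exited": exited}
    return procs

def find_hidden(pslist_out, psscan_out):
    """Live processes carved by psscan that the linked-list walk (pslist) missed."""
    listed = parse_processes(pslist_out)
    scanned = parse_processes(psscan_out)
    return {key for key, info in scanned.items()
            if key not in listed and not info["exited"]}

if __name__ == "__main__":
    for pid, name in sorted(find_hidden(PSLIST, PSSCAN)):
        print(f"in psscan but not pslist: pid={pid} name={name}")
```

Terminated processes legitimately show up in psscan only, so the exit-time check keeps them out of the report; what remains is worth a closer look with psxview and dlllist.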
View
- List all threads:
$ vol.py threads
$ vol.py thrdscan
Different?
View
- List the modules/libraries loaded by a process (e.g. PID 135):
$ vol.py dlllist -p 135
Dump
- Dump a process:
$ vol.py procdump -p 135 --dump-dir /tmp/procdump
- Dump its DLLs:
$ vol.py dlldump -p 135 --dump-dir /tmp/dlldump
CONNECTIONS
IP, Port, Sockets
- List connections made (connscan covers XP/2003 profiles; netscan covers Vista, 2008, Windows 7 and later, including sockets):
$ vol.py connscan
$ vol.py netscan
- List opened sockets (XP/2003 profiles only):
$ vol.py sockets
$ vol.py sockscan
REGISTRY
View
$ vol.py hivelist
$ vol.py hivescan
FILES
- Scan for file objects in memory:
$ vol.py filescan
- Dump files:
$ vol.py dumpfiles --dump-dir /tmp/dumpfiles
CHALLENGE: ANALYZE
COMPROMISED HOST