Post on 14-May-2015
Today's menu
Memory Forensics
Varun Nair
@w3bgiant
#whoami
• Security enthusiast.
• For food and shelter, I work with ZEE TV.
• For a living, I learn 4N6, malware and reverse engineering.
• Recent developments:
  • Chapter lead at Null, Mumbai chapter.
If you listen!!!!!
• Forensics Fundamentals
• Action Plan
• Order of Volatility
• Methodologies
• Dead Forensics
• Live Forensics
• Demo
ELSE!!!!
Forensics Fundamentals
• Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime.
• "Gathering and analysing data in a manner as free from distortion or bias as possible to reconstruct data or what happened in the past on a system [or a network]"
  - Dan Farmer / Wietse Venema
Action Plan - First Response
Arrive on crime scene:
• Machine state = ON → LIVE FORENSICS
• Machine state = OFF → DEAD FORENSICS
Order of Volatility (most to least volatile)
MOST
• CPU, cache and register content
• Routing table, ARP cache, process table, kernel statistics
• Memory
• Temporary file system / swap space
• Data on hard disk
• Remotely logged data
• Raw disk blocks
LEAST
Forensics Methodologies
• "LIVE" Forensics
• "DEAD" Forensics
DEAD FORENSICS
• Dead analysis is the more common way to acquire data.
• A dead acquisition copies the data without the assistance of the suspect's (operating) system.
• Analysing a "dead" system that has had its power cord pulled.
• During data acquisition an exact (typically bitwise) copy of the storage media is created.
• Least chance of modifying data on disk, but "live" data is lost forever.
LIVE FORENSICS
• Focuses on extracting and examining the volatile forensic data that would be lost on power off.
• A live acquisition copies the data using the suspect's (operating) system.
• Live forensics is not a "pure" forensic response, as it will have minor impacts on the underlying machine's operating state.
  - The key is that the impacts are known.
• Often used in incident handling to determine if an event has occurred.
• May or may not precede a full traditional forensic analysis.
• If you work on a suspect's system you should boot/use trusted tools (e.g. CD, USB stick).
LIVE FORENSICS
The image will have NO authenticity: no two images can have the "same hash value", since memory keeps changing while it is being captured.
Forensic Response Principles
• Maintain forensic integrity
• Require minimal user interaction
• Gather all pertinent information to determine if an incident occurred, for later analysis
• Enforce sound data and evidence collection
Methodology
ACQUIRE
• Capture RAM memory
CONTEXT
• Find memory offsets and establish contexts
ANALYSE
• Analyse data and recover evidence
What data is in MEMORY??
• Current running processes and terminated processes.
• Open TCP/UDP ports / raw sockets / active connections.
• Caches: web addresses, typed commands, passwords, clipboards, SAM databases, edited files.
• Memory mapped files: executables, shared objects (modules/drivers), text files.
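The ACQUIRE / CONTEXT / ANALYSE methodology and the in-memory artefacts listed above, as an added Python example that is not part of the original slides: it hashes a raw memory image for integrity, locates the offsets of mapped executables by validating the MZ/PE header chain, and carves web addresses in both ASCII and UTF-16LE. The image bytes and the URLs in them are constructed placeholders, not data from any real dump.

```python
import hashlib
import re
import struct

def build_sample_image() -> bytes:
    """Constructed stand-in for a raw RAM dump: zero-filled, with a minimal
    PE image mapped at 0x1000 and two URL artefacts planted at known offsets."""
    buf = bytearray(0x3000)
    e_lfanew = 0x80
    buf[0x1000:0x1002] = b"MZ"                                # DOS header magic
    buf[0x103C:0x1040] = struct.pack("<I", e_lfanew)          # e_lfanew field
    buf[0x1000 + e_lfanew:0x1000 + e_lfanew + 4] = b"PE\0\0"  # NT header magic
    ascii_url = b"http://example.invalid/typed"               # placeholder URL
    buf[0x2000:0x2000 + len(ascii_url)] = ascii_url
    wide_url = "https://example.test/history".encode("utf-16-le")
    buf[0x2800:0x2800 + len(wide_url)] = wide_url
    return bytes(buf)

def image_hash(image: bytes) -> str:
    """ACQUIRE: hash the dump as captured so later work can be shown to have
    used an unmodified copy (any single-byte change gives a different digest)."""
    return hashlib.sha256(image).hexdigest()

def find_pe_headers(image: bytes) -> list:
    """CONTEXT: offsets of mapped executables. A bare 'MZ' is weak evidence,
    so require the e_lfanew field to point at a valid 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(b"MZ", image):
        off = m.start()
        if off + 0x40 > len(image):
            continue
        e_lfanew = struct.unpack_from("<I", image, off + 0x3C)[0]
        pe = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and image[pe:pe + 4] == b"PE\0\0":
            hits.append(off)
    return hits

ASCII_URL = re.compile(rb"https?://[\x21-\x7e]{4,}")
WIDE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")

def find_urls(image: bytes) -> list:
    """ANALYSE: carve web addresses, in ASCII and in the UTF-16LE form Windows
    keeps most in-memory strings in. Returns (offset, url) pairs sorted by offset."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_URL.finditer(image)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_URL.finditer(image)]
    return sorted(found)

if __name__ == "__main__":
    img = build_sample_image()
    print(image_hash(img), [hex(o) for o in find_pe_headers(img)], find_urls(img))
```

On a real dump the same three steps apply, with the hash recorded before any analysis tool touches the file.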
DEMO
• Collecting memory dumps: DumpIt by MoonSols
• Analysing memory dumps: WinHex and Volatility Framework 2.3
Any other questions?