Chapter 14

A COMPILED MEMORY ANALYSIS TOOL

James Okolica and Gilbert Peterson

Abstract The analysis of computer memory is becoming increasingly important in digital forensic investigations. Volatile memory analysis can provide valuable indicators on what to search for on a hard drive, help recover passwords to encrypted hard drives and possibly refute defense claims that criminal activity was the result of a malware infection. Historically, digital forensic investigators have performed live response by executing multiple utilities. However, using a single tool to capture and analyze computer memory is more efficient and has less impact on the system state (potential evidence). This paper describes CMAT, a self-contained tool that extracts forensic information from a memory dump and presents it in a format that is suitable for further analysis. A comparison of the results obtained with utilities that are commonly employed in live response demonstrates that CMAT provides similar information and identifies malware that is missed by the utilities.

Keywords: Live response, memory analysis, rootkit detection

K.-P. Chow, S. Shenoi (Eds.): Advances in Digital Forensics VI, IFIP AICT 337, pp. 195–204, 2010. © IFIP International Federation for Information Processing 2010

1. Introduction

When a large enterprise responds to a cybersecurity incident, it may not be feasible to perform the recommended disconnection and imaging process to gather forensic evidence [13], especially in the case of servers that are critical to business operations. According to CNET [19], Amazon lost $29,000 in revenue per minute during its June 2008 outage. In addition, there have been several recent cases where defendants were found innocent or guilty based on the live response information retrieved at the time of the incident [2]. Clearly, tools that can take quick snapshots of affected computers while minimizing the impact on business operations and preserving evidence are vital to digital forensic investigations.

Since many of the items of interest in a live response are maintained in computer memory rather than the hard drive, a minimally intrusive live response would involve the analysis of a live memory capture. Three steps are involved in developing a minimally intrusive standalone forensic tool for memory: (i) a front-end memory dump routine that directly accesses physical memory; (ii) a memory analysis tool that extracts environmental and activity information from the memory dump; and (iii) a synthesis tool that correlates the environmental information to provide a human-understandable narrative of what occurred on the machine.

This paper focuses on the second step: developing a compiled memory analysis tool (CMAT) that extracts environmental and activity information from a memory dump. CMAT parses a memory dump to find active, inactive and hidden processes as well as system registry information. It then compiles live response forensic information from these processes and registry files and assembles it into a format suitable for data correlation. CMAT is tested against several utilities that extract forensic information from a live system. Experimental results indicate that CMAT provides comparable information as traditional live response utilities, and also uncovers malware that these tools miss.

2. Background

Performing a live response allows the capture of forensic information that disappears after the computer is turned off. The benefits of a live response include: gathering clues to better focus a search of the hard drive [24]; retrieving decryption/encryption keys for an encrypted hard drive [24]; and defeating the Trojan horse defense of "I didn't do it, it was the malware installed on my machine" [2]. Valuable live response information that resides in memory includes [4, 5, 10, 24]:

- System date and time
- Logged in users and their authorization credentials
- Network information, connections and status
- Process information, memory and process-to-port mappings
- Clipboard contents
- Command history
- Services and driver information
- Open files, registry keys and hard disk images

One of the arguments against live response is that the evidence capture process modifies the machine state. Several techniques have been proposed to address this issue [1, 3, 9, 22]. These techniques attempt to capture all the memory instead of specific pieces of forensic information. This helps answer the immediate forensic questions and also provides a means to answer additional questions that may come up later in the investigation. The alternatives include hardware-based memory acquisition [1, 3], virtual machines, hibernation files [22] and operating system patches [9].

Hardware-based memory acquisition techniques circumvent the reliance on the operating system by using hardware that interacts directly with memory. These techniques involve the use of custom hardware [3] or the FireWire interface [1] for direct memory access. But the two techniques suffer from the "northbridge exploit" [16]. Since all peripheral devices use the northbridge to interface with the CPU and main memory, malware can be loaded onto the northbridge to subvert memory access by a peripheral while leaving the CPU and operating system untouched. This enables the malware to remain undetected. The northbridge exploit can be contained by constraining memory capture techniques to the CPU and operating system.

Virtual machines provide an easy method for dumping memory. When an incident occurs, a forensic investigator takes control of the actual machine, suspends the virtual machine, and then dumps the memory in the virtual machine. However, one problem with this method is that implementing such a policy within a large organization incurs high costs in terms of time and money. Moreover, software virtualization can slow the perceived responsiveness of a computer because every command has to go through an additional level of abstraction.

Hibernation files offer an alternative memory capture method that relies on the operating system [22]. The process of analyzing hibernation files requires placing the system in the hibernation mode, copying the hibernation files and extracting their contents. However, while the hibernation function is enabled on many laptops, it is disabled by default on most desktops. Desktops can be reconfigured to enable the hibernation mode, but this must be done in advance. Other difficulties include the lack of published descriptions of hibernation file formats and the fact that not everything in memory may be stored.

Libster and Kornblum [9] have proposed an alternative method for acquiring a pristine copy of memory. The method involves modifying the operating system kernel so that a user-defined function key would cause the operating system to immediately suspend, generate a memory dump that it sends over a network to a secure machine, and then resume execution. The difficulty with this method is to ensure that it is deployed for all the disparate systems of a large enterprise prior to an incident.

While a pre-installed operating system patch appears to be an ideal solution, in cases where prior access is not possible, the only option available is to initiate a new process to dump system memory. To minimize the impact, the application should limit application program interfaces (APIs) that interface with the operating system and the use of a graphical user interface (GUI). Unfortunately, while many available tools (e.g., [12, 23]) are run from the command line, most use operating system APIs to dump memory. The only exception appears to be Memoryze [11].

Memory analysis tools extract different amounts and types of live response data from a memory dump. The Volatility tool [25] extracts the date and time, running processes, open ports, process-port mappings, strings-process mappings, process-file mappings, process dynamic link libraries (DLLs) and open connections. Additional plug-ins are available to enhance the functionality of Volatility, including the ability to extract registry information. However, Volatility suffers from the limitation that it does not extract port information for all Windows operating system service pack and patch configurations.

Comprehensive open source memory analysis tools written in compiled languages such as C/C++ are not available for Windows XP systems. Betz [21] has developed a tool that finds processes and threads in memory and extracts some information, but it is limited to Windows 2000 systems and does not support the analysis of registry files, network activity and process creators. PTfinder [17] also searches through memory for processes and threads, and handles memory captures from Windows XP systems. However, like Betz's tool, it does not support the analysis of registry files [7], network activity and process creators [8].

3. Compiled Memory Analysis Tool

The compiled memory analysis tool (CMAT) is a C++ command line utility that runs on Linux and Windows operating systems. It parses a Windows XP memory dump to obtain information on user accounts, the Windows registry and running processes. CMAT provides system, process, registry, open ports and user information in a standalone tool that runs without API calls or high-level language interpreters. CMAT operates in two passes. During the first pass, CMAT searches the memory dump file for processes, threads and registry hives. In the second pass, CMAT organizes the process, thread and registry entries it has found and produces output in a format similar to that produced by common live response tools.

The Windows kernel incorporates data structures needed for the operating system to function. These data structures are useful for extracting live response information. For example, processes are stored in memory as EPROCESS structures. Potential process structures can be found by searching for strings formatted as a DISPATCH_HEADER of a KPROCESS. In the case of Windows XP SP2, this corresponds to a DISPATCH_HEADER of 0x03 and a KPROCESS size of 0x1b. After a likely process is found, it is double-checked to ensure that the page directory table base is a valid virtual memory location [15, 18]. If the page directory table does not point to a valid location, then what has been found is a process executable or process data, not a process header. This method finds all processes, including normal active processes, hidden active processes (e.g., processes hidden by a rootkit like FUTo [20]), defunct processes and processes from previous boots that have not been removed from memory. In addition, because the EPROCESS structure also contains a doubly-linked list of all active processes, processes that were missed during the string search can still be found by traversing the linked list. The scan of the linked list also assists in identifying processes that have been disconnected from the list (which is how FUTo hides processes).

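The signature scan and linked-list cross-check described above, as an added example that is not CMAT's code and does not come from the paper. The field offsets, the linear mapping KBASE that stands in for a real page-table walk, the use of the first hit as the list's starting point, and the four-entry constructed dump are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed XP SP2 x86 (non-PAE) offsets, not listed in the paper. Little-endian host assumed. */
enum { O_TYPE = 0x00, O_SIZE = 0x02, O_DTB = 0x18, O_LINKS = 0x88,
       O_NAME = 0x174, EPROC_LEN = 0x260, DUMP_LEN = 0x8000 };
#define KBASE 0x80000000u /* constructed dump only: kernel VA = KBASE + PA */
static uint32_t rd32(const uint8_t *m, size_t o) { uint32_t v; memcpy(&v, m + o, 4); return v; }

/* Pass 1: KPROCESS header (Type 0x03, Size 0x1b) plus a page-aligned DTB inside the dump. */
size_t scan_processes(const uint8_t *m, size_t len, uint32_t *out, size_t max) {
    size_t n = 0;
    for (size_t o = 0; o + EPROC_LEN <= len && n < max; o += 8) {
        if (m[o + O_TYPE] != 0x03 || m[o + O_SIZE] != 0x1b) continue;
        uint32_t dtb = rd32(m, o + O_DTB);
        if (dtb == 0 || (dtb & 0xFFFu) || dtb >= len) continue; /* data, not a header */
        out[n++] = (uint32_t)o;
    }
    return n;
}

/* Pass 2: 1 if `target` is reachable via ActiveProcessLinks.Flink from `start`, else 0. */
int is_linked(const uint8_t *m, size_t len, uint32_t start, uint32_t target) {
    uint32_t cur = start;
    for (size_t hops = 0; hops < len / 8; hops++) {       /* bound the walk */
        if (cur == target) return 1;
        cur = rd32(m, cur + O_LINKS) - KBASE - O_LINKS;    /* Flink VA -> EPROCESS offset */
        if (cur == start || cur > len - EPROC_LEN) break;  /* wrapped or left the dump */
    }
    return 0;
}

/* Cross-view: names of scanned processes the list walk cannot reach.
 * hit[0] stands in for the System process as the walk's starting point. */
size_t find_unlinked(const uint8_t *m, size_t len, char names[][16], size_t max) {
    uint32_t hit[32];
    size_t n = scan_processes(m, len, hit, 32), k = 0;
    for (size_t i = 1; i < n && k < max; i++) {
        if (is_linked(m, len, hit[0], hit[i])) continue;
        memcpy(names[k], m + hit[i] + O_NAME, 16); names[k++][15] = '\0';
    }
    return k;
}

/* Constructed dump: System and explorer.exe link to each other, cmd.exe points
 * at itself (unlinked), and the decoy has a DTB that is not page aligned. */
void build_dump(uint8_t *m) {
    static const struct { uint32_t off, dtb, next; const char *name; } p[] = {
        { 0x1000, 0x5000, 0x2000, "System" }, { 0x2000, 0x6000, 0x1000, "explorer.exe" },
        { 0x3000, 0x7000, 0x3000, "cmd.exe" }, { 0x4000, 0x0123, 0x4000, "decoy" } };
    memset(m, 0, DUMP_LEN);
    for (size_t i = 0; i < 4; i++) {
        uint32_t flink = KBASE + p[i].next + O_LINKS;
        m[p[i].off + O_TYPE] = 0x03; m[p[i].off + O_SIZE] = 0x1b;
        memcpy(m + p[i].off + O_DTB, &p[i].dtb, 4); memcpy(m + p[i].off + O_LINKS, &flink, 4);
        strncpy((char *)m + p[i].off + O_NAME, p[i].name, 15);
    }
}

int main(void) {
    static uint8_t dump[DUMP_LEN]; char names[4][16];
    build_dump(dump);
    for (size_t i = 0, n = find_unlinked(dump, DUMP_LEN, names, 4); i < n; i++) puts(names[i]);
}
```

On a real dump the walk would start from the System process or the list head and resolve each Flink through the page tables rather than through KBASE.
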
CMAT then searches through the memory dump for registry hives. In a manner similar to how it searches for processes, CMAT looks for CMHIVE structures with a signature in Windows XP of 0xbee0bee0 [7]. Just as a process must have a valid memory address for its page directory table base, a registry hive must have a valid memory address for its base block. CMAT also takes advantage of the doubly-linked CMHIVE structures to ensure that all the registries are found. CMAT then moves through the default user registry to find relationships between session IDs and usernames. In Windows XP, it finds the ProfileList key under \USER\MICROSOFT\Windows NT\CurrentVersion and then makes a record of the session IDs and their associated ProfileImagePaths, providing human-understandable names for the users that were logged in.

As a part of its processing, CMAT translates the virtual addresses stored in Windows kernel data structures into physical memory locations. Windows XP has two levels of indirection when it is run on a 32-bit machine; this is achieved by splitting a virtual address into a page directory index, a page table index and an offset. However, if large (4 MB) pages are used, there is one level of indirection; if physical address extensions are used, there are three levels of indirection. While CMAT can detect if large pages are being used, it requires user assistance in the form of a parameter value to discern if physical address extensions are in use. One method to avoid this is to try alternative virtual-to-physical mappings until the correct mapping is found [25]. Another method is to locate the kernel system variables that store this information [6].

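The translation cases named above (two levels, one level for a 4 MB page, three levels with physical address extensions), as an added example that is not CMAT's code. The function names, the caller-supplied pae flag modelled on CMAT's parameter, and the constructed page tables are assumptions of this example; under PAE a large page is 2 MB, and not-present entries are simply reported as failures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XLATE_FAIL UINT64_MAX
#define PTE_P  0x01u   /* present */
#define PTE_PS 0x80u   /* page size: the directory entry maps a large page directly */
enum { SAMPLE_LEN = 0x8000 };

/* Read a table entry of `w` bytes; outside the dump reads as 0 (not present). */
static uint64_t rd(const uint8_t *m, size_t len, uint64_t pa, unsigned w) {
    uint64_t v = 0;
    if (pa + w <= len) memcpy(&v, m + pa, w);   /* little-endian host assumed */
    return v;
}

/* Virtual -> physical for 32-bit x86. `pae` comes from the caller, as CMAT's
 * parameter does; large pages are detected from the PS bit of the PDE. */
uint64_t virt_to_phys(const uint8_t *m, size_t len, uint32_t dtb, uint32_t va, int pae) {
    const uint64_t frame = 0x000FFFFFFFFFF000ull;        /* PAE frame bits 12..51 */
    uint64_t pde, pte;
    if (!pae) {                                           /* two levels, 4-byte entries */
        pde = rd(m, len, (dtb & ~0xFFFu) + 4 * (va >> 22), 4);
        if (!(pde & PTE_P)) return XLATE_FAIL;
        if (pde & PTE_PS) return (pde & 0xFFC00000u) | (va & 0x3FFFFFu);  /* 4 MB page */
        pte = rd(m, len, (pde & 0xFFFFF000u) + 4 * ((va >> 12) & 0x3FF), 4);
        return (pte & PTE_P) ? ((pte & 0xFFFFF000u) | (va & 0xFFFu)) : XLATE_FAIL;
    }
    uint64_t pdpte = rd(m, len, (dtb & ~0x1Fu) + 8 * (va >> 30), 8);      /* third level */
    if (!(pdpte & PTE_P)) return XLATE_FAIL;
    pde = rd(m, len, (pdpte & frame) + 8 * ((va >> 21) & 0x1FF), 8);
    if (!(pde & PTE_P)) return XLATE_FAIL;
    if (pde & PTE_PS) return (pde & frame & ~0x1FFFFFull) | (va & 0x1FFFFFu); /* 2 MB page */
    pte = rd(m, len, (pde & frame) + 8 * ((va >> 12) & 0x1FF), 8);
    return (pte & PTE_P) ? ((pte & frame) | (va & 0xFFFu)) : XLATE_FAIL;
}

static void wr(uint8_t *m, uint32_t pa, uint64_t v, unsigned w) { memcpy(m + pa, &v, w); }

/* Constructed tables: non-PAE page directory at 0x1000, PAE PDPT at 0x3000. */
void build_sample(uint8_t *m) {
    memset(m, 0, SAMPLE_LEN);
    wr(m, 0x1000 + 4 * 1,     0x2000 | 0x67, 4);     /* PDE[1]   -> page table 0x2000 */
    wr(m, 0x2000 + 4 * 1,     0x5000 | 0x67, 4);     /* PTE[1]   -> frame 0x5000 */
    wr(m, 0x1000 + 4 * 0x200, 0x400000 | 0x1E3, 4);  /* PDE[512] -> 4 MB page at 0x400000 */
    wr(m, 0x3000,             0x4000 | 0x01, 8);     /* PDPTE[0] -> directory 0x4000 */
    wr(m, 0x4000 + 8 * 2,     0x6000 | 0x67, 8);     /* PDE[2]   -> page table 0x6000 */
    wr(m, 0x6000 + 8 * 1,     0x7000 | 0x67, 8);     /* PTE[1]   -> frame 0x7000 */
}

int main(void) {
    static uint8_t m[SAMPLE_LEN];
    build_sample(m);
    printf("non-PAE: %#llx  PAE: %#llx\n",
           (unsigned long long)virt_to_phys(m, SAMPLE_LEN, 0x1000, 0x00401234u, 0),
           (unsigned long long)virt_to_phys(m, SAMPLE_LEN, 0x3000, 0x00401234u, 1));
    return 0;
}
```

In this sample, walking the non-PAE directory at 0x1000 with pae set fails at the first entry, the kind of mismatch a try-the-alternatives approach can use to reject a wrong mapping.
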
After the process entries and registry hives are found, CMAT either interactively or in the batch mode provides forensic information of interest. This includes general system information (operating system and number of processes) and process information, which includes the user who created the process, full path of the executable, command line used to initiate the process, full paths of loaded DLLs, and the files and registry keys accessed by the process.

4. Test Methodology

The CMAT output was compared with the outputs of five Sysinternals utilities: psinfo, pslist, logonsessions, handle and listdlls [14]. System information that was examined included the operating system version, number of processors and number of processes. The process information examined included the process creator, files opened, registry keys accessed and modules loaded. The only type of volatile information not examined was network information, including the ports and sockets opened by processes. Also, a comparison was made of the number of distinct DLLs used by ManTech's physical memory dump (mdd) utility compared with the number of distinct DLLs used by the Sysinternals utilities.

A Windows XP SP3 system with 2,038 MB RAM was used in the tests. Several application programs were launched on the machine including Internet Explorer, Word, PowerPoint, Visual Studio, Calculator, Kernel Debugger and two command line shells. One of the command line shells was hidden by the FUTo rootkit [20]. The memory dump was collected using ManTech's mdd utility (version 1.3), which required 67 seconds.

5. Test Results

The test results in Table 1 demonstrate that CMAT provides the same or equivalent information as the Sysinternals utilities. In addition, CMAT found the process hidden by FUTo while the Sysinternals utilities did not. The Sysinternals utilities failed to associate several processes with the users that started them. Except for the inability of CMAT to provide network information, CMAT's performance in the tests was exemplary.

Table 1. CMAT vs. Sysinternals utilities.

Information                Result                             Correlation
Operating System Version   Windows XP SP3 v5.1 Build 2600     100%
Processor Count            2                                  100%
Process Count              56 of 58                           97%
User IDs                   50 of 57                           88%
Loaded Modules             57 of 57                           100%
Files                      57 of 57                           100%
Registry Keys              57 of 57                           100%
DLLs Used                  15 (CMAT) vs. 48 (Sysinternals)

- System Information: CMAT and psinfo provide the operating system version, major and minor version, service pack number and build number. Also, they both provide the number of processors. The psinfo utility also provides the processor type and speed along with the video driver used. However, this information appears to have limited forensic use; therefore, this feature was not implemented in CMAT. The one additional piece of information provided by psinfo compared with CMAT is if a physical address extension is used (as described above, this information is passed to CMAT as a parameter). A future version of CMAT will address this shortcoming.

- Processes: CMAT reported 58 active processes while pslist reported 57 processes; 56 of the processes matched (97% equality). The program missing from the CMAT results was pslist, which was not running when the memory was dumped. Similarly, the program mdd 1.3 was missing from the pslist result, which makes sense because the memory was already dumped when pslist was executed. The other program missing from the pslist result was cmd.exe, which was hidden by the FUTo rootkit; this demonstrates that a program intentionally hidden by malware can still be found by CMAT. While CMAT provides a single process listing that includes the user who created the process, Sysinternals uses a separate utility (logonsessions) for this purpose. Comparison of the CMAT and logonsessions results showed that nine processes were not listed by logonsessions, including all the processes owned by LocalService and NetworkService, and four processes owned by SystemProfile (including the system and idle processes). Identifying all the system processes is vital to detecting if malicious services were executing on the machine.

- Loaded Modules: CMAT and the Sysinternals listdlls utility provided identical lists of loaded modules (100% equality).

- Files and Registry Keys: The lists of files and registry keys provided by CMAT and the Sysinternals handle.exe utility matched, except for the temporary files that were opened and closed between the memory dump and the execution of handle.exe. These files were listed as having [RWD] access. CMAT identified file handles that were actually device handles (e.g., \Device\KsecDD), but was unable to print the names of the devices. Similarly, while handle.exe summarized the long code for the current user with a succinct HKU, CMAT displayed the entire registry key.

- Dynamic Link Libraries: As mentioned above, minimizing the number of loaded modules (DLLs) used when performing a live response is desirable because less evidence on the hard drive is modified. This test compared the numbers of DLLs used by ManTech's mdd memory capture tool and the five Sysinternals utilities. To collect the data, mdd was executed during the time that each of the five Sysinternals utilities was running. The DLL lists associated with the five Sysinternals utilities were extracted from the memory dumps using CMAT; duplicate DLLs among the five utilities were removed and the results were then tallied. The results show that performing a memory capture instead of a live response significantly reduces the impact on the evidence. In particular, the memory capture used 15 DLLs while the five Sysinternals utilities in total used 48 different DLLs, corresponding to a 69% reduction in system impact.

6. Conclusions

The CMAT live response tool provides comparable information from a memory dump and produces 69% less impact on system state (potential evidence) than the popular Sysinternals utilities. However, CMAT is unable to extract several pieces of useful forensic information, including the mapping of ports and sockets to processes (provided by the Sysinternals portmon utility). The difficulty arises because this information is stored in the data section of the TCP/IP module. While the port and socket data reside in specific locations for different Windows operating system versions, service packs and patch configurations, their locations can change when new patches are installed.

A future version of CMAT will target Microsoft Windows XP operating systems. One difficulty is to correctly map the kernel data structures for different Windows versions (e.g., Vista and Windows 7). This difficulty can be addressed by retrieving the operating system data structures dynamically after the operating system is identified upon parsing the memory dump. Microsoft has recognized the need for such flexibility by providing the data structures (symbol tables) for download in real time to support its kernel debugger. CMAT will attempt to make use of these symbol tables to facilitate memory analysis for different versions of the Windows operating system.

References

[1] A. Boileau, Hit by a bus: Physical access attacks with FireWire (www.storm.net.nz/static/files/abfirewirerux2k6-final.pdf), 2006.
[2] S. Brenner, B. Carrier and J. Henninger, The Trojan Horse Defense in Cybercrime Cases, CERIAS Tech Report 2005-15, Center for Education and Research in Information Assurance and Security, Purdue University, West Lafayette, Indiana, 2005.
[3] B. Carrier, File System Forensic Analysis, Pearson, Upper Saddle River, New Jersey, 2005.
[4] B. Carrier and J. Grand, A hardware-based memory acquisition procedure for digital investigations, Digital Investigation, vol. 1(1), pp. 50–60, 2004.
[5] H. Carvey, Windows Forensic Analysis, Syngress, Burlington, Massachusetts, 2007.
[6] B. Dolan-Gavitt, Finding kernel global variables in Windows (moyix.blogspot.com/2008/04/finding-kernel-global-variables-in.html), April 16, 2008.
[7] B. Dolan-Gavitt, Forensic analysis of the Windows registry in memory, Digital Investigation, vol. 5(S), pp. S26–S32, 2008.
[8] B. Dolan-Gavitt, Linking processes to users (moyix.blogspot.com/2008/08/linking-processes-to-users.html), August 16, 2008.
[9] E. Libster and J. Kornblum, A proposal for an integrated memory acquisition mechanism, ACM SIGOPS Operating Systems Review, vol. 42(3), pp. 14–20, 2008.
[10] K. Mandia, C. Prosise and M. Pepe, Incident Response and Computer Forensics, McGraw-Hill/Osborne, Emeryville, California, 2003.
[11] Mandiant, Memoryze, Washington, DC (www.mandiant.com/software/memoryze.htm).
[12] ManTech, Memory DD, Vienna, Virginia (cybersolutions.mantech.com/products.htm).
[13] National Institute of Justice, Electronic Crime Scene Investigation: An On-the-Scene Reference for First Responders, U.S. Department of Justice, Washington, DC, 2009.
[14] M. Russinovich, Sysinternals Suite, Microsoft Corporation, Redmond, Washington (technet.microsoft.com/en-us/sysinternals/bb842062.aspx).
[15] M. Russinovich and D. Solomon, Microsoft Windows Internals, Microsoft Press, Redmond, Washington, 2005.
[16] J. Rutkowska, Beyond the CPU: Defeating hardware-based RAM acquisition (Part I: AMD case), presented at the Black Hat DC 2007 Conference (www.first.org/conference/2007/papers/rutkowska-joanna-slides.pdf), 2007.
[17] A. Schuster, PTfinder (version 0.2.00), Bonn, Germany (computer.forensikblog.de/en/2006/03/ptfinder0200.html), 2006.
[18] A. Schuster, Searching for processes and threads in Microsoft Windows memory dumps, Digital Investigation, vol. 3(S), pp. S10–S16, 2006.
[19] S. Shankland, Amazon suffers U.S. outage on Friday, CNET, San Francisco, California (news.cnet.com/8301-107843-9962010-7.html), June 6, 2008.
[20] P. Silberman, FUTo, Uninformed, vol. 3 (www.uninformed.org/v=3&a=7&t=sumry), January 2006.
[21] SourceForge.net, Memparser (sourceforge.net/projects/memparser), 2006.
[22] M. Suiche, Sandman Project (sandman.msuiche.net/docs/SandManProject.pdf), 2008.
[23] M. Suiche, win32dd (win32dd.msuiche.net).
[24] I. Sutherland, J. Evans, T. Tryfonas and A. Blyth, Acquiring volatile operating system data: Tools and techniques, ACM SIGOPS Operating Systems Review, vol. 42(3), pp. 65–73, 2008.
[25] A. Walters and N. Petroni, Volatools: Integrating volatile memory forensics into the digital investigation process, presented at the Black Hat DC 2007 Conference (www.blackhat.com/presentations/bh-dc-07/Walters/Paper/bh-dc-07-Walters-WP.pdf), 2007.