FOR526: Windows Memory Forensics In-Depth
Malware Can Hide, But It Must Run
Acquiring and analyzing physical memory is seen by Digital Forensics and Incident Response (DFIR) professionals as critical to the success of an investigation, whether it be a criminal case, employee policy violation, or enterprise intrusion. Investigators who are not looking at volatile memory are leaving evidence on the table. The valuable contents of RAM hold evidence of user actions as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.
Just as it is crucial to understand disk and registry structures in order to substantiate findings in traditional system forensics, it is equally critical to understand memory structures. Having in-depth knowledge of Windows memory internals allows the examiner to access target data specific to the needs of the current case. There is an arms race between analysts and attackers. Modern malware and post-exploitation modules increasingly employ self-defense techniques that include more sophisticated rootkit and anti-memory analysis mechanisms that destroy or subvert volatile data. Examiners must have a deeper understanding of memory internals in order to discern the intentions of attackers or rogue trusted insiders. This course takes the DFIR professional through acquisition, validation, and memory analysis with hands-on, real-world, and malware-laden memory images. The course draws on best practices and recommendations from top experts in the DFIR field.
FOR526 Windows Memory Forensics In-Depth provides the critical skills necessary for digital forensics examiners and incident responders to deftly analyze captured memory images and live response audits. By using the most effective freeware and open-source tools in the industry today and delivering a deeper understanding of how these tools work, this five-day course shows DFIR professionals how to unravel the real story of what happened on a system. It is a critical course for any serious investigator who wants to tackle advanced forensics, trusted insider, and incident response cases.
FOR526 Windows Memory Forensics In-Depth will teach you:
- Proper Memory Acquisition: Demonstrate targeted memory capture ensuring data integrity and combating anti-acquisition techniques
- How to Find Evil in Memory: Detect rogue, hidden, and injected processes, kernel-level rootkits, Dynamic Link Libraries (DLL) hijacking, process hollowing, and sophisticated persistence mechanisms
- Effective Step-by-Step Memory Analysis Techniques: Use process timelining, high-low level analysis, and walking the Virtual Address Descriptors (VAD) tree to spot anomalous behavior
- Best Practice Techniques: Learn when to implement triage, live system analysis, and alternative acquisition techniques and how to devise custom parsing scripts for targeted memory analysis
Remember: Malware can hide, but it must run. It is this malware paradox that is the key to understanding that while intruders are becoming more advanced with anti-forensic tactics and techniques, it is impossible for them to hide their footprints completely from a skilled incident responder performing memory analysis. FOR526 will ensure that you and your team are ready to respond to the challenges inherent in DFIR by using cutting-edge memory forensics tools and techniques.
|FOR526.1: Acquisition and Unstructured Memory Analysis|
Memory forensics is the study of operating systems, and operating systems, in turn, work extensively with the processor and its architecture. Before we can begin a meaningful analysis of the operating system, we must therefore understand how the underlying components work and fit together. This section explains a number of technologies that are used in modern computers and how they have evolved to where they are today.
Computer memory is a fantastic resource for the forensic investigator even without considering any operating system structures. There are data in memory that are simply not found anywhere else. Without even knowing which operating system was being used, an examiner can glean information that could be critical to a case. These data are generated by the underlying architecture or standards outside of the operating system. In particular, we focus on encryption keys and network packets. These two resources are not part of traditional forensics, but can provide invaluable data to the memory forensics investigator!
While conducting brute force searches for these structures, we are also starting to gather data for examining the operating system later on. Unlike disk forensics, there is no volume header to parse in memory. Instead, we must find values created by the operating system by searching for them manually. There are a number of structures that we can search for which will help us determine what operating system was being used, and the values particular to this execution.
CPE/CMU Credits: 6
Virtual Memory Models
Implementing the Virtual Memory Model
BIOS keyboard buffer
Preparing for Structured Analysis
The SIFT Workstation
Walking vs. Scanning
Section 1 Exercises
|FOR526.2: Windows Memory Internals|
Most users are familiar with processes on a Windows system, but not necessarily with how they work under the hood. In this section, we will talk about the operating system components that make up a process, how they fit together, and how they can be exploited by malicious software.
We will start with the basics of each process, how it was started, where the executable lives, and what command line options were used. Next will be the Dynamic Link Libraries (DLLs) used by a program and how they are found and loaded by the operating system. Finally, we will talk about the operating system structures involved with threads, the actual blocks of executing code that make up the interactive portion of every process.
CPE/CMU Credits: 6
Dynamic-link Libraries (DLLs)
|FOR526.3: User Visible Structures|
There are a tremendous number of structures used in Microsoft Windows. To understand what the operating system is doing, we have to understand these components. In this section we will begin to explore the complex web of interconnected data structures which make up the operating system. To that end we start with a basic introduction to C structures and how they are put together. From there we talk about which of them are used in Windows and the documentation Microsoft publishes about them.
In this section we will explore, in-depth, all of the components which constitute Microsoft Windows operating systems. We will start with processes and all of the data they contain. From there we will discuss DLLs, drivers, sockets, kernel objects, threads, modules, and virtual address descriptors.
For each of these areas we will talk about how these systems work, what data the operating system maintains, which of those are relevant for forensics, and how to determine if there is something suspicious occurring.
CPE/CMU Credits: 6
Introduction to C structures
Tools for Structures
Injected and Unpacked code
Finding hidden DLLs
Finding hidden processes
Section 3 Exercises
|FOR526.4: Internal Structures in Memory|
Knowing the basics of memory forensics allows us to begin doing it in the real world. First, we must acquire memory images. On any given system there may already be memory images, from the machine's past, which contain highly valuable information. In this section we will discuss how to find and recover such memory images. We'll also cover some of the tools to capture memory images and how to choose the one which is best for you.
CPE/CMU Credits: 6
The Windows Registry
Crash Dump Files
Traditional Imaging Programs
Suspended Virtual Machine
Cold Boot Method
Section 4 Exercises
|FOR526.5: Memory Forensics in the Real World Workbook - Windows Memory Forensics In-Depth - Hands-on Exercises|
This section will present a number of challenges for the memory forensic examiner. We do not want to spoil all of the surprises by listing them in the outline, but we can give you a sense of what you will be working on. These memory images may contain some kind of malicious software or data of interest. Each challenge will provide a little information to go on. (As with real-world examinations, of course, it's never enough information!) Your job will be to determine if there is anything of interest, and if so, what it is.
CPE/CMU Credits: 6
Section 5 EXERCISES
!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!
In the class, you will receive a DVD containing the Ubuntu SIFT Workstation Virtual Machine appliance with updates and evidence files that are specific to the FOR526 Windows Memory Analysis In-Depth class. It is essential that you have VMware installed on your system in order to utilize this VM appliance. Please download and install VMware Workstation 8.0, VMware Fusion 5.0 or VMware Player 5.0 or higher versions on your system prior to class beginning.
(If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site.) VMware Player is a free download that does not need a commercial license and is a viable option for this class.
MANDATORY LAPTOP HARDWARE REQUIREMENTS:
MANDATORY SYSTEM SOFTWARE REQUIREMENTS: (Please install the following prior to the beginning of the class):
Download and install 7Zip
Bring a Virtual Machine image of Windows XP SP2/SP3 or Windows 7. (This will be used for memory acquisition techniques that are VM specific. In addition, we will be using some memory parsing tools that work solely on Windows. If obtaining a license for either version is not possible, see Lenny Zeltzers blog on converting the Windows XP Mode Virtual PC format to VMware.)
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
|Who Should Attend|
|Why Take This Course?|
This Course Prepares you to
|What You Will Receive|
|You Will Be Able To|
|Press & Reviews|
"In our field the recovery of encryption keys is vital and this class not only showed us what was there, but also how to recover them. Additionally it taught me how to track down malware and what effects it was having upon the system and other user data that was capable of being recovered." - Barry Friedman, NY State Police
"It is entirely possible that key evidence, and perhaps, the only evidence on a system, is resident in memory. This class will really help you develop your memory kung fu." - Anonymous
"This class was important to help us fine tune our policies on live memory capture. It introduced some tools and what they're capable of. It's an in depth course that takes you from A to way past Z." - Barry Friedman, NY State Police
PRESS ARTICLES ABOUT THE FOR526 Windows Memory Forensics In-Depth COURSE:
Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.
*CPE/CMU credits not offered for the SelfStudy delivery method