
FOR526 Beta

Denver, CO | Mon, Nov 5 - Fri, Nov 9, 2012
 

FOR526: Memory Forensics In-Depth

Malware Can Hide, But It Must Run

Acquiring and analyzing physical memory is seen by Digital Forensics and Incident Response (DFIR) professionals as critical to the success of an investigation, whether it be a criminal case, employee policy violation, or enterprise intrusion. Investigators who are not looking at volatile memory are leaving evidence on the table. The valuable contents of RAM hold evidence of user actions as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the "smoking gun" that unravels the story of what happened on a system.

Just as it is crucial to understand disk and registry structures in order to substantiate findings in traditional system forensics, it is equally critical to understand memory structures. Having in-depth knowledge of Windows memory internals allows the examiner to access target data specific to the needs of the current case. There is an arms race between analysts and attackers. Modern malware and post-exploitation modules increasingly employ self-defense techniques that include more sophisticated rootkit and anti-memory analysis mechanisms that destroy or subvert volatile data. Examiners must have a deeper understanding of memory internals in order to discern the intentions of attackers or rogue trusted insiders. This course takes the DFIR professional through acquisition, validation, and memory analysis with hands-on, real-world, and malware-laden memory images. The course draws on best practices and recommendations from top experts in the DFIR field.

FOR526 - Memory Forensics In-Depth provides the critical skills necessary for digital forensics examiners and incident responders to deftly analyze captured memory images and live response audits. By using the most effective freeware and open-source tools in the industry today and delivering a deeper understanding of how these tools work, this five-day course shows DFIR professionals how to unravel the real story of what happened on a system. It is a critical course for any serious investigator who wants to tackle advanced forensics, trusted insider, and incident response cases.

FOR526 - Memory Forensics In-Depth will teach you:

  • Proper Memory Acquisition: Demonstrate targeted memory capture ensuring data integrity and combating anti-acquisition techniques
  • How to Find Evil in Memory: Detect rogue, hidden, and injected processes, kernel-level rootkits, Dynamic Link Library (DLL) search order hijacking, process hollowing, and sophisticated persistence mechanisms
  • Effective Step-by-Step Memory Analysis Techniques: Use process timelining, high-level and low-level analysis, and walking the Virtual Address Descriptor (VAD) tree to spot anomalous behavior
  • Best Practice Techniques: Learn when to implement triage, live system analysis, and alternative acquisition techniques and how to devise custom parsing scripts for targeted memory analysis

Remember: "Malware can hide, but it must run." It is this malware paradox that is the key to understanding that while intruders are becoming more advanced with anti-forensic tactics and techniques, it is impossible for them to hide their footprints completely from a skilled incident responder performing memory analysis. FOR526 will ensure that you and your team are ready to respond to the challenges inherent in DFIR by using cutting-edge memory forensics tools and techniques.

Course Syllabus
Course Contents | Instructor | Schedule
  FOR526.1: Acquisition and Unstructured Memory Analysis | Jesse Kornblum | Mon Nov 5th, 2012, 9:00 AM - 5:00 PM
Overview

Memory forensics is the study of operating systems, and operating systems, in turn, work extensively with the processor and its architecture. Before we can begin a meaningful analysis of the operating system, we must therefore understand how the underlying components work and fit together. This section explains a number of technologies that are used in modern computers and how they have evolved to where they are today.

Computer memory is a fantastic resource for the forensic investigator even without considering any operating system structures. There are data in memory that are simply not found anywhere else. Without even knowing which operating system was being used, an examiner can glean information that could be critical to a case. These data are generated by the underlying architecture or standards outside of the operating system. In particular, we focus on encryption keys and network packets. These two resources are not part of traditional forensics, but can provide invaluable data to the memory forensics investigator!

While conducting brute force searches for these structures, we also begin gathering the data needed to examine the operating system later on. Unlike disk forensics, there is no volume header to parse in memory; the image has no defined starting point. Instead, we must locate values the operating system created by searching for them manually. A number of structures can be searched for that tell us which operating system was running and which values are specific to this particular boot.

CPE/CMU Credits: 6

Topics

Computer architectures

  • 32-bit vs. 64-bit operating systems
  • x86, x86_64, and IA-64 architectures
  • Virtual and physical address spaces
  • Physical Address Extensions

Virtual Memory Models

  • Process memory and system memory
  • Shared view of system memory
  • Calls between these spaces

Implementing the Virtual Memory Model

  • Virtual to physical address translation
  • Differences between virtual and physical memory size
  • Invalid memory

Process Memory

  • Modeling a process as a container
  • Code
  • Threads
  • Stack
  • Heap

System Memory

  • Code
  • Drivers
  • Scheduling
  • Interrupts
  • Memory Management
  • Services

BIOS keyboard buffer

Encryption keys

  • How a password becomes a key
  • Keys and key schedules
  • Structures of key schedules
  • Searching for key schedules
  • AES and TrueCrypt keys
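The key schedule search listed above, as an added example that is not part of the course materials: a 16-byte key is indistinguishable from random data on its own, but the expanded schedule an AES implementation keeps in RAM is highly structured, because every round key is derived from the one before it. The scanner below treats each 16-byte window of an image as a candidate AES-128 key, expands it, and reports a hit only when the following 160 bytes match the expansion. The memory image, the planting offsets, and the filler are constructed for the demo; the planted key is the FIPS-197 Appendix A.1 test key. The S-box is generated at start-up rather than typed in.

```python
"""Brute-force search for AES-128 key schedules in a raw memory image.

Added example (not course code). Assumptions: AES-128 (10 rounds, 176-byte
schedule) and a constructed image with one planted schedule.
"""
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Generate the AES S-box: GF(2^8) multiplicative inverse plus the affine map."""
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                              # zero has no inverse
    return sbox


SBOX = _build_sbox()
ROUNDS = 10                         # AES-128
SCHEDULE_LEN = 16 * (ROUNDS + 1)    # 176 bytes of round keys


def next_round_key(prev, rcon):
    """Derive round key i from round key i-1 (FIPS-197 key expansion, Nk=4)."""
    t = list(prev[12:16])
    t = t[1:] + t[:1]                           # RotWord
    t = [SBOX[b] for b in t]                    # SubWord
    t[0] ^= rcon
    out = bytearray()
    for j in range(4):                          # w[i] = w[i-4] ^ temp, four words
        t = [prev[4 * j + k] ^ t[k] for k in range(4)]
        out += bytes(t)
    return bytes(out)


def expand_key(key):
    """Full AES-128 key schedule: 11 round keys, 176 bytes."""
    assert len(key) == 16
    sched = bytearray(key)
    rcon = 1
    for _ in range(ROUNDS):
        sched += next_round_key(sched[-16:], rcon)
        rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
    return bytes(sched)


def find_aes128_schedules(image):
    """Return (offset, key) for every complete AES-128 key schedule found in image."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        # Cheap filter first: the next 16 bytes must be round key 1 of this candidate.
        if next_round_key(cand, 1) != image[off + 16:off + 32]:
            continue
        if expand_key(cand) == image[off:off + SCHEDULE_LEN]:
            hits.append((off, cand))
    return hits


# Constructed 16 KiB "image": seeded random filler, one real schedule planted at
# SCHEDULE_OFFSET, and the bare key planted at BARE_KEY_OFFSET as a negative control
# (a key without its schedule is not recognisable and must not be reported).
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SCHEDULE_OFFSET = 0x2A00
BARE_KEY_OFFSET = 0x0800


def build_image(seed=1):
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(16 * 1024))
    image[BARE_KEY_OFFSET:BARE_KEY_OFFSET + 16] = FIPS_KEY
    image[SCHEDULE_OFFSET:SCHEDULE_OFFSET + SCHEDULE_LEN] = expand_key(FIPS_KEY)
    return bytes(image)


if __name__ == "__main__":
    for off, key in find_aes128_schedules(build_image()):
        print(f"AES-128 key schedule at 0x{off:05x}: key {key.hex()}")
```

The same check extends to AES-256 by expanding with Nk=8 (the expansion has an extra SubWord step every eighth word, and the schedule is 240 bytes), which is what a TrueCrypt AES volume would leave behind. Two caveats a practitioner should keep in mind: an implementation that stores only its decryption schedule (round keys with InvMixColumns already applied) will not match a forward expansion, so a production scanner checks both forms; and a schedule is only present while the key is in use, which is why acquisition timing matters.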

Network Packets

Traditional Data

  • Credit card numbers
  • Email addresses
  • URLs
  • Phone Numbers

Preparing for Structured Analysis

  • No defined starting point like a volume header
  • Searching for processes
  • Validating data
  • Searching for debugging structures

The SIFT Workstation

  • SIFT Workstation review
  • Pros and cons of Volatility
  • Installation
  • Basic Usage

Pool Memory

  • Shared memory for the kernel
  • Structure of pool memory
  • Validating frames of pool memory
  • Pool tags of interest

Walking vs. Scanning

  • The benefits and blind spots of each approach
  • Leftover data from a previous boot or from terminated objects
  • Unlinked data (objects removed from the kernel's lists)
  • Comparing the results of walking and scanning

Section 1 Exercises

  • Recovering encryption keys, network packets, and more with brute force searching tools
  • Brute force searches of Windows Pool Memory
  • Writing a pool tag scanner for Volatility
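Walking vs. scanning, and the pool tag scanner exercise above, as an added example that is not part of the course materials (it also illustrates the "finding hidden processes" and "defeating DKOM" topics in Section 3). The constructed image models a 32-bit XP nonpaged pool: each allocation begins with an 8-byte _POOL_HEADER (PreviousSize 9 bits, PoolIndex 7 bits, BlockSize 9 bits, PoolType 7 bits, then a 4-byte tag) followed by a simplified process body that stands in for _EPROCESS. The process tag is assumed to be 'Proc' with the protected-allocation bit set on its last byte, as Volatility's psscan searches for. Walking follows the active process list from its head, as a live tool would; scanning ignores the lists and carves every block whose tag and header validate. Comparing the two results exposes one object unlinked by DKOM and one left behind by a terminated process, while a decoy copy of the tag inside ordinary data is rejected by header validation.

```python
"""Walking vs. scanning a toy nonpaged pool. Added example, not course code.

Assumptions: 32-bit XP _POOL_HEADER bit layout, the 'Pro\xe3' tag, and a made-up
process body (flink, blink, pid, exit_time, name) in place of a real _EPROCESS.
"""
import struct

POOL_HDR = struct.Struct("<I4s")        # packed bitfields, then the 4-byte tag
PROC_BODY = struct.Struct("<IIIQ16s")   # flink, blink, pid, exit_time, name (toy layout)
PROC_TAG = b"Pro\xe3"                   # 'Proc' with the protected-allocation bit set
BLOCK_UNIT = 8                          # BlockSize is counted in 8-byte units
LIST_HEAD = 0x40                        # stands in for PsActiveProcessHead
IMAGE_SIZE = 0x1000
DECOY = b"Pro\xe3 inside a string buffer"

# Constructed process set: (pid, name, exit_time). evil.exe was unlinked by DKOM
# while still running; notepad.exe exited and was unlinked normally by the kernel.
PROCESSES = [
    (4, b"System", 0),
    (568, b"lsass.exe", 0),
    (1204, b"explorer.exe", 0),
    (1720, b"evil.exe", 0),
    (1888, b"notepad.exe", 0x01CD9E3A5F1C2B00),
]
HIDDEN_PID = 1720


def make_pool_header(body_len, pool_type=1):
    block_size = -(-(POOL_HDR.size + body_len) // BLOCK_UNIT)   # ceil to 8-byte units
    packed = (block_size << 16) | (pool_type << 25)              # PreviousSize/PoolIndex = 0
    return POOL_HDR.pack(packed, PROC_TAG)


def parse_pool_header(buf, off):
    packed, tag = POOL_HDR.unpack_from(buf, off)
    return {"block_size": (packed >> 16) & 0x1FF,
            "pool_type": (packed >> 25) & 0x7F, "tag": tag}


def build_image():
    buf = bytearray(IMAGE_SIZE)
    body_at, cur = {}, 0x100
    for pid, _, _ in PROCESSES:
        buf[cur:cur + POOL_HDR.size] = make_pool_header(PROC_BODY.size)
        body_at[pid] = cur + POOL_HDR.size
        cur += 0x80
    # Active list: head -> System -> lsass -> explorer -> head. evil and notepad are not in it.
    active = [p for p, _, exit_time in PROCESSES if exit_time == 0 and p != HIDDEN_PID]
    chain = [LIST_HEAD] + [body_at[p] for p in active]
    links = {a: (chain[(i + 1) % len(chain)], chain[i - 1]) for i, a in enumerate(chain)}
    struct.pack_into("<II", buf, LIST_HEAD, *links[LIST_HEAD])
    for pid, name, exit_time in PROCESSES:
        addr = body_at[pid]
        flink, blink = links.get(addr, (addr, addr))     # unlinked objects point at themselves
        PROC_BODY.pack_into(buf, addr, flink, blink, pid, exit_time, name.ljust(16, b"\0"))
    buf[0xF00:0xF00 + len(DECOY)] = DECOY                 # tag bytes with no header in front
    return bytes(buf)


def _proc(buf, addr):
    flink, blink, pid, exit_time, name = PROC_BODY.unpack_from(buf, addr)
    return {"addr": addr, "pid": pid, "name": name.rstrip(b"\0").decode(), "exit_time": exit_time}


def walk_active_list(buf):
    """Follow flink pointers from the list head; stop on return to head or on a cycle."""
    found, seen = [], set()
    addr = struct.unpack_from("<I", buf, LIST_HEAD)[0]
    while addr != LIST_HEAD and addr not in seen:
        seen.add(addr)
        found.append(_proc(buf, addr))
        addr = PROC_BODY.unpack_from(buf, addr)[0]
    return found


def scan_pool(buf):
    """Carve every allocation whose tag matches and whose pool header validates."""
    found = []
    pos = buf.find(PROC_TAG)
    while pos != -1:
        hdr_off = pos - 4                                 # tag is the second dword of the header
        if hdr_off >= 0:
            h = parse_pool_header(buf, hdr_off)
            body_off = hdr_off + POOL_HDR.size
            plausible = (h["pool_type"] != 0                 # allocated, not free
                         and h["block_size"] * BLOCK_UNIT >= POOL_HDR.size + PROC_BODY.size
                         and body_off + PROC_BODY.size <= len(buf))
            if plausible:
                p = _proc(buf, body_off)
                if p["pid"]:                              # second sanity check on the body
                    found.append(p)
        pos = buf.find(PROC_TAG, pos + 1)
    return found


def compare(walked, scanned):
    """psxview-style cross-check: anything scanned but not walked needs an explanation."""
    linked = {p["pid"] for p in walked}
    verdict = {}
    for p in scanned:
        if p["pid"] in linked:
            verdict[p["pid"]] = "linked"
        elif p["exit_time"]:
            verdict[p["pid"]] = "terminated (leftover block)"
        else:
            verdict[p["pid"]] = "HIDDEN (unlinked, no exit time)"
    return verdict


if __name__ == "__main__":
    image = build_image()
    for pid, status in sorted(compare(walk_active_list(image), scan_pool(image)).items()):
        print(f"pid {pid:5d}: {status}")
```

The two validation steps are the part worth copying: a tag match alone produces false positives wherever the four bytes occur in data, so the scanner first checks that the header in front of the tag describes a plausible allocated block, then that the carved body makes sense. Real scanners apply more checks of this kind (for example, a nonzero page directory base and sane parent pid), and a scan that finds a process with an exit time is reporting history, not a hidden process.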

 
  FOR526.2: Windows Memory Internals | Jesse Kornblum | Tue Nov 6th, 2012, 9:00 AM - 5:00 PM
Overview

Most users are familiar with processes on a Windows system, but not necessarily with how they work under the hood. In this section, we will talk about the operating system components that make up a process, how they fit together, and how they can be exploited by malicious software.

We will start with the basics of each process: how it was started, where its executable lives, and what command line options were used. Next come the Dynamic Link Libraries (DLLs) used by a program and how they are found and loaded by the operating system. Finally, we will cover the operating system structures involved with threads, the units of execution that actually run a process's code.

CPE/CMU Credits: 6

Topics

Processes

  • Process Environment Block
  • Process Parameters
  • Command line
  • Relationships between processes
  • Direct Kernel Object Manipulation

Dynamic-link Libraries (DLLs)

  • Purpose and Use
  • Legitimate DLLs
  • Search Order Hijacking
  • Lists of loaded DLLs
  • DLL abnormalities

Drivers

  • Legitimate drivers
  • Driver stacking
  • The driver dispatch table
  • Recovering drivers

Sockets

  • Review of networking technologies
  • Changes in Windows over time
  • TCP and UDP sockets
  • TCP connections

Kernel Objects

  • Structure
  • Finding hidden processes with objects

Threads

  • Execution context
  • Stack
  • Thread scheduling
  • Using threads to find hidden code
 
  FOR526.3: User Visible Structures | Jesse Kornblum | Wed Nov 7th, 2012, 9:00 AM - 5:00 PM
Overview

There are a tremendous number of structures used in Microsoft Windows. To understand what the operating system is doing, we have to understand these components. In this section we will begin to explore the complex web of interconnected data structures which make up the operating system. To that end we start with a basic introduction to C structures and how they are put together. From there we talk about which of them are used in Windows and the documentation Microsoft publishes about them.

In this section we will explore, in depth, the main components that constitute Microsoft Windows operating systems. We will start with processes and all of the data they contain. From there we will discuss DLLs, drivers, sockets, kernel objects, threads, modules, and virtual address descriptors.

For each of these areas we will talk about how these systems work, what data the operating system maintains, which of those are relevant for forensics, and how to determine if there is something suspicious occurring.

CPE/CMU Credits: 6

Topics

Introduction to C structures

  • Structures, nesting, enumerations and unions

Microsoft Structures

  • Backward compatibility
  • Symbol files
  • Organization of symbols

Tools for Structures

  • Kd and WinDBG
  • Livekd

Modules

  • The Windows loader process
  • Reversing the loader's changes
  • Recovering unpacked executables
  • Recovering trashed executables

Injected and Unpacked code

  • Executable regions of memory
  • Finding code in the heap
  • Sorting out false positives

Finding hidden DLLs

Finding hidden processes

  • Combining multiple data sources
  • Defeating DKOM

Driver Hooking

  • When it's normal
  • When it's abnormal

Section 3 Exercises

  • Exploring Windows structures on a live system
  • Searching for kernel debugging structures
  • Finding suspicious processes from their command lines
  • Searching for illegitimate DLLs
  • Recovering suspicious drivers
  • Enumerating network listeners
  • Writing a Volatility plugin to recognize potential TrueCrypt containers
  • Identifying code being executed using threads
  • Recovering a packed program as an unpacked program
  • Working with the MHL Plugins on memory images: malfind, psxview, ldrmodules, driverirp, svcscan
 
  FOR526.4: Internal Structures in Memory | Jesse Kornblum | Thu Nov 8th, 2012, 9:00 AM - 5:00 PM
Overview

Knowing the basics of memory forensics allows us to begin doing it in the real world. First, we must acquire memory images. On any given system there may already be memory images from the machine's past, such as hibernation files and crash dumps, which contain highly valuable information. In this section we will discuss how to find, convert, and analyze such images. We will also cover the tools and methods for capturing memory from a running system, the advantages and limitations of each, and how to choose the one that is best for your situation.

CPE/CMU Credits: 6

Topics

The Windows Registry

  • Registry Overview
  • How the Registry is stored in memory
  • The volatile part of the hive
  • Recovering registry data from memory

Hibernation Files

  • Saved system state
  • Power saving feature
  • Serialized memory image
  • File Format
  • Potential vulnerability to malware
  • Decompression and Use

Crash Dump Files

  • Debugging information
  • File Format
  • Reconstruction and Use

Memory Imaging

  • Differences from disk imaging
  • Terminology

Traditional Imaging Programs

Suspended Virtual Machine

USB

Firewire

Cold Boot Method

Section 4 Exercises

  • Cracking passwords recovered from memory images
  • Using traditional memory imaging tools
  • Using a suspended virtual machine to capture memory

 
  FOR526.5: Memory Forensics in the Real World (Hands-on Workbook) | Jesse Kornblum | Fri Nov 9th, 2012, 9:00 AM - 5:00 PM
Overview

This section will present a number of challenges for the memory forensic examiner. We do not want to spoil all of the surprises by listing them in the outline, but we can give you a sense of what you will be working on. These memory images may contain some kind of malicious software or data of interest. Each challenge will provide a little information to go on. (As with real-world examinations, of course, it's never enough information!) Your job will be to determine if there is anything of interest, and if so, what it is.

CPE/CMU Credits: 6

Topics

Section 5 Exercises

  • Ten memory images to be examined
 
Additional Information
 
  Laptop Required

!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!

In the class, you will receive a DVD containing the Ubuntu SIFT Workstation Virtual Machine appliance with updates and evidence files that are specific to the FOR526 Windows Memory Analysis In-Depth class. It is essential that you have VMware installed on your system in order to utilize this VM appliance. Please download and install VMware Workstation 8.0, VMware Fusion 5.0 or VMware Player 5.0 or higher versions on your system prior to class beginning.

(If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site.) VMware Player is a free download that does not need a commercial license and is a viable option for this class.

MANDATORY LAPTOP HARDWARE REQUIREMENTS:

  • CPU: 2.0 GHz or faster (multi-core preferred)
  • RAM: 4 GB minimum (8 GB or more is recommended to get the most out of the course)
  • Host Operating System: Any version of Windows or Mac OS X that can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player)
  • Networking: Wireless 802.11 b/g/n capability
  • DVD/CD Combo drive
  • Hard Drive Space: ~60 Gigabytes of Free Space on your System Hard Drive (Note: The free space is needed for the SIFT Workstation VM and the evidence we will be adding to your system)
  • Local Admin: Students must have local administrator access on their host operating system

MANDATORY SYSTEM SOFTWARE REQUIREMENTS: (Please install the following prior to the beginning of the class):

  • Download and install VMware Workstation 8.0, VMware Fusion 5.0 or VMware Player 5.0 (higher versions are ok)
  • Download and install 7Zip
  • Bring a virtual machine image of Windows XP SP2/SP3 or Windows 7. (This will be used for memory acquisition techniques that are VM specific. In addition, we will be using some memory parsing tools that work solely on Windows. If obtaining a license for either version is not possible, see Lenny Zeltser's blog post on converting the Windows XP Mode Virtual PC image to VMware format.)

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Incident Response Team Members
  • Law Enforcement Officers
  • Forensic Examiners
  • Malware Analysts
  • Information Technology Professionals
  • System Administrators
  • And anybody who plays a part in the acquisition, preservation, forensics, or analysis of Microsoft Windows computers

 
  Prerequisites
  • All attendees should have some experience with computer networks and computer forensics.
  • Students should have strong command line skills.
 
  Why Take This Course?

This Course Prepares you to

  • Preserve and acquire the memory of Windows systems
  • Conduct brute-force searches for valuable artifacts such as full-content network data and encryption keys
  • Identify suspicious behavior on a Windows system without any prior knowledge of its nature
  • Recover and investigate programs and drivers to determine their true nature
  • Begin a detailed analysis of what the machine was truly doing

 
  What You Will Receive
  • SANS SIFT Workstation
  • Course DVD: Loaded with case examples, tools, and documentation
 
  You Will Be Able To
  • Utilize stream-based data parsing tools to extract AES encryption keys from a physical memory image to aid in the decryption of encrypted files and volumes, such as TrueCrypt and BitLocker
  • Gain insight into the current network activity of the host system by retrieving network packets from a physical memory image and examining them with a network packet analyzer
  • Inspect a Windows crash dump to discern processes, process objects, and the system state at the time of the crash using debugging tools such as kd, WinDBG, and livekd
  • Conduct live system memory analysis with the Sysinternals tool Process Explorer to collect real-time data on running processes, allowing for rapid triage
  • Using the SIFT workstation and in-depth knowledge of PE file modules in physical memory, extract and analyze packed and non-packed PE binaries from memory and compare them to their known disk-bound files
  • Discover key structures in memory, such as the BIOS keyboard buffer, the Kernel Debugger Data Block (KDBG), Executive Process (EPROCESS) structures, and handles, by signature and offset searching, gaining a deeper understanding of the inner workings of popular memory analysis tools
  • Analyze memory structures using high-level and low-level techniques to reveal hidden and terminated processes and extract processes, drivers, and memory sections for further analysis
  • Use a variety of means to capture memory images in the field, explaining the advantages and limitations of each method

 
  Press & Reviews

"In our field the recovery of encryption keys is vital and this class not only showed us what was there, but also how to recover them. Additionally it taught me how to track down malware and what effects it was having upon the system and other user data that was capable of being recovered." - Barry Friedman, NY State Police

"It is entirely possible that key evidence, and perhaps, the only evidence on a system, is resident in memory. This class will really help you develop your memory kung fu." - Anonymous

"This class was important to help us fine tune our policies on live memory capture. It introduced some tools and what they're capable of. It's an in-depth course that takes you from A to way past Z." - Barry Friedman, NY State Police

PRESS ARTICLES ABOUT THE FOR526 Windows Memory Forensics In-Depth COURSE:

NetworkWorld - New course teaches techniques for detecting the most sophisticated malware in RAM only

Security Bistro - New Training From SANS Institute: How To Discover If Malware Is Running In RAM Only On Your Systems

 

Author Statement

A forensic examiner is defined by their understanding of the technologies they work with. Somebody who understands what is happening under the hood will have an inherent advantage over somebody who does not. Peeking at the underlying data, poking at them manually, and coming to understand what they represent, is what this course is all about. Afterward, there are tools and methods which can automate many of these processes. But the results of those methods are useless if the examiner doesn't understand what they represent. This class will encourage you to try things out and ask questions. The classroom environment is for learning. If you get everything right the first time, you haven't learned anything! Here you will learn by doing, not listening. Memory analysis is the latest frontier in our field and presents opportunities we have not seen in some time. Taking this class is a great way to get started in this exciting new domain. The technologies involved will unlock some valuable doors. We haven't reached the limits of memory analysis by a long shot. In the near future there will be more advanced techniques and available data. It's important to build a strong foundation now!

-- Jesse Kornblum, Kyrus