What You Will Learn
ATTACKER TRACES ARE MOST VULNERABLE IN MEMORY. TIME TO GO HUNTING!
FOR532: Enterprise Memory Forensics In-Depth Course will help you to:
- Understand how memory works in modern operating systems
- Learn how tools like volatility help you to sift the memory for traces of an attack
- Understand structured and unstructured memory analysis in Windows and Linux operating systems
- Understand how memory forensics fits into and speeds up modern incident response investigations
- Learn how to scale memory forensics to thousands of machines all at once
- Learn how advanced attackers try to get around modern detection mechanisms
- Learn how to create your own tools for cutting-edge memory analysis
Memory forensics is an integral part of a successful incident response investigation. Over the last years, incident response procedures have grown from investigating single computer images at a time to investigating hundreds of thousands of machines at once. At the beginning of every investigation, the attacker is way ahead. We as incident responders need to find ways to get ahead of the attackers quickly and kick them out of our networks. While a lot of light has been shed on scaling hard-drive-artifact-based investigations to large numbers of endpoints, memory forensics has been the neglected part of classical forensics for a while. This is changing rapidly, as many attacks are far more likely to be uncovered by looking into memory than with more classical means. Memory forensics ties into many disciplines in cyber investigations. From classical law enforcement investigations that focus on user artifacts, via malware analysis, to large-scale hunting, memory forensics has a number of applications that for many teams are still terra incognita. The FOR532 Enterprise Memory Forensics In-Depth class strives to change that and to speed up your incident response, your threat hunting and your malware analysis significantly.
A major step in getting started with memory forensics is to understand that memory can be complex at times, but in a nutshell analyzing memory just means knowing what certain bytes at specific locations mean. In other words, the better you can read the street map of memory, the more you can get out of it. For that reason we will spend some time understanding how exactly memory works. You will become very familiar with key memory structures and what they tell you. That helps you to better understand how the different tools presented work, and what their advantages and limitations are.
In memory forensics, the saying 'A fool with a tool is still a fool' is even more important than in classical forensics. Memory is a very dynamic kind of dataset and can easily be misinterpreted, which in real investigations can lead to false negatives or send you down a rabbit hole quickly. For that reason, it is important to understand how the various tools work. Not every aspect you might need for an investigation will already be covered by a tool, so another aspect of the class is to understand what you need and to use simple means to get your hands on the data.
Finally, once you understand memory on one machine, it is time to scale your investigation to a larger number of machines. That works with structured analysis as well as with unstructured analysis. We will use cutting-edge tools to scale memory forensics in a unique way.
The digital evidence we will use is set up to resemble real cases the author came across in his career. You will be working on the evidence for a significant amount of time in many different labs. As it is important to understand how attackers leave certain traces, every now and then you will be asked to switch sides and attack a system that you later analyse. That gives you a 360-degree view of modern incident response analysis.
In the second half of day 4 you can put your newly acquired knowledge into action in a scoreboard-style capture the flag. You will be presented with new evidence that was built based on real-world cases and score points. Regardless of how new you are to memory forensics, there will be interesting traces for you to find in the evidence.
The main goal of the class is to demonstrate that memory forensics is not as complicated as it seems at first. You will get a set of techniques and tools that add a lot of value to your investigations by saving time and resources as well as rendering results you would not have gotten using classical IR tactics. Add memory forensics to your tool chest now to battle evil faster and more efficiently, even at scale.
FOR532 ENTERPRISE MEMORY FORENSICS IN-DEPTH COURSE TOPICS:
- Integrate memory forensics into your investigation workflow
- Acquire memory on single machines running Linux, Windows and macOS
- Acquire interesting memory parts from many machines
- Understand how memory works
- Identify the key memory structures
- Effortlessly walk through memory using volshell to identify even more traces of an attack and to better understand how malware can hide
- Find malware using a standardized process
- Uncover malware capabilities and configurations
- Understand which attacker actions lead to which traces in memory
- Understand DKOM (direct kernel object manipulation)
- Understand advanced detection countermeasures that attackers apply to beat EDRs and other detection mechanisms
- Extract memory artifacts needed for the investigation
- Extract and understand user artifacts that tell you what happened on a system
- Counter ransomware actors by identifying the credentials used for exfiltration
- Analyse memory dumps of single processes with WinDbg
- Use volatility 2 and 3 to analyze memory images
- Understand what options malware authors have to hide the presence of malware or make investigations harder
- Analyze memory in structured and unstructured ways
- Analyze memory in a team approach (using centralized analysis servers)
- Write your own tools to fill the gaps of current tools
- Write your own volatility plugin
- Scale memory forensics to thousands of machines
- Automate parts of memory forensics
- Leverage frequency-of-occurrence analysis (stacking) to single out machines that need a closer look
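Stacking, as listed in the last topic above, is simple enough to show in a few lines. The following is an added example and not FOR532 course material: it takes per-host process listings (a constructed sample; in practice these would come from a Velociraptor hunt or from batch volatility runs across the fleet) and ranks the least common (name, path) combinations. Two details matter in practice and are built in: each item is counted once per host rather than once per process, and paths are case-normalised so collectors that report C:\WINDOWS and C:\Windows do not split one stack into two. The demo also contrasts stacking on the process name alone, which misses a correctly named svchost.exe started from a temp directory, with stacking on name and path, which isolates it.

```python
"""Frequency-of-occurrence analysis ("stacking") over per-host process listings.

Added example, not FOR532 course material. The record format (one tuple per
running process per host) and all the sample data are constructed; in a real
hunt the records would come from a Velociraptor hunt or batch volatility runs.
"""
from collections import defaultdict

# Constructed fleet of four workstations. All run the same baseline. WS-0002
# reports its paths in a different case (common with different collectors),
# WS-0003 runs a look-alike binary and WS-0004 runs a correctly named
# svchost.exe from a user-writable directory.
SAMPLE_RECORDS = [
    ("WS-0001", "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("WS-0001", "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    ("WS-0001", "explorer.exe", r"C:\Windows\explorer.exe"),
    ("WS-0002", "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    ("WS-0002", "lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    ("WS-0002", "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("WS-0003", "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("WS-0003", "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    ("WS-0003", "explorer.exe", r"C:\Windows\explorer.exe"),
    ("WS-0003", "svch0st.exe", r"C:\Users\Public\svch0st.exe"),
    ("WS-0004", "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("WS-0004", "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    ("WS-0004", "explorer.exe", r"C:\Windows\explorer.exe"),
    ("WS-0004", "svchost.exe", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"),
]

def by_name_and_path(rec):
    """Stacking key: normalise case so collector differences do not split the stack."""
    return (rec[1].lower(), rec[2].lower())

def by_name(rec):
    """Weaker key: process name only (misses renamed/relocated system binaries)."""
    return rec[1].lower()

def stack(records, key=by_name_and_path):
    """Map each key to the set of hosts it was seen on. Counting hosts, not
    processes, keeps a box with 40 svchost.exe instances from skewing the stack."""
    hosts = defaultdict(set)
    for rec in records:
        hosts[key(rec)].add(rec[0])
    return hosts

def rare_items(hosts_by_key, total_hosts, max_fraction=0.25):
    """Keys present on at most max_fraction of the fleet, rarest first.
    Returns [(key, sorted_hosts), ...]."""
    threshold = max(1, int(total_hosts * max_fraction))
    rare = [(k, sorted(h)) for k, h in hosts_by_key.items() if len(h) <= threshold]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))

def host_count(records):
    return len({rec[0] for rec in records})

if __name__ == "__main__":
    n = host_count(SAMPLE_RECORDS)
    print("stacking on name only:")
    for key, hosts in rare_items(stack(SAMPLE_RECORDS, by_name), n):
        print(f"  {key:<14} {hosts}")
    print("stacking on (name, path):")
    for (name, path), hosts in rare_items(stack(SAMPLE_RECORDS), n):
        print(f"  {name:<14} {path}  {hosts}")
```

Name-only stacking reports just svch0st.exe on WS-0003; stacking on name and path additionally surfaces the svchost.exe under the user's Temp folder on WS-0004. The same function works for any stackable attribute (loaded DLL paths, service names, hashes of injected regions) by swapping the key function.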
Syllabus (24 CPEs)
For many incident responders, the inner workings of memory are still terra incognita. Yet many cases can be solved faster by looking into memory.
The first step towards successful memory forensics is understanding how memory works. Interestingly, at this low level different operating systems are far more similar than their high-level interfaces suggest.
On day 1 we start looking into the inner workings of memory. We then move on to explore different ways of extracting memory from various operating systems (Windows and Linux, 64 and 32 bit). That includes virtual machines, and some of the techniques also work on cloud workloads.
To actually work with memory we start using volatility 2 and volatility 3 right away. You will learn the differences between the two versions and why it might still make sense to use volatility 2 every now and then.
We then deep-dive into memory objects using volshell to show that dereferencing memory objects is not as complicated as it might seem at first.
Once you understand the major memory objects and their use in forensic investigations, we look into memory management and how it affects our investigations.
Finally we work on a 5-step process to identify malware in memory quickly. There we differentiate between malware that runs as its own process and malware code that runs inside the address space of another, legitimate process.
- SIFT Workstation orientation
- Memory Extraction (Windows & Linux)
- Volshell: understanding memory layouts
- Find the malware
- Find the hidden malware (network)
- Fundamentals of Memory
- What is the role of memory
- Quick wins in memory forensics
- Kernel Memory vs. Process Memory
- Which memory artifacts survive a reboot
- History of memory forensics
- Order of volatility in memory
- Memory acquisition challenges
- Memory acquisition in practice
- Targeted memory acquisition
- Introduction to volatility
- Volatility capabilities
- Version 2 vs. version 3
- Volatility 3 layers
- Symbols and types
- Volatility usage
- Understanding Memory Structures
- Understanding byte order
- Basics of memory objects
- Memory forensics vs. debugging
- Key memory objects
- Doubly-linked lists in memory
- Object headers
- Memory Management
- Page layout and addressing
- Virtual memory
- Memory scrambling
- Finding Malware
- Preliminary steps
- Understand the 5-step process
- Locate hidden processes
- 6 process factors
- Network-object based malware detection
During an intrusion, using memory analysis sometimes feels like cheating. Finding active malware should not be this easy.
Malware authors spend a lot of time hiding their malware better. They have one major disadvantage: malware can hide, but it must run. That means the malicious code must eventually hit the CPU in the clear. So even well-written malware is most vulnerable in memory. On day 2 we start focusing on well-hidden malware that runs in the memory space of legitimate processes or even interacts directly with the kernel. You will get the chance to manually mimic malware by altering the process list using Direct Kernel Object Manipulation (DKOM). This allows you to better understand how simple hiding techniques can be, and that the inner workings of an operating system are nothing monolithic where you cannot change things.
We will also look at WinDbg, a free Microsoft tool that supports live memory analysis and even alteration of a running operating system. You can even use it remotely over the network.
A large part of the day focuses on memory-based artifacts that allow you to tell the story of an attack. Very often attackers do not even install malware on every endpoint they access; they rather jump there using legitimate tools like Remote Desktop or PsExec. We as defenders are still interested in what they did on these systems. Memory can give you a quick shot at their actions.
Finally, sometimes it is the legitimate user of a machine who misuses IT assets for criminal actions. There are a number of artifacts in memory that allow investigators to get a better idea of what users have done on their computers recently. That includes the extraction of encryption keys and even Facebook chat messages. This can be very valuable for internal and police investigations. We will also focus on how the corresponding volatility plugins work so you will be able to write your own later in the class.
- Memory Injection
- Manual DKOM
- Memory Artifact extraction
- Finding Malware - Injection
- How does memory injection work
- Import Address Table (IAT)
- Load Order Hijacking
- Process Hollowing
- Reflective Loading
- Atom Bombing
- Volatility plugins to detect injection
- Finding Malware - Hooks
- What are hooks
- How to write a hook (simplified)
- SSDT Hooks
- IRP Hooks
- IDT Hooks
- IAT Hooks
- Volatility plugins to analyze hooks
- DKOM (Direct Kernel Object Manipulation)
- What is DKOM
- Userland vs. Kernel
- DKOM in Malware
- Frequently modified structures
- Countermeasures against DKOM
- Userland Object manipulation
- Fundamentals of Windbg
- Using Windbg to identify and understand malware
- Limitations of Windbg
- Artifact extraction
- Process Artifacts
- Extraction strategies
- Limits of process extraction
- User Artifacts
- Types of user artifacts (Red Poster)
- Registry hives in memory vs. on hard drive
- Limits of EDRs
- Case samples
Memory forensics is something for single-host investigations, is what many responders think today. They could not be more wrong.
This part focuses on scaling memory forensics. Current tools allow incident responders to scale core memory forensics techniques to thousands of machines all at once. This reduces the survivability of an attacker even more. We will introduce the memory capabilities of Velociraptor, the incident response Swiss army knife that we also use in the FOR508 and FOR608 classes to demonstrate large-scale response. Modern incident response comes with a lot of challenges. One of them is resource management. We will also shed light on how to decide whether memory forensics is the right way to answer a question, and how it can be built into an IR process efficiently.
For that reason we also dive into memory forensics automation. If you do something the same way more than twice, you should think about automating it to save time in the future. Another important point for large-scale response is collaboration and knowledge transfer. We will focus on how to establish that in memory forensics.
As enterprise networks are rarely Windows-only, we will discuss Linux memory forensics. That is particularly important as attackers often enter the network via external-facing machines and appliances. Memory might give you a quick shot at identifying what is going on.
Sometimes it is better and faster to leverage unstructured memory analysis rather than structured analysis. We will focus on the major techniques to apply unstructured analysis locally and at scale.
- DWARF & /proc
- Configure Velociraptor for memory forensics
- Write your own velociraptor artifact
- Node-red automation
- Unstructured memory analysis
- Linux memory forensics
- Linux Kernel
- Linux Symbols
- The /proc filesystem
- Scaling memory forensics
- Possible solutions
- Integrating into enterprise IR tactics
- Remote memory acquisition
- Scaling techniques in IR
- Velociraptor artifacts
- Automated Processing
- Volatility automation considerations
- Requirements for automation
- Node-Red for IR automation
- Collaborative investigations
- Resource management in IR
- Jupyter Notebooks
- Unstructured memory analysis
- Structured vs. unstructured analysis
- Tools and techniques
- Large-scale unstructured analysis
Memory forensics is a cutting-edge field. That means that many possibilities have not been explored yet. So it makes sense to be able to push the current borders of memory forensics further.
Today's enterprise infrastructures rely more and more on containerization. The main representative of that is Docker. In this section we will have a shot at Docker memory forensics. You will experience first hand how attackers gain access to Docker containers, and then you will investigate the breach yourself.
As volatility 3 is powerful but still lacks a large number of plugins compared to volatility 2, we will dig into how to write our own psxview plugin for volatility 3. Based on that you will be able to build a plugin for every technique you applied using volshell.
'Memory is short-lived' is what we hear a lot. This is not quite true. First of all, servers keep running for long stretches of time, and even then they are rarely switched off but rebooted. Secondly, most people do not fully shut down their machines anymore, which also preserves a number of memory artifacts. Finally, there are a few portions of memory that are preserved on the hard drive for indefinite amounts of time. These might make the difference between success and failure in critical investigations.
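The psxview idea, and the DKOM exercise from day 2 it detects, both come down to the day 1 material on doubly-linked lists and reading bytes at offsets. The following is an added example, not FOR532 material and not volatility code, that shows the logic end to end on a constructed memory image: the object layout, the addresses and the image itself are made up (real _EPROCESS offsets come from the symbol tables volatility 3 loads), but the mechanics are the real ones. The active process list is a circular doubly-linked list whose LIST_ENTRY is embedded inside each object, so an object base is the entry address minus the link offset; a DKOM rootkit hides a process by pointing its neighbours at each other and leaving the hidden object intact; and a process that a tag scan finds but the list walk does not is the cross-view indicator psxview reports.

```python
"""Cross-view process detection (the idea behind psxview) on a constructed image.

Added example, not FOR532 material and not volatility code. The object layout,
addresses and the whole memory image below are made up; real _EPROCESS offsets
come from the symbol tables volatility 3 loads.
"""
import struct

# Constructed _PROC layout, little-endian, 40 bytes:
#   +0  char tag[4]   pool-tag stand-in, b"Proc"
#   +4  u32  pid
#   +8  u64  flink    } LIST_ENTRY embedded in the object, so a list pointer
#   +16 u64  blink    } is object base + LINKS_OFF
#   +24 char name[16]
TAG, LINKS_OFF = b"Proc", 8
PROC_FMT = "<4sIQQ16s"
PROC_SIZE = struct.calcsize(PROC_FMT)
HEAD_ADDR = 0x100          # stand-in for PsActiveProcessHead (a bare LIST_ENTRY)
IMAGE_SIZE = 0x1000

def read_u64(mem, addr):
    return struct.unpack_from("<Q", mem, addr)[0]

def write_u64(mem, addr, value):
    struct.pack_into("<Q", mem, addr, value)

def read_proc(mem, base):
    """Dereference one object at its base address into a dict."""
    tag, pid, flink, blink, name = struct.unpack_from(PROC_FMT, mem, base)
    return {"base": base, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode(errors="replace")}

def build_image(processes):
    """processes = [(base, pid, name)]; write them and link all into the active list."""
    mem = bytearray(IMAGE_SIZE)
    entries = [HEAD_ADDR] + [base + LINKS_OFF for base, _, _ in processes]
    n = len(entries)
    write_u64(mem, HEAD_ADDR, entries[1 % n])          # head.flink
    write_u64(mem, HEAD_ADDR + 8, entries[-1])         # head.blink
    for i, (base, pid, name) in enumerate(processes, start=1):
        struct.pack_into(PROC_FMT, mem, base, TAG, pid,
                         entries[(i + 1) % n], entries[i - 1], name.encode())
    return mem

def dkom_unlink(mem, base):
    """What a DKOM rootkit does to hide a process: make prev and next point at
    each other. The hidden object is untouched and still points into the list."""
    entry = base + LINKS_OFF
    flink, blink = read_u64(mem, entry), read_u64(mem, entry + 8)
    write_u64(mem, blink, flink)       # prev.flink = next
    write_u64(mem, flink + 8, blink)   # next.blink = prev

def walk_active_list(mem, head=HEAD_ADDR, limit=10000):
    """Structured view: follow flink from the head until it wraps around.
    The limit guards against a corrupted or deliberately looped list."""
    pids = []
    entry = read_u64(mem, head)
    while entry != head and len(pids) < limit:
        pids.append(read_proc(mem, entry - LINKS_OFF)["pid"])  # entry -> object base
        entry = read_u64(mem, entry)
    return pids

def scan_for_procs(mem, align=8):
    """Unstructured view: carve every aligned object carrying the tag, linked or
    not. Real scans also hit freed/terminated objects: scan-only is a lead, not proof."""
    found, off = [], mem.find(TAG)
    while off != -1:
        if off % align == 0 and off + PROC_SIZE <= len(mem):
            found.append(read_proc(mem, off))
        off = mem.find(TAG, off + 1)
    return found

def cross_view(mem):
    """pid -> {name, list, scan}; rows with scan=True and list=False are the finding."""
    linked = set(walk_active_list(mem))
    return {p["pid"]: {"name": p["name"], "list": p["pid"] in linked, "scan": True}
            for p in scan_for_procs(mem)}

def hidden_pids(mem):
    return sorted(pid for pid, row in cross_view(mem).items() if not row["list"])

# Constructed scenario: four processes; a rootkit then unlinks evil.exe.
PROCS = [(0x200, 4, "System"), (0x300, 300, "smss.exe"),
         (0x400, 1200, "explorer.exe"), (0x500, 1337, "evil.exe")]

def demo_image():
    mem = build_image(PROCS)
    dkom_unlink(mem, 0x500)
    return mem

if __name__ == "__main__":
    mem = demo_image()
    print("list walk:", walk_active_list(mem))                     # [4, 300, 1200]
    print("tag scan :", [p["pid"] for p in scan_for_procs(mem)])  # [4, 300, 1200, 1337]
    print("hidden   :", hidden_pids(mem))                          # [1337]
```

A real volatility 3 plugin follows the same shape: one source built from the kernel's list walk (pslist), one from scanning (psscan), and a table that marks where each process is present. The more independent views you add (handle tables, thread lists, session lists), the harder it is for a rootkit to unlink itself from all of them consistently.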
We will look into page files, hibernation files, and crash dumps.
Finally you can test your knowledge in a scoreboard-style capstone.
- Docker memory forensics
- Write your own volatility plugin
- Docker memory forensics
- Docker basics
- Useful Docker commands
- Find and extract container process memory
- Docker in enterprise setups
- Custom volatility plugins
- How do plugins work in volatility 3
- Our plugin idea
- Pagefiles & Hibernation
- Page files and challenges
- Hibernation in modern OS
- FOR532 is an advanced enterprise memory forensics course that focuses on detecting and responding to advanced persistent threats by applying memory forensics at scale. We do not cover the introduction or basics of incident response, Windows digital forensics, or hacker techniques in this course.
- We recommend that you have a background in one of the following SANS courses: FOR500, FOR508, or equivalent training.
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
This is common sense, but we will say it anyway: back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS cannot be responsible for your system or data.
MANDATORY FOR532 SYSTEM HARDWARE REQUIREMENTS:
- CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
- CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
- It is critical that your CPU and operating system support 64-bit so that our 64-bit Intel-based guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit Intel-based capability for your particular model.
- BIOS settings must be set to enable virtualization technology, such as "Intel-VT"
- Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
- 32 GB of RAM is highly recommended. 16 GB (Gigabytes) of RAM is minimum.
- 350 Gigabytes of Free Space - Note that about 150 GB is required for downloaded evidence files. This data can be stored on an external drive
- Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
- Wireless 802.11 Capability
MANDATORY FOR532 HOST OPERATING SYSTEM REQUIREMENTS:
- Host Operating System: Latest version of Windows 10 or macOS 10.15.x
- Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
- Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website
- Download and install 7Zip (for Windows Hosts) or Keka (macOS)
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure. SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
During my incident response career, memory forensics has guaranteed many breakthroughs in difficult investigations. Today's detection and prevention stacks often use memory observations to detect evil. At the same time, many incident response teams only use memory forensics on single machines, if at all. They miss out on many opportunities to speed up their investigations.
Just recently I came across a case where analysts restaged a machine an EDR alerted on. A classical incident response investigation using a major EDR did not render any useful results. 2 months later the EDR raised the same alert, but this time on a number of machines. I chose to acquire the memory image of the suspicious process. Simple string analysis on the dump revealed what kind of malware it was within minutes.
With this class, I want to show that memory forensics should be an integral part of incident response investigations. I do understand that memory seems overwhelmingly complex at first (that is a feeling I know too well), but after taking this class, you will easily navigate through memory and even be able to write your own volatility plugins that meet your investigation needs.
Large-scale investigations also come with non-technical requirements like ways to collaborate analyzing the same evidence. We will cover that part as well.
Let us leverage the fact that it is nearly impossible for attackers to fully hide in memory to root out evil. - Mathias Fuchs