What You Will Learn
ATTACKER TRACES ARE MOST VULNERABLE IN MEMORY. TIME TO GO HUNTING!
FOR532: Enterprise Memory Forensics In-Depth Course will help you to:
- Understand how Memory works in modern operating systems
- Learn how tools like volatility help you to sift the Memory for traces of an attack
- Understand structured and unstructured memory analysis in Windows and Linux operating systems
- Understand how Memory forensics fits into and speeds up modern incident response investigations
- Learn how to scale Memory forensics to thousands of machines all at once
- Learn how advanced attackers try to get around modern detection mechanisms
- Learn how to create your own tools for cutting-edge Memory analysis
Memory forensics is an integral part of successful incident response investigations. Over the last year, incident response procedures have grown from investigating single computer images at time to investigating hundreds of thousand machines all at once. In the beginning of every investigation, the attacker is way ahead. Incident responders need to find ways to get ahead of the attackers quickly and kick them out of our networks. While there has been a lot of light shed on scaling hard drive artifact-based investigations to large numbers of endpoints, the memory forensics part has been the neglected part of classical forensics for a while. This rapidly changes as many attacks are way more lilkely to be uncovered when looking into memory than with more classical means. Memory forensics ties into many disciplines in cyber investigations. From the classical law enforcement investigations that focus on user artifacts via malware analysis to large-scale hunting, memory forensics has several applications that for many teams are still terra incognita. The FOR532 Enterprise Memory Forensics In-Depth class strives to change that and speed up your incident response, your threat hunting, and your malware analysis significantly.
A major step to get started with memory forensics is to understand, that memory can be complex at times, but in a nutshell analyzing memory just means knowing what bytes at specific locations mean. In other terms, the better you can read the street map of memory, the more you can get out of it. For that reason, we will spend some time understanding how memory works. You will become familiar with key memory structures and what they mean.A clear understanding will help you understand how the different presented tools work and what their advantages and limitations are.
In memory forensics, the saying 'A fool with a tool is still a fool' is even more important than in classical forensics. Memory being a very dynamic kind of dataset can be easily misinterpreted which in real investigations can lead to false-negatives or send you down a rabbit hole quickly. For that reason, it is important to understand how the various tools work. Not every aspect you might need for an investigation will already be covered by a tool. Another aspect of the class is to understand what you need and how to use easy measures to get your hands on the data.
Finally, when you understand memory on one machine, it is time to scale your investigation to a larger number of machines. Both structured analysis as well as with unstructured analysis matter. We will use cutting edge toools to scale memory forensics in a unique way.
The digital evidence we leverage in the labs is designed to resemble real cases the author came across in his career. You will be working on the evidence a significant amount of time in many different labs. As it is important to understand how attackers leave certain traces, every now and then you will be asked to switch sides and attack a system that you later analyze. This approach enables incident responders to have a 360 degree view on modern incident response analysis.
In the second half of day 4 you can put your newly acquired knowledge into action in a scoreboard-style capture the flag. You will be presented with new evidence that was built based on real-world cases and score points for correctly answered questions. Regardless of how new you are to memory forensics, there will be interesting traces for you to find in the evidence.
The main goal of the class is to demonstrate, that memory forensics is not as complicated as it seems at first. You will get a set of techniques and tools to add a lot of value to your investigations by saving time and resources as well as rendering results you would not have gotten by using classical IR tactics. Add memory forensics to your toolchest now to battle evil faster and more efficiently even at scale.
FOR532 ENTERPRISE MEMORY FORENSICS IN-DEPTH COURSE TOPICS:
- Integrate Memory forensics into their investigation workflow
- Acquire Memory on single machines with Linux, Windows and MacOS
- Acquire interesting Memory parts from many machines
- Understand how Memory works
- Identify the key Memory structures
- Effortlessly walk through the memory using volshell to identify even more traces of an attack and better understand how malware can hide
- Find malware using a standardized process
- Uncover malware capabilities and configurations
- Understand which attacker actions lead to which traces in Memory
- Understand DKOM (direct kernel object manipulation)
- Understand advanced detection countermeasures that attackers apply to beat EDRs and other detection mechanisms
- Extract memory artifacts needed for the investigation
- Extract and understand user artifacts that tell you what happened on a system
- Counter ransomware actors by identifying exfiltration credentials
- Analyze Memory dumps of single processes with windbg
- Use volatility 2 and 3 to find analyze Memory images
- Understand what options malware authors have to hide the presence of malware or make investigations harder
- Analyze Memory in structured and unstructured ways
- Analyze Memory in a team approach (using centralized analysis servers)
- Write your own tools to fill the gaps of current tools
- Write your own volatility plugin
- Scale Memory forensics to thousands of machines
- Automate parts of Memory forensics
- Leverage frequency of occurence analysis (stacking) to single out machines that need a closer look
Syllabus (24 CPEs)Download PDF
For many incident responders, the inner workings of memory are still terra incognita. Yet, many cases can be solved faster by looking into memory.
The first step towards successful memory forensics is understanding how memory works. Even with the variety of different operating systems, how memory exists is more similar than many would think.
On day 1 we will start looking into the inner workings of memory. We then move on to explore different ways of extracting memory from various operating systems (Windows and Linux, 64 and 32 bit). This includes virtual machines and techniques supporting cloud workloads.
To work with memory, we will leverage volatility 2 and volatility 3 in the labs. There are differences in these versions that will clarify when its best to use one vs the other. We then deep-dive into memory objects using volshell to display that dereferencing memory objects is not as complicated as it might seem.
Once you understand the major memory objects and their use in forensics investigations, we will investigate memory management and how that affects our investigations.
Finally, we work on a 5-step process to rapidly identify malware in memory. We differentiate between malware that runs as its own process and malware code that runs in the realm of another process.
- SIFT Workstation orientation
- Memory Extrcation (Windows & Linux)
- Volshell understand Memory layouts
- Find the malware
- Find the hidden malware (network)
- Fundamentals of Memory
- What is the role of Memory
- Quick wins in Memory forensics
- Kernel Memory vs. Process Memory
- Which Memory artifacts survive a reboot
- History of Memory forensics
- Order of volatility in Memory
- Memory acquisition challenges
- Memory acquisition in practice
- Targeted memory acquisition
- Introduction to Volatility
- Volatility capabilities
- Version 2 vs. version 3
- Volatility 3 layers
- Symbols and types
- Volatility usage
- Understanding Memory Structures
- Understanding byte order
- Basics of Memory objects
- Memory forensics vs. debugging
- Key Memory objects
- Doubly-linked lists in memory
- Object headers
- Memory Management
- Page layout and addressing
- Virtual Memory
- Memory scrambling
- Finding Malware
- Preliminary steps
- Understand the 5-step process
- Locate hidden processes
- 6 process factors
- Network-object based malware detection
During an intrusion, using memory analysis sometimes feels like cheating. Finding active malware should not be this easy.
Malware authors spend a lot of time to hide their malware better. They have one major disadvantage. Malware can hide, but it must run. That means, that the malicious code must eventually hit the CPU in plain sight. Even well-written malware is most vulnerable in memory. On day two we start focusing on well-hidden malware that runs in the memory space of legitimate processes or even interacts directly with the kernel. You will get the chance to manually mimic malware by altering the process list using Direct Kernel Object Manipulation (DKOM). This allows you to better understand how simple hiding techniques can be and that the inner workings of an operating system are nothing monolithic where you cannot change things.
We will also look at windbg which is a free Microsoft tool that supports live memory analysis and even alteration in a running operating system. You can even use it remotely over the network.
A large part of the day focuses on memory-based artifacts that allow you to tell the story of an attack. Often attackers do not install malware on every endpoint they access. Instead, they jump there using legitimate tools like Remote Desktop or psexec. We, as defenders, must remain vigilant to understand what they did on these systems. Memory can give you a quick shot at their actions.
Finally, sometimes it is the legitimate user of a machine who misueses IT assets for criminal actions. There are several artifacts in memory that allow investigators to get a better idea about what users have done most recently on commputers. It includes the extraction of encryption keys and even Facebook chat messages. This can be valuable for internal and criminal investigations. We will also focus on how the corresponding volatility plugins work so you will be able to write your own later in the class.
- Memory Injection
- Manual DKOM
- Memory Artifact extraction
- Finding Malware - Injection
- How does Memory injection work
- Import Address Table (IAT)
- Load Order Hijacking
- Process Hollowing
- Reflective Loading
- Atom Bombing
- Volatility plugins to detect injection
- Finding Malware - Hooks
- What are hooks
- How to write a hook (simplified)
- SSDT Hooks
- IRP Hooks
- IDT Hooks
- IAT Hooks
- Volatility plugins to analyze hooks
- DKOM (Direct Kernel Object Manipulation)
- What is DKOM
- Userland vs. Kernel
- DKOM in Malware
- Frequently modified structures
- Countermeasures against DKOM
- Userland Object manipulation
- Fundamentals of Windbg
- Using Windbg to identify and understand malware
- Limitations of Windbg
- Artifact extraction
- Process Artifacts
- Extraction strategies
- Limits of process extraction
- User Artifacts
- Types of user artifacts (Red Poster)
- Registry hives in memory vs. on hard drive
- Limits of EDRs
- Case samples
Many responders think that Memory forensics is something for single host investigations. They could not be more wrong.
This part of the course focuses on scaling memory forensics. Current tools allow incident responders to scale core memory forensics techniques to thousands of machines all at once. This drastically reduces survivability of an attacker. We will introduce the memory capabilities of a tool called velociraptor which is the incident response swiss army knife that we also use in the FOR508 and FOR608 classes to demonstrate large-scale repones. Modern incident response comes with a lot of challenges. One of them is resource management. We will also shed light on when memory forensics is the right approach in an investigation and how it can be built into an IR process efficiently.
For thisreason we also dive into memory forensics automation. If you do something the same way more than twice, you should think about automating it to save time in the future. Another important point for large scale response is collaboration and knowledge transfer. We will focus on how to establish that in memory forensics.
As enterprise networks are rarely ever Windows-only, we will discuss Linux memory forensics. That is particularly important as often attackers enter the network via external facing machines and appliances. Memory might give you a quick shot to identify what is actually going on.
Sometimes it is better and faster to leverage unstructured memory analysis rather than a structured analysis. We will focus on the major techniques to apply unstructured analysis techniques locally and in scale.
- DWARF & /proc
- Configure Velociraptor for Memory forensics
- Write your own velociraptor artifact
- Node-red automation
- Unstructured Memory analysis
- Linux memory forensics
- Linux Kernel
- Linux Symbols
- The /proc filesystem
- Scaling memory forensics
- Possible solutions
- Integrating into enterprise IR tactics
- Remote Memory acquisition
- Scaling techniques in IR
- Velociraptor artifacts
- Automated Processing
- Volatility automation considerations
- Requirements for automation
- Node-Red for IR automation
- Collaborative investigations
- Resource management in IR
- Jupyter Notebooks
- Unstructered memory analys is
- Structured vs. unstructured analysis
- Tools and techniques
- Large-scale unstructured analysis
Memory forensics is a cutting-edge field. That means that many possibilities have not been explored yet. So it makes sense to be able to push the current borders of memory forensics further.
Today's enterprise infrastructures heavily rely on containerization. The main representative of that is docker. In this section we will have a shot at docker memory forensics. You will experience how attackers gain access to docker containers firsthand and then you will investigate the breach yourself.
As volatility 3 is powerful but still lacks a large number of plugins compared to volatility 2, we will dig into how to write our own psxview plugin for volatility 3. Based on that you will be able to build a plugin for every technique you applied using volshell.
Memory is short-lived is what we hear a lot. This is not quite true. First of all, servers keep running for long stretches of time and even than they are rarely switched off but rebooted. Secondly most people do not fully shutdown their machines which also preserves a number of memory artifacts. Finally, there are a few portions of memory that are preserved on the hard drive for indefinite amounts of time. These might make the difference between success and failure in critical investigations.
We will investigate page files, hibernation files, and crash dumps.
Finally, you can test your knowledge in a scoreboard-style capstone.
- Docker Memory forensics
- Write your own volatility plugin
- Docker Memory forensics
- Docker basics
- Useful docker commands
- Find and extract container process Memory
- Docker in enterprise setups
- Custom volatility plugins
- How do plugins work in volatility 3
- Our plugin idea
- Pagefiles & Hibernation
- Page files and challenges
- Hibernation in modern OS
- FOR532 is an advanced enterprise memory forensics course that focuses on detecting and responding to advanced persistent threats by applying memory forensics at scale. We do not cover the introduction or basics of incident response, Windows digital forensics, or hacker techniques in this course.
- We recommend that you should have a background in one of the following SANS courses: FOR500, FOR508, or equivalent training.
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
This is common sense, but we will say it anyway. Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS can't responsible for your system or data.
MANDATORY FOR532 SYSTEM HARDWARE REQUIREMENTS:
- CPU: 64-bit Intel i5/i7 (4th generation+) - x64 bit 2.0+ GHz processor or more recent processor is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)
- CRITICAL NOTE: Apple systems using the M1 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
- It is critical that your CPU and operating system support 64-bit so that our 64-bit Intel-based guest virtual machine will run on your laptop. VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit Intel-based capability for your particular model.
- BIOS settings must be set to enable virtualization technology, such as "Intel-VT"
- Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary. Test it!
- 32 GB of RAM is highly recommended. 16 GB (Gigabytes) of RAM is minimum.
- 350 Gigabytes of Free Space - Note that about 150 GB is required for downloaded evidence files. This data can be stored on an external drive
- Local Administrator Access is required. This is absolutely required. Don't let your IT team tell you otherwise. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
- Wireless 802.11 Capability
MANDATORY FOR532 HOST OPERATING SYSTEM REQUIREMENTS:
- Host Operating System: Latest version of Windows 10 or macOS 10.15.x
- Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
PLEASE INSTALL THE FOLLOWING SOFTWARE PRIOR TO CLASS:
- Download and install VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+ on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website
- Download and install 7Zip (for Windows Hosts) or Keka (macOS)
Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure. SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
"During my incident response career memory forensics has guaranteed many break throughs in difficult investigations. Todays detection and prevention stacks often use memory observations to detect evil. At the same time, many incident response teams only use memory forensics on single machines if at all. They miss out on many opportunities to speed up their investigations.
Just recently I came across a case where analysts restaged a machine an EDR alerted on. A classical incident response investigation using a major EDR did not render any useful results. Two months later the EDR raised the same alert, but this time on a number of machines. I chose to acquire the memory image of the suspicious process. Simple string analysis on the dump revealed what kind of malware it was within minutes.
With this class, I want to show, that memory forensics should be an integral part of incident response investigations. I do understand that memory seems to be overwhelmingly complex at first (that is a feeling I know too well), but after taking this class, you will easily navigate through memory and be even able to write your own volatility plugins that meet your investigation needs.
Large-scale investigations also come with non-technical requirements like ways to collaborate analyzing the same evidence. We will cover that part as well.
Let us leverage the fact, that it is nearly impossible for attackers to fully hide in memory to root out evil." - Mathias Fuchs