FOR526 Beta

Denver, CO | Mon, Nov 5 - Fri, Nov 9, 2012

FOR526: Memory Forensics In-Depth Sold Out

Alissa brings memory dumps back to life.

Stephanie Denis, Canadian Police College

The SANS Institute is currently the leader in the commercial IR and Computer Forensic training market. They have a large number of quality courses.

Jason Luttgens, Matthew Pepe, Kevin Mandia, Incident Response & Computer Forensics, Third Edition - July 2014

FOR526 - Memory Analysis In-Depth is a critical course for any serious investigator who wishes to tackle advanced forensic and incident response cases. Memory analysis is now a crucial skill for any investigator who is analyzing intrusions.

Malware can hide, but it must run -- this malware paradox is key to understanding that while intruders are becoming more advanced with anti-forensic tactics and techniques, it is impossible for them to hide their footprints completely from a skilled incident responder performing memory analysis. Learn how memory analysis works by studying memory structures and context, memory analysis methods, and the current tools used to parse system RAM.

Attackers will use anti-forensic techniques to hide their tracks. They use rootkits, file wiping, timestamp adjustments, privacy cleaners, and complex malware to hide in plain sight avoiding detection by standard host-based security measures. Every action that adversaries make will leave a trace; you merely need to know where to look. Memory analysis will give you the edge that you need in order to discover advanced adversaries in your network.

FOR526 - Memory Analysis In-Depth is one of the most advanced courses in the SANS Digital Forensics and Incident Response Curriculum. This cutting-edge course covers everything you need to step through memory analysis like a pro.

FIGHT CRIME. UNRAVEL INCIDENTS... ONE BYTE AT A TIME.

Course Syllabus


Jesse Kornblum
Mon Nov 5th, 2012
9:00 AM - 5:00 PM

Overview

Memory forensics is the study of operating systems, and operating systems, in turn, work extensively with the processor and its architecture. Before we can begin a meaningful analysis of the operating system, we must therefore understand how the underlying components work and fit together. This section explains a number of technologies that are used in modern computers and how they have evolved to where they are today.

Computer memory is a fantastic resource for the forensic investigator even without considering any operating system structures. There are data in memory that are simply not found anywhere else. Without even knowing which operating system was being used, an examiner can glean information that could be critical to a case. These data are generated by the underlying architecture or standards outside of the operating system. In particular, we focus on encryption keys and network packets. These two resources are not part of traditional forensics, but can provide invaluable data to the memory forensics investigator!

While conducting brute force searches for these structures, we are also starting to gather data for examining the operating system later on. Unlike disk forensics, there is no volume header to parse in memory. Instead, we must find values created by the operating system by searching for them manually. There are a number of structures that we can search for which will help us determine what operating system was being used, and the values particular to this execution.
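The brute-force key-schedule search described above, as an added illustration rather than course material: a cipher keeps its expanded AES key in RAM, so any 16-byte window whose FIPS-197 expansion matches the 160 bytes that follow it is a live key, no operating-system knowledge required. The scanner assumes AES-128 and an undamaged schedule; the 4 KiB "image" is constructed here, with the FIPS-197 test key planted bare (not reported) and as a full schedule (reported).

```python
import hashlib

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def _sbox_entry(x: int) -> int:
    """S-box value: multiplicative inverse (0 -> 0) followed by the affine map."""
    v = next((y for y in range(256) if _gf_mul(x, y) == 1), 0)
    s = v
    for k in range(1, 5):
        s ^= ((v << k) | (v >> (8 - k))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]  # derived, so no 256-entry table to type in
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def aes128_key_schedule(key: bytes) -> bytes:
    """FIPS-197 key expansion: the 11 round keys (176 bytes) a cipher keeps in RAM."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord, SubWord, then XOR in the round constant
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]
        w.append(bytes(x ^ y for x, y in zip(w[i - 4], t)))
    return b"".join(w)

def find_aes128_keys(image: bytes) -> list:
    """Report (offset, key) wherever the 160 bytes after a 16-byte window are its expansion."""
    hits = []
    for off in range(len(image) - 175):
        cand = image[off:off + 16]
        # Cheap prefilter: byte 0 of round key 1 must equal k[0] ^ S(k[13]) ^ Rcon[1]
        if image[off + 16] != cand[0] ^ SBOX[cand[13]] ^ RCON[0]:
            continue
        if image[off:off + 176] == aes128_key_schedule(cand):
            hits.append((off, cand))
    return hits

def build_sample_image() -> bytes:
    """Constructed 4 KiB image: hash filler, FIPS-197 key bare at 512 and as a schedule at 1024."""
    filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    return filler[:512] + key + filler[528:1024] + aes128_key_schedule(key) + filler[1200:]
```

Scanning one byte at a time catches unaligned schedules; scanners used on real captures additionally tolerate a few flipped bits (relevant to cold-boot images) and handle AES-192/256 and TrueCrypt's two XTS keys.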

CPE/CMU Credits: 6

Topics

Computer architectures

  • 32-bit vs. 64-bit operating systems
  • x86, x86_64, and IA-64 architectures
  • Virtual and physical address spaces
  • Physical Address Extensions

Virtual Memory Models

  • Process memory and system memory
  • Shared view of system memory
  • Calls between these spaces

Implementing the Virtual Memory Model

  • Virtual to physical address translation
  • Differences between virtual and physical memory size
  • Invalid memory

Process Memory

  • Modeling a process as a container
  • Code
  • Threads
  • Stack
  • Heap

System Memory

  • Code
  • Drivers
  • Scheduling
  • Interrupts
  • Memory Management
  • Services

BIOS keyboard buffer

Encryption keys

  • How a password becomes a key
  • Keys and key schedules
  • Structures of key schedules
  • Searching for key schedules
  • AES and TrueCrypt keys

Network Packets

Traditional Data

  • Credit card numbers
  • Email addresses
  • URLs
  • Phone Numbers

Preparing for Structured Analysis

  • No defined starting point like a volume header
  • Searching for processes
  • Validating data
  • Searching for debugging structures

The SIFT Workstation

  • SIFT Workstation review
  • Pros and cons of Volatility
  • Installation
  • Basic Usage

Pool Memory

  • Shared memory for the kernel
  • Structure of pool memory
  • Validating frames of pool memory
  • Pool tags of interest

Walking vs. Scanning

  • The benefits of each approach
  • Leftover from a previous boot
  • Unlinked data
  • Comparing the Results

Section 1 Exercises

  • Recovering encryption keys, network packets, and more with brute force searching tools
  • Brute force searches of Windows Pool Memory
  • Writing a pool tag scanner for Volatility


Jesse Kornblum
Tue Nov 6th, 2012
9:00 AM - 5:00 PM

Overview

Most users are familiar with processes on a Windows system, but not necessarily with how they work under the hood. In this section, we will talk about the operating system components that make up a process, how they fit together, and how they can be exploited by malicious software.

We will start with the basics of each process, how it was started, where the executable lives, and what command line options were used. Next will be the Dynamic Link Libraries (DLLs) used by a program and how they are found and loaded by the operating system. Finally, we will talk about the operating system structures involved with threads, the actual blocks of executing code that make up the interactive portion of every process.

CPE/CMU Credits: 6

Topics

Processes

  • Process Environment Block
  • Process Parameters
  • Command line
  • Relationships between processes
  • Direct Kernel Object Manipulation

Dynamic-link Libraries (DLLs)

  • Purpose and Use
  • Legitimate DLLs
  • Search Order Hijacking
  • Lists of loaded DLLs
  • DLL abnormalities

Drivers

  • Legitimate drivers
  • Driver stacking
  • The driver dispatch table
  • Recovering drivers

Sockets

  • Review of networking technologies
  • Changes in Windows over time
  • TCP and UDP sockets
  • TCP connections

Kernel Objects

  • Structure
  • Finding hidden processes with objects

Threads

  • Execution context
  • Stack
  • Thread scheduling
  • Using threads to find hidden code

Jesse Kornblum
Wed Nov 7th, 2012
9:00 AM - 5:00 PM

Overview

There are a tremendous number of structures used in Microsoft Windows. To understand what the operating system is doing, we have to understand these components. In this section we will begin to explore the complex web of interconnected data structures which make up the operating system. To that end we start with a basic introduction to C structures and how they are put together. From there we talk about which of them are used in Windows and the documentation Microsoft publishes about them.

In this section we will explore, in-depth, all of the components which constitute Microsoft Windows operating systems. We will start with processes and all of the data they contain. From there we will discuss DLLs, drivers, sockets, kernel objects, threads, modules, and virtual address descriptors.

For each of these areas we will talk about how these systems work, what data the operating system maintains, which of those are relevant for forensics, and how to determine if there is something suspicious occurring.

CPE/CMU Credits: 6

Topics

Introduction to C structures

  • Structures, nesting, enumerations and unions

Microsoft Structures

  • Backward compatibility
  • Symbol files
  • Organization of symbols

Tools for Structures

  • Kd and WinDBG
  • Livekd

Modules

  • The Windows loader process
  • Reversing the loader's changes
  • Recovering unpacked executables
  • Recovering trashed executables

Injected and Unpacked code

  • Executable regions of memory
  • Finding code in the heap
  • Sorting out false positives

Finding hidden DLLs

Finding hidden processes

  • Combining multiple data sources
  • Defeating DKOM

Driver Hooking

  • When it's normal
  • When it's abnormal

Section 3 Exercises

  • Exploring Windows structures on a live system
  • Searching for kernel debugging structures
  • Finding suspicious processes from their command lines
  • Searching for illegitimate DLLs
  • Recovering suspicious drivers
  • Enumerating network listeners
  • Writing a Volatility plugin to recognize potential TrueCrypt containers
  • Identifying code being executed using threads
  • Recovering a packed program as an unpacked program
  • Working with the MHL Plugins on memory images
  • Malfind, psxview, ldrmodules, driverirp, svcscan

Jesse Kornblum
Thu Nov 8th, 2012
9:00 AM - 5:00 PM

Overview

Knowing the basics of memory forensics allows us to begin doing it in the real world. First, we must acquire memory images. On any given system there may already be memory images, from the machine's past, which contain highly valuable information. In this section we will discuss how to find and recover such memory images. We'll also cover some of the tools to capture memory images and how to choose the one which is best for you.

CPE/CMU Credits: 6

Topics

The Windows Registry

  • Registry Overview
  • How the Registry is stored in memory
  • The volatile part of the hive
  • Recovering registry data from memory

Hibernation Files

  • Saved system state
  • Power saving feature
  • Serialized memory image
  • File Format
  • Potential vulnerability to malware
  • Decompression and Use

Crash Dump Files

  • Debugging information
  • File Format
  • Reconstruction and Use

Memory Imaging

  • Differences from disk imaging
  • Terminology

Traditional Imaging Programs

Suspended Virtual Machine

USB

Firewire

Cold Boot Method

Section 4 Exercises

  • Cracking passwords recovered from memory images
  • Using traditional memory imaging tools
  • Using a suspended virtual machine to capture memory


Jesse Kornblum
Fri Nov 9th, 2012
9:00 AM - 5:00 PM

Overview

This section will present a number of challenges for the memory forensic examiner. We do not want to spoil all of the surprises by listing them in the outline, but we can give you a sense of what you will be working on. These memory images may contain some kind of malicious software or data of interest. Each challenge will provide a little information to go on. (As with real-world examinations, of course, it's never enough information!) Your job will be to determine if there is anything of interest, and if so, what it is.

CPE/CMU Credits: 6

Topics

Section 5 EXERCISES

  • Ten memory images to be examined

Additional Information

Mandatory Laptop software requirements:

Mandatory Laptop hardware requirements:

  • CPU: 2.0 GHz or higher is recommended (Multi Core preferred)
  • DVD/CD Combo drive
  • Wireless 802.11 B/G/N networking capability
  • 2 Gigabytes of RAM minimum (4GB or higher RAM is recommended)
  • 40 Gigabytes of free space on your laptop hard drive
  • The student should have the capability to have Local Administrator Access within their host operating system

Install the following items:

  • VMware Fusion 4.0 (or higher) or VMware Workstation 7.0 (or higher)
  • Download and unzip "SIFT Workstation 2.11 Distro Version.zip"
  • Follow the attached setup guide to set up a separate Windows VM - As part of the Windows Memory Forensics course, SANS FOR526, you will need to create a Windows virtual machine to use in class. We recommend using VMware to do this, and the following instructions are predicated on using VMware Workstation. The course is designed to use a 32-bit version of Windows 7.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Incident Response Team Members
  • Law Enforcement Officers
  • Forensic Examiners
  • Malware Analysts
  • Information Technology Professionals
  • System Administrators
  • And anybody who plays a part in the acquisition, preservation, forensics, or analysis of Microsoft Windows computers

  • All attendees should have some experience with computer networks and computer forensics, as well as some command line experience.
  • Students should have strong command line skills.

This Course Prepares You To

  • Preserve and acquire the memory of Windows systems
  • Conduct brute-force searches for valuable artifacts such as full-content network data and encryption keys
  • Identify suspicious behavior on Windows system without any prior knowledge of its nature
  • Recover and investigate programs and drivers to determine their true nature
  • Begin a detailed analysis of what the machine was truly doing

  • SANS SIFT Workstation
  • Course DVD: Loaded with case examples, tools, and documentation

Author Statement

A forensic examiner is defined by their understanding of the technologies they work with. Somebody who understands what is happening under the hood will have an inherent advantage over somebody who does not. Peeking at the underlying data, poking at them manually, and coming to understand what they represent, is what this course is all about. Afterward, there are tools and methods which can automate many of these processes. But the results of those methods are useless if the examiner doesn't understand what they represent. This class will encourage you to try things out and ask questions. The classroom environment is for learning. If you get everything right the first time, you haven't learned anything! Here you will learn by doing, not listening. Memory analysis is the latest frontier in our field and presents opportunities we have not seen in some time. Taking this class is a great way to get started in this exciting new domain. The technologies involved will unlock some valuable doors. We haven't reached the limits of memory analysis by a long shot. In the near future there will be more advanced techniques and available data. It's important to build a strong foundation now!

-- Jesse Kornblum, Kyrus