Memory Dump

ICS Lab.
Introduction
• Memory Forensics
• Memory Dump
• Acquire a memory image from real memory (physical memory, RAM).
• Memory Analysis
• Extract information from the memory data.
• Live Analysis – from live memory
• Static Analysis – from a memory image

• Memory forensics is usually used for digital investigation and
malware analysis.
How to dump Physical Memory?
 Hardware-based
 Cold Boot Attack
 DRAM keeps its contents for seconds after power is cut (data
remanence), so RAM can be read by rebooting the machine into a
small acquisition tool instead of the installed OS.
 The effect can be lengthened by cooling the memory,
which the researchers did using an old party trick – a
can of compressed air held upside down. Chilling the
memory can allow data to persist for many seconds,
even minutes.
 Firewire Attack
 Get memory using the FireWire (IEEE 1394) interface
 A leading hardware method of memory dumping consists in
having a DMA-capable device on the PCI bus read part or all of
physical memory through the DMA controller, with no
cooperation from the running OS. (Systems that enable an
IOMMU, e.g. VT-d, can block this kind of unrestricted DMA.)

 Popular Software
 Windows-based: DumpIt, MDD
 Linux-based: LiME (Linux Memory Extractor)
 VMware-based: the ‘Snapshot’ function of VMware
(guest RAM is written to a ‘.vmem’ file)
Memory Forensics Experiments
• We will deal with user account information on Windows and Linux

• Experiment 1
• Windows Based Memory dump & Analysis
• Windows account information from a memory image

• Experiment 2
• Linux Based Memory dump & Analysis (Using VMware)
• Linux account information from a memory image
Experiment 1
• Windows Based Memory dump & Analysis
• Windows account information from a memory image

• What we need
• DumpIt: memory dump software for Windows
• Volatility: memory analysis tool
Experiment 1
• Step 1
• Memory dump using DumpIt
• Just execute ‘dumpit.exe’ (as Administrator) and type ‘y’
• We can find the ‘.raw’ file in the same folder as ‘dumpit.exe’; it is
named after the hostname and the dump time, and it is as large as the
machine’s physical RAM, so check free disk space first.
Experiment 1
• Step 2
• Install Volatility
• 1 : Install Python ‘python-2.7.8.msi’
• Volatility 2.x is written in Python 2.
• 2 : Install Volatility ‘volatility-2.4.win32.exe’
• 3 : Check that Volatility runs
• Run ‘volatility-2.4.standalone.exe’ in CMD
• It should print the Volatility usage/help text (shown as a screenshot in
the original slide)
Experiment 1
• Step 3
• Check the image information of the ‘.raw’ file
• Command : ‘volatility-2.4.standalone.exe imageinfo -f DUMPFILE’
• It takes some minutes. (It takes about 3 minutes to analyse 2GB of memory)
• Note the ‘Suggested Profile(s)’ line; the profile is required by every
later command. ‘volatility-2.4.standalone.exe --info’ lists all
profiles and plugins.
Experiment 1
• Step 4
• Extract the password hashes from the memory image
• Volatility’s ‘hashdump’ plugin locates the SYSTEM and SAM registry
hives in memory and dumps the local user accounts’ LM and NT hashes,
the same data Metasploit’s ‘hashdump’ post module pulls from the
registry of a compromised host.

• Command
• volatility-2.4.standalone.exe hashdump -f MEMORYIMAGE --profile=PROFILE > OUTPUTFILE
• Each output line has the form user:RID:LMhash:NThash:::

Then we can find OUTPUTFILE in the Volatility folder


Experiment 1
• Step 5
• Examine the hashdump file using tools
• Using John the Ripper
• John the Ripper is a well-known password cracking tool using dictionary
attack, brute-force attack, etc.
• command : john.exe --format=nt OUTPUTFILE
(‘john.exe --show --format=nt OUTPUTFILE’ prints what has been cracked so far)
• We have five accounts in the hashdump file, but 2 of these have no
password (their NT hash is the well-known hash of the empty string,
31d6cfe0d16ae931b73c59d7e0c089c0) and another 2 have very easy passwords.
• One is left; it takes a very long time to crack.
Experiment 1
• Step 5
• Using Cain & Abel
• Cain & Abel is also a well-known password cracking tool.
• It has a GUI for Windows.
• We can check the ‘Time Left’ of a brute-force attack.
• With the password length limited to at most 8 characters, it takes about
3 days (it depends on system speed).
Experiment 1
• Step 5
• Using Cain & Abel
• To see the success message in this experiment, I set the password length to 6.
• It takes only 3 minutes.
• The user account ‘ajou’s password hash was cracked.
• If we have a well-made password dictionary, it needs only a short time to crack.
Experiment 1
• Additional plugins for Volatility
• Volatility provides many plugins to get information from a memory
image.
• You can check the command syntax and the plugin list using ‘volatility.exe -h’
• Here are some plugins that work easily. Try them.
• dlllist, pslist, pstree, sockets
• Note: ‘sockets’ only works on Windows XP/2003 images; on Vista and
later use ‘netscan’ instead.
• Reference
• http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/
Experiment 2
• Linux Based Memory dump & Analysis (Using VMware)
• Linux account information from a VM memory image
Experiment 2
• Memory dump using the ‘Snapshot’ function of VMware
• A ‘Snapshot’ saves the full state of the guest OS so that it can be
restored at any time. For a running VM it also writes the guest’s entire
memory to a ‘.vmem’ file, which is a raw physical-memory image.
Experiment 2
• Step 1
• Memory dump using the ‘Snapshot’ function of VMware
• Take the ‘Snapshot’ while the Linux guest is logged in.
• This was tested on various Ubuntu versions.
Experiment 2
• Step 1
• Memory dump using the ‘Snapshot’ function of VMware
• The memory image is found in the VM’s folder on the VMware host.
• Pick the most recently numbered Snapshot ‘.vmem’ file,
• and confirm its modification time matches when the snapshot was taken.
Experiment 2
• Step 2
• Find the password shadow file in the memory image
• Search for the text string ‘root:$6$’ in the memory image using any hex
editor. The string is there because the kernel’s page cache keeps a copy of
/etc/shadow in RAM after it has been read.
• On recent Ubuntu Linux the shadow file uses sha512crypt hashes, which
start with ‘$6$’, so a root line with a password set starts with ‘root:$6$’.
• Caveat: on a default Ubuntu install root is locked (‘root:*:’ or ‘root:!:’),
so ‘root:$6$’ will not exist; search for ‘:$6$’ or for a known user name
(e.g. ‘ajou:$6$’) instead.
Experiment 2
• Step 3
• Copy the shadow file out of the memory image
• Just select from ‘root:$6$’ (or the first user line you found) to the last ‘:::’
• Then write the selection to a new text file.
Experiment 2
• Step 4
• Use John the Ripper for cracking
• Command : john.exe SHADOWFILE
• John auto-detects the ‘$6$’ (sha512crypt) format from the hash prefix.
• It found 1 password hash in the test memory image.
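The hex-editor search and copy in Steps 2 to 4 works because the page cache keeps /etc/shadow in RAM. The following Python script is an added example (not from the slides) that automates and generalizes that manual step: it scans a raw image for any shadow-format line, accepts every crypt scheme (‘$1$’, ‘$5$’, ‘$6$’, ‘$y$’, bcrypt) rather than only ‘root:$6$’, separates locked or empty accounts from crackable ones, keeps stale copies of a user’s line that carry a different hash (old copies survive in memory after a password change), and emits john-ready ‘user:hash’ lines. The image bytes and every hash in them are constructed; none is the hash of a real password.

```python
import re

# Constructed memory-image fragment standing in for a VMware .vmem: binary
# junk around two cached copies of /etc/shadow. All hashes below are made up.
FAKE_SHA512 = "$6$Xy1zSalt$" + (
    "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ./abcdefghijklmnopqrstuv")
FAKE_SHA512_OLD = "$6$OldSalt9$" + (
    "zyxwvutsrqponmlkjihgfedcba9876543210ZYXWVUTSRQPONMLKJIHGFEDCBA./zyxwvutsrqponmlkjihgfe")
CURRENT_SHADOW = (
    "root:*:17500:0:99999:7:::\n"                    # root locked, as on a default Ubuntu
    "daemon:*:17500:0:99999:7:::\n"
    "ajou:" + FAKE_SHA512 + ":17600:0:99999:7:::\n"
    "legacy:$1$saltsalt$abcdefghijklmnopqrstuv:17000:0:99999:7:::\n"
)
STALE_SHADOW = CURRENT_SHADOW.replace(FAKE_SHA512, FAKE_SHA512_OLD)   # copy from before a password change
SAMPLE_IMAGE = (b"\x00" * 256 + b"\x7fELF\x02\x01" + CURRENT_SHADOW.encode()
                + b"\xff\x00" * 64 + STALE_SHADOW.encode() + b"\x00" * 32)

# One /etc/shadow line: name, password field, then exactly seven numeric-or-empty fields.
SHADOW_LINE = re.compile(
    rb"(?<![A-Za-z0-9_.-])"          # not in the middle of a longer token
    rb"([a-z_][a-z0-9_.-]{0,31})"     # user name
    rb":([^:\r\n\x00]*)"              # password field: crypt hash, '*', '!' or empty
    rb"((?::\d*){7})"                 # lastchg:min:max:warn:inactive:expire:reserved
    rb"(?![^\r\n\x00])"               # nothing but a line terminator (or EOF) may follow
)

SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}


def carve_shadow(image: bytes) -> dict:
    """Return hashed (crackable) entries and locked/empty accounts found in the image."""
    crackable, locked, seen = [], [], set()
    for m in SHADOW_LINE.finditer(image):
        user = m.group(1).decode()
        field = m.group(2).decode(errors="replace")
        hashed = field.lstrip("!")            # 'passwd -l' only prefixes '!' to a still-valid hash
        if hashed.startswith("$") and hashed.count("$") >= 3:
            if (user, hashed) in seen:        # page cache, swap, editor buffers: duplicates are normal
                continue
            seen.add((user, hashed))
            crackable.append({"user": user, "hash": hashed,
                              "scheme": SCHEMES.get(hashed.split("$")[1], "unknown"),
                              "locked": field.startswith("!"), "offset": m.start()})
        elif user not in locked:
            locked.append(user)               # '*', '!', '!!' or empty: nothing to crack
    return {"crackable": crackable, "locked": locked}


def john_lines(result: dict) -> list:
    """One 'user:hash' line per distinct hash, in the form John accepts as input."""
    return [f'{e["user"]}:{e["hash"]}' for e in result["crackable"]]


if __name__ == "__main__":
    found = carve_shadow(SAMPLE_IMAGE)
    print("locked/no password:", ", ".join(found["locked"]))
    for e in found["crackable"]:
        print(f'{e["offset"]:#010x} {e["user"]:10s} {e["scheme"]}')
    with open("carved_shadow.txt", "w") as fh:     # feed this file to: john carved_shadow.txt
        fh.write("\n".join(john_lines(found)) + "\n")
```

Run it against a real ‘.vmem’ by replacing SAMPLE_IMAGE with the file’s bytes (read it with ‘open(path, "rb").read()’ or mmap it for multi-gigabyte images); a ‘/etc/passwd’ line never matches because its fields after the password are not all numeric, so the carver does not confuse the two files.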
References
• Cain & Abel: http://www.oxid.it/cain.html
• John the Ripper: http://www.openwall.com/john/
• Volatility: https://github.com/volatilityfoundation
• Python: https://www.python.org/
• Physical Memory Attacks: https://privatecore.com/resources-overview/physical-memory-attacks/
• RAM Forensics: https://www.ethicalhacker.net/features/root/using-cold-boot-attacks-forensic-techniques-penetration-tests

• JungTaek Seo, Seokjun Lee, Taeshik Shon, "A study on memory dump analysis based on digital forensic tools", Peer-to-Peer Networking and Applications, Springer, online published June 2013
• Seokjun Lee, Taeshik Shon, "Physical Memory Collection and Analysis in SmartGrid Embedded Platform", MONET (Mobile Networks and Applications), ACM/Springer, Volume 19, Issue 3, June 2014, Pages 382-391
