FOR500.1: Windows Digital Forensics and Advanced Data Triage | FOR500.2: Core Windows Forensics Part 1: Windows Registry Forensics and Analysis [FOR500_C01_01 ed.]

FOR500.1: Windows Digital Forensics and Advanced Data Triage Overview The Windows Forensic Analysis course starts with a


English Pages 280 Year 2017


FOR500.1
Windows Digital Forensics and Advanced Data Triage

FOR500.2
Core Windows Forensics I: Windows Registry Forensics and Analysis

Copyright © 2017, The SANS Institute. All rights reserved. The entire contents of this publication are the property of the SANS Institute. PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT (“CLA”) CAREFULLY BEFORE USING ANY OF THE COURSEWARE ASSOCIATED WITH THE SANS COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE “USER”) AND THE SANS INSTITUTE FOR THE COURSEWARE. YOU AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU. With the CLA, the SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the terms of this agreement. Courseware includes all printed materials, including course books and lab workbooks, as well as any digital or other media, virtual machines, and/or data sets distributed by the SANS Institute to the User for use in the SANS class associated with the Courseware. User agrees that the CLA is the complete and exclusive statement of agreement between The SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA. BY ACCEPTING THIS COURSEWARE YOU AGREE TO BE BOUND BY THE TERMS OF THIS CLA. BY ACCEPTING THIS SOFTWARE, YOU AGREE THAT ANY BREACH OF THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO THE SANS INSTITUTE, AND THAT THE SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF POSTING BOND), SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF. If you do not agree, you may return the Courseware to the SANS Institute for a full refund, if applicable. User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of the SANS Institute.
Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form without the express written consent of the SANS Institute. If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this courseware. SANS acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in this courseware are the sole property of their respective trademark/registered/copyright owners, including: AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight, There’s an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are registered trademarks of Apple Inc. Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA. FOR500_C01_01

FOR500
Windows Forensic Analysis

SANS DFIR: Digital Forensics & Incident Response

© 2017 Rob Lee | All Rights Reserved | Version # FOR500_C01_01


FOR500.1
Windows Forensic Analysis: Windows Digital Forensics and Advanced Triage

Authors: Ovie Carroll (oviecarroll@gmail.com), Rob Lee ([email protected])
http://twitter.com/robtlee
http://twitter.com/sansforensics

• The Donald Blake Case
• Core Windows Forensics: Focus on Analysis
• Memory and Triage Acquisition
• Mounting Disk Images
• Filesystem Overview
• Advanced Acquisition
• Data Stream Carving
• File Metadata
• File Carving

The Donald Blake Case


Donald Blake is starting a new company, taking a key client (BetterWidgets) with him.


Smartphone Details
• Nokia 928: Windows Phone
• Office 365, SkyDrive, Skype, SharePoint, and Exchange Integration

Laptop: Hybrid Tablet
• Lenovo Yoga Series Touch Screen ClamShell Laptop
• Windows 8.1 OS, 64-bit
• 4GB RAM
• Office 365, SkyDrive, Skype, SharePoint, and Exchange Integration

• OS Type: Windows 8.1 (NOTE: Win8.1 is nearly identical to Win10 artifacts. Only minor changes between both operating systems)
• Fully patched and updated
• Single-user system
• EST5EDT (Eastern Time)
• Office 365 Exchange e-mail: dblake@asgard-venture-capital.com

Asgard Inc. systems include:
• Office 365
• SharePoint Server
• SkyDrive Integration
• Exchange Online
• Microsoft Portal Online
• Whatever the employee wants to add


Donald Blake: Fired from work due to stock dumping of BetterWidgets due to suspected insider trading.
Jordan Boone: Chief Analyst
Derek Velez: Sr. Business Analyst
Jamie Alexander: CEO of Asgard Venture Capital Inc.
Jane Blake: Wife of Donald Blake


Your goal is to answer the following questions over the next few days while learning about forensic artifacts that exist:
1. Did Donald Blake steal intellectual property from ASGARD Inc.? (Yes OR No)
2. What did he steal?
3. Where did he put it?
4. How did he take it?
5. When did he do any of this activity?
6. Did Donald Blake know he was going to be fired?


Core Windows Forensics: Focus on Analysis
• Understanding OS, applications, and investigation
• Evidence created: determine and query
  • User action
  • System action
• Problem-solving skills
• Requires analysis: not just data extraction
• W, W, W, W, W, H (who, what, when, where, why, how)

Understanding OS and Applications

A forensic examiner/analyst should have a solid understanding of the operating system and the application he is examining. Only by understanding the OS and applications on the system you are examining will you understand where to look for evidence of an action. Many times, you will find that you will have to conduct tests in your lab on applications to find what evidence is created by the application when an action is taken, and then go to the hard drive you are analyzing and look for that piece of evidence. A forensic examiner should also understand the investigation for which she is doing the analysis. Understanding what is being investigated will help guide an analyst in the direction evidence is likely to be found. In most law enforcement situations, the analyst should have a copy of the search warrant, which will also have the affidavit that establishes the circumstances for which probable cause exists that convinces the courts to grant the search warrant. That search warrant also frames the boundaries of the search or “scope of the search.” When working with law enforcement, it is imperative that an examiner understands and stays within the scope of the warrant or any evidence he finds may be suppressed and not allowed to be used in proceedings against the defendant. As we mentioned before about simply conducting a key word search and exporting the results for review by the case agent, do you think a non-technical, non-forensic trained agent or investigator understands computer systems enough to ask for link files or to know what in the registry could help his investigation? No.

Understanding Evidence Created

Evidence of action or activity is created by both the user of the computer and the system itself. An example of this might be a directory that is created by a user with the name describing the contents, such as “My Hacking Tools.” Another example of evidence created by the actions of a user might be the creation of a LINK file when a file is opened by the user. Evidence created by a system action might be an audit log showing default system maintenance has run at the default time, or file access times being changed by an antivirus scan being run automatically. Understanding what kinds of evidence are created, how they are created, and why will help you be a better examiner.

Requires Analysis

Findings are the result of your key word searches or individual items of significance you find during the course of your examination. Analysis is the act of looking at all the individual findings, including the existence or lack thereof of data, as well as associated metadata (location of the file, timestamps), and determining which actions were taken on the computer that would have caused those artefacts to exist. Using this we can determine the who, what, when, where, why and how. In a court of law, your expert opinion is based on conducting an analysis of the totality of your findings, and the information you have about the investigation, as to what events took place and by whom. Your opinion must in turn be supported by your findings. If you find someone that is only doing key word searches or exporting specific files for someone else to review, you should not be calling this person a forensic analyst. This person is a Data Extraction Specialist. This class is about giving you the skill and knowledge to understand what evidence is created by user and system actions so that you can find those pieces of digital evidence and form an opinion or conclusion about what happened on a computer.

Problem Solving

One of the most valuable skills a forensic examiner/analyst can have is his problem-solving skills. The forensic examiner/analyst should be a master of problem solving because for each investigation, he should be asking himself what crime is being investigated and what actions might a user have taken to facilitate that crime. Of those actions, what evidence would be created by the user, application, or system when that action was taken? When analyzing a computer system, if you are not finding the evidence you know should be there based on the information you have about the investigation, you need to ask yourself, “Why?” What actions would a user have taken to hide his activities or prevent him from being where he should be? It may be a simple configuration setting a user changed that causes logs or files to be saved in a different location, or it could be that some form of counter forensic program was used. If the latter is true, what actions would you take to determine whether a counter forensic program was installed or run? This goes right back to the problem solving and understanding of what evidence is created by a user, operating system, or application when certain actions are taken. So when we think about the computer forensic fundamental mindset, we know that computer forensics is as much an art as it is a science. It takes an investigative and iterative approach, with the forensic analyst looking at each item, file and finding and asking if that finding warrants an additional search or inquiry to determine who, what, where, when, why and how that file originated on the computer, and if that item was created or modified by a user or system action. All this can be achieved only by having a solid understanding of the operating system and applications being examined.


Proper analysis is not simply about:
• Finding artifacts, pictures, and documents
• Or, recovering deleted files
• “Evidence of...” Categories (Download, Execution, File Opening, File Knowledge)
• Intersecting evidence and facts verifies
• Build timeline based on key analysis questions
• Focus on detailing facts via analysis, not theories

One of the key ideas of this course is that proper analysis is essential to successfully navigate cases. The proper way to accomplish this is not simply to recover a bunch of artifacts and recover some deleted items, paste them into a report, and hand them to a prosecutor or management. You need to recover the artifacts and then analyze the data that they hold to determine a clear picture of what the user was doing, when they were doing it, why, and many other details that might go unnoticed unless your trained eye began to examine them. Many artifacts you will uncover will help substantiate a fact. Multiple artifacts that all substantiate the same fact are much more effective at increasing the overall weight of your evidence. The poster you receive with the class (Red DFIR Poster) will be useful to you as you begin to focus on “Evidence of...” analysis. This type of analysis relies on artifacts, but helps pair similar artifacts together that help answer a specific question or action. For example, you will learn that there are commonly four to six locations on an average Windows system that will point to a user’s file opening or file creation. We start to quickly build up the many artifacts that can answer many of the key types of questions on the next page.


In this course, we begin to focus on answering the key questions. Did a user have knowledge a file existed on his machine? Did the user open the file and when? Did the user execute Regedit to delete registry entries? How and when did a user download a file wiper to a machine? Seeing that there are specific questions that can be answered by these pairings, we have created the “Evidence of” categories. We will continually build these categories in this class until they are populated fully. You will then be able to use this list as a “cheat guide” to help you remember where you can check to discover key items inside a Microsoft Windows machine.

Evidence of categories:
• User Communication
• File Download
• Program Execution
• File Opening/Creation
• File Knowledge
• Physical Location
• USB Key Usage
• Account Usage
• Browser Usage

In a little bit, we will start to create our first timeline. The timeline will include major artifacts that make up facts from the case. The “Evidence of” slides will help you determine the activity that occurred as multiple artifacts should intersect for the same item. For example, when Office Word executes, you might observe Evidence of Execution via multiple prefetch files and UserAssist entries. In the same example, you should see the document that Word opened up via file opening/creation artifacts, such as LNK files, Recent Docs, and more. The idea behind this analysis technique is that instead of teaching you artifact after artifact and hoping you can figure out how they fit together, it focuses instead on the key question the artifacts help solve and it categorizes them appropriately.


Over the course of the next few days, we examine the core Windows operating systems: Windows XP, Windows 7, Windows 8, and Windows 10. When an artifact is only found in a specific operating system, look for the Windows OS icon to appear in the upper right side of the slide to note in which specific operating system the artifact will be found. One question we always get in the class is how much difference is there between Windows 8.1 and Windows 10? There are just a few small differences in the core artifacts we teach in this class, but these are mainly in how tools parse the items. For example, prefetch is updated from Windows 8.1 to Windows 10. The main change? They added compression to the prefetch file, and your tools need to be compatible to be able to parse it. Luckily, all of the tools we teach in this class are compatible across both Windows 8.1 and Windows 10. What about additional artifacts? More might be coming out, but with the exception of Cortana, the two operating systems are so identical from a forensics perspective in the DNA backend that many in the community called Windows 10 “Windows 8.2.” [1] Cortana research is still ongoing, and almost no tools have been developed to aid students in analysis. However, to future-proof, we will provide tools and techniques to parse a variety of raw database formats, allowing analysis to be completed on new artifacts like Cortana even before fancy tools are available.

[1] http://www.computerworld.com/article/2845313/say-hi-to-windows-8-2-er-10.html


Triage Acquisition: 99% of Forensic Analysis Focuses on 1% of the Data


• Capture Memory: DumpIt.exe
• FTK Imager: Create Custom Content Image
• Windows SIFT Workstation
• Only If Necessary: FTK Imager, Create Disk Image

Memory Acquisition
• Volatile data
• Order of volatility
• Gold Standard in Acquisition
• Why: Without memory image, there is little chance to bypass whole disk encryption
• Massive amount of useful user attributed data

Memory acquisition has become one of the most important changes to the computer forensic field. Memory acquisition is not new; it has been around for over 15 years. Previously, and unfortunately now, some resist memory acquisition because of its complexity. With new tools today, memory acquisition is no longer complex. Tools such as F-Response have made it so that incident responders can image RAM as if it were a physical drive using whatever imaging tools they are comfortable with.

Surprisingly, there is still a lot of discussion about the most appropriate thing to do when responding to a computer system that is still powered on. Some law enforcement agencies are still teaching their agents to pull the plug from the back of the machine; others are recommending collecting and documenting all volatile data, including RAM, before powering the system down. Because incident responders and investigative agencies may not be immediately aware of what information is evidence when they arrive on scene, the Department of Justice advises incident responders to document and preserve as much information as they can. They suggest all incident responders be trained so they can collect and preserve as much volatile data as possible. The old argument that you are changing or altering evidence if you do anything other than pull the power plug is as ignorant as the assertion that the world is flat. It was okay when that was all we knew how to do, but we now have the capability to easily collect volatile data. With the increased popularity of encryption programs, pulling the power plug has already resulted in investigative agencies having nothing to examine. In addition, a growing popular claim from defense attorneys is that the system was being controlled by a remote administrative utility/Trojan or a virus was causing all the activity. Without the collection of volatile data, it becomes much more difficult to defend against or refute. When responding to an incident involving digital evidence, the general rule for first responders should be to preserve as much data as possible in the way it was found when they arrived. The most immediate priority should be to capture volatile data.


Volatile data is what is referred to as data that will disappear or be destroyed once the computer system is powered off. Typically this is RAM, but it goes further. Volatile data is also current active network connections, running applications, open/listening network connections, etc. Much of this data is extremely valuable to determine or refute the claim that someone was remotely connected to the computer controlling its activity and therefore the suspect/defendant is innocent. It becomes extremely difficult (not impossible) to refute these claims if volatile data is not collected.

Will Change Evidence

Many use the argument that collection of volatile data will change/alter the current state of the evidence as the investigator found it and thereby make it inadmissible as evidence. This is simply NOT true. To the contrary, not collecting volatile data is beginning to be seen by the courts as the incident responder intentionally destroying 3 gigs of potentially exculpatory evidence (assuming the computer has 3 gigs of RAM). So when you consider the legal challenges in defeating the Trojan defense or the SODDI defense (some other dude did it), the return far outweighs the risk of the loss of data. Soon this will be standard for all live response. There is currently no method to write block memory. For this reason, we obviously have to image RAM and collect volatile data without a write block. Now some might be saying that you will make changes to the system, and won’t this invalidate your evidence? NO. As long as you can document your actions and what changes you caused, your evidence is still admissible and valid. As a matter of fact, the Department of Justice and some courts today are beginning to view the failure to collect RAM and volatile data as the incident responder destroying potentially exculpatory evidence. Again, this goes back to the SODDI (Some Other Dude Did It) defense of a remote administrative utility being used to control the computer.

After memory acquisition, you can now make further assessments of the system to determine whether it is safe to shut the system down and apply a write block. We will discuss some of the various types of write blocks later. Incident responders responding to computer intrusions/hacks have for a long time now understood the need for conducting onsite triage. That is, immediately looking for specific items needed to immediately further your investigation. This tactic is now being recognized as critically useful in non-intrusion related investigations. Before conducting any further activity, you should apply a write block. Triage’s greatest benefit is the immediate identification of investigative leads. The second benefit, particularly to responding law enforcement, is the ability to immediately confront a suspect; with the benefit of specific incriminating information obtained by the triage, the likelihood of a confession is greatly increased. After a triage, with the write block still attached, you can initiate your physical or logical image of the drive.


What is sitting in memory?
• Network connections
• Processes
• Configuration parameters
• Passwords
• Memory-only exploits/rootkit technology

What is sitting in memory? You have all the processes, files, directories, and any other information that could be sitting in residue in memory. You can use this information to piece together old history and commands that a previous individual may have typed on the system. You might discover old e-mails or websites that the user surfed to. You might find residue from exited processes. And probably most importantly, you will likely have passwords for both encryption and other programs in clear text still sitting in memory. With the increased use of encryption, particularly whole disk encryption utilities like Windows BitLocker, PGP and TrueCrypt, it is more important now than ever before for incident responders to image RAM and collect volatile data on any powered-on system they respond to. While it is the most volatile piece of evidence, it is also one of the most valuable. In most cases, programmers will not obfuscate or encrypt these sensitive areas in memory. It will be merely sitting there in plain text. However, there won’t be ASCII art surrounding it stating that “THIS IS THE PASSWORD”; the string would exist, though. FOR508 should be the next course you take. There you will delve deeper into this advanced forensic technique and actually collect and analyze RAM and volatile data. Encryption Keys -> BitLocker (http://jessekornblum.com/presentations/omfw08.pdf). Up until recently, memory analysis was essentially limited to performing string searches and byte searches through what was seemingly random data. The memory image file format has been recently reverse engineered and new tools exist that will allow for a more granular approach to examining the contents of memory.


LIVE System
• accessdata.com/product-download
• magnetforensics.com/free-tool-magnet-ram-capture
• forensic.belkasoft.com/en/ram-capturer
• http://www.comae.io
• WinPMEM: http://www.rekall-forensic.com/downloads.html
• www.mandiant.com/resources/download/redline/

DEAD System
• Hibernation file: contains a compressed RAM image: %SystemDrive%/hiberfil.sys
• Also found in Volume Shadow Copies
• %SystemDrive%/pagefile.sys
• %WINDIR%/MEMORY.DMP

There are a number of different memory acquisition applications available, and they all operate similarly. Prior to Windows 2003 SP1, a handle named \Device\PhysicalMemory could be used to address and copy memory. Due to the security concerns of allowing access to memory from user-mode, this handle was deprecated and a driver must now be used to access memory through the Windows kernel.[1] The acquisition tool loads a system driver to gain raw access to memory and then dumps the entire contents of memory into a raw file. There are some things to be aware of with this approach. For those of you with malware hunting experience, you might notice that using a loaded driver for accessing raw memory is quite similar to the steps some malware takes. Hence, you may occasionally encounter issues with host protection applications like antivirus and host intrusion prevention software (HIPS). In 64-bit Windows operating systems, all loaded device drivers must be digitally signed. The tools covered in this class have all taken the steps necessary to get their drivers signed, but note that some older tools may not operate on 64-bit systems.

The most important thing to know about memory acquisition is that regardless of the tool you choose to dump the memory image, any of the major memory analysis tools will be able to analyze it. We will cover a couple of different acquisition options in this class. WinPMEM is one of the most exciting new memory dumping tools to recently emerge.[2] It supports both 32- and 64-bit systems and also includes an interesting option for live memory analysis. In live mode, it will load the driver giving access to raw memory and then allow raw access to memory (read-only or even read-write!). Redline is often used as just a memory analysis tool, but we will see shortly it also has the important ability to conduct something new to this field: live memory analysis. As part of this live analysis, a complete memory image can also be acquired.

So far, all of the acquisition tools we have talked about require a system to be up and running. This is hardly surprising since RAM is largely considered volatile data that disappears upon system shutdown. While that is indeed true, don’t overlook some of the copies of RAM that are created automatically by various operating systems. As an example, many Windows systems, particularly laptops, maintain a hibernation file named “hiberfil.sys.” This file is created when the computer is placed into hibernation mode, often by closing the lid or selecting hibernate from the start menu. It turns out that “hiberfil.sys” is a complete copy of everything in RAM when that lid was closed! Simply copying this file from the root of the system drive gives us a ready-made memory image ready for analysis. Crash dump files are also great sources for RAM analysis. Look for “memory.dmp” files in the %WINDIR% folder. If a full crash dump was taken, it will be a complete copy of RAM. Finally, the Windows “pagefile.sys” is not a complete copy of RAM, but still contains parts of memory that were paged out to disk.

References
[1] http://technet.microsoft.com/en-us/library/cc787565.aspx
[2] http://scudette.blogspot.com/2012/11/the-pmem-memory-acquisition-suite.html


[Screenshot: DumpIt 3.0 console output (Copyright Matthieu Suiche, MoonSols Limited, Comae Technologies): destination path, dump type (Microsoft Crash Dump, include pagefile), the prompt “Proceed to the acquisition? [y/n] y”, machine information (Windows version, MachineId, Timestamp, Cr3, KdCopyDataBlock, KdDebuggerData, KdpDataBlockEncoded, current date/time), “Processing...”, and the output file memdump.mem]

FTK Imager supports Random Access Memory (RAM) acquisition. This feature requires Imager to be run with administrator rights. Generally it is best to run RAM acquisition through FTK Imager that is copied to a USB stick.

With FTK Imager, the process of capturing RAM is as easy as selecting File from the Menu Bar, and then selecting Capture Memory. This can also be accomplished by selecting the icon of RAM in the Toolbar. This will open a dialog box that will allow you to select the location to create the image of RAM. With the Memory Capture dialog box open, select the Browse button to enter a location to create your memory image. When you image memory, you generally want to avoid exporting memory to the host system for a variety of reasons, including that you would be overwriting unallocated space with your memory image file (destroying your ability to recover files in that portion of unallocated space). It is usually best to export memory to another networked machine or your attached sanitized USB device FTK Imager is running from, provided your USB device has sufficient storage capacity. Is it possible to create a HASH of memory before and after imaging, such as when imaging hard drives, to verify the memory captured was the same as it was on the system? ANSWER: No. RAM is dynamically changing as you are capturing it; therefore, by the time you obtain a HASH, RAM would have changed and you could never obtain the same HASH again. We will discuss in a moment a possible mitigation strategy. Save the file to your USB Key, name it MY-MEMORY-IMAGE.img, and save this file until you need it later. After you save it to your USB key, transfer the file to your c:\cases\memory directory on your Windows SIFT Workstation. FTK Imager also gives you the opportunity to image the Pagefile.sys at the same time. The pagefile.sys is one of the memory-management schemes Microsoft uses to store frames from memory on your local hard drive. For forensicators, this is a common place we can find a variety of artifacts, from web surfing activity to encryption keys. Because pagefile.sys is saved on the local hard drive, it may not be considered critical to capture immediately; however, because this is a dynamic file, it is a consideration for capturing before shutting down a live system. We just discussed the challenge of verifying and authenticating the captured image of RAM. Because it is impossible to obtain a matching HASH of RAM from before and after capturing it, FTK Imager offers the capability to immediately image the copy of memory you just captured. It creates this second image in AccessData’s proprietary image format known as AD1. The two advantages of doing this are that when creating an AD1 image of memory, FTK Imager also creates an audit log complete with hashes, and that it compresses the original image of RAM (which is generally the same size as the amount of RAM imaged). In several test cases, the AD1 image of RAM was approximately one quarter the size of the original image. Lastly, select Capture Memory to start the memory capture.

To capture a memory image using DumpIt, you simply plug in a USB with DumpIt on it and double click the DumpIt program. It will ask you if you want to proceed with the acquisition. Select Y and the memory image will be saved to the USB with the current time and date stamp applied to the filename.
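The dead-system sources listed above (hiberfil.sys, MEMORY.DMP, pagefile.sys) and the hash-after-capture verification that FTK Imager performs can both be scripted. The Python below is an added example, not code from the course, AccessData or Comae: the function names, the audit-log line format and the tiny constructed sample files are its own assumptions, and the header signatures it checks (PAGEDUMP/PAGEDU64 for crash dumps, hibr/HIBR for a hibernation file, wake/WAKE once the system has resumed) come from general memory-forensics knowledge rather than from this page.

```python
"""Memory-image triage helper (added example, not SANS course code).

1. classify_memory_file: tell a crash dump, a hibernation file (valid or
   already resumed and therefore stale) and a header-less raw image apart.
2. hash_and_log / verify_against_log: hash the captured image file and keep
   an audit log. Live RAM never hashes the same twice; the image file does,
   so that is the verification a responder can actually perform.
Names, log format and sample data are this example's own assumptions.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CRASH_DUMP_SIGS = {b"PAGEDUMP": "crash dump (32-bit)", b"PAGEDU64": "crash dump (64-bit)"}
HIBER_ACTIVE = {b"hibr", b"HIBR"}    # hibernation file still holding RAM contents
HIBER_RESUMED = {b"wake", b"WAKE"}   # system has resumed; contents are mostly stale


def classify_memory_file(path: str) -> str:
    """Label a memory artifact by its first bytes (header signatures only)."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head in CRASH_DUMP_SIGS:
        return CRASH_DUMP_SIGS[head]
    if head[:4] in HIBER_ACTIVE:
        return "hibernation file (valid)"
    if head[:4] in HIBER_RESUMED:
        return "hibernation file (resumed, stale)"
    return "no recognized header (raw image, pagefile or unknown)"


def dead_system_sources(system_root: str) -> dict:
    """Locate the copies of RAM named in the text on a mounted, write-blocked
    system volume. Default Windows layout assumed; paths are case-sensitive
    when the image is mounted on Linux."""
    candidates = {
        "hiberfil.sys": os.path.join(system_root, "hiberfil.sys"),
        "pagefile.sys": os.path.join(system_root, "pagefile.sys"),
        "MEMORY.DMP": os.path.join(system_root, "Windows", "MEMORY.DMP"),
    }
    return {name: p for name, p in candidates.items() if os.path.isfile(p)}


def hash_file(path: str, algorithm: str = "sha256", chunk: int = 1 << 20):
    """Stream-hash a possibly multi-gigabyte image; returns (hexdigest, size)."""
    h = hashlib.new(algorithm)
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
            size += len(block)
    return h.hexdigest(), size


def hash_and_log(path: str, log_path: str, algorithm: str = "sha256") -> str:
    """Hash the image right after capture and append one audit-log line:
    <utc timestamp> <file name> <bytes> <algorithm> <digest>"""
    digest, size = hash_file(path, algorithm)
    stamp = datetime.now(timezone.utc).isoformat()
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(f"{stamp} {os.path.basename(path)} {size} {algorithm} {digest}\n")
    return digest


def verify_against_log(path: str, log_path: str, algorithm: str = "sha256") -> bool:
    """Re-hash the image and compare with the most recent logged digest for it."""
    name = os.path.basename(path)
    logged = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            parts = line.split()
            if len(parts) == 5 and parts[1] == name and parts[3] == algorithm:
                logged = parts[4]
    return logged is not None and hash_file(path, algorithm)[0] == logged


def build_sample_set(root: str) -> None:
    """Write constructed stand-ins (not real captures): real headers, filler bodies."""
    os.makedirs(os.path.join(root, "Windows"), exist_ok=True)
    samples = {
        "hiberfil.sys": b"HIBR" + b"\x00" * 60,
        "pagefile.sys": b"\x00" * 64,
        os.path.join("Windows", "MEMORY.DMP"): b"PAGEDU64" + b"\x00" * 56,
        "raw.img": bytes(range(64)),
        "resumed.sys": b"wake" + b"\x00" * 60,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def run_demo() -> dict:
    """Inventory and classify the sample set, then hash/verify one image."""
    root = tempfile.mkdtemp(prefix="memtriage_")
    build_sample_set(root)
    found = dead_system_sources(root)
    kinds = {name: classify_memory_file(p) for name, p in found.items()}
    for extra in ("raw.img", "resumed.sys"):
        kinds[extra] = classify_memory_file(os.path.join(root, extra))
    image = os.path.join(root, "raw.img")
    log = os.path.join(root, "acquisition_log.txt")
    first = hash_and_log(image, log)
    second = hash_and_log(image, log)      # a file, unlike live RAM, hashes the same twice
    intact = verify_against_log(image, log)
    with open(image, "ab") as fh:          # simulate the image being touched after logging
        fh.write(b"\x01")
    return {"found": sorted(found), "kinds": kinds, "stable_hash": first == second,
            "verified": intact, "verified_after_change": verify_against_log(image, log)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point `dead_system_sources` at the mount point of a write-blocked system volume and `hash_and_log` at the image on your USB key to use it on a real case.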
