Computer Forensics - 101
Cosmin Anghel
Security Systems Sr Advisor @ Dell Secureworks
What is Digital Forensics?
• Emerging discipline in computer security, sometimes dismissed as “voodoo science”
• Investigation that takes place after an incident has happened
• Standards:
ISO/IEC FDIS 27037 - Information technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence
ISO/IEC 27041 - Guidance on assuring suitability and adequacy of investigation methods
ISO/IEC 27042 - Guidelines for the analysis and interpretation of digital evidence
ISO/IEC 27043 - Investigation principles and processes
• Determine the incident “characteristics” and help you answer: Who?/What?, When?, Why?, Where?, How?
• Internal investigation
– Should be based on IR policy
– May lead to criminal investigation
• Criminal investigation
• Support for “real world” investigations
Types of investigations
Who Uses Computer Forensics?
• Criminal Prosecutors
– Rely on evidence obtained from a computer to prosecute suspects
• Civil Litigations
– Any data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases
• Private Corporations
– Digital evidence from employee computers can be used in harassment, fraud, and embezzlement cases
• Law Enforcement Officials
– Rely on computer forensics to back up search warrants and post-seizure handling
• Individual/Private Citizens
– Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment
Forensics Methodology
Phases (from the slide diagram): IDENTIFICATION, INVESTIGATION and ANALYSIS
Identification of system: securing the scene, system description, remote or local system access (memory / drives)
Acquisition: recover as much evidence as possible without altering the crime scene
Recovery: extract data from the acquired evidence
Analysis: depending on the objectives of the investigation
Presentation: a report or presentation may be required
Be prepared
Pack everything imaginable and take at least two of everything!
Toolkits.
Digital camera
Network cross-over cables
Portable field imaging computer
Hub or switch
Storage hard drives
Tags, labels, bags, antistatic bags
Field logbook or notebook
Adapters: IDE to SATA, USB to SATA, etc
Tableau hardware write-blocking device
Forensically sound bootable Linux distributions and network cables
System Description
In general, describe the system you are analyzing
Where did you acquire the system?
What is/was it used for?
What is the configuration of the system (OS, network)?
Include any other information you feel may be necessary
Preservation
Risk Assessment
Securing the Scene: provide ongoing security and perimeter control throughout the search-and-seizure operation
Seizing Computer Evidence
Physical Evidence
Volatile Digital Evidence: protecting and capturing the physical memory
Bagging and Tagging
• Proper evidence handling means that evidence must be identified, documented, collected, and protected.
• Once the evidence item(s) has been collected, the identity of the person(s) locating and collecting the item should be logged along with the date and time of collection.
• Logging and tracking of the item(s) should be maintained: when the item(s) is being transferred into the possession of another person, placed into evidence holding, removed from evidence holding, returned to the custodian, etc.
• Maintaining a secure storage area.
Chain-of-custody and storage of the evidence
Scenarios
• Offline acquisition: target systems are switched off; acquire the hard drive and the hibernation file (hiberfil.sys)
• Live acquisition*: target system is turned on; capture the contents of RAM
• Remote: memory is collected remotely via dedicated channels or mechanisms
Based on the incident type and the logistics you should choose the proper type of acquisition.
FastBloc/Tableau Acquisitions (offline)
• Tableau features:
Write-blocked
Computer forensic software recognition
Plug and Play (no new drivers)
USB 2 support
Various models depending on interfaces
• Check the blocker on a scratch drive before the case (attempt a write through it and confirm nothing changes) and record its model and firmware in the field logbook.
LinEn Acquisitions (offline)
• LinEn utility is a Linux version of the industry-standard DOS-based EnCase acquisition tool.
• Steps to acquire drives with LinEn:
1. Make a bootable USB with LinEn (Linux distribution). You find LinEn in the installation folder of EnCase Examiner.
2. Boot your target system from the USB.
3. Check to see what devices are available: fdisk -l
4. Mount your storage drive, i.e. the destination for the evidence files (the suspect drive itself is only ever read, never mounted): mount /dev/xxx /mnt/ewf
5. Launch LinEn: ./LinEn
6. Select the options for acquisition.
Also, you have the option to acquire via network cable: connect your Linux imaging machine (lab or suspect) to a Windows machine running EnCase using a network crossover cable. In EnCase, in the “Add Evidence” menu, choose “Add Crossover Preview”.
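Stripped of the EnCase specifics, the offline procedure above is: read the source device bit for bit into the mounted storage drive, hash what was read, re-hash the finished image, and log who did it and when. The script below is an added example of that generic procedure (not LinEn or EnCase code, and not something the talk provides); the custody-log line format, the 1 MiB chunk size and the paths are assumptions, and the `demo()` input is a constructed file rather than evidence.

```python
"""Bit-for-bit imaging of a source (file or raw block device such as
/dev/sdb) with hash verification and an acquisition log line.
Added example; it is not LinEn or EnCase code.  The log format and the
1 MiB chunk size are assumptions.

Usage: python image_source.py /dev/sdb /mnt/ewf/evidence.dd
"""
import hashlib
import os
import sys
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB reads; on a device keep this a multiple of the sector size


def acquire(source, image_path, chunk=CHUNK):
    """Copy `source` to `image_path` chunk by chunk.

    A chunk that fails to read is replaced by zeros and its offset recorded,
    which is what `dd conv=noerror,sync` does, so the image keeps the original
    layout and later offsets stay correct.  Returns (bytes_written,
    sha256_of_source_as_read, list_of_bad_offsets).
    """
    digest = hashlib.sha256()
    written, bad = 0, []
    with open(source, "rb", buffering=0) as src, open(image_path, "wb") as dst:
        while True:
            try:
                data = src.read(chunk)
            except OSError:
                bad.append(written)            # unreadable sector(s) in this chunk
                data = b"\x00" * chunk         # zero-fill instead of aborting
                src.seek(written + chunk)      # skip past the bad region
            if not data:
                break
            digest.update(data)
            dst.write(data)
            written += len(data)
    return written, digest.hexdigest(), bad


def sha256_file(path, chunk=CHUNK):
    """Hash a finished image file so it can be compared with the source hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_and_verify(source, image_path, examiner, log_path):
    """Image, re-hash the written file, append one custody log line.

    True only if the hash computed while reading the source equals the hash
    of the finished image; copy both hashes into the field notebook as well.
    """
    size, src_hash, bad = acquire(source, image_path)
    img_hash = sha256_file(image_path)
    ok = src_hash == img_hash
    with open(log_path, "a") as log:   # assumed log format: one line per acquisition
        log.write(
            f"{time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())} examiner={examiner} "
            f"source={source} image={image_path} bytes={size} sha256={src_hash} "
            f"verified={'yes' if ok else 'NO'} bad_blocks={len(bad)}\n"
        )
    return ok


def demo():
    """Constructed sample (not evidence): image a 2.5 MiB patterned file."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "sample.bin")
    data = bytes(range(256)) * (10 * 1024)     # 2,621,440 bytes
    with open(src, "wb") as f:
        f.write(data)
    img = os.path.join(work, "sample.dd")
    ok = acquire_and_verify(src, img, "examiner", os.path.join(work, "custody.log"))
    return {"ok": ok, "size": os.path.getsize(img),
            "expected": hashlib.sha256(data).hexdigest(), "image": sha256_file(img)}


if __name__ == "__main__":
    src, dst = sys.argv[1], sys.argv[2]
    print("verified" if acquire_and_verify(src, dst, os.environ.get("USER", "examiner"), dst + ".log")
          else "HASH MISMATCH")
```

The hash is computed from the bytes as they are read, not from a second pass over the device, so a drive that is failing is not read twice; the image file is then hashed independently, and the two values must agree before the drive goes back in its bag. Any non-empty bad-block list is a finding that belongs in the report, since those regions of the image are zeros, not evidence.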
Memory Acquisition
1. Commercial solution: DumpIt (MoonSols).
2. Free tool: winpmem.exe [useful options]
-o </path/to/file>, --output </path/to/file> - Output file to write to
-c <zlib, snappy, none> - Type of compression to use
-i </path/to/file/or/device> - File to image
• You can run it from a USB stick.
• Acquire memory first, before anything else is done on the box: the acquisition tool and every action the OS takes while it runs overwrite pages, so run it from removable media, write the dump to external storage and hash the dump immediately.
Remote Acquisition (F-Response Tactical)
Diagram: the incident responder reaches the subject machine across the enterprise network.
• Read-only access to remote system: RAID disks, physical drives, logical volumes, physical memory
• Single executable (“exe”) that requires no drivers or installation components
• Does not require a reboot.
• Two USB drives are paired for life: plug the USB devices into the subject and examiner machines, execute, and they will find each other (if they are on the same network). After that the examiner sees all physical and logical drives and RAM on the subject machine.
Memory Forensics: Why?
Diagram: the memory hierarchy, CPU, cache, RAM and disk (virtual memory)
Everything in the OS traverses RAM:
• Running processes and the system objects/resources with which they interact
• Portions of nonvolatile sources of evidence such as the registry, event log, and Master File Table
• Active network connections
• Malware
• Remnants of previously executed console commands
• Open files
• Loaded drivers
• Encryption keys and clear-text data that is otherwise encrypted on disk
• User credentials (hashed, obfuscated, clear text)
• Important data structures within the kernel that provide insight into process accounting, behavior, and execution
Memory Forensics Advantages
• Best place to identify malicious software activity
Study running system
Identify inconsistencies in system
Bypass packers, binary obfuscations, rootkits.
• Analyze recent activity on the system
Identify all recent activity in context
Profile user or attacker activities
• Collect evidence that cannot be found anywhere else
Memory-only malware
Chat threads
Internet activities
Finding the First “HIT”
1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review network artifacts
4. Look for code injections
5. Search for rootkits
6. Dump suspicious processes and drivers
Analyzing Processes
Image Name
• Legitimate process?
• Spelled correctly?
• Matches system context?
Full Path
• Appropriate path for system executables?
• Running from a user or temp directory?
Parent Process
• Is the parent process what you would expect?
Command Line
• Executable matches image name?
• Do arguments make sense?
Start Time
• Was the process started at boot?
• Processes started near the time of a known attack
Security IDs
• Do the security identifiers make sense?
• Why would a system process use a user account SID?
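The checks above can be run mechanically over the output of pslist, the command lines and getsids before looking at anything by hand. The script below is an added example of that triage and is not Volatility code or part of the talk; the baseline of expected parent processes and directories is an assumption for Windows 7-era hosts (adjust it per OS version, and expect exited parents such as userinit.exe to show up as unknown), and the `SAMPLE` listing is constructed.

```python
"""Process triage with the slide's checks (image name, full path, parent,
command line, security IDs) over a pslist/cmdline/getsids-style listing.
Added example, not Volatility code.  BASELINE is an assumption for
Windows 7-era hosts; adapt it per OS version.  SAMPLE is constructed."""
import ntpath
import re

# Assumed baseline: expected parent image name and directory of core Windows processes.
BASELINE = {
    "smss.exe":     ("system",       r"c:\windows\system32"),
    "csrss.exe":    ("smss.exe",     r"c:\windows\system32"),
    "wininit.exe":  ("smss.exe",     r"c:\windows\system32"),
    "services.exe": ("wininit.exe",  r"c:\windows\system32"),
    "lsass.exe":    ("wininit.exe",  r"c:\windows\system32"),
    "svchost.exe":  ("services.exe", r"c:\windows\system32"),
}
SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}   # LocalSystem, LocalService, NetworkService
USER_DIR = re.compile(r"\\(users|documents and settings)\\|\\temp\\", re.I)


def levenshtein(a, b):
    """Edit distance; catches look-alike names such as scvhost.exe or lsasss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cmdline_exe(cmdline):
    """First token of a command line, honouring a quoted executable path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def triage(procs):
    """procs: dicts with pid, ppid, name, path, cmdline, sids.
    Returns {pid: [findings]} for every process with at least one finding."""
    by_pid = {p["pid"]: p for p in procs}
    findings = {}
    for p in procs:
        name, notes = p["name"].lower(), []
        parent = by_pid.get(p["ppid"])
        parent_name = parent["name"].lower() if parent else "<exited/unknown>"
        if name in BASELINE:
            exp_parent, exp_dir = BASELINE[name]
            if parent_name != exp_parent:                         # parent process
                notes.append(f"parent is {parent_name}, expected {exp_parent}")
            if ntpath.dirname(p["path"]).lower() != exp_dir:      # full path
                notes.append(f"unexpected path {p['path']}")
            if not SYSTEM_SIDS & set(p["sids"]):                  # security IDs
                notes.append("system process without a system SID (user context?)")
        else:                                                     # image name: near miss?
            for known in BASELINE:
                if 0 < levenshtein(name, known) <= 2:
                    notes.append(f"name resembles {known} (possible masquerade)")
        if USER_DIR.search(p["path"]):                            # user or temp directory
            notes.append(f"running from user/temp directory {p['path']}")
        exe = cmdline_exe(p["cmdline"])
        if exe and ntpath.basename(exe).lower() != name:          # command line vs image name
            notes.append(f"command line runs {exe}, image name is {p['name']}")
        if notes:
            findings[p["pid"]] = notes
    return findings


SAMPLE = [  # constructed listing, not from a real case
    {"pid": 4, "ppid": 0, "name": "System", "path": "", "cmdline": "", "sids": ["S-1-5-18"]},
    {"pid": 300, "ppid": 4, "name": "smss.exe", "path": r"C:\Windows\System32\smss.exe",
     "cmdline": r"\SystemRoot\System32\smss.exe", "sids": ["S-1-5-18"]},
    {"pid": 420, "ppid": 300, "name": "wininit.exe", "path": r"C:\Windows\System32\wininit.exe",
     "cmdline": "wininit.exe", "sids": ["S-1-5-18"]},
    {"pid": 500, "ppid": 420, "name": "services.exe", "path": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\system32\services.exe", "sids": ["S-1-5-18"]},
    {"pid": 516, "ppid": 420, "name": "lsass.exe", "path": r"C:\Windows\System32\lsass.exe",
     "cmdline": r"C:\Windows\system32\lsass.exe", "sids": ["S-1-5-18"]},
    {"pid": 616, "ppid": 500, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs", "sids": ["S-1-5-20"]},
    {"pid": 1200, "ppid": 900, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE", "sids": ["S-1-5-21-1-2-3-1001"]},
    {"pid": 1337, "ppid": 1200, "name": "svchost.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "cmdline": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "sids": ["S-1-5-21-1-2-3-1001"]},
    {"pid": 2044, "ppid": 1200, "name": "scvhost.exe", "path": r"C:\Windows\Temp\scvhost.exe",
     "cmdline": r"C:\Windows\Temp\scvhost.exe -s", "sids": ["S-1-5-21-1-2-3-1001"]},
]

if __name__ == "__main__":
    for pid, notes in sorted(triage(SAMPLE).items()):
        print(pid, *notes, sep="\n  ")
```

On the constructed listing only PIDs 1337 (svchost.exe spawned by explorer.exe from a user Temp directory with a user SID) and 2044 (scvhost.exe, two edits away from svchost.exe, in C:\Windows\Temp) are flagged; the genuine svchost.exe under services.exe passes. The edit-distance check is deliberately loose (two edits) because attackers pick names that survive a glance at Task Manager, and every hit still has to be confirmed against the dumped binary.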
Rapid Memory Search
• You can find:
IP addresses/domain names
Malware file names
Usernames
Email addresses
• Step 1: Create ASCII and Unicode strings files
srch_strings -t d -a memory.img > memory.asc
srch_strings -t d -a -e l memory.img > memory.uni
(-t d prints the decimal offset of each string; keep it, Volatility’s strings plugin takes this format to map a hit back to the process or kernel region that owns it)
• Step 2: Search for indicators
grep -i string memory.asc
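The same two steps, written out so the offsets and the two encodings are visible, as an added example that is not part of the talk (it is not srch_strings or Volatility code). `SAMPLE_IMAGE` is a constructed byte string standing in for a memory image, and the indicator list is an assumption.

```python
"""ASCII and UTF-16LE string extraction with decimal offsets plus indicator
search, equivalent to the `srch_strings -t d -a` / `-e l` and `grep -i` steps
on the slide.  Added example, not part of the original talk; SAMPLE_IMAGE is a
constructed byte string, not a real memory dump."""
import mmap
import re


def extract_strings(data, min_len=4):
    """Yield (decimal_offset, encoding, text) for every printable run of at
    least min_len characters, ASCII first, then UTF-16LE (Windows wide strings)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_re.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def search(data, indicators):
    """Case-insensitive indicator search; returns (offset, encoding, indicator, string)
    tuples sorted by offset.  The offset is what Volatility's strings plugin needs to
    map a hit back to a process or kernel address space."""
    hits = []
    for off, enc, text in extract_strings(data):
        low = text.lower()
        for ind in indicators:
            if ind.lower() in low:
                hits.append((off, enc, ind, text))
    return sorted(hits)


def scan_file(path, indicators):
    """Run the search over a memory image on disk without loading it into RAM."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return search(mm, indicators)


SAMPLE_IMAGE = (  # constructed: a few artefacts surrounded by non-printable filler
    b"\x00" * 16
    + b"GET /update.php HTTP/1.1\r\nHost: evil-cdn.example.com\r\n"
    + b"\x90" * 8
    + "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe".encode("utf-16-le")
    + b"\xcc" * 4
    + b"admin@example.com"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, enc, ind, text in search(SAMPLE_IMAGE, ["example.com", "svchost.exe"]):
        print(f"{off:>10} {enc:8} {ind:14} {text}")
```

The file path in the sample only turns up in the UTF-16LE pass, which is why the slide builds both memory.asc and memory.uni: Windows keeps paths, registry keys and most process-related strings as wide characters, and an ASCII-only grep misses them.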
Rootkit/Malware hunting - volatility
• Volatility is one of the best frameworks for analysing memory images
• It is command-line based and is written completely in Python
• Has a lot of plugins: malfind, apihooks, orphanthreads, etc.
• Supports:
Volatility Plugins (examples)
apihooks - Find API hooks
connections - Print list of open connections
dlllist - Print list of loaded DLLs for each process
dlldump - Dump a DLL from a process address space
files - Print list of open files for each process
getsids - Print the SIDs owning each process
malfind - Find hidden and injected code
procexedump - Dump a process to an executable file sample
procmemdump - Dump a process to an executable memory sample
pslist - Print all running processes by following the EPROCESS lists
orphanthread - Locate hidden threads
mutantscan - Scan for mutant objects (KMUTANT)
pstree - Print process list as a tree
sockets - Print list of open sockets
Complete list: https://code.google.com/p/volatility/wiki/Plugins
How to use volatility
• vol.py -f [image] [plugin] --profile=[PROFILE]
• you can set an environment variable to replace -f [image] (and VOLATILITY_PROFILE in the same way for --profile)
export VOLATILITY_LOCATION=file://<file path>
vol.py pslist --profile=[PROFILE]
Image identification
• imageinfo
Recover metadata from a memory image (suggested profiles, KDBG address, image date and time); pick the profile here before running anything else
vol.py -f memory.img imageinfo
Identify suspect processes: psscan vs pslist
• psscan scans physical memory for EPROCESS pool allocations
• Hidden processes may be identified
• Processes no longer running are identified as well
• In the slide example pslist did not find the dllhost.exe process; psscan found it, most likely because it was terminated but lingering in unallocated memory space.
What process is suspicious? Winppr32.exe
Rootkit Detection: psxview
• Performs a cross-view analysis using six different process listing plugins to visually identify hidden processes.
• It is important to know the output differences between each source:
• An entry not found by pslist is often a hidden process
• Terminated processes may only show in the psscan column
Analyzing Process Objects: dlllist
• Display the loaded DLLs and the command line used to start each process
• Show information for specific process IDs (-p)
• The command line displayed for the process provides full path information of where the executable was located and what parameters were used to load it
• The base offset provided can be used to extract a specific DLL with dlldump.
Hint: look at the running path of the suspicious process.
Analyzing Process Objects: getsids
• Display security identifiers (SIDs) for each process
• Can be useful to determine how a process was spawned and with what permissions.
In the slide example the suspicious process has two user SIDs associated with it; this tells us that the process was likely spawned from a user context and hence is unlikely to be a true system process.
Analyzing Process Objects: malfind
• Scans process memory sections looking for indications of code injection (private memory marked PAGE_EXECUTE_READWRITE that is not backed by a file) and extracts them for further analysis.
• You may see multiple injected sections within the same process
• Dumped sections can be reverse engineered or sent to A/V
• JIT engines (.NET, Java, browsers) create the same kind of region legitimately, so check the dumped bytes for an MZ header or a recognisable code prologue before calling it an injection
Six injected sections in this memory image (slide screenshot)
Acquiring DLLs: dlldump
• Extract DLL files belonging to a specific process or group of processes
• Use -p (PID), -r (DLLs matching a REGEX name pattern) or -b (specific base offset) to limit the number of DLLs extracted.
• Since many processes point to the same DLLs you may encounter multiple copies of the same DLL extracted.
Acquiring Processes and Drivers: procdump
• Dump a process to an executable memory sample
• Why?
• Anti-virus scanning engines
• Malware analysis sandboxes
• Dynamic malware analysis
• Static malware debugging and disassembly
• A dumped image has its imports already resolved and may have pages that were never paged in, so expect to repair it before it runs or disassembles cleanly; A/V and sandboxes can still match on it.
Network Artifacts: connections & connscan
• Walk the linked list of TCP connections (connections plugin)
• Scan the memory image to find closed or unlinked TCP connection structures (connscan plugin)
• Run both plugins and compare results to identify active and closed connections
• Pay attention to the PID attached to the connection.
• These two plugins cover Windows XP/2003 images; on Vista and later use netscan instead.
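Both psxview (pslist against psscan and the other process sources) and the connections/connscan comparison above are the same cross-view operation: anything the pool scanner finds that the linked-list walk does not is either a terminated object still sitting in freed pool or an object that was unlinked from the list, and the PID on an unlinked connection should be checked against the process verdicts. The script below is an added example of that comparison, not Volatility's code and not from the talk; the plugin outputs in `PROCESS_VIEWS` and `CONNECTION_VIEWS` are constructed.

```python
"""Cross-view comparison of a linked-list walk against a pool scan.
This is the idea behind psxview (pslist, psscan and the other process
sources) and behind running connections next to connscan: an object the
scanner finds but the list walk does not is either terminated (it still
carries an exit time) or unlinked from the list, i.e. possibly hidden.
Added example with constructed plugin output; not Volatility's own code."""


def cross_view(views, list_name, scan_name):
    """views: {plugin_name: {key: record}}.  key identifies the object (e.g.
    (pid, name) for processes, (local, remote, pid) for connections); a
    record is a dict that may carry 'exit_time'.  Returns {key: {'seen': {...},
    'verdict': ...}} with one of:
      present    - in every view
      terminated - missing from the list walk but carrying an exit time
      unlinked   - missing from the list walk with no exit time: hidden, or a
                   freed object whose exit time was not recovered; inspect it
      scan-miss  - in the list but not found by the scanner (overwritten pool tag)
      partial    - seen by the list walk and scanner but not by every extra view
    """
    keys = set().union(*views.values())
    result = {}
    for key in sorted(keys):
        seen = {name: key in view for name, view in views.items()}
        record = next(view[key] for view in views.values() if key in view)
        if all(seen.values()):
            verdict = "present"
        elif not seen[list_name]:
            verdict = "terminated" if record.get("exit_time") else "unlinked"
        elif not seen[scan_name]:
            verdict = "scan-miss"
        else:
            verdict = "partial"
        result[key] = {"seen": seen, "verdict": verdict}
    return result


def render(result, views):
    """psxview-style table: one column per source, True/False, then the verdict."""
    names = list(views)
    lines = ["key".ljust(44) + " ".join(n.ljust(11) for n in names) + " verdict"]
    for key, info in result.items():
        cells = " ".join(str(info["seen"][n]).ljust(11) for n in names)
        lines.append(f"{str(key):44}{cells} {info['verdict']}")
    return "\n".join(lines)


# Constructed outputs of three process sources and two connection sources.
PROCESS_VIEWS = {
    "pslist":   {(4, "System"): {}, (516, "lsass.exe"): {}, (616, "svchost.exe"): {}},
    "psscan":   {(4, "System"): {}, (516, "lsass.exe"): {}, (616, "svchost.exe"): {},
                 (1920, "dllhost.exe"): {"exit_time": "2014-03-01 10:42:17"},
                 (2044, "hidden.exe"): {}},
    "thrdproc": {(4, "System"): {}, (516, "lsass.exe"): {}, (616, "svchost.exe"): {},
                 (2044, "hidden.exe"): {}},
}
CONNECTION_VIEWS = {
    "connections": {("10.0.0.5:49152", "198.51.100.7:443", 616): {}},
    "connscan":    {("10.0.0.5:49152", "198.51.100.7:443", 616): {},
                    ("10.0.0.5:49160", "203.0.113.9:8080", 2044): {}},
}

if __name__ == "__main__":
    procs = cross_view(PROCESS_VIEWS, "pslist", "psscan")
    print(render(procs, PROCESS_VIEWS))
    conns = cross_view(CONNECTION_VIEWS, "connections", "connscan")
    print(render(conns, CONNECTION_VIEWS))
```

In the constructed data dllhost.exe comes out as terminated (exit time recorded, the dllhost case from the psscan slide), while hidden.exe is absent from pslist with no exit time and still has threads, which is the pattern an unlinked EPROCESS leaves; the connection to 203.0.113.9:8080 that only connscan reports belongs to that same PID, which is exactly why the slide says to pay attention to the PID on each connection.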
DF Investigator Profile
• Understanding of relevant laws
• Knowledge of file systems, OS, and applications
– Where are the logs, what is logged?
– What are possible obfuscation techniques?
– What programs and libraries are present on the system and how are they used?
• Know what tools exist and how to use them
• Be able to explain things in simple terms
Thank you for your attention!
Cosmin Anghel
Books:
• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, by Michael Hale Ligh, Andrew Case, Jamie Levy, AAron Walters
• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski, Andrew Honig
• Incident Response & Computer Forensics, by Jason T. Luttgens, Matthew Pepe, Kevin Mandia