
Introduction to Memory Forensics

Methodologies and techniques for the acquisition and analysis of volatile data. 18 December 2010

First-level university master's programme in Information Security and Digital Forensics, academic year 2009/2010 - UNIMOL

Dott. Francesco Schifilliti

Activities carried out: Information Security and Forensics Expert

- Design of complex network security infrastructures
- Execution and review of vulnerability assessments and penetration tests
- Drafting of standard operating procedures for companies on intrusion/extrusion detection, incident handling and computer forensic labs
- Technical support to investigations into: violations of intellectual property and industrial law, unauthorized access to and damage of computer systems, possession and distribution of child pornography material, phishing, violations of privacy regulations, tax crimes and crimes against property, fraud and scams
- Technical support to companies in incident response activities

Services offered by ForensicTech.IT

- Information Forensics
- Incident Handling
- Security Advisory
- Training

Disclaimers

- Only INTEL processors and their architecture are referred to, purely for simplicity
- The information on the software mentioned in these slides must be verified at the time of use
- Windows systems will be the main subject

Where is the data in a computer?

Definition of memory forensics

Memory forensics refers to finding and extracting forensic artifacts from a computer's physical memory, otherwise known as RAM.

The RAM of the system contains critical information about the runtime state of the system while the system is active.

Locard's Exchange Principle

Every contact leaves a trace *
When we interact with a live system, whether as the user or as the investigator, changes will occur on that system. On a live system, changes will occur simply due to the passage of time, as processes work, as data is saved and deleted, as network connections time out or are created, and so on. Some changes happen when the system just sits there and runs. Changes also occur as the investigator runs programs on the system to collect information, volatile or otherwise. Running a program causes information to be loaded into physical memory, and in doing so, physical memory used by other, already running processes may be written to the page file. As the investigator collects information and sends it off the system, new network connections will be created. Changes that occur to a system as the system itself apparently sits idle are referred to as evidence dynamics and are similar to rain washing away potential evidence at a crime scene.
* Edmund Locard - Director of the First Crime Lab. (www.south-wales.police.uk)


Why the content of RAM is interesting

- Volatile memory contains data that is not present anywhere else
- Only volatile memory preserves the state of a computer that is powered on and running
- Using the information in volatile memory it is possible to overcome the problems posed by anti-forensics techniques applied to the disk
- By correlating the information obtained from security agents with the data contained in volatile memory, one can understand an artifact that involves the disk
- Only through the analysis of the data in volatile memory is it possible to understand how a computer attack that leaves no traces on the disk was carried out

In other words

Data in memory such as: register information, cache contents, running processes, executed console commands (text in memory), passwords (clear text), unencrypted data from disk encryption systems, instant messages, IP addresses, currently open ports and listening applications, logged-on users, system information, etc.

ACPO Guide for Computer Based Electronic Evidence

www.7safe.com

From the ACPO Guide

The types of information that may be retrieved are artifacts such as running processes, network connections (e.g. open network ports & those in a closing state) and data stored in memory. Memory also often contains useful information such as decrypted applications (useful if a machine has encryption software installed) or passwords and any code that has not been saved to disk etc. If the power to the device is removed, such artifacts will be lost. If captured before removing the power, an investigator may have a wealth of information from the machine's volatile state, in conjunction with the evidence on the hard disk. By profiling the forensic footprint of trusted volatile data forensic tools, an investigator will be in a position to understand the impact of using such tools and will therefore consider this during the investigation and when presenting evidence. A risk assessment must be undertaken at the point of seizure, as per normal guidelines, to assess whether it is safe and proportional to capture live data which could significantly influence an investigation.

Don't pull the plug!

Fields of application of memory forensics

From NIST SP 800-86

Before copying the files from the affected host, it is often desirable to capture volatile information that may not be recorded in a file system or image backup,... This data may hold clues as to the attacker's identity or the attack methods that were used.... However, risks are associated with acquiring information from the live system. Any action performed on the host itself will alter the state of the machine to some extent. Also, the attacker may currently be on the system and notice the handler's activity, which could have disastrous consequences.

From NIST SP 800-86, cont'd

A well-trained and careful incident handler should be able to issue only the minimum commands needed for acquiring the dynamic evidence without inadvertently altering other evidence. A single poorly chosen command can irrevocably destroy evidence; for example, simply displaying the directory contents can alter the last access time on each listed file. Furthermore, running commands from the affected host is dangerous because they may have been altered or replaced (e.g., Trojan horses, rootkits) to conceal information or cause additional damage. After acquiring volatile data, an incident handler with computer forensics training should immediately make a full disk image to sanitized write-protectable or write-once media.

Live analysis requirements

- Deep understanding and knowledge of computer forensics (C.F.) techniques
- Adequate, trusted tools whose operation is known
- A flexible operating protocol
- Live analysis must be objectively necessary as an operational choice
- Field experience (preferable)

Order of Volatility

Order of Volatility (2)

RFC 3227:
1. Registers, cache
2. Network status
3. Process information
4. Main memory
5. Temporary file systems
6. Disk
7. Remote logging and monitoring data that is relevant to the system in question
8. Physical configuration, network topology
9. Archival media

Forensic Discovery:
1. Registers, peripheral memory, caches, etc.
2. Main memory
3. Network status
4. Process information
5. Disk
6. Floppies, backup media, etc.
7. CD-ROM, printouts, etc.

NIST SP 800-86:
1. Network status
2. Login sessions
3. Main memory
4. Process information
5. Open files
6. Network configuration
7. Operating system time

Women and children first... and Main Memory

Main memory: current data
Secondary memory: backup data

When to start with the RAM dump rather than the disk?

Memory forensics is ALSO particularly interesting in cases where a user:
- uses ENCRYPTION software for:
  - Full Disk Encryption (BitLocker, FileVault, dm-crypt and TrueCrypt (up to version 6.a))
  - Partial Disk Encryption on files and folders
- uses software implementing SANDBOXING techniques (or a RAM DISK):
  - Private browsing navigation
  - Programs such as Deep Freeze, Shadow User, RollBack Rx, etc.
- uses software implementing authentication mechanisms

Or when there is no disk at all

- Kiosk or Internet Café
- Thin Client
- Data in the Cloud

Acquisition of a "forgetful" memory (smemoRAMta)

Dead forensics: acquisition -> analysis -> reporting
Live forensics: acquisition -> analysis -> reporting

Problems of live forensics

- Obtaining access to the system
- Procedural/legal problems

Problems tied to live forensics itself:
- Data acquisition depends on the operating system
- Demonstrating authenticity
- Data is modified during acquisition

System inquiry vs memory dumping

Information (NON-VOLATILE DATA) can be obtained from the target system about: system info, user info, open files info, network info, programs and miscellaneous items, for example: clipboard contents, logged-on users, net info, program data, process-port mapping, libraries, net connections, network shares, etc.

What do I need to acquire?

Where is the data I need to acquire?

Main Memory

The CPU did not accept the RAM's friend request

Processor fundamental references

Windows reference
Windows Internals, M. Russinovich, D. Solomon and A. Ionescu (Microsoft Press, 2009)

Simplified Windows NT architecture

Main components in Windows NT

Ntoskrnl.exe

Main components in Windows NT, cont'd

CPU model and memory model

Memory paging model

From the IA-32 Intel Architecture Software Developer's Manual, Vol. 3A, Ch. 4

Linear-Address Translation to a 4-KByte Page using 32-Bit Paging

By way of example
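As an added worked example (not part of the original slides), the 32-bit paging walk that the Intel manual chapter cited above describes, implemented in Python over a constructed physical-memory image: the linear address is split 10/10/12 into page-directory index, page-table index and page offset, the PS bit is honoured so 4-MByte pages translate correctly, and a non-present entry is reported rather than silently dereferenced (such a page may be in the pagefile, which is why some tools in the deck capture the pagefile as well). The image layout, CR3 value and addresses are all made up for the example; a memory analysis tool performs exactly this walk against a raw dump, where the physical address is the file offset.

```python
import struct

# Constants of IA-32 32-bit paging (no PAE), Intel SDM Vol. 3A, Ch. 4.
PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT          # 4 KiB
LARGE_PAGE_SIZE = 1 << 22            # 4 MiB, used when a PDE has the PS bit set
FLAG_PRESENT = 1 << 0
FLAG_RW = 1 << 1
FLAG_PS = 1 << 7                     # PDE only: the entry maps a 4-MByte page directly


class PageNotPresent(Exception):
    """The walk hit a non-present entry: the page is paged out or was never mapped."""


def read_u32(phys_mem, phys_addr):
    """Read one little-endian 32-bit paging entry from the raw physical image."""
    return struct.unpack_from("<I", phys_mem, phys_addr)[0]


def translate(phys_mem, cr3, linear):
    """Translate a 32-bit linear address to a physical address (raises PageNotPresent)."""
    pde_index = (linear >> 22) & 0x3FF          # bits 31:22
    pte_index = (linear >> 12) & 0x3FF          # bits 21:12
    offset = linear & (PAGE_SIZE - 1)           # bits 11:0

    page_directory = cr3 & 0xFFFFF000           # CR3 bits 31:12 hold the directory frame
    pde = read_u32(phys_mem, page_directory + pde_index * 4)
    if not pde & FLAG_PRESENT:
        raise PageNotPresent(f"PDE {pde_index:#x} not present for {linear:#010x}")

    if pde & FLAG_PS:
        # 4-MByte page: PDE bits 31:22 are the frame, linear bits 21:0 the offset.
        return (pde & 0xFFC00000) | (linear & (LARGE_PAGE_SIZE - 1))

    page_table = pde & 0xFFFFF000
    pte = read_u32(phys_mem, page_table + pte_index * 4)
    if not pte & FLAG_PRESENT:
        raise PageNotPresent(f"PTE {pte_index:#x} not present for {linear:#010x}")
    return (pte & 0xFFFFF000) | offset


def is_present(phys_mem, cr3, linear):
    """True if the linear address is backed by a present page."""
    try:
        translate(phys_mem, cr3, linear)
        return True
    except PageNotPresent:
        return False


def read_virtual(phys_mem, cr3, linear, length):
    """Read `length` bytes at a linear address, translating page by page so that
    reads crossing a page boundary follow the (possibly non-contiguous) frames."""
    out = bytearray()
    while length > 0:
        phys = translate(phys_mem, cr3, linear)
        chunk = min(length, PAGE_SIZE - (linear & (PAGE_SIZE - 1)))
        out += phys_mem[phys:phys + chunk]
        linear += chunk
        length -= chunk
    return bytes(out)


def build_sample_image():
    """Constructed 32 KiB physical image (not from any real system): page directory
    at 0x1000, one page table at 0x2000, data frames at 0x3000 and 0x4000, plus a
    4-MByte mapping whose frame lies outside this small image."""
    mem = bytearray(8 * PAGE_SIZE)
    cr3 = 0x1000
    # PDE 1 -> page table at 0x2000 (present, writable): covers linear 0x00400000-0x007FFFFF
    struct.pack_into("<I", mem, cr3 + 1 * 4, 0x2000 | FLAG_RW | FLAG_PRESENT)
    # PDE 2 -> 4-MByte page at physical 0x00400000: covers linear 0x00800000-0x00BFFFFF
    struct.pack_into("<I", mem, cr3 + 2 * 4, 0x00400000 | FLAG_PS | FLAG_RW | FLAG_PRESENT)
    # PTE 1 -> frame 0x3000 (linear 0x00401000), PTE 2 -> frame 0x4000 (linear 0x00402000)
    struct.pack_into("<I", mem, 0x2000 + 1 * 4, 0x3000 | FLAG_RW | FLAG_PRESENT)
    struct.pack_into("<I", mem, 0x2000 + 2 * 4, 0x4000 | FLAG_RW | FLAG_PRESENT)
    # PTE 3 is left zero on purpose: linear 0x00403000 is "paged out".
    # Sample content straddling the two frames (constructed): a fake MZ header.
    mem[0x3FFC:0x4000] = b"MZ\x90\x00"
    mem[0x4000:0x4004] = b"\x03\x00\x00\x00"
    return mem, cr3


if __name__ == "__main__":
    mem, cr3 = build_sample_image()
    for va in (0x00401234, 0x00812345, 0x00403000):
        status = f"{translate(mem, cr3, va):#010x}" if is_present(mem, cr3, va) else "not present"
        print(f"linear {va:#010x} -> physical {status}")
    print(read_virtual(mem, cr3, 0x00401FFC, 8))
```

The non-present case is the forensic point: a tool that only walks the RAM image returns nothing for that page, and only a dump that also includes the pagefile (compare the "RAW with Pagefile" formats in the tool tables later in the deck) can recover it.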

What gluttony: can I acquire everything?

Diagram: from 0 to 4 GB the physical address space holds RAM and DEVICE MEMORY; from 4 GB to 4.5 GB it holds INACCESSIBLE MEMORY. The size of physical memory is 4 GB, while the size of the physical address space is 4.5 GB.
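Added example, not from the slides: a Python model of a firmware memory map with the shape of the diagram above (RAM, a device-memory window below 4 GB, and the RAM displaced by that window remapped above 4 GB). It computes the size of physical memory versus the size of the physical address space and plans which ranges an acquisition tool should read: device (MMIO) ranges are skipped, because reading them can hang or alter the target, and a tool that cannot address memory above a limit (for instance 4 GB) is shown how much RAM it silently misses. The map and its sizes are constructed for the example, not taken from any real machine.

```python
from dataclasses import dataclass

KIB, MIB, GIB = 1 << 10, 1 << 20, 1 << 30


@dataclass(frozen=True)
class PhysRange:
    start: int   # first physical address (inclusive)
    end: int     # one past the last physical address
    kind: str    # "ram", "device" (memory-mapped I/O) or "reserved"

    @property
    def size(self):
        return self.end - self.start


# Constructed firmware-style map (not from a real system): about 4 GB of RAM installed,
# a 512 MB PCI/MMIO window just below 4 GB, and the displaced RAM remapped above 4 GB,
# so the physical address space extends to 4.5 GB although only ~4 GB of RAM exists.
SAMPLE_MAP = [
    PhysRange(0, 640 * KIB, "ram"),
    PhysRange(640 * KIB, 1 * MIB, "reserved"),         # legacy BIOS / video hole
    PhysRange(1 * MIB, 3584 * MIB, "ram"),
    PhysRange(3584 * MIB, 4 * GIB, "device"),          # PCI / APIC / firmware MMIO
    PhysRange(4 * GIB, 4 * GIB + 512 * MIB, "ram"),    # remapped RAM
]


def total_ram(mem_map):
    """Size of physical memory: only the ranges that are actually RAM."""
    return sum(r.size for r in mem_map if r.kind == "ram")


def address_space_size(mem_map):
    """Size of the physical address space: up to the highest mapped address."""
    return max(r.end for r in mem_map)


def acquisition_plan(mem_map, max_phys=None):
    """Return (RAM ranges to read, bytes of RAM unreachable above max_phys).

    Device ranges are never read; reserved gaps contain no RAM. max_phys models a
    tool whose driver cannot address physical memory beyond a limit, so any RAM
    above it is clipped and counted as missed rather than read.
    """
    to_read, missed = [], 0
    for r in mem_map:
        if r.kind != "ram":
            continue
        if max_phys is not None and r.end > max_phys:
            readable_end = max(r.start, min(r.end, max_phys))
            missed += r.end - readable_end
            if readable_end > r.start:
                to_read.append(PhysRange(r.start, readable_end, "ram"))
            continue
        to_read.append(r)
    return to_read, missed


def coverage(mem_map, max_phys=None):
    """Fraction of installed RAM that an acquisition under the given limit captures."""
    to_read, _ = acquisition_plan(mem_map, max_phys)
    return sum(r.size for r in to_read) / total_ram(mem_map)


def describe(mem_map, max_phys=None):
    """Human-readable summary of what an acquisition would and would not capture."""
    to_read, missed = acquisition_plan(mem_map, max_phys)
    lines = [f"physical memory: {total_ram(mem_map) / MIB:.1f} MiB",
             f"physical address space: {address_space_size(mem_map) / MIB:.1f} MiB"]
    for r in to_read:
        lines.append(f"read {r.start:#012x}-{r.end:#012x} ({r.size / MIB:.1f} MiB)")
    lines.append(f"RAM missed above limit: {missed / MIB:.1f} MiB "
                 f"(coverage {coverage(mem_map, max_phys):.2%})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_MAP))                   # tool that can address everything
    print()
    print(describe(SAMPLE_MAP, max_phys=4 * GIB))  # tool limited to 4 GB
```

A raw image written by a tool following this plan has file offset equal to physical address, with the skipped device and reserved gaps zero-filled, which is why a RAW dump can be larger than the amount of RAM installed.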

Tools for acquiring RAM

- Through a mix of hardware and software tools
- Through software-only tools

Hardware/software acquisition tools

- DMA through a PCMCIA card (Tribble by Carrier & Grand, CoPilot by Komoku)
- DMA through the FireWire interface (pythonraw1394 by Boileau or SEAT1394 by Piegdon)
- DMA through the USB interface (Cold Boot Attack by Princeton University, msramdmp by McGrew)

Direct Memory Access

USB-based memory acquisition

DMA-FireWire acquisition tools

FireWire: all your memory are belong to us, presented by M. Dornseif et al. (CanSecWest, 2005)

Hit by a Bus: Physical Access Attacks with Firewire, presented by Adam Boileau (Ruxcon conference, 2006) http://www.storm.net.nz/projects/16

Targeting Physically Addressable Memory, presented by David Piegdon (DIMVA conference, 2007) http://david.piegdon.de/

pythonraw1394
http://computer.forensikblog.de/en/2008/02/acquisition_5_firewire.html

SEAT1394

DMA-USB acquisition tools

Lest We Remember: Cold Boot Attacks on Encryption Keys, presented by J. Halderman et al. (Proc. 2008 USENIX Security Symposium)

Cold Boot Attacks
http://citp.princeton.edu/memory

msramdmp
http://www.mcgrewsecurity.com/tools/msramdmp/

Decay of information in memory

Software acquisition tools

| Software | Vendor/Developer | Web reference |
| --- | --- | --- |
| Windows Memory Toolkit C.E. (win32dd, win64dd, hibr2dmp, hibr2bin, dmp2bin, bin2dmp) | Matthieu Suiche (Moonsol.com) | http://moonsols.com |
| Windows Memory Toolkit Prof | Matthieu Suiche (Moonsol.com) | http://moonsols.com |
| memoryze | Mandiant | http://www.mandiant.com/software/memoryze.htm |
| Fastdump, Fastdump Pro | HBGary | http://www.hbgary.com/ |
| FTK Imager from ver. 2.6.0.49 | AccessData | http://www.accessdata.com |
| winen, winen64 | Guidance Software | http://www.guidancesoftware.com |
| mdd | Mantech | http://www.mantech.com/msma/MDD.asp |
| KnTTools Basic Edition | GMG Systems | http://gmgsystemsinc.com/knttools/ |
| Helix/dd, Helix3 Pro | e-fense | http://www.e-fense.com/helix3pro.php, http://www.e-fense.com |

Characteristics of acquisition software

Software (in the order given on the slide): Windows Memory Toolkit C.E., Windows Memory Toolkit Prof, memoryze, Fastdump, Fastdump Pro, FTK Imager from ver. 2.6.0.49, winen, winen64, mdd, KnTTools Basic Edition, Helix3 Pro, Helix/dd

Freeware/Commercial (in the order given on the slide): Freeware, Commercial, Freeware, Freeware, Commercial, Freeware, Guidance Software: Commercial, Freeware, Commercial, Freeware, Commercial

Characteristics of acquisition software, cont'd

| Software | Supported architectures |
| --- | --- |
| Windows Memory Toolkit (C.E. and Prof) | x86, x64 |
| memoryze | x86 |
| Fastdump | x86 |
| Fastdump Pro | x86, x64, Itanium |
| FTK Imager from ver. 2.6.0.49 | x86, x64 |
| winen | x86 |
| winen64 | x64 |
| mdd | x86, x64 |
| KnTTools Basic Edition | x86, x64 |
| Helix3 Pro | x86, x64 |
| Helix/dd | x86 |

Characteristics of acquisition software, cont'd

| Software | Supported OS |
| --- | --- |
| Windows Memory Toolkit | Microsoft Windows 2000, XP, 2003, Vista, 2008 (all w/ SP), 32 and 64 bit, with more than 4 GB of RAM |
| memoryze | Microsoft Windows 2000 SP4, XP SP2 & SP3, Windows 2003 SP2, up to 4 GB of RAM |
| Fastdump | Up to Microsoft Windows 2003 (w/o SP1), up to 4 GB of RAM |
| Fastdump Pro | Microsoft Windows 2000, XP, 2003, Vista, 2008 Server (all w/ SP), up to 64 GB of RAM |
| FTK Imager from ver. 2.6.0.49 | N.A. |
| winen | Microsoft Windows 2000 or higher, 32 bit |
| winen64 | Microsoft Windows 2000 or higher, 64 bit |
| mdd | Microsoft Windows 2000, 2003, XP, Vista, 2008, up to 4 GB of RAM |
| KnTTools Basic Edition | Microsoft Windows 2000, XP, 2003, Vista, 2008 (all w/ SP) |
| Helix3 Pro | N.A. |
| Helix/dd | Up to Windows 2003 (w/o SP1), up to 4 GB of RAM |

Characteristics of acquisition software, cont'd

Software (in the order given on the slide): win32dd, win64dd, memoryze, Fastdump, Fastdump Pro, FTK Imager from ver. 2.6.0.49, winen, winen64, mdd, KnTTools Basic Edition, Helix3 Pro, Helix/dd

Image file format (in the order given on the slide): RAW, RAW, RAW, RAW or HPAK (also includes the pagefile), RAW, RAW or E0x, RAW, RAW or RAW with pagefile, RAW

Dedicated memory analysis platform (in the order given on the slide): No, Audit Viewer, HBGary Responder, FTK Suite, EnCase via custom EnScript, HBGary Responder, No, KnTList, No

Acquisition methods and their characteristics

An overall methodology? 1 2

Overview of win32dd

win32dd prompt

win32dd options

win32dd internals

win32dd output

What have we acquired?

Where is the volatile data?

What should we analyze?

Thank you

Francesco Schifilliti fschifilliti@forensictech.it