Windows Memory Analysis and Forensics

Windows Memory Acquisition

Acquisition from live systems
- Win32dd.exe  http://win32dd.msuiche.net
- Mdd.exe  http://www.mantech.com/mmsa/mdd.asp
- Memoryze  http://www.mandiant.com

Dead system
- Hibernation file hiberfil.sys
  - Contains a compressed RAM image
Windows Memory Analysis

Windows 2000 memory
- Ability to load and examine processes
- Extract information from memory for a specific process
- Save the contents of process memory to a file, or just its strings
- Other, more specific information can be extracted

Windows XP and Vista
- Windows-based analysis capability
- Authors: Jamie Butler and Peter Silberman
- Recommended: use Audit Viewer for GUI analysis
- Batch scripts that analyze a memory image or a live machine

XP SP2
- Framework for analysis of volatile memory images
- A series of Python scripts
Case Study: XP SP2 with Rootkit

General IR scan
- Run fport to see all network connections and the ports they use
- Run pslist to list all running processes

Scan using Volatility
- # python volatility pslist -f /path/to/xpimage.img
- There is a backdoor process, nc.exe (netcat).
- List all open sockets using Volatility. Check the process create time to see whether the process starts at boot or not.
- Identify the parent rootkit process.
- Retrieve the process from memory.
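The three checks above (which process owns the listening socket, whether it was created long after boot, and what its parent chain is) as a small triage script. This is an added example written for this page, not Volatility's own code. Both listings are constructed: their columns mimic the Name/Pid/PPid/Thds/Hnds/Time and Pid/Port/Proto/Create Time tables that the Volatility 1.x pslist and sockets plugins print, but every value is invented and the process names other than nc.exe are placeholders. It also covers one case the text does not spell out: a socket whose owning PID is absent from pslist, which is what an unlinked (hidden) process looks like.

```python
"""Added example: triage a pslist listing against a socket listing.

Not Volatility code. The two listings are constructed for this example;
the column layout imitates the Volatility 1.x pslist/sockets output.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Process = namedtuple("Process", "name pid ppid created")
Socket = namedtuple("Socket", "pid port proto created")

TIME_FMT = "%a %b %d %H:%M:%S %Y"      # e.g. "Sat Oct 25 13:44:40 2008"
PROTO = {6: "TCP", 17: "UDP"}          # IP protocol numbers in the Proto column

PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
System                  4      0     55    249   Sat Oct 25 13:44:40 2008
smss.exe              544      4      3     21   Sat Oct 25 13:44:47 2008
winlogon.exe          624    544     21    470   Sat Oct 25 13:44:49 2008
services.exe          668    624     16    261   Sat Oct 25 13:44:50 2008
svchost.exe           856    668     17    194   Sat Oct 25 13:44:52 2008
explorer.exe         1552   1520     14    420   Sat Oct 25 13:45:10 2008
unknown1.exe         1900   1552      2     38   Sat Oct 25 14:02:31 2008
nc.exe               1984   1900      1     22   Sat Oct 25 14:02:33 2008
"""

SOCKETS = """\
Pid    Port   Proto  Create Time
4      445    6      Sat Oct 25 13:44:41 2008
856    135    6      Sat Oct 25 13:44:53 2008
1444   8080   6      Sat Oct 25 14:01:58 2008
1984   4444   6      Sat Oct 25 14:02:33 2008
"""


def parse_time(fields):
    """Join the trailing whitespace-split timestamp fields and parse them."""
    return datetime.strptime(" ".join(fields), TIME_FMT)


def parse_pslist(text):
    """Return {pid: Process}. Assumes process names contain no spaces."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "Name":          # blank line or header
            continue
        procs[int(f[1])] = Process(f[0], int(f[1]), int(f[2]), parse_time(f[5:]))
    return procs


def parse_sockets(text):
    """Return a list of Socket records from the sockets table."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "Pid":
            continue
        socks.append(Socket(int(f[0]), int(f[1]), int(f[2]), parse_time(f[3:])))
    return socks


def parent_chain(procs, pid):
    """Walk PPid links upward; stops at a PID missing from the list or a loop."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def triage(pslist_text, sockets_text, grace=timedelta(minutes=5)):
    """Describe every socket: owner, parent chain and two review flags."""
    procs = parse_pslist(pslist_text)
    boot = min(p.created for p in procs.values())   # System is the earliest process
    findings = []
    for s in parse_sockets(sockets_text):
        owner = procs.get(s.pid)
        findings.append({
            "pid": s.pid,
            "port": s.port,
            "proto": PROTO.get(s.proto, str(s.proto)),
            "name": owner.name if owner else "<not in pslist>",
            "chain": parent_chain(procs, s.pid),
            # socket with no visible owner: hidden or already-exited process
            "owner_missing": owner is None,
            # created well after boot, so not a boot-time service
            "started_after_boot": owner is not None and owner.created - boot > grace,
        })
    return findings


if __name__ == "__main__":
    for f in triage(PSLIST, SOCKETS):
        flag = "REVIEW" if f["owner_missing"] or f["started_after_boot"] else "ok"
        print(f"{flag:6} {f['proto']}/{f['port']:<5} pid {f['pid']:<5} "
              f"{f['name']:<16} {' <- '.join(f['chain'])}")
```

Run as-is it prints one line per socket; the two rows marked REVIEW are the netcat listener started 18 minutes after boot under an unrecognised parent, and the port whose owning PID does not appear in pslist at all. On a real image, feed it the saved plugin output and keep the grace period generous, since legitimate services also start a little after the System process.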
Conclusion on Rootkit Analysis
Case 2: Pass the Hash
- Hiberfil.sys is compressed, so decompress it first.
- Then proceed as described above using Volatility.
Passwords in Memory: where is the hash?
- Find registry hives in memory
- Find the SYSTEM and SAM hives
- Dump hashes from those hives
- Crack passwords from the hashes
More info: http://moyix.blogspot.com
1. Find registry hives in memory
- The hivescan plugin scans the memory image and pulls out the memory locations (offsets) of registry hives. Any of these locations can be used as a starting point for analysis.

2. Find the SYSTEM and SAM hives
The hivelist plugin takes one of those offsets and, starting from it, lists the registry hives it finds.
- SOFTWARE holds application settings
- SAM holds security-related information
- SYSTEM holds hardware-related information
Note down the SAM and SYSTEM offsets: the SAM hive is protected by syskey, which defends against cracking passwords straight from the SAM database. Syskey splits the key into four parts stored in four different locations in the SYSTEM hive.

3. Dump hashes from the SAM and SYSTEM hives
The hashdump plugin retrieves the hashes of all user accounts stored in the SAM.

4. Crack the passwords using the hashes
Use a password cracker such as Ophcrack or John the Ripper, or online rainbow tables.
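Before handing a hash listing to a cracker, it is worth auditing it for what it already tells you. The script below is an added example written for this page, not Volatility's own code. It assumes the listing is in the pwdump format that hashdump prints (user:rid:lmhash:nthash:::). The listing is constructed: the two constants are the real, well-known values for "no LM hash stored" and "NT hash of the empty password", while every other hash value is invented.

```python
"""Added example: audit a pwdump-format hash listing for weak storage.

Not Volatility code. The HASHDUMP listing is constructed; only EMPTY_LM and
EMPTY_NT are real constants, all other hash values are made up.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:fedcba9876543210fedcba9876543210:89abcdef0123456789abcdef01234567:::
backup:1003:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

LM_STORED = "LM hash stored"          # legacy hash, crackable far faster than NT
BLANK_PASSWORD = "blank password"
SHARED_PREFIX = "same password as "   # identical NT hash => identical password


def parse_hashdump(text):
    """Return one dict per account; lines that are not pwdump records are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        accounts.append({"user": user, "rid": int(rid),
                         "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def audit(text):
    """Return {user: [issue, ...]} for accounts with something worth noting."""
    accounts = parse_hashdump(text)
    by_nt = defaultdict(list)                      # NT hash -> users sharing it
    for a in accounts:
        by_nt[a["nt"]].append(a["user"])
    findings = defaultdict(list)
    for a in accounts:
        if a["lm"] != EMPTY_LM:
            findings[a["user"]].append(LM_STORED)
        if a["nt"] == EMPTY_NT:
            findings[a["user"]].append(BLANK_PASSWORD)
        elif len(by_nt[a["nt"]]) > 1:
            others = [u for u in by_nt[a["nt"]] if u != a["user"]]
            findings[a["user"]].append(SHARED_PREFIX + ", ".join(others))
    return dict(findings)


if __name__ == "__main__":
    for user, issues in audit(HASHDUMP).items():
        print(f"{user:<16} {'; '.join(issues)}")
```

The shared-hash check is the one that matters most in a pass-the-hash case: an NT hash reused across accounts (here Administrator and backup) means one captured hash unlocks both, so those accounts need separate passwords regardless of whether the hash is ever cracked.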
rip.pl is a Perl script that analyzes the memory dump at the registry hive address we retrieved earlier; you also specify the hive type.
Now we have the registry settings.
All the tools can be found in the SANS Investigative Forensic Toolkit (SIFT) Workstation.