Windows Memory Analysis and Forensics

Tools: http://forensics.sans.org/community/downloads

Windows Memory Acquisition

Acquisition from Live Systems

• Win32dd.exe http://win32dd.msuiche.net
• Mdd.exe http://www.mantech.com/mmsa/mdd.asp
• Memoryze http://www.mandiant.com

Dead System

• Hibernation file hiberfil.sys
  • Contains a compressed RAM image

Usage

C:\win32dd winxp_memory.img
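Two checks worth doing straight after an acquisition like the one above, whether the image came from win32dd on a live box or is a hiberfil.sys copied off a dead disk: hash every file so later analysis can be shown to have used an unmodified copy, and look at the first four bytes of hiberfil.sys before trying to decompress it ("hibr" marks a usable XP-era hibernation image, "wake" one the system has already resumed from). The script below is an added example written for this page, not code from the notes or from any of the tools listed; the evidence files it hashes are constructed in a temporary directory so it runs offline.

```python
"""Post-acquisition checks for a memory image.

Added example, not part of the original notes. Records a hash manifest for the
acquired files and classifies a hiberfil.sys by its header signature. All
sample files are constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Header signatures seen at offset 0 of hiberfil.sys on XP/2003-era Windows.
HIBER_SIGNATURES = {
    b"hibr": "valid hibernation image (compressed RAM present)",
    b"wake": "resumed: header marked stale, contents may be partially overwritten",
}


def classify_hiberfil_header(magic: bytes) -> str:
    """Map the first four bytes of hiberfil.sys to a human-readable state."""
    if magic in HIBER_SIGNATURES:
        return HIBER_SIGNATURES[magic]
    if magic == b"\x00\x00\x00\x00":
        return "zeroed header: no hibernation data to recover"
    return f"unknown signature {magic!r}"


def hash_file(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Return size plus SHA-256 and MD5, reading in chunks so multi-GB images fit in memory."""
    sha256, md5, size = hashlib.sha256(), hashlib.md5(), 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
            size += len(chunk)
    return {"file": path.name, "size": size,
            "sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def hiberfil_state(path: Path) -> str:
    """Read only the header of a hiberfil.sys and classify it."""
    with path.open("rb") as fh:
        return classify_hiberfil_header(fh.read(4))


def write_manifest(paths, manifest_path: Path) -> list:
    """Hash every acquired file and store the records as JSON next to the evidence."""
    records = [hash_file(p) for p in paths]
    manifest_path.write_text(json.dumps(records, indent=2))
    return records


def verify_manifest(manifest_path: Path) -> bool:
    """Re-hash every file named in the manifest; True only if all SHA-256 values still match."""
    records = json.loads(manifest_path.read_text())
    base = manifest_path.parent
    return all(hash_file(base / r["file"])["sha256"] == r["sha256"] for r in records)


def demo() -> dict:
    """Create constructed evidence files in a temp directory and run every check on them."""
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        ram = work / "winxp_memory.img"
        ram.write_bytes(b"\x00" * 4096)                 # constructed stand-in for a RAM image
        hib_ok = work / "hiberfil_valid.sys"
        hib_ok.write_bytes(b"hibr" + b"\x00" * 60)      # constructed: usable hibernation header
        hib_stale = work / "hiberfil_resumed.sys"
        hib_stale.write_bytes(b"wake" + b"\x00" * 60)   # constructed: header after a resume
        manifest = work / "manifest.json"
        write_manifest([ram, hib_ok, hib_stale], manifest)
        return {
            "manifest_ok": verify_manifest(manifest),
            "valid": hiberfil_state(hib_ok),
            "stale": hiberfil_state(hib_stale),
            "ram_record": hash_file(ram),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against real evidence by calling write_manifest on the acquired files and hiberfil_state on the hibernation file; a "wake" or zeroed header tells you up front that decompression will yield little, which saves time before the hiberfil.sys case below.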

Windows Memory Analysis

Windows 2000 Memory

• Memparser
  • Ability to load and examine processes
  • Extract information from memory for a specific process
  • Save the contents of process memory to a file, or its strings
  • Other more specific information can be extracted

Windows XP and Vista

• Memoryze
  • Windows-based analysis capability
  • Authors: Jamie Butler and Peter Silberman
  • Recommended to use Audit Viewer for GUI analysis
  • Batch scripts that analyze a memory image or a live machine

XP SP2

• Volatility
  • Framework for analysis of volatile memory images
  • It is a series of Python scripts


Case Study: XP SP2 with Rootkit

General IR Scan

• Run fport to see all network connections and the ports they use
• Run pslist to list all running processes

Nothing suspicious.

Scan using Volatility

• # python volatility pslist -f /path/to/xpimage.img

Whoa... Gotcha

There is a backdoor process nc.exe (netcat).

• List all open sockets using Volatility.
• Check the create time to see whether this process is loaded at boot or not.
• Identify the parent rootkit.
• Retrieve the process from memory.
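The three checks the case study does by eye (is the name a known backdoor tool, is its parent still in the active process list, and was it created at boot or hours later) can be run over the pslist output itself. The script below is an added example written for this page, not code from the notes or from Volatility: it parses a listing in the Name/Pid/PPid/Thds/Hnds/Time column layout that XP-era Volatility pslist prints, and SAMPLE_PSLIST is a constructed listing whose only suspicious entry is nc.exe with a parent that is no longer listed.

```python
"""Triage of Volatility pslist output.

Added example, not part of the original notes or of Volatility. Parses an
XP-era "python volatility pslist -f image" listing and flags processes whose
name is on a watchlist, whose parent is absent from the active list, and
reports how long after boot each flagged process was created.
"""
import re
from datetime import datetime

# Constructed sample in the column layout of an XP-era Volatility pslist run.
SAMPLE_PSLIST = """\
Name                 Pid    PPid   Thds   Hnds   Time
System                 4      0     51    235   Sat Jun 24 00:10:10 2006
smss.exe             368      4      3     19   Sat Jun 24 00:10:13 2006
csrss.exe            584    368     11    332   Sat Jun 24 00:10:20 2006
winlogon.exe         608    368     19    502   Sat Jun 24 00:10:21 2006
services.exe         652    608     16    259   Sat Jun 24 00:10:22 2006
lsass.exe            664    608     20    346   Sat Jun 24 00:10:22 2006
svchost.exe          836    652     21    203   Sat Jun 24 00:10:24 2006
explorer.exe        1324   1280     14    368   Sat Jun 24 00:11:05 2006
nc.exe              1576   1688      1     27   Sat Jun 24 03:41:10 2006
"""

ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"
# Dual-use tools that have no business on a production desktop.
WATCHLIST = {"nc.exe"}
# On XP explorer.exe is started by userinit.exe, which exits normally, so its
# missing parent is expected and is not a finding on its own.
EXPECTED_ORPHANS = {"explorer.exe"}
# Anything created this close to the System process is part of boot.
BOOT_WINDOW_SECONDS = 120


def parse_pslist(text: str) -> list:
    """Turn the columnar listing into dicts; the header line does not match ROW_RE and is skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        name, pid, ppid, thds, hnds, when = m.groups()
        procs.append({
            "name": name, "pid": int(pid), "ppid": int(ppid),
            "threads": int(thds), "handles": int(hnds),
            "created": datetime.strptime(when, TIME_FMT),
        })
    return procs


def triage(text: str) -> list:
    """Return one finding per process that trips at least one check."""
    procs = parse_pslist(text)
    live_pids = {p["pid"] for p in procs}
    boot = min(p["created"] for p in procs)   # System is created first: treat it as boot time
    findings = []
    for p in procs:
        reasons = []
        if p["name"].lower() in WATCHLIST:
            reasons.append("name on watchlist")
        if (p["ppid"] != 0 and p["ppid"] not in live_pids
                and p["name"].lower() not in EXPECTED_ORPHANS):
            reasons.append(f"parent pid {p['ppid']} absent from active list (exited or unlinked)")
        if not reasons:
            continue
        since_boot = int((p["created"] - boot).total_seconds())
        findings.append({
            "name": p["name"], "pid": p["pid"], "ppid": p["ppid"],
            "seconds_after_boot": since_boot,
            "started_at_boot": since_boot <= BOOT_WINDOW_SECONDS,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PSLIST):
        print(finding)
```

A process whose parent PID is absent only tells you the parent is gone or hidden; as the case study says, the next step is to look for that parent in the image (for example with sockets and a process scan that does not rely on the active list) rather than to conclude anything from the orphan alone.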

Conclusion on Rootkit Analysis

 

CASE 2: Pass the Hash

Analyse hiberfil.sys

• hiberfil.sys is compressed, so first decompress it
• Now you can proceed as stated above using Volatility.

Passwords in Memory: where is the hash?

• Find registry hives in memory
• Find the SYSTEM and SAM hives
• Dump hashes from those hives
• Crack passwords with the hashes.

More Info: http://moyix.blogspot.com

1. Find Registry hives in memory

• The hivescan plugin scans the memory image and pulls out the memory locations of the registry hives. You can take any of these locations to start analyzing.

2. Find SYSTEM and SAM Hives

The hivelist plugin takes an offset and, starting from that location, scans for the registry hives present.

• SOFTWARE has application settings
• SAM has security-related information
• SYSTEM has hardware-related information

We have to note both of them down, because the SAM is protected by the syskey to defend against cracking passwords taken from the SAM database. The syskey is split into four parts, stored in four different locations in the SYSTEM hive.

3. Dump Hashes from SAM and SYSTEM hives

The hashdump plugin retrieves the hashes of all user accounts stored in the SAM.

4. Crack the Passwords using Hashes.

Use a password cracker like Ophcrack or John the Ripper, or online rainbow tables.
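The hashdump output is also what a pass-the-hash attack reuses, so before handing it to a cracker it is worth reading the listing the defender's way: which accounts still have a real LM hash stored (the weak, case-insensitive, 14-character form), which have an empty password, and which accounts share one NT hash so that a single captured hash would open several of them. The script below is an added example written for this page, not code from the notes or from Volatility; it parses pwdump-style lines (user:rid:lm_hash:nt_hash:::), SAMPLE_HASHDUMP is constructed with invented hash values, and the two empty-password constants are the well-known LM and NT hashes of the empty string.

```python
"""Audit of Volatility hashdump output for pass-the-hash exposure.

Added example, not part of the original notes. Reads pwdump-style lines and
reports stored LM hashes, empty passwords and NT hashes shared across accounts.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (also shown when no LM hash is stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of ""

# Constructed hashdump output; the non-empty hash values are invented.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:1111111111111111aaaaaaaaaaaaaaaa:2222222222222222bbbbbbbbbbbbbbbb:::
alice:1003:3333333333333333cccccccccccccccc:4444444444444444dddddddddddddddd:::
bob:1004:aad3b435b51404eeaad3b435b51404ee:4444444444444444dddddddddddddddd:::
"""


def parse_hashdump(text: str) -> list:
    """Parse pwdump-style lines; a malformed line raises instead of being silently skipped."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a hashdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        for h in (lm, nt):
            if len(h) != 32 or any(c not in "0123456789abcdef" for c in h):
                raise ValueError(f"bad hash for {user}: {h!r}")
        accounts.append({"user": user, "rid": rid, "lm": lm, "nt": nt})
    return accounts


def audit(text: str) -> dict:
    """Summarise the exposure visible in the listing without cracking anything."""
    accounts = parse_hashdump(text)
    lm_stored = [a["user"] for a in accounts if a["lm"] != EMPTY_LM]
    empty_password = [a["user"] for a in accounts if a["nt"] == EMPTY_NT]
    by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] != EMPTY_NT:
            by_nt[a["nt"]].append(a["user"])
    shared_nt = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return {"accounts": len(accounts), "lm_stored": lm_stored,
            "empty_password": empty_password, "shared_nt": shared_nt}


def report(result: dict) -> list:
    """Turn audit results into the remediation lines an analyst would put in the case notes."""
    lines = []
    if result["lm_stored"]:
        lines.append("LM hashes stored for: " + ", ".join(result["lm_stored"])
                     + " -> set the NoLMHash policy and rotate those passwords")
    if result["empty_password"]:
        lines.append("empty password on: " + ", ".join(result["empty_password"])
                     + " -> disable the account or set a password")
    for nt, users in result["shared_nt"].items():
        lines.append("shared NT hash " + nt[:8] + "... across: " + ", ".join(users)
                     + " -> one captured hash unlocks all of them; use distinct passwords")
    return lines


if __name__ == "__main__":
    for line in report(audit(SAMPLE_HASHDUMP)):
        print(line)
```

The shared-hash check is the one that matters most for the pass-the-hash case: identical NT hashes mean identical passwords, and that is exactly what lets a hash captured from one machine be replayed against others.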

Registry Examination

RegRipper http://www.regripper.net

rip.pl is a Perl script that analyzes the memory dump starting from the registry hive address we retrieved previously; you also specify the hive type.

Now we have the registry settings.

All the tools can be found in the SANS Investigative Forensic Toolkit (SIFT) Workstation:

http://forensics.sans.org

About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.