Memory Forensics: How to Capture Memory for Analysis

There are several ways to capture memory from a Windows machine for analysis, but want an easy one? I mean a really easy one? Then look no further than MoonSols “DumpIt“.

MoonSols, the creator of the ever popular “win32dd” and “win64dd” memory dump programs have combined both into a single executable that when executed creates a copy of physical memory into the current directory. Just throw DumpIt onto a USB drive or save it on your hard drive, double click it, select yes twice and before you know it you have a complete copy of your machine’s memory sitting on disk.

The only thing you need to make sure of, especially if using a USB drive is that it is large enough to hold the file that is created. The memory dump will be a little larger than the size of your installed RAM. So, for instance, a machine with 4GB RAM will produce about a 5 GB file.

Malware Analysts use memory dumps to analyze malicious software. Once you have the memory dump, you can perform some very interesting analysis on it, like viewing what processes and programs were running on the machine, and what network connections the system had.

You can even pull passwords from them, which we will look at next time.

** Part 2Memory Forensics: How to Pull Passwords from a Memory Dump

Will Corporations Skip Windows 8?

Windows 8 should be released within a year, but will users flock to it as Microsoft is hoping? Honestly, probably not.

A lot of corporations recently (read FINALLY) switched to Windows 7, but Windows XP still has a huge install base. Last year, 74% of business computers still ran Windows XP. From a mix of polls for this year, it looks like Windows XP still has the edge, but in some, Windows 7 had a slight advantage.

Other reports seem to point out that numerous companies are planning to switch to Windows 7, but not for a few more years.

Windows 8 is an interesting creature. It will come with two interfaces. One is a traditional Windows type interface, but the second screams “iPhone”.  The touch based interface looks like a direct port of the iPhone.

But with many corporations planning to switch to Windows 7 in a couple years, Windows 8 could be bypassed all together. Why would businesses take a gamble on a new operating system when Windows 7 has a solid install based and is a proven operating system?

Time will tell, but Windows 8 may not make as big a splash as Microsoft is anticipating.

And by the way, if you haven’t switched to Windows 7 yet and are still hesitant, try it! Windows 7 is very stable and much more secure than Windows XP.

HP to switch to WebOS on Future PC’s

Hewlett Packard CEO Leo Apotheker had some interesting news according to a Business Week article:

Apotheker says he also wants to make better use of WebOS, the computer-operating system acquired last year when Hewlett- Packard purchased smartphone maker Palm Inc. for $1.2 billion. Starting next year, every one of the PCs shipped by HP will include the ability to run WebOS in addition to Microsoft Corp.’s Windows, Apotheker said.

The move is aimed at enticing software developers to create a wider range of applications that would differentiate HP PCs, printers, tablets and phones from those sold by rivals.

That has got to be quite a shocker to Microsoft. Linux based OS’s have made huge strides lately, and with the rise of tables and smart phones, web based OS’s seem to be the future.

As a matter of fact many industry experts are saying that the desktop PC is dead. They envision the future “desktop” PC will be nothing more than a Tablet PC with an external keyboard.

It looks like Microsoft may be forced into making a decision. To change and adapt to the times, or continue with business as usual and end up becoming obsolete. But hey, they still have the Xbox right?

 

Drive Encryption Useless against Online Attacks?

When securing your system, drive encryption is heavily recommended, and it works very well. But just how well will it protect you from online attacks? Well, truth be told, in some situations it may not help you at all.

I wanted to see how well drive encryption would protect a Windows XP SP3 machine from a common online Java based attack. So I installed the latest version of TrueCrypt (a popular open source encryption program) on a test system. I encrypted the whole drive just to be safe:

 

I then rebooted to verify that the system would not boot without the TrueCrypt password:

 

But let’s take this one step further. One level of encryption is good, but I have a very important file that I do not want read by others. And I definetly do not want someone else to be able to copy this to a different system. I encrypted the “Super Secret” folder and the goldmine file “Secret.txt” on the victims machine with Windows built in Encrypting File System (EFS):

All right, green means encrypted, we are good to go. The whole drive is encrypted with one level of encryption and the target file itself is encrypted with another encryption technique.

To see how well the encryption would stand up to an online attack, I used a Linux system running Backtrack 4’s Social Engineering Toolkit, and set up a simulated malicious Java Attack. On the target machine, once I clicked on and allowed the malicious Java file to run, I received a remote shell to the victim machine. Issuing a directory command on the attacker machine’s remote shell I received this:

 

A full directory of the victims encrypted root drive. Well, that is not good. The “Super Secret” directory shows up in the list, I wonder if I can access it:

Absolutely, not only could I read the directory and it’s contents remotely, I was able to view the contents of the encrypted file itself. Well, that is not a fair test. I could read it, but would I be able to copy that double encrypted file to a different computer?

 

Okay, it copied without error, but being encrypted, there is no way I should be able to read it on a different machine…

 

This is a picture of the file in Ubuntu’s Kate Text Editor. After copying the “secret” text file to my remote Linux attacking machine, it opened with no issues and was completely readable. The secret message now unencrypted and on a remote machine says:

Super Secret Insider Tip:
Sell all stocks and buy Tacos.

“Buy Tacos”, that’s a good tip, and it didn’t even come from Wikileaks. Well maybe it will be in the next release.

Okay, how was this possible? Encryption works very good when your machine is off and someone is trying to access it. Or if another user on the local machine or LAN is trying to read it. But since this online attack dropped the attacker into the current logged in user session, the attacker could read all of the encrypted information. The encryption system could not tell that the attacker was a remote attacker, but thought it was the local user.

* Side note – if your laptop is encrypted, and is stolen while it is turned on, even though it might be locked, it could be vulnerable to a cold boot attack.

What do you do to defend yourself against this type of online attack? Do not surf the web from secure systems. Use a virtual machine or a different machine altogether. If you must surf from your encrypted machine, do not allow online programs to run on it. Java applets, online “free” virus scanners, many “free” games, and even the bogus “you need to install this missing video codex” driver install are all things to avoid.

Encryption works very well at what it does, but it can be vulnerable to some online attacks.