Volatility Memory Analysis Article Featured in eForensics Magazine

eForensics April 2013

Check out this month’s issue of eForenics Magazine for my article on Memory Analysis using Volatility 2.2 and DumpIt!

“Analyzing system memory for artifacts is a technique used by forensic analysts, security specialists and those that analyze malware.

In this article we will cover how to obtain a complete copy of system memory from a computer using the easy to use program “DumpIt”. We will then take this memory dump and analyze it with the popular memory analysis tool “Volatility”.

With Volatility, you can pull a list of what software was installed on a system, what processes were running, what network connections were active, and a whole lot more.

We will look at all of this and even see how to pull password hashes from a memory dump. Lastly we will try our hand at analyzing a memory image infected with a sample of Stuxnet.”

The magazine also includes:

  • Cold Boot Memory Forensics by Alexander Sverdlov
  • MALWARE FORENSICS & ZEUS by Mikel Gastesi ,  Jozef Zsolnai & Nahim Fazal
  • Establishing a Center for Digital Forensics Investigative Services on the Cloud by Dr. Rocky Termanini
  • Digital Continuity of Government Records by Dr. Stilianos Vidalis
  • And more!

Check it out! (Subscription Required)

Windows 8 Open Source Memory Analysis Fail

Wow, spent a lot of time yesterday trying to do some memory analysis on Windows 8 with a couple open source tools…

And completely failed.

I wanted to analyze a suspended Win8 virtual machine’s memory and see what information could be pulled from it. I know VMWare has a “vmss2core” utility that will do the trick. Of course I had Windows 8 in a Virtualbox VM. No problem, I exported and imported to VMWare Workstation with no problems. Okay, it hung up on first boot in VMWare, but a hard reset and everything was right as rain on the next boot.

Next I suspended the VM, grabbed the .vmem and the .vmss suspension files and tried to run it through vmss2core:

C:\VM>vmss2core.exe -W windows8.vmem windows8.vmss
vmss2core version 812388 Copyright (C) 1998-2012 VMware, Inc. All rights reserved.

Unrecognized .vmss file (magic f000ff53).

Unrecognized .vmss file… Okay, not to be deterred, I rebooted the Windows 8 VM and took a snapshot. Vmss2core also works with snapshots!

Same error.

I actually read the help features for Vmss2core and realized that it has a “-W8” command for Windows 8! Doh!

Used that… Same error…

Okay, bothered now, but still undeterred, I figured I would just boot the system up and run MoonSols DumpIt command to get a copy of the active RAM. Then I can use the memory dump output and feed it into Volatility!

Or so I thought…

DumpIt works great for grabbing a full copy of your active RAM so you can analyze it for artifacts. Simply Download the file, and place it where you want it – USB drive, hard drive etc. Then just run the command, and the full active memory of the system will be saved in the same directory.

I ran DumpIt in Windows 8 and it worked flawlessly:

Yeah! Now all I need to do is take the .raw memory dump file and feed it into the memory analysis program Volatility. And I should be able to see tons of information and artifacts including network connections, users, services and other goodies!  🙂

I started out by using the imageinfo command. This command returns the exact operating system level to Volatility so that it correctly maps memory locations with services when you use the more advanced commands.

(I created a whole series on using volatility to perform analysis on Windows 7 last year)

When I ran Volatility, it was unable to determine the OS level. I was using the latest version that just came out this month. A quick search on their website and it looks like Wind0ws 8 functionality will not be out for several more months…

Well, that was the final brick wall for me. I had other things to do and had to walk away from it at that point.

Anyone have any ideas or know of any other open source memory analysis tools like Volatility that will work with Windows 8?

The Benefits of Network Security Monitoring (NSM)

Advanced threats are specifically made to bypass firewalls and intrusion detection systems, effectively killing defense in depth. So how do you battle these threats? Network Security Monitoring.

Several commercial and open source tools exist for Network Security Monitoring (NSM), so you will need to look around and find the one that works best for your needs. But nowadays you need a tool that records all the traffic coming in and out of your network and analyzes it for suspicious patterns or behaviors.

Security Onion is a great option for small to medium businesses (even home users) that need the power of NSM, but can’t afford a commercial solution. Security Onion comes pre-configured with a ton of intrusion and network security monitoring tools.

But for any NSM solution, you want one that:

  • Records all your traffic
  • Analyzes for suspicious behavior and patterns and warns you when they are detected
  • Provides complete packet captures
  • Provides an easy way to view and analyze captured packets
  • Keeps complete logs of all intrusions and suspicious behavior
  • Keeps a log of all websites visited, DNS lookups, ftp sessions, even chat and mail sessions.

Security Onion can do all of that and more. Plus you can have multiple sensors in multiple locations and have them all report back to a single Security Onion Install.

Why would you want multiple sensors? For any NSM install, you want to have a view of your network traffic at different locations in case the worst happens and you get compromised. You can place a sensor between your incoming data pipe and your main firewall. You can also place one between your firewall and Lan. That way you can see what was hitting your edge firewall and what made it through.

You can also place a sensor between the Lan switch and a single high priority machine. This way you can tell exactly what data was transferred to and from this machine in case of a breach. You need to analyze your network and see where the best places would be to institute monitoring.

Intruders will get in, it is just a fact of life now. The NSA came to this conclusion about network security in 2010.  Debora Plunkett, NSA’s director of the U.S. Information Assurance Directorate said, “There’s no such thing as ‘secure’ any more.  The most sophisticated adversaries are going to go unnoticed on our networks.  We have to build our systems on the assumption that adversaries will get in.  We have to, again, assume that all the components of our system are not safe, and make sure we’re adjusting accordingly.”

But you can monitor and hopefully catch them before the worse happens. Or in the event the worse happens, you will have a full forensics trail to follow to make sure that it doesn’t happen again.