Presented by:Anishka Singh

Everything in OS traverse RAM: Network Sockets and URLs

Windows Registry keys
Hardware Configuration
Password,caches and clipboards
User generated contents
MALWARE

CPU

Cache

RAM

Virtual Memory
Disk

DIGITAL FORENSIC ANALYSIS

Goals of Digital Forensics
Identify Digital Evidence
Generally only a part of crime investigation
Examples
computer intrusion
unauthorized use of corporate computers
any physical crime whose suspect had a computer
Three major phases:
Acquisition
Analysis
Presentation

Acquisition Phase
Which data as digital evidence ????????
Goal is to save the state of digital system for analysis.
Similar to taking photographs, fingerprints, blood samples,
from a crime scene.
The allocated and unallocated areas of a hard disk are
copied known as image.
Tools are used to copy data from the suspect storage
device to a trusted device.
Tools must modify the suspect device as little as possible
and copy all data.
Capture the acquired data for identifying pieces of
evidence.

Acquistion : MoonSols Kit for

obtaining memory
image
Advanced toolkit for Windows physical memory snapshot management.
Designed to deal with :A) Microsoft Windows hibernation file (from Microsoft Windows XP to
Microsoft Windows 7 both 32-bits and 64-bits (x64) Editions).
B)Microsoft full memory crashdump (in both 32-bits and 64-bits (x64)
Editions).
C)Raw memory dump files (from memory acquisition tools like win32dd or
win64dd, or Virtualization application like VMWare.

Contains new version of win32dd and win64dd.

C:\win32dd.exe /l /f
mem1.vmem

Identify
Context

Find KPCR

Parse
Memory
Structure

Executive Process Blocks

Process Environment Blocks
Track loaded DLLs
Virtual Address Descriptor
Process Memory Sections
Kernel Modules
Drivers

Scan For
outliers

Unlinked Process DLLs,sockets and threads

Unmapped page with execute privelage
Hook Detection
Know Heuristics and signatures

Analysis of Memory through

volatility
Open collection of tools.
Python implemented under GNU General Public License for the extraction
of digital artifacts from volatile memory (RAM).
Extraction performed are independent of system being investigated but
offer unprecedented visibilty into the runtime state of system.
Intended to introduce people: Techniques and complexities associated with extracting digital artifacts
from volatile memory samples
Work into this exciting area of research.

Volatility
versions

Supports

x86

Windows XP SP 2, 3
Windows 2003 Server SP 0, 1, 2
Windows Vista SP 0, 1, 2
Windows 2008 Server SP 1, 2
Windows 7 SP 0, 1

Windows

Running
Process
Image Date
and Time

OS Kernel
Modules

Open Network Sockets &

connections

Extract Executables From

Memory Samples

Mapping Physical offset to

virtual address

Virtual address Descriptor

Information

Processs addressable
Memory

Scanning Process , threads,

modules

Open Registry Handles

DLLs Loaded For Process

Static RAM analysis from an image or

against a live system
Enumerate all running processes, including those hidden by
rootkits, and display associated DLLs, network sockets and
handles in context.
Dump a process and associated DLLs for further analysis in
third-party tools.
Memory string search allows you to identify hits in memory
and automatically map them back to a given process, DLL
or piece of unallocated space and dump the corresponding
item.
Volatility provides VAD tree analysis and exposes registry
artifacts in memory and will parse and display handle
information from memory.

Analyzing
Image Name

Parent Process

Full Path

Processes

Legitimate process?
Spelled correctly?
Matches system
context

Appropriate
path for
system
executable?
Running from
a user or
temp directory

Command Line

Executable
matches image
name?
Do arguments
make sense?

Is the parent
Process what
you would
expect?

Start Time

Was the process

started at boot
(with other system
processes)?
Processes started
near time of known
attack.

Volatility Commands
a)Spot hidden processes

psxview

b)List all processes

c)Show a registry key
d)Extract process image
e)Extract process memory
f)List open handles, files, DLLs
and mutant objects
g)List services, drivers and
kernel modules
h)View network activities

pslist, psscan
printkey -K key
procexedump
memdump, vaddump
handles, filescan, dlllist,
mutantscan
svcscan, driverscan, modules,
modscan
connscan, connections,
sockets, sockscan, netscan
timeliner, evtlogs
malfind, apihooks

i)View activity timeline

j)Find and extract malware

Imageinfo
Used for Knowing what type of system your image
came from.
Output shows suggested profile that you should
pass as the parameter to --profile=PROFILE.

$ volatility f imagename imageinfo

For most accurate and fastest results supply the
profile and KDBG to other Volatility commands.

Pslist
Use to list the processes of a system.
Walks doubly-linked list pointed by PsActiveProcessHead.
Does not detect hidden or unlinked processes.

Syntax:$ volatility f --profile=profilename mem1.vmem pslist

Pstree
Used for viewing the process listing in tree form.
Enumerates processes using the same technique
as pslist.
Child process are indicated using indention and
periods.
$ volatility profile=profilename f imagename
pstree

Psscan
To enumerate processes using pool tag scanning, use
this command.
Finds processes that are previously terminated
(inactive) and hidden or unlinked by a rootkit.

$ volatility f imagename psscan

Connscan
Used for finding connection structures using pool tag
scanning.
Finds artifacts from previous connections that have been
terminated.
It may find false positives sometimes, you also get the benefit
of detecting as much information as possible.
$ volatility f imagename connscan

Malfind
Used for: Finding hidden or injected code/DLLs in user mode memory,
based on characteristics such as VAD tag and page
permissions.
Locating sequence of bytes, regular expressions, ANSI
strings, or Unicode strings in user mode or kernel memory.

$ volatility f imagename malfind D directoryname

Apihook
Used for finding API hooks in user mode or kernel mode.
It finds IAT, EAT, Inline style hooks, and several special types of
hooks.
For Inline hooks, it detects CALLs and JMPs to direct and
indirect locations, and it detects PUSH/RET instruction
sequences.
Special types of hooks that it detects include syscall hooking
in ntdll.dll and calls to unknown code pages in kernel memory.
$ volatility f imagename apihook

Dlllist
For displaying a process's loaded DLLs, use this command.
It walks the doubly linked list of LDR_DATA_TABLE
_ENTRY structures pointed by PEB's InLoad Order Module
List.
DLLs are automatically added to this list when a process calls
LoadLibrary and they aren't removed until FreeLibrary is called
and the reference count reaches zero.
$ volatility f imageinfo dlllist

Dlldump
For extracting a DLL from a process's memory space and dump
it to disk for analysis, use this command.
We can:
Dump all DLLs from all processes .
Dump all DLLs from a specific process (with --pid=PID) .
Dump all DLLs from a hidden/unlinked process (with -offset=OFFSET) .
Dump a PE from anywhere in process memory (with -base=BASEADDR), this option is useful for extracting hidden
DLLs.
$ volatility f imagename dlldump D directoryname

Handles
Used for displaying the open handles in a process.
Process obtains a file handle by calling functions such as
CreateFile, and the handle will stay valid until CloseHandle
is called. This concept applies for registry keys, mutexes,
named pipes, events, window stations, desktops, threads,
and all other types of objects.

$ volatility f imagename handles

Getsids
For viewing the SIDs (Security Identifiers)
associated with a process, use this command.
It helps you to identify processes which have
maliciously escalated privileges.

$ volatility f imageinfo getsids

Memmap
For a brief inspection of the addressable memory
pages in a process use this command.

$ volatility f imagename p PID memmap

Memdump

To extract all data from the various memory segments in

a process and dump them to a single file, use the
memdump command.
$ volatility --profile=Win7SP0x86 -f imagename p PID
memdump D directoryname/

Procmemdump
o For dumping a process's executable (including the slack
space), use the procmemdump command.
o Optionally, pass the --unsafe or -u flags to bypass certain
sanity checks used when parsing the PE header.
o Some malware will intentionally forge size fields in the PE
header so that memory dumping tools fail.

$ volatility --profile=Win7SP0x86 -f imagename -p PID

procmemdump -D memory/

Procexedump
To dump a process's executable (not including the
slack space), use the procexedump command.

$ volatility --profile=Win7SP0x86 -f imagename -p

PID procmemdump -D memory/

Vadinfo
The vadinfo command displays extended information about a
process's VAD nodes. In particular, it shows:
The address of the MMVAD structure in kernel memory.
The starting and ending virtual addresses in process memory.
The VAD Tag.
The name of the memory mapped file (if one exists) .
The memory protection constant (permissions).

$ volatility --profile=Win7SP0x86 -f imagename -p PID vadinfo

Modules
To view the list of kernel drivers loaded on the system,
use the modules command.
This walks the doubly-linked list of LDR_DATA_TABLE
_ENTRY structures pointed to by
PsLoadedModuleList. It cannot find hidden/unlinked
kernel drivers.
$ volatility --profile=Win7SP0x86 -f imagename modules

modscan
For scanning physical memory for kernel modules, use
this command.
It can pick up previously unloaded drivers and drivers
that have been hidden/unlinked by rootkits.

$ volatility --profile=Win7SP0x86 -f win7.dmp modscan

Ssdt
To list the functions in the Native and GUI SSDTs, use the ssdt command.
It displays the index, function name, and owning driver for each entry in the
SSDT.
Some important points: Windows has 4 SSDTs by default (you can add more with
KeAddSystemServiceTable), but only 2 of them are used - one for Native
functions in the NT module, and one for GUI functions in the win32k.sys
module.
Multiple ways to locate the SSDTs in memory:o
Some tools do it by finding the exported KeServiceDescriptorTable
symbol in the NT module.
o
Volatility scans for ETHREAD objects and gathers all unique
ETHREAD.Tcb.ServiceTable pointers.It is more robust and complete,
as it can detect when rootkits make copies of the existing SSDTs and
assign them to particular threads.
$ volatility --profile=Win7SP0x86 -f imagename ssdt

Driverscan
For scaning DRIVER_OBJECTs in physical memory, use this
command.
The DRIVER_OBJECT contains the 28 IRP (Major Function)
tables.

$ volatility --profile=Win7SP0x86 -f imagename driverscan

 To detect listening sockets for any protocol (TCP, UDP, RAW,

etc), use the sockets command.
It walks a singly-linked list of socket structures which is
pointed to by a non-exported symbol in the tcpip.sys
module.
It works for Windows XP and Windows 2003 Server only.

$ volatility f imagename --profile=WinXPSP3x86 sockets

Volatility is the only memory forensics framework with

the ability to carve registry data.
Variour registry commands are:a) Hivescan
b) Hivelist
c) Printkey

Hivescan
To find the physical addresses of CMHIVEs (registry
hives) in memory, use the hivescan command.

$ volatility --profile=Win7SP0x86 -f imagename

hivescan

Hivelist
To locate the virtual addresses of registry hives in memory, and
the full paths to the corresponding hive on disk, use this
command.

$ volatility --profile=Win7SP0x86 f imagename hivelist

Printkey
For displaying the subkeys, values, data, and data types
contained within a specified registry key, use this
command.
By default it will search all hives and print the key
information (if found) for the requested key. Therefore, if
the key is located in more than one hive, the information
for the key will be printed for each hive that contains it.

$ volatility --profile=Win7SP0x86 -f imagename printkey -K

"Microsoft\Security Center\Svc"

Idt
To print the system's IDT (Interrupt Descriptor Table),
use the idt command.
It displays the purpose of the interrupts, along with the
current address and owning module.
Some rootkits hook the IDT entry for KiSystemService,
but point it at a routine inside the NT module (where
KiSystemService should point). However, at that
address, there is an Inline hook detected by Idt.
$ volatility idt -f imagename

Gdt
To print the system's GDT (Global Descriptor
Table), use the gdt command.
It is useful for detecting rootkits like Alipop that
install a call gate so that user mode programs can
call directly into kernel mode (using a CALL FAR
instruction).
$ volatility -f imagename gdt

Conclusion
Volatility is a very powerful tool, which is able to detect
even the most advanced rootkits if its being used properly.
The analyst should have good windows knowledge to
combine the different functions in a smart way and
draw the right conclusions
False positives could be caused by security software like
HIPS, AV or personal firewalls, as they act in a very
similar way malware does. The only way to be 100% sure
if the code is malicious or not the investigator has to
disassemble the dumped code .

Other tools
Mandiant Redline:Mandiant Redline is an interesting tool which can analyse all the
processes running on your PC, and then attempt to highlight any
which might be malicious.