About
eMail: wishinet at gmail . com
PGP ID: 0xCCCA5E74

Jabber: wishi@jabber.ccc.de

Memory forensics explained


Not just the disks!

(Image caption: It turns out rock climbing sometimes is easier than diving.)

Generations of forensic experts just used data from the hard disk. They dived down deeply into the filesystems to dig for all kinds of incidents. But what about the surface?

It turns out that if you get a chance to get your hands on RAM nowadays, you should take it, even in pentesting. Here's why and how.

Why?

Yesterday I started to listen to Rob Lee's quality webcast about Windows memory analysis and forensics, an available summit recording from SANS Forensics and Incident Response.

I'm not directly in the forensics field, but in incident response and penetration testing. It makes a lot of sense to pull the passwords out of memory instead of brute-forcing them or cracking the hashes via rainbow tables. Memory forensics allows faster and more elegant solutions: for tracking all kinds of changes, for getting the authentication material (password or hash), or for reconstructing the initial situation when the infection happened.

As long as nobody pulled the plug... you're in.

How?



I very much recommend the webcast here... I'll just list keywords and links to follow.

You can find most of the tools in the SIFT VMware appliance, which is based on Fedora Linux. It has everything needed in the following directories:

/forensics
Location of the files used for the Autopsy Toolset

/usr/local/src
Source files for Autopsy, The Sleuth Kit, and other tools

/usr/local/bin
Location of the forensic pre-compiled binaries

/images
Location of the images that were seized from your compromised system

/mnt/hack
Location of the mount points for the file system images

Furthermore there's a cheat sheet. The hot stuff is to use mdd (or another acquisition tool) on the particular Windows box to dump the memory. Then you're able to use the Volatility framework and some of its modules to get the bait.

/usr/local/src/volatility (SIFT Workstation 1.3)

The usage instructions are copied from Rob's slides:

volatility command -f /path/to/windows_xp_memory.img

[Supported commands]
connscan      Scan for connection objects
files         Print list of open files for each process
hibinfo       Convert hibernation file to linear raw image
procdump      Dump a process to an executable sample
pslist        Print list of running processes
regobjkeys    Print list of open regkeys for each process
sockets       Print list of open sockets
sockscan      Scan for socket objects

Command Help
# cd /usr/local/src/volatility
# python volatility command --help

I guess this is self-explanatory. Here's something I just learned yesterday: if you get your hands on a compromised box, there's a plugin command "hivedump" in the Volatility framework that dumps the registry to a CSV. That's awesome!
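The pslist and connscan output listed above is most useful when read together: every open connection should map to a known process. The following script is an added example (not from the original post or from the Volatility project) that correlates the two; the two text blocks are constructed sample output, and the column layout of the old 1.x plugins is an assumption, so check it against your own dump before relying on the parser.

```python
"""Correlate Volatility 1.x 'pslist' and 'connscan' output by PID.

Added example, not code from the original post or from Volatility.
Run the real plugins and save their text, e.g.
    python volatility pslist   -f image.img > pslist.txt
    python volatility connscan -f image.img > connscan.txt
then feed the file contents to correlate().
"""
import re

# Constructed sample in the style of 'pslist' (column layout assumed).
PSLIST_SAMPLE = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      58     256    Thu Jan 01 00:00:00 1970
smss.exe             368    4      3      21     Tue Mar 10 08:00:12 2009
csrss.exe            584    368    12     395    Tue Mar 10 08:00:13 2009
explorer.exe         1460   1436   11     325    Tue Mar 10 08:01:02 2009
svchost.exe          1028   672    21     199    Tue Mar 10 08:00:20 2009
updater.exe          2092   1460   2      44     Tue Mar 10 09:14:55 2009
"""

# Constructed sample in the style of 'connscan' (same caveat).
CONNSCAN_SAMPLE = """\
Local Address             Remote Address            Pid
192.168.1.10:1042         10.0.0.5:445              4
192.168.1.10:1055         203.0.113.7:4444          2092
192.168.1.10:1058         203.0.113.7:80            1772
"""

def parse_pslist(text):
    """Return {pid: process name}; the header line is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs

def parse_connscan(text):
    """Return a list of (local, remote, pid) tuples; the header is skipped."""
    conns = []
    for line in text.splitlines()[1:]:
        m = re.match(r"(\S+)\s+(\S+)\s+(\d+)", line)
        if m:
            conns.append((m.group(1), m.group(2), int(m.group(3))))
    return conns

def correlate(pslist_text, connscan_text):
    """Map each connection to its process name. A PID that connscan found
    but pslist does not list is flagged: the process may have exited or
    been unlinked from the process list, which deserves a closer look."""
    procs = parse_pslist(pslist_text)
    return [(remote, pid, procs.get(pid, "<not in pslist>"))
            for _local, remote, pid in parse_connscan(connscan_text)]
```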

Of course SIFT contains lots of other tools, but not EnCase or FTK Imager, because these aren't free and are Windows-only.

Perspective



I see a good future for this in IR. In the case of forensics I must admit that maybe the acquisition files carry too much overhead of their own? But that depends. In any case you have collected the incident data.

Links to the Windows tools




Have fun,
wishi



Circumventing this print lock is prohibited under § 95a UrhG!
Person responsible for content according to § 10 paragraph 3 MDStV: Marius Ciepluch - postal address via eMail. The eMail address can be found in the imprint of this English-language site.
For data protection reasons I do not conduct official or governmental correspondence via eMail. For that, the postal address deposited with the hosting provider is to be used.

Data collection

No personal data is collected. Log data is anonymised.