Not just the disks!

It turns out rock climbing is sometimes easier than diving.
Generations of forensic experts just used data from the hard disk. They dived deep into the filesystems to dig for all kinds of incidents. But what about the surface?
It turns out that if you get a chance to get your hands on RAM nowadays, you should take it - even in pentesting. Here's why and how.
Why?
Yesterday I started listening to Rob Lee's quality webcast about Windows memory analysis and forensics, available from SANS's forensics and incident response summit.
I'm not directly in the forensics field, but in incident response and penetration testing. It makes a lot of sense to pull the passwords out of memory instead of brute-forcing them, or cracking the hashes via rainbow tables. Memory forensics allows faster and more elegant solutions: for tracking all kinds of changes, for getting the authentication material (password or hash), or for reconstructing the initial situation when the infection happened.
As long as nobody pulled the plug... you're in.
How?
I very much recommend the webcast here... I'll just list headwords and links to follow.
You can find most of the tools in the SIFT VMware appliance, which is Fedora-based. It has everything needed in the following directories:
/forensics - Location of the files used for the Autopsy Toolset
/usr/local/src - Source files for Autopsy, The Sleuth Kit, and other tools
/usr/local/bin - Location of the forensic pre-compiled binaries
/images - Location of the images that were seized from your compromised system
/mnt/hack - Location of the mount points for the file system images
Furthermore there's a cheat sheet. The hot stuff is to use mdd or something else on the particular Windows box to dump the memory. Then you're able to use the Volatility framework - and some of its modules - to get the bait.
/usr/local/src/volatility (SIFT Workstation 1.3)
The usage instructions are copied from Rob's slides:
volatility command -f /path/to/windows_xp_memory.img
Supported commands:
- connscan   Scan for connection objects
- files      Print list of open files for each process
- hibinfo    Convert hibernation file to linear raw image
- procdump   Dump a process to an executable sample
- pslist     Print list of running processes
- regobjkeys Print list of open regkeys for each process
- sockets    Print list of open sockets
- sockscan   Scan for socket objects
Command help:
# cd /usr/local/src/volatility
# python volatility command --help
I guess this is self-explanatory. Here's something I just learned yesterday: if you get your hands on a compromised box, there's a plugin command "hivedump" in the Volatility framework that dumps the registry to a CSV. That's awesome!
Of course SIFT contains lots of other tools - but not EnCase or FTK Imager, because these aren't free and are Windows-only.
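As an added example (not from this post, Rob's slides or the SIFT project), here is a small Python driver that runs the Volatility 1.3 commands listed above against a memory image and hashes the image before and after the run, so you can show the evidence was not modified by the analysis. The output directory, the fake_runner stand-in and the constructed SAMPLE_IMAGE are assumptions for running it offline; on SIFT you would call triage() with the real image and the default subprocess.run.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Triage commands taken from the Volatility 1.3 usage listing reproduced above.
TRIAGE_COMMANDS = ("pslist", "connscan", "sockets", "sockscan", "files", "regobjkeys")

# Constructed stand-in for a memory image (a real dump comes from mdd/win32dd).
SAMPLE_IMAGE = b"\x00" * 4096 + b"constructed sample, not a real dump" + b"\xff" * 4096

def sha256_file(path):
    # Stream the file so multi-gigabyte dumps are not loaded into RAM at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_command(volatility_dir, command, image):
    # Same syntax as the slide: python volatility <command> -f <image>
    return ["python", str(Path(volatility_dir) / "volatility"), command, "-f", str(image)]

def triage(image, outdir, volatility_dir="/usr/local/src/volatility",
           commands=TRIAGE_COMMANDS, runner=subprocess.run):
    image, outdir = Path(image), Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    before = sha256_file(image)
    returncodes = {}
    for cmd in commands:
        proc = runner(build_command(volatility_dir, cmd, image), capture_output=True, text=True)
        (outdir / f"{cmd}.txt").write_text(proc.stdout or "")  # one file per module
        returncodes[cmd] = proc.returncode
    after = sha256_file(image)  # catches a tool that modified the evidence
    (outdir / "image.sha256").write_text(f"{before}  {image.name}\n")
    return {"image": str(image), "sha256": before, "unchanged": before == after,
            "returncodes": returncodes}

def fake_runner(cmd, **kwargs):
    # Offline stand-in for subprocess.run so the driver can be exercised without SIFT.
    return subprocess.CompletedProcess(cmd, 0, stdout=f"[stub output of {cmd[2]}]\n")

def run_demo():
    # Writes the constructed image into a temporary case directory and triages it.
    case = Path(tempfile.mkdtemp(prefix="case-"))
    image = case / "windows_xp_memory.img"
    image.write_bytes(SAMPLE_IMAGE)
    return triage(image, case / "volatility", runner=fake_runner)

if __name__ == "__main__":
    print(run_demo())
```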
Perspective
I see a promising future for this in IR. For forensics I must admit that the acquisition files may carry too much overhead of their own? But... that depends. In any case, you have collected the incident data.
Links to the Windows tools
- mdd
- win32dd
- Mandiant's tool collection, including Highlighter (a must-have!)
Have fun,
wishi