
CHAD TILBURY

- Former: Special Agent with US Air Force Office of Special Investigations
- Current: Incident Response and Computer Forensics Consultant
- Over 12 years in the trenches
- SANS Forensics and Incident Response Instructor & Author

chad@forensicmethods.com
ForensicMethods.com
@chadtilbury
The Ugly

"I'm with the government and I'm here to help."

"I can't tell you how, but we have evidence of malicious activity originating from several of your internal systems."


Organizations Simply Fail to Detect Intrusions

6 Step IR Process and Forensics

1. Preparation
2. Identification and Scoping
3. Containment / Intelligence Gathering
4. Eradication / Remediation
5. Recovery
6. Follow Up / Lessons Learned

No Identification = No Containment

Forensic disciplines:
- Memory Forensics & Triage
- Deep Dive Forensics
- Network Forensics
- Malware Analysis
- Intrusion Analysis
Why Memory Forensics?

Everything in the OS traverses RAM
- Network sockets, URLs
- Windows Registry keys
- Hardware configuration
- Passwords, caches, clipboards
- User generated content
- Malicious code

"If you have a problem, if no one else can help..."
One Slide Primer: Windows Memory Analysis

1. Identify Context
   - Find the Kernel Processor Control Region (KPCR) or Kernel Debugger Data Block (KDBG)
2. Parse Memory Structures
   - Executive Process (EPROCESS) blocks
   - Process Environment (PEB) blocks
   - DLLs loaded
   - Virtual Address Descriptors (VAD) tree: the list of memory sections belonging to the process
   - Kernel modules / drivers
3. Scan for Outliers
   - Unlinked processes, DLLs, sockets and threads
   - Unmapped memory pages with execute privileges
   - Hook detection
   - Known heuristics and signatures
4. Analysis: search for anomalies
Memory Forensics Triage

1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review network artifacts
4. Look for evidence of code injection
5. Check for signs of a rootkit
6. Dump suspicious processes and drivers
Suspicious Processes

Step 1: Analyzing Processes

- Image Name: Legitimate process? Spelled correctly? Matches system context?
- Full Path: Appropriate path for a system executable? Running from a user or temp directory?
- Parent Process: Is the parent process what you would expect?
- Command Line: Executable matches image name? Do arguments make sense?
- Start Time: Was the process started at boot (with other system processes)? Processes started near the time of a known attack.
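The Step 1 questions above, turned into a check that runs over an exported process table. This is an added example, not code from the deck or from Redline; the core-process names, expected parents and the one-hour attack window are its own assumptions, and the process rows are constructed.

```python
import difflib
from datetime import datetime, timedelta

# Baseline assumed by this added example (Windows 7 core process names and parents).
CORE = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "svchost.exe"}
KNOWN = CORE | {"explorer.exe", "iexplore.exe", "dllhost.exe"}
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe", "csrss.exe": "smss.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
USER_DIRS = ("c:\\users\\", "\\temp\\", "\\appdata\\")

def process_findings(proc, by_pid, boot_time, attack_time, window=timedelta(hours=1)):
    """Apply the Step 1 questions to one process record; return a list of findings."""
    name, path, findings = proc["name"].lower(), proc["path"].lower(), []
    if name not in KNOWN:  # image name: spelled correctly? catch look-alikes such as scvhost.exe
        for real in difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.85):
            findings.append(f"name resembles {real} but is not it")
    if name in CORE and not path.startswith(SYSTEM32):  # full path: system image outside system32?
        findings.append("core system image outside system32")
    if any(d in path for d in USER_DIRS):
        findings.append("running from a user or temp directory")
    parent = by_pid.get(proc["ppid"], {}).get("name", "<unknown>").lower()  # parent: as expected?
    if name in EXPECTED_PARENT and parent != EXPECTED_PARENT[name]:
        findings.append(f"unexpected parent {parent}")
    argv0 = proc["cmdline"].split()[0].strip('"').lower() if proc["cmdline"] else ""  # command line
    if argv0 and not argv0.endswith(name):
        findings.append("command line executable differs from image name")
    if name in CORE and proc["start"] - boot_time > timedelta(minutes=5):  # start time: at boot?
        findings.append("core process started long after boot")
    if abs(proc["start"] - attack_time) <= window:
        findings.append("started near time of known attack")
    return findings

def triage(procs, boot_time, attack_time):
    """Return {pid: findings} for every process that raised at least one finding."""
    by_pid = {p["pid"]: p for p in procs}
    return {p["pid"]: f for p in procs if (f := process_findings(p, by_pid, boot_time, attack_time))}

# Constructed process table in the shape of a pslist / Redline process view.
BOOT, ATTACK = datetime(2013, 7, 8, 8, 0, 0), datetime(2013, 7, 8, 14, 0, 0)
SAMPLE = [
    {"pid": 464, "ppid": 400, "name": "services.exe", "path": "C:\\Windows\\System32\\services.exe",
     "cmdline": "C:\\Windows\\system32\\services.exe", "start": BOOT + timedelta(seconds=5)},
    {"pid": 800, "ppid": 464, "name": "svchost.exe", "path": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs", "start": BOOT + timedelta(seconds=9)},
    {"pid": 1337, "ppid": 2200, "name": "svchost.exe", "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe",
     "cmdline": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe", "start": ATTACK + timedelta(minutes=2)},
    {"pid": 1500, "ppid": 464, "name": "scvhost.exe", "path": "C:\\Windows\\System32\\scvhost.exe",
     "cmdline": "scvhost.exe", "start": BOOT + timedelta(seconds=11)},  # pid 2200 above has exited
]
```

Running `triage(SAMPLE, BOOT, ATTACK)` reports only pids 1337 and 1500; the two legitimate rows raise nothing.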
Introducing: Redline

Free GUI tool for guided memory analysis
- Processes
- Handles
- Network connections
- Memory sections
- Hooks and drivers

x86 and x64 support for: Win2000 | WinXP | Win2003 | Vista | Win2008 | Win7 | 2008R2 | Win8 | Win2012

- Heuristics for suspicious processes and code
- Live memory analysis and IR capability
- Indicator of Compromise (IOC) matching
- File whitelisting
- Comprehensive timelining

http://www.mandiant.com/resources/download/redline/
Identify Rogue Processes: MRI - Malware Risk Index

1. Process Anomalies
   - Code injection detection
   - Process image path verification: svchost outside system32 = Bad
   - Process user verification (SIDs): dllhost running as admin = Bad
   - Process handle inspection: iexplore.exe opening cmd.exe = Bad; )!voqa.i4 = known Poison Ivy mutant
2. Verify Digital Signatures
   - Only available during live analysis
   - Executable, DLL, and driver signature checks
   - Not signed? Is it found in >75% of all processes?

Conficker Worm
APT Hiding in Plain Sight
Step 2: Analyzing Process Objects (Least Frequency of Occurrence)

- Malware and its associated artifacts should be among the rarest objects in a memory image
- Redline keeps a count of each time a process object is referenced
- Sort by the Occurrences column to identify outliers

** A process object occurring only once is not de facto malicious, but should be trusted less than one that appears in 50 instances

Least Frequency of Occurrence
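Least Frequency of Occurrence as code: count how many processes reference each DLL or named handle, then sort rarest first. This is an added example, not Redline's implementation; the object table is constructed, apart from the )!VoqA.I4 mutant name taken from the MRI slide.

```python
from collections import Counter

def occurrence_counts(objects_by_pid):
    """Count how many processes reference each distinct (type, name) object.

    objects_by_pid maps pid -> iterable of (type, name) pairs such as ("dll", path)
    or ("handle", name); a process counts once per object even if it holds several
    handles to the same name, like a per-process Occurrences column.
    """
    counts = Counter()
    for objs in objects_by_pid.values():
        counts.update({(kind, name.lower()) for kind, name in objs})
    return counts

def least_frequent(objects_by_pid, at_most=1):
    """Objects referenced by at most `at_most` processes, rarest first (Occurrences ascending)."""
    counts = occurrence_counts(objects_by_pid)
    return sorted((n, kind, name) for (kind, name), n in counts.items() if n <= at_most)

# Constructed object table: DLLs and named handles for five processes. The )!VoqA.I4
# mutant name comes from the deck's MRI slide; every other value is made up here.
COMMON = [("dll", "C:\\Windows\\System32\\ntdll.dll"), ("dll", "C:\\Windows\\System32\\kernel32.dll")]
SAMPLE = {
    464:  COMMON + [("handle", "\\BaseNamedObjects\\ExampleServiceLock")],
    800:  COMMON + [("dll", "C:\\Windows\\System32\\rpcrt4.dll")],
    804:  COMMON + [("dll", "C:\\Windows\\System32\\rpcrt4.dll")],
    2200: COMMON + [("dll", "C:\\Windows\\System32\\shell32.dll")],
    1337: COMMON + [("dll", "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.dll"),
                    ("handle", "\\BaseNamedObjects\\)!VoqA.I4")],
}
```

Note that shell32.dll also lands in the once-only list, which is exactly the slide's caveat: a single occurrence lowers trust, it does not prove anything.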
Network Artifacts

Step 3: Network Artifacts

- Suspicious Ports: Communication via abnormal ports? Indications of listening ports / backdoors?
- Suspicious Connections: External connections; connections to known bad IPs; TCP / UDP connections; socket creation times
- Suspicious Processes: Why does this process have network capability (open sockets)?
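The Step 3 questions applied to a socket table joined to process names by pid. This is an added example, not from the deck; the sets of network-capable processes, expected listeners and normal remote ports are assumptions for a generic Windows client, and the socket rows and the "known bad" address are constructed.

```python
import ipaddress

# Baselines assumed by this added example; tune them to the environment under review.
NET_CAPABLE = {"system", "svchost.exe", "lsass.exe", "services.exe", "iexplore.exe"}
EXPECTED_LISTENERS = {135, 139, 445, 3389}
NORMAL_REMOTE_PORTS = {53, 80, 443}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_BAD = {"203.0.113.5"}  # placeholder for an intel feed: a TEST-NET-3 address, not a real IoC

def socket_findings(sock, proc_name):
    """Return the Step 3 observations for one socket row (netscan / Redline style)."""
    findings = []
    if proc_name.lower() not in NET_CAPABLE:  # why does this process have network capability?
        findings.append(f"{proc_name} is not expected to open sockets")
    if sock["state"] == "LISTENING" and sock["lport"] not in EXPECTED_LISTENERS:
        findings.append(f"unexpected listening port {sock['lport']}")  # backdoor?
    if sock["raddr"]:
        remote = ipaddress.ip_address(sock["raddr"])
        external = not any(remote in net for net in INTERNAL)
        if external and sock["rport"] not in NORMAL_REMOTE_PORTS:
            findings.append(f"external connection on abnormal port {sock['rport']}")
        if sock["raddr"] in KNOWN_BAD:
            findings.append("connection to known bad IP")
    return findings

def review_network(sockets, proc_names):
    """Return {pid: findings} over a socket table joined to process names by pid."""
    out = {}
    for s in sockets:
        for f in socket_findings(s, proc_names.get(s["pid"], "<unknown>")):
            out.setdefault(s["pid"], []).append(f)
    return out

# Constructed socket table; pids line up with the process names below.
PROCS = {800: "svchost.exe", 1337: "svchost.exe", 1500: "notepad.exe", 2300: "iexplore.exe"}
SOCKETS = [
    {"pid": 800,  "proto": "TCP", "lport": 135,   "raddr": None,           "rport": None, "state": "LISTENING"},
    {"pid": 2300, "proto": "TCP", "lport": 49152, "raddr": "198.51.100.7", "rport": 443,  "state": "ESTABLISHED"},
    {"pid": 1337, "proto": "TCP", "lport": 5555,  "raddr": None,           "rport": None, "state": "LISTENING"},
    {"pid": 1337, "proto": "TCP", "lport": 49153, "raddr": "10.0.0.5",     "rport": 8443, "state": "ESTABLISHED"},
    {"pid": 1500, "proto": "TCP", "lport": 49154, "raddr": "203.0.113.5",  "rport": 8080, "state": "ESTABLISHED"},
]
```

Socket creation times are left out of the row format here; in practice, compare them against the attack window exactly as the process start times were in Step 1.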
TDL3/TDSS
Finding Beacons: Zeus
Code Injection

Step 4: Detecting Injection

- DLL injection is very common with modern malware
  - VirtualAllocEx() & CreateRemoteThread()
  - SetWindowsHookEx(), etc.
- Process hollowing is another form
  - Malware starts a new instance of a legitimate process
  - Original process code is de-allocated and replaced
  - Retains DLLs, handles, data, etc. from the original process
- Code injection is relatively easy to detect
  - Review memory sections marked as executable and having no memory-mapped file present
  - Scan for DLLs (PE files) and shellcode
  - Process image base not backed with a file on disk
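The three detection heuristics above (executable sections with no mapped file, a PE header or code inside them, and an image base not backed by the on-disk file) as code over a constructed VAD table, modelling a hollowed lsass.exe, the process Stuxnet hollowed. This is an added example; the VAD record layout is this example's own, not Volatility's or Redline's.

```python
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

def injected_sections(proc):
    """Flag memory sections that are executable yet backed by no memory-mapped file.

    Each VAD entry is {"start", "size", "protect", "file", "head"} where "file" is the
    mapped file path (None for private memory) and "head" is the section's first bytes.
    """
    hits = []
    for vad in proc["vads"]:
        if vad["protect"] not in EXECUTABLE or vad["file"]:
            continue            # file-backed images and non-executable private memory are normal
        if vad["head"].startswith(b"MZ"):
            hits.append((vad["start"], "unmapped executable section holding a PE file"))
        elif any(vad["head"]):  # executable private memory that something has written code into
            hits.append((vad["start"], "unmapped executable section with code (possible shellcode)"))
    return hits                 # zero-filled reservations (e.g. an unused JIT heap) are skipped

def is_hollowed(proc):
    """True when the process image base (from the PEB) is not backed by the on-disk image."""
    base = proc["image_base"]
    for vad in proc["vads"]:
        if vad["start"] <= base < vad["start"] + vad["size"]:
            return not (vad["file"] and vad["file"].lower().endswith("\\" + proc["name"].lower()))
    return True  # nothing mapped at the image base at all

# Constructed VAD tables. CLEAN is an ordinary lsass.exe; HOLLOWED is the Stuxnet-style case:
# the image section has been replaced by private memory and a small code stub was added.
IMAGE, NTDLL = "\\Windows\\System32\\lsass.exe", "\\Windows\\System32\\ntdll.dll"
CLEAN = {"name": "lsass.exe", "image_base": 0x1000000, "vads": [
    {"start": 0x1000000, "size": 0x8000, "protect": "PAGE_EXECUTE_WRITECOPY", "file": IMAGE, "head": b"MZ\x90\x00"},
    {"start": 0x7c900000, "size": 0xb2000, "protect": "PAGE_EXECUTE_WRITECOPY", "file": NTDLL, "head": b"MZ\x90\x00"},
    {"start": 0x90000, "size": 0x100000, "protect": "PAGE_READWRITE", "file": None, "head": b"\x00\x00\x00\x00"},
    {"start": 0x1a0000, "size": 0x10000, "protect": "PAGE_EXECUTE_READWRITE", "file": None, "head": b"\x00" * 4},
]}
HOLLOWED = {"name": "lsass.exe", "image_base": 0x1000000, "vads": [
    {"start": 0x1000000, "size": 0x8000, "protect": "PAGE_EXECUTE_READWRITE", "file": None, "head": b"MZ\x90\x00"},
    {"start": 0x7c900000, "size": 0xb2000, "protect": "PAGE_EXECUTE_WRITECOPY", "file": NTDLL, "head": b"MZ\x90\x00"},
    {"start": 0x80000, "size": 0x1000, "protect": "PAGE_EXECUTE_READWRITE", "file": None, "head": b"\x55\x8b\xec\x83"},
]}
```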

Detecting Code Injection: Stuxnet Process Hollowing (1)
Detecting Code Injection: Stuxnet Process Hollowing (2)
Process Hollowing!
Introducing: Volatility

Python-based memory analysis framework: http://code.google.com/p/volatility/
- Tremendous versatility via plug-in architecture
- Opens the door for very advanced analysis
- Supports x86 & x64 versions of: WinXP | Win2003 | Vista | Win2008R2 | Win7 | Linux | Mac OSX and more!
- Pre-installed on SANS SIFT Workstation: http://computer-forensics.sans.org/community/downloads

Volatility Malfind (Stuxnet)

vol.py -f stuxnet.img malfind --dump-dir output_dir
Putting it All Together

1. Identify rogue processes: name, path, parent, command line, start time, SID, MRI score
2. Analyze process DLLs and handles: digital signatures and Least Frequency of Occurrence helpful
3. Review network artifacts: suspicious ports, connections, and processes
4. Look for evidence of code injection: injected memory sections and process hollowing
5. Check for signs of a rootkit: SSDT, IDT, IRP, and inline hooks
6. Dump suspicious processes and drivers: review strings, sandbox, reverse-engineer
Intelligence Sharing: Indicator of Compromise

Example IOC (courtesy of Mandiant); the indicator terms below are combined in the IOC tree with nested Or / And logic operators:
- File MD5 checksum is 88195c3b0b349c4edbe2aa725d3cf6ff
- File name is ripsvc32.dll
- File path contains \system32\mtxes.dll
- File PE header compile time is 2008-04-04T18:14:25
- Registry key text contains ripsvc32.dll
- Registry path contains \SYSTEM\CurrentControlSet\Services\Iprip\Parameters\ServiceDLL
- Service DLL is ripsvc32.dll
- Process has a handle named RipSvc32.dll
- File path contains \system32\msasn.dll
- File path contains \system32\msxml15.dll
- File size is between 500000 and 900000
- File name is SPBBCSvc.exe
- File name is hinv32.exe
- File name is vprosvc.exe
- File name is wuser32.exe
- Service name is IPRip
- Service DLL is not iprip.dll
IOC Editor

- IOC Editor (free)
- Allows users to create, edit and compare Indicators of Compromise in XML format
- http://www.mandiant.com/resources/download/ioc-editor/

Automating IOC Analysis

- IOCs allow a wide range of alert triggers to be set for known malware: processes, hooks, drivers, handles, strings
- IOCs can be used with any live / dead memory analysis in Redline
- Scan for a single IOC or hundreds
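An evaluator for an IOC tree of the kind IOC Editor produces and Redline matches, serving both the IPRip IOC example above and the automated scanning slide. This is an added example, not Mandiant's OpenIOC engine: the Or/And grouping of a few of the deck's terms is assumed here, the tuple encoding stands in for the XML, and the host snapshots are constructed.

```python
# The IOC below is this example's own rendering of a few terms from the deck's Mandiant IOC;
# their grouping into Or/And nodes is assumed, since the slide's tree layout is not preserved.
IOC = ("or", [
    ("term", "file", "md5", "is", "88195c3b0b349c4edbe2aa725d3cf6ff"),
    ("and", [("term", "file", "path", "contains", "\\system32\\msasn.dll"),
             ("term", "file", "size", "between", (500000, 900000))]),
    ("and", [("term", "service", "name", "is", "IPRip"),
             ("term", "service", "dll", "is not", "iprip.dll")]),
    ("and", [("term", "registry", "path", "contains", "\\Services\\Iprip\\Parameters\\ServiceDLL"),
             ("term", "registry", "text", "contains", "ripsvc32.dll")]),
])

def term_matches(term, obj):
    """Evaluate one indicator term against one host object (a dict of field -> value)."""
    _, _, field, op, value = term
    actual = obj.get(field, "")
    if op == "between":
        return isinstance(actual, int) and value[0] <= actual <= value[1]
    a, v = str(actual).lower(), str(value).lower()
    return {"is": a == v, "is not": a != v, "contains": v in a}[op]

def evaluate(node, host):
    """Walk the Or/And tree; host maps object kind -> list of objects (dicts).
    Terms under one And node that describe the same kind must all hold for a single
    object, so "name is IPRip" and "dll is not iprip.dll" cannot match two different services."""
    if node[0] == "term":
        return any(term_matches(node, o) for o in host.get(node[1], []))
    if node[0] == "or":
        return any(evaluate(child, host) for child in node[1])
    terms = [c for c in node[1] if c[0] == "term"]
    groups = [c for c in node[1] if c[0] != "term"]
    by_kind = {t[1]: [u for u in terms if u[1] == t[1]] for t in terms}
    kinds_ok = all(any(all(term_matches(t, o) for t in ts) for o in host.get(k, []))
                   for k, ts in by_kind.items())
    return kinds_ok and all(evaluate(g, host) for g in groups)

# Constructed host snapshots (the md5 is a made-up placeholder); only INFECTED carries the hijacked IPRip service DLL.
CLEAN = {"file": [{"path": "C:\\Windows\\system32\\msasn1.dll", "size": 57344, "md5": "0123456789abcdef0123456789abcdef"}],
         "service": [{"name": "IPRip", "dll": "iprip.dll"}, {"name": "Dhcp", "dll": "dhcpcore.dll"}],
         "registry": []}
INFECTED = {"file": [{"path": "C:\\Windows\\system32\\msasn1.dll", "size": 57344, "md5": "0123456789abcdef0123456789abcdef"}],
            "service": [{"name": "IPRip", "dll": "ripsvc32.dll"}],
            "registry": [{"path": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Iprip\\Parameters\\ServiceDLL",
                          "text": "%SystemRoot%\\system32\\ripsvc32.dll"}]}
```

The legitimate msasn1.dll in both snapshots shows why "contains \system32\msasn.dll" is written with the extension: the look-alike name must not match.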
Redline IOC Analysis (Zeus)
Zeus Indicator of Compromise (IOC Editor)
Redline IOC Report
6 Step IR Process and Forensics
Links

- Getting started with Redline
  - https://www.mandiant.com/resources/download/redline
  - http://holisticinfosec.org/toolsmith/docs/february2009.html
  - http://forensicmethods.com/windows-8-server-2012-memory-forensics
- Volatility references and sample memory images
  - http://code.google.com/p/volatility/w/list
- Detailed Analysis using Volatility
  - http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html
  - http://malwarereversing.wordpress.com/2011/09/23/zeus-analysis-in-volatility-2-0/
  - http://computer-forensics.sans.org/blog/2013/07/08/getting-started-linux-memory-forensics
