One of the things I find most helpful when analysing a possibly hacked system is to really comb through memory. Having direct access to the system's memory and pagefile, or at least an image of the memory and a copy of the pagefile taken at the time, is extremely helpful in investigating whether a system has been compromised. With the sophistication of attacks these days it may be the only way you can tell whether the system has been compromised, or is still compromised.
One thing I have found attackers do is mount a drive or create a virtual drive, launch their attacks from there, and then remove the drive, leaving nothing for the investigator to pull off the hard disk. There may be some residual traces in the logs etc., but does that let you find out what they did, or does it just give you an idea that something was done?
The attacker would then have their programs running on the system and, unless the system was restarted, full control of whatever they were doing. How often do you restart a mission-critical server? Probably nowhere near as often as you should.
When I do memory analysis I like to use three sets of tools: Strings/Grep, Memoryze/Audit Viewer, and Volatility.
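As an added example (not code from the original post, and not part of Strings, Memoryze or Volatility), here is a small Python equivalent of running strings and grep over a raw memory image. It pulls out both ASCII and UTF-16LE runs, which matters on Windows because much of what you are hunting for (paths, URLs, command lines) sits in memory as wide strings that plain strings misses unless you pass -e l. The memory image below is a constructed byte string, not a real dump, and the indicator patterns are my own hypothetical choices.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a raw memory image: a few junk bytes, an ASCII
# command line, a UTF-16LE URL (the Windows-native form), and fragments
# too short to report. Not a real dump.
SAMPLE_IMAGE = (
    b"\x00\x01\x02\xff"
    + b"cmd.exe /c net use Z: \\\\192.0.2.10\\share"
    + b"\x00\x00\x7f\x10"
    + "http://example.test/payload.bin".encode("utf-16-le")
    + b"\x00\x00\x00\x03"
    + b"sh"
    + b"\x90" * 8
)

# Hypothetical indicator patterns, in the spirit of grepping strings output.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "unc_path": re.compile(r"\\\\[^\s\\]+\\[^\s\\]+"),
}


def extract_strings(image: bytes, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in both 8-bit ASCII and UTF-16LE (strings -e l)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    # Sorted by offset so the output reads like a walk through the image.
    return sorted(found)


def find_indicators(image: bytes) -> List[Tuple[int, str, str, str]]:
    """Grep each recovered string against the indicator patterns; returns
    (offset, encoding, indicator name, matched text) so a hit can be carved
    back out of the image at that offset."""
    hits = []
    for offset, enc, text in extract_strings(image):
        for name, pat in INDICATOR_PATTERNS.items():
            for m in pat.finditer(text):
                hits.append((offset, enc, name, m.group()))
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_IMAGE):
        print("0x%08x %-8s %-8s %s" % hit)
```

The offsets are the point: once a string of interest turns up, the offset is what you feed back into a hex viewer or a carving tool to look at the surrounding structure, which is where the Memoryze/Volatility style tools take over from strings and grep.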
While I'm sure most have used Strings/Grep, not everyone has used Memoryze and/or Volatility. While I'll go over both tools in a later post, I'll say that I am drifting away from Volatility and using Memoryze more. Memoryze supports a great deal more OSes, and it doesn't seem as if the primary developer of Volatility has done much to advance the program.
The whole point of this post, though, is support for file acquisition from memory. While both programs seem to give you the ability to reconstruct a program from memory, I haven't had much success getting the accompanying drivers along with the executable in Volatility. I've also found that Memoryze works extremely well with the MRI (Malware Rating Index), but unfortunately this only works on live memory. In email exchanges with the developer (Peter Silberman) he was kind enough to explain the reasoning in terms that a moron such as myself could understand.
I'll try to break it down into Barney terms here. When the system memory is dumped you are taking a snapshot of the memory, but you are not taking the pagefile. This is critical for the rating and analysis of memory. Even if you grab the pagefile and then try to merge the two to create a better snapshot, the system is constantly paging files out and back in. By the time you are done snatching the memory, the chunks that were paged out to point A may have moved to point R or not exist at all, so the reference is invalid. He did a much better job of explaining, to the point of even including stack references. If I tried to mimic what he said without plagiarizing, my license to use the internet would be revoked.
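To make the timing problem concrete, here is an added toy model of my own (not Peter Silberman's explanation, and not Memoryze or Volatility code). It simulates a tiny machine with RAM frames, pagefile slots and a page table, acquires the RAM image first and the pagefile second, and lets the pager run in between; the page table recovered from the RAM image then points at pagefile slots that have since been reused or freed, which is exactly the "moved to point R or not exist at all" case. All page contents and the paging sequence are constructed.

```python
import copy
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Location = Tuple[str, int]  # ("ram", frame) or ("pagefile", slot)


@dataclass
class Machine:
    ram: Dict[int, bytes]            # physical frame -> page contents
    pagefile: Dict[int, bytes]       # pagefile slot  -> page contents
    page_table: Dict[int, Location]  # virtual page   -> where it lives right now


def build_machine() -> Machine:
    """Constructed starting state: two pages resident, two paged out, frame 2 free."""
    return Machine(
        ram={0: b"KRNL", 1: b"MAIN"},
        pagefile={0: b"DRVR", 1: b"CONF", 2: b"OLD."},
        page_table={0: ("ram", 0), 1: ("ram", 1),
                    2: ("pagefile", 0), 3: ("pagefile", 1)},
    )


def page_in(m: Machine, vpn: int, free_frame: int) -> None:
    """Pager brings a page back from the pagefile and frees its slot."""
    kind, slot = m.page_table[vpn]
    assert kind == "pagefile" and free_frame not in m.ram
    m.ram[free_frame] = m.pagefile.pop(slot)
    m.page_table[vpn] = ("ram", free_frame)


def page_out(m: Machine, vpn: int, slot: int) -> None:
    """Pager evicts a resident page into a pagefile slot, reusing a free one."""
    kind, frame = m.page_table[vpn]
    assert kind == "ram"
    m.pagefile[slot] = m.ram.pop(frame)
    m.page_table[vpn] = ("pagefile", slot)


def acquire_memory(m: Machine):
    """Memory acquisition: a copy of RAM and of the page table that lives in it."""
    return copy.deepcopy(m.ram), copy.deepcopy(m.page_table)


def acquire_pagefile(m: Machine) -> Dict[int, bytes]:
    """Pagefile copy, taken later as a separate step."""
    return copy.deepcopy(m.pagefile)


def reconstruct(page_table, ram_image, pagefile_image) -> Dict[int, Optional[bytes]]:
    """Merge the two acquisitions by following the page table from the RAM image."""
    out = {}
    for vpn, (kind, idx) in page_table.items():
        store = ram_image if kind == "ram" else pagefile_image
        out[vpn] = store.get(idx)  # None when the referenced slot no longer exists
    return out


def classify(truth, recon) -> Dict[int, str]:
    """Per virtual page: ok, stale (slot reused by other data) or missing (slot freed)."""
    result = {}
    for vpn in truth:
        if recon[vpn] == truth[vpn]:
            result[vpn] = "ok"
        elif recon[vpn] is None:
            result[vpn] = "missing"
        else:
            result[vpn] = "stale"
    return result


def demo() -> Dict[int, str]:
    m = build_machine()
    # What the process really looked like at the moment memory was acquired.
    truth = {vpn: (m.ram if k == "ram" else m.pagefile)[i]
             for vpn, (k, i) in m.page_table.items()}
    ram_image, pt_image = acquire_memory(m)
    # The pager keeps running while the investigator moves on to the pagefile.
    page_in(m, 2, 2)    # DRVR comes back into frame 2; slot 0 is freed
    page_out(m, 1, 0)   # MAIN is evicted into slot 0, which has been reused
    page_in(m, 3, 1)    # CONF comes back into frame 1; slot 1 is freed
    pagefile_image = acquire_pagefile(m)
    recon = reconstruct(pt_image, ram_image, pagefile_image)
    return classify(truth, recon)


if __name__ == "__main__":
    for vpn, status in demo().items():
        print("virtual page %d: %s" % (vpn, status))
```

The two resident pages come back fine because the page table and the frames were captured together. The two paged-out pages do not: one resolves to a slot that now holds a different page, and the other to a slot that no longer exists. That is why a rating that depends on walking references into paged-out memory can only be trusted on the live system.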
So while this post wasn't too exciting, I plan on more in-depth, useful information in the future. I'm working on a head-to-head smackdown between Volatility and Memoryze. I've heard there is a bit of bad blood between the two teams, so maybe an unbiased look will help.