Volatile Memory Forensics
by datagram & Vidiot
May 18
[email protected] – [email protected]
Software Dumping
• UNIX/Solaris: /dev/mem
• Linux: /proc/kcore, /dev/mem
• OS X: /var/vm, /dev/mem*
• Windows: \\.\PhysicalMemory*
• e.g. dd if=/dev/mem of=
Software Preparation
• Create trusted toolkit
– Statically compiled binaries (gcc -static)
• Prepare remote system (for nc)
• Consider scripts
• Understa
Software Basics
• Gather live info :)
• Use trusted commands
– statically compiled, read-only media
• Remember $PATH!
• nc/cryptcat data to remote system –
Software Basics
• Rootkit hunting:
– chkrootkit
– rkhunter*
– Hunter.o (kernel mod)
– 99luftballons
– Manual inspection
Offline Dump Analysis
• More or less Rev. Eng
• String searching
• Carving
• Interpreting Kernel structures
String Searching
• Tried and true :)
– strings -a -t x dump.img
– grep * dump.img
• Specialized Algorithms: EnCase, etc
• Hilarious (sometimes)
Hilarity Often Ensues
696195554 ]0;newb@x:/dev/shm/newb/newb   <-------------- Full path from PS1
696195591 [newb@x newb]$ rm -rf acycmech.tar
69619567
Hilarity Often Ensues (2)
• Attempts at logging out:
696194744 [newb@x acycmech]$ unset HISTFILE;exit
696194789 logout
696194797 There are stopped jobs.
6
File Carving
• Grab memory-mapped files
• Affected by Kernel security
• Free tools: Scalpel, Foremost
• Commercial: EnCase, FTK, etc.
Interpreting Kernel Structures
• Un-fucking /dev/mem -- /proc/kcore dump
• Few ready-to-use Linux tools… :(
• IDETECT (http://forensic.seccure.net)
• Read
About Us
• We really don’t have time for this
– it would suck anyways
P.S. – We like beer.
Cold Boot Attacks
• Not our research
• Developed at Center for Information Technology Policy, Princeton University
– Read: “Lest We Remember: Cold Boot A
Cold Boot Attacks
• DRAM remanence effects
– Different from the Gutmann “burn in” effect.
– Assuming memory loss is instantaneous = FAIL
– Memory decay oc
Cold Boot Attacks
[Image: memory decay panels at 5 sec., 30 sec., 60 sec., 5 min.]
Image excerpt from: Lest We Remember: Cold Boot Attacks on Encryption Keys, Princeton University, 2008,
Cold Boot Attacks
• 3 Types of attack
– Reboot to custom kernel
• Pros: Fast and easy
• Cons: Data destruction during OS shutdown, potential to overwrite
Cold Boot Attacks
• Locating keys in memory dump
– Search for known contents or known structure
– Example: Locating an RSA private key
• Searching memory
Cold Boot Attacks
• Hamming Distance
– The number of positions for which the corresponding symbols are different between two strings of equal length.
– F
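The known-contents search and the Hamming-distance tolerance from the two slides above, as an added example that is not from the original talk: an exact grep misses a marker once decay has flipped a few bits, while a per-window Hamming comparison still finds it. The dump, the marker, its offset and the cleared bit positions are all constructed here.

```python
# Added example (not from the original talk): locate a known-contents marker in
# a decayed memory dump by Hamming distance instead of an exact grep.
MARKER = b"-----BEGIN RSA PRIVATE KEY-----"  # known-contents search target
MARKER_OFFSET = 4096                           # where the constructed dump places it


def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions at which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("Hamming distance needs equal-length inputs")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def fuzzy_search(dump: bytes, pattern: bytes, max_bits: int):
    """Return (offset, distance) for every window of dump within max_bits of pattern."""
    n = len(pattern)
    hits = []
    for off in range(len(dump) - n + 1):
        d = hamming(dump[off:off + n], pattern)
        if d <= max_bits:
            hits.append((off, d))
    return hits


def simulate_decay(buf: bytes, cleared_bits) -> bytes:
    """Clear the given (byte_index, bit) positions, modelling cells in a region
    whose ground state is 0 (decay direction varies by region; assumed here)."""
    out = bytearray(buf)
    for i, bit in cleared_bits:
        out[i] &= 0xFF ^ (1 << bit)
    return bytes(out)


def build_sample_dump() -> bytes:
    """Constructed dump: deterministic filler, MARKER at MARKER_OFFSET, more
    filler, then three marker bits cleared to mimic partial decay."""
    filler = bytes(range(256)) * 16           # 4096 bytes, no '-----' runs
    dump = filler + MARKER + filler
    decayed = [(MARKER_OFFSET + 2, 3),        # '-' 0x2D -> 0x25
               (MARKER_OFFSET + 10, 5),       # ' ' 0x20 -> 0x00
               (MARKER_OFFSET + 20, 4)]       # 'T' 0x54 -> 0x44
    return simulate_decay(dump, decayed)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("exact match:", dump.find(MARKER))             # -1: grep would miss it
    print("fuzzy hits :", fuzzy_search(dump, MARKER, 8))  # [(4096, 3)]
```

The same window scan works for a known structure (a DER header, a key schedule) in place of the text marker; the tolerance max_bits is the decay budget you are willing to accept before false positives creep in.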
Countermeasures
• Scrubbing memory
– Avoid storing keys in memory and overwrite them when no longer needed.
– Alternatively, systems can be configured to
Countermeasures
• Pass/key required to wake system
– Suspending (sleep mode) a system will not protect keys already in memory.
– Hibernation mode also vu
Countermeasures
• Avoid precomputation
– Precomputing can speed cryptographic operations, but often leads to redundant storage of key information.
• Key
Countermeasures
• Architectural changes
– Build DRAM with faster decay rate
– Build key management hardware into motherboard
– Encrypt the contents of RAM
Our Agenda
• What is Live Forensics?
• Live Forensic Process
• Hardware vs. Software
• Offline Analysis Basics
• Cold Boot Attacks (the new hotness)
• Coun
Countermeasures
• Encryption in disk controller
– Enable a write-only key register into which software can write a user-derived symmetric key.
– Data blo
Countermeasures
• Advances in Trusted Computing
– Current TPMs do not implement bulk encryption
• Instead they monitor the boot sector to determine if i
Countermeasures
• Physical Defenses
– Encase RAM (epoxy, etc) to frustrate transplant attack.
– Trip switches, accelerometers, motion sensors, RFID, etc.
Conclusions
• Exercise caution
• Understand your actions
• Not a solution, an addition
• Think about physical security
• Have fun
• Good luck!
Q&A?
More!
• Google :D
• Mariusz Burdach (forensic.seccure.net) – IDETECT tool
• Joanna Rutkowska, Black Hat Feb 2007 – Anti-DMA Forensics Attacks
• FATKit fra
What is Live Forensics?
Good…and Bad
Good…
• Scope of information
• Availability
• Combats modern anti-dead forensics
But…
• No data integrity
• All actions affect memory
• Cannot be
In-Memory Data
• Running Kernel/modules info
• Running/dead processes
• Network connections/configuration
• Memory-mapped files
• User logins
• Firewall set
Live Forensics Process
• Regular rules apply :)
• Dump live memory (software/hardware)
• Gather volatile data (software) – Optional
• Offline analysis
Memory Dumping
• Hardware
– Custom hardware devices
– Access memory directly (DMA)
– Can also be cheated :(
• Software
– Trusted toolkit
– WILL alter memor
Hardware Dumping
• DMA can subvert OS
• Custom DMA device
– PCI, PCMCIA, USB, Firewire
– http://www.csoonline.com/read/050106/ipods_pf.html
• But…can be de