WiebeTech RTX800-UR User Manual

Summary of contents

Volatile Memory Forensics

by datagram & Vidiot
May 18, [email protected] [email protected]

Software Dumping

• UNIX/Solaris: /dev/mem
• Linux: /proc/kcore, /dev/mem
• OS X: /var/vm, /dev/mem*
• Windows: \\.\PhysicalMemory*
• e.g. dd if=/dev/mem of=…

(Caveats a practitioner should know: /proc/kcore is an ELF core image of kernel virtual memory, not a flat physical dump; on a Linux kernel built with CONFIG_STRICT_DEVMEM, /dev/mem exposes only the first megabyte and device memory, and reads elsewhere fail with EPERM; user-mode access to \\.\PhysicalMemory has been blocked since Windows XP SP2 / Server 2003 SP1, so a kernel driver is needed there.)

Software Preparation

• Create trusted toolkit
  – Statically compiled binaries (gcc -static)
• Prepare remote system (for nc)
• Consider scripts
• Understa…

Software Basics

• Gather live info :)
• Use trusted commands
  – statically compiled, read-only media
• Remember $PATH!
• nc/cryptcat data to remote system
  – …
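The dumping, preparation and basics slides above describe one acquisition procedure: read the memory device with trusted tools, cope with regions that cannot be read, hash the result and ship it to a remote box with nc. The Python below is an added example written for this page, not code from the talk. It mirrors what `dd conv=noerror,sync` followed by a hash does, and uses a constructed in-memory stand-in for /dev/mem (`FakeDevMem`, which refuses reads inside one range the way CONFIG_STRICT_DEVMEM does) so it runs without root or a real device. The 1 MiB block size, the `limit` argument and the collector address used by `send_image` are assumptions.

```python
import errno
import hashlib
import io
import socket

BLOCK = 1024 * 1024  # 1 MiB per read, like dd bs=1M (assumed)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire(src, dst, block_size=BLOCK, limit=None):
    """Copy a memory device to an image the way `dd conv=noerror,sync` does.

    src   -- seekable binary file, e.g. open("/dev/mem", "rb")
    dst   -- binary file the raw image is written to
    limit -- stop after this many bytes (assumed to be the RAM size; some
             /dev/mem implementations fail instead of returning EOF past the
             end of RAM, so an unbounded copy may never finish)

    A block that cannot be read (EPERM from CONFIG_STRICT_DEVMEM, EIO, ...) is
    written as zeros so that offsets in the image still equal physical
    addresses, and its range is recorded so the analyst knows what is missing.
    The hash is computed while writing. Returns (sha256_hex, size, gaps).
    """
    digest = hashlib.sha256()
    gaps = []
    pos = 0
    while limit is None or pos < limit:
        want = block_size if limit is None else min(block_size, limit - pos)
        try:
            src.seek(pos)
            chunk = src.read(want)
        except OSError:
            chunk = None
        if chunk is None:                     # unreadable: pad and skip ahead
            gaps.append((pos, pos + want))
            chunk = bytes(want)
        elif not chunk:                       # EOF
            break
        elif len(chunk) < want:               # short last block: pad like conv=sync
            chunk = chunk + bytes(want - len(chunk))
        dst.write(chunk)
        digest.update(chunk)
        pos += want
    return digest.hexdigest(), pos, gaps


def acquire_bytes(src, block_size=BLOCK, limit=None):
    """Same as acquire() but returns the image as bytes."""
    out = io.BytesIO()
    digest, _, gaps = acquire(src, out, block_size, limit)
    return out.getvalue(), digest, gaps


def send_image(path, host, port, block_size=BLOCK):
    """Stream a finished image to a collector listening with e.g. `nc -l`.
    The image file, not the live device, is sent, so the hash recorded by
    acquire() can be re-checked on the far side. (Hypothetical usage.)"""
    with open(path, "rb") as f, socket.create_connection((host, port)) as s:
        while True:
            chunk = f.read(block_size)
            if not chunk:
                return
            s.sendall(chunk)


class FakeDevMem(io.BytesIO):
    """Constructed stand-in for /dev/mem used to exercise the error path:
    any read overlapping `forbidden` = (lo, hi) raises EPERM."""

    def __init__(self, data, forbidden):
        super().__init__(data)
        self.forbidden = forbidden

    def read(self, size=-1):
        lo, hi = self.forbidden
        start = self.tell()
        end = len(self.getvalue()) if size < 0 else start + size
        if start < hi and end > lo:
            raise PermissionError(errno.EPERM, "Operation not permitted")
        return super().read(size)


if __name__ == "__main__":
    # Constructed 3843-byte "physical memory" with an unreadable 1 KiB hole.
    device = FakeDevMem(bytes(range(256)) * 15 + b"KEY", forbidden=(1024, 2048))
    image, digest, gaps = acquire_bytes(device, block_size=1024)
    print(len(image), digest, gaps)
```

Record the returned hash and gap list with the image: the hash is what lets the offline copy be trusted later, and the gaps are the regions the image does not actually contain.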

Software Basics

• Rootkit hunting:
  – chkrootkit
  – rkhunter*
  – Hunter.o (kernel mod)
  – 99luftballons
  – Manual inspection

Offline Dump Analysis

• More or less reverse engineering
• String searching
• Carving
• Interpreting kernel structures

String Searching

• Tried and true :)
  – strings -a -t x dump.img (-a scans the whole file, -t x prints the offset of each string in hex)
  – grep * dump.img
• Specialized algorithms: EnCase, etc.
• Hilarious (sometimes)

Hilarity Often Ensues

696195554 ]0;newb@x:/dev/shm/newb/newb   <-------------- Full path from PS1
696195591 [newb@x newb]$ rm -rf acycmech.tar
69619567…

Hilarity Often Ensues (2)

• Attempts at logging out:
696194744 [newb@x acycmech]$ unset HISTFILE;exit
696194789 logout
696194797 There are stopped jobs.
6…

File Carving

• Grab memory-mapped files
• Affected by kernel security
• Free tools: Scalpel, Foremost
• Commercial: EnCase, FTK, etc.

Carving a raw physical image only recovers objects whose pages are physically contiguous; a mapped file spread over non-adjacent page frames has to be reassembled through the page tables first.
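An added example, not from the slides, covering the string-searching slides above (including the PS1 and HISTFILE remnants shown in the two "Hilarity" slides) and the header/footer carving just described. `extract_strings` reproduces what `strings -a -t d` prints, `find_shell_artifacts` greps those strings for prompt, xterm-title and history-evasion patterns, and `carve` applies Scalpel/Foremost-style header/footer rules. The sample image, the regexes and the carving rules are constructed for this page.

```python
import random
import re

# ---- String searching -----------------------------------------------------

def extract_strings(data, min_len=4):
    """Yield (offset, text) for every run of at least min_len printable ASCII
    bytes, i.e. what `strings -a` prints; the offset is what `-t d` (decimal)
    or `-t x` (hex) would show next to it."""
    for m in re.finditer(rb"[\x20-\x7e\t]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


# Patterns an analyst greps for in a dump of a box someone has been working on.
# Each regex runs against one extracted string; group 1 (if any) is reported.
SHELL_PATTERNS = {
    # "[user@host dir]$ command": bash's default PS1 followed by what was typed
    "prompt": re.compile(r"\[[\w.-]+@[\w.-]+ [^\]]*\]\$ (.*)"),
    # ESC ] 0 ; title BEL: xterm title set from PS1; `strings` drops the ESC
    "xterm_title": re.compile(r"\]0;([^\x07]*)"),
    # attempts to avoid leaving a shell history on disk
    "histfile": re.compile(r"unset HISTFILE|HISTFILE=/dev/null|history -c"),
}


def find_shell_artifacts(data):
    """Return [(offset, pattern_name, matched_text)] over all extracted strings."""
    hits = []
    for off, text in extract_strings(data):
        for name, pat in SHELL_PATTERNS.items():
            m = pat.search(text)
            if m:
                hits.append((off, name, m.group(m.lastindex or 0)))
    return hits


# ---- Header/footer carving ------------------------------------------------

# extension: (header, footer, max_size), the shape of a Scalpel/Foremost rule
CARVE_RULES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}


def carve(data, rules=CARVE_RULES):
    """Return [(ext, offset, bytes)] for each header whose footer is found
    within max_size bytes. Only physically contiguous objects come out whole;
    a mapped file scattered over non-adjacent page frames must be reassembled
    from the page tables before it can be carved."""
    found = []
    for ext, (hdr, ftr, max_size) in rules.items():
        start = data.find(hdr)
        while start != -1:
            end = data.find(ftr, start + len(hdr), start + max_size)
            if end == -1:
                start = data.find(hdr, start + 1)
                continue
            end += len(ftr)
            found.append((ext, start, data[start:end]))
            start = data.find(hdr, end)       # non-overlapping objects
    return found


# ---- Constructed sample image ---------------------------------------------

JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(1, 200)) + b"\xff\xd9"
PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"


def build_sample_image(seed=1):
    """Random filler with shell remnants (modelled on the strings shown on the
    slides) and two small files embedded; test data, not a real dump."""
    rng = random.Random(seed)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return (filler(300)
            + b"\x00]0;newb@x:/dev/shm/newb/newb\x07\x00" + filler(50)
            + b"\x00[newb@x newb]$ rm -rf acycmech.tar\n\x00" + filler(80)
            + b"\x00[newb@x acycmech]$ unset HISTFILE;exit\n\x00" + filler(60)
            + JPEG + filler(40) + PDF + filler(100))


SAMPLE_IMAGE = build_sample_image()
```

Note that `unset HISTFILE` only stops bash from writing its history to disk; the commands still sit in the shell's memory, which is exactly where the slides found them.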

Interpreting Kernel Structures

• Un-fucking /dev/mem--/proc/kcore dump
• Few ready-to-use Linux tools… :(
• IDETECT (http://forensic.seccure.net)
• Read…

About Us

• We really don’t have time for this
  – it would suck anyways
P.S. – We like beer.

Cold Boot Attacks

• Not our research
• Developed at Center for Information Technology Policy, Princeton University
  – Read: “Lest We Remember: Cold Boot Attacks on Encryption Keys”

Cold Boot Attacks

• DRAM remanence effects
  – Different from the Gutmann “burn in” effect.
  – Assuming memory loss is instantaneous = FAIL
  – Memory decay oc…

Cold Boot Attacks

[Figure: the same DRAM image after 5 sec., 30 sec., 60 sec. and 5 min. without power.]
Image excerpt from: Lest We Remember: Cold Boot Attacks on Encryption Keys, Princeton University, 2008, …

Cold Boot Attacks

• 3 types of attack
  – Reboot to custom kernel
    • Pros: Fast and easy
    • Cons: Data destruction during OS shutdown, potential to overwrite…

Cold Boot Attacks

• Locating keys in memory dump
  – Search for known contents or known structure
  – Example: Locating an RSA private key
• Searching memory…

Cold Boot Attacks

• Hamming Distance
  – The number of positions for which the corresponding symbols are different between two strings of equal length.
  – F…

Countermeasures

• Scrubbing memory
  – Avoid storing keys in memory and overwrite them when no longer needed.
  – Alternatively, systems can be configured to…

Countermeasures

• Pass/key required to wake system
  – Suspending (sleep mode) a system will not protect keys already in memory.
  – Hibernation mode also vu…

Countermeasures

• Avoid precomputation
  – Precomputing can speed cryptographic operations, but often leads to redundant storage of key information.
• Key…

Countermeasures

• Architectural changes
  – Build DRAM with faster decay rate
  – Build key management hardware into motherboard
  – Encrypt the contents of RAM…

Our Agenda

• What is Live Forensics?
• Live Forensic Process
• Hardware vs. Software
• Offline Analysis Basics
• Cold Boot Attacks (the new hotness)
• Coun…

Countermeasures

• Encryption in disk controller
  – Enable a write-only key register into which software can write a user-derived symmetric key.
  – Data blo…

Countermeasures

• Advances in Trusted Computing
  – Current TPMs do not implement bulk encryption
    • Instead they monitor the boot sector to determine if i…

Countermeasures

• Physical Defenses
  – Encase RAM (epoxy, etc.) to frustrate transplant attack.
  – Trip switches, accelerometers, motion sensors, RFID, etc.

Conclusions

• Exercise caution
• Understand your actions
• Not a solution, an addition
• Think about physical security
• Have fun
• Good luck!

More!

• Google :D
• Mariusz Burdach (forensic.seccure.net) – IDETECT tool
• Joanna Rutkowska, Black Hat Feb 2007 – Anti-DMA Forensics Attacks
• FATKit fra…

What is Live Forensics?

Good…and Bad

Good…
• Scope of information
• Availability
• Combats modern anti-dead forensics
But…
• No data integrity
• All actions affect memory
• Cannot be…

In-Memory Data

• Running kernel/modules info
• Running/dead processes
• Network connections/configuration
• Memory-mapped files
• User logins
• Firewall set…

Live Forensics Process

• Regular rules apply :)
• Dump live memory (software/hardware)
• Gather volatile data (software) – Optional
• Offline analysis

Memory Dumping

• Hardware
  – Custom hardware devices
  – Access memory directly (DMA)
  – Can also be cheated :(
• Software
  – Trusted toolkit
  – WILL alter memor…

Hardware Dumping

• DMA can subvert OS
• Custom DMA device
  – PCI, PCMCIA, USB, Firewire
  – http://www.csoonline.com/read/050106/ipods_pf.html
• But…can be de…
