Memory forensics and incident response
2 likes•2,890 views
This document discusses memory forensics and incident response. It notes that 46-58% of large organizational losses are due to insider threats, even though identifying offenders and recovering assets from insider incidents should be easier. However, in 40% of insider incidents, those responsible are never identified due to insufficient evidence. This is often because 61% of businesses do not have access to forensic technology or procedures. The document then outlines best practices for incident response, including collecting volatile memory data and using tools like Volatility to analyze RAM and identify intrusions. It also discusses challenges like anti-forensics programs and using direct memory access via FireWire to bypass passwords and collect passwords from memory.
Memory forensics and incident response
- 1. Memory Forensics and Incident Response Robert Reed
- 2. Frequently when we think of CyberCrime external intrusions immediately comes to mind, but we should remember that “insiders” represent a significant threat to organizations. Between 46 and 58 percent of the incidents resulting in the largest losses to organizations were “inside jobs.” This is particularly troubling because in these incidents the likely hood of identification of offenders and potential recovery of assets should be easier. Intrusions Insiders Outsiders Global Economic Crime Survey 2011, PriceWaterhouse Cooper.
- 3. 42% 40% 39% 12% 8% 6% 5% 4% 11% 20% 0% 10% 20% 30% 40% 50% Damage level insufficient Could not identify the individual Lack of evidence negative publicity Concerns about liability competitors use for advantage Prior negative response law… Unaware crime was reportable Other Don't know Reason not Prosecuted Damage level insufficient Could not identify the individual Lack of evidence negative publicity Concerns about liability competitors use for advantage Prior negative response law enforcement Unaware crime was reportable Other In “insider” incidents, 40 percent of the time those responsible are never identified, or insufficient evidence was obtained for prosecution. This is particularly troubling because in these incidents the likely hood of identification of offenders and potential recovery of assets should be easier 2011 CyberSecuirtyWatch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
- 4. Why are so many incidents not producing sufficient information for prosecutions? To some degree this makes sense when we dig deeper into the numbers, 61 percent businesses suffering from CyberCrime indicated that “they don’t have, or are not aware of having, access to forensic technology investigators.” 61 60 46 0 20 40 60 80 Not Aware of access to forensic investigators No in-house forensics No forensic IR proceedures Business Forensic capabilities Forensic Capabilities Global Economic Crime Survey 2011, PriceWaterhouse Cooper
- 5. Objectives of incident response: • Collect as much evidence as possible • Minimize or eliminate changes made to evidentiary information • Maintain the integrity of the investigation • Minimize the disruption to business processes • Obtain a successful outcome
- 6. Striking a balance • Do we need to do a forensic examination? – Is there a statutory requirement to report? – Is there potential liability for not investigating? – Is there a broader objective in the investigation? – Is it fiscally responsible?
- 7. Typical Incident life cycle • Identify incident • Establish approach • Collect evidence • Analyze evidence • Document and report • Assess and follow-up
- 8. Traditional Computer Forensic Response • Secure location • Document the scene • Pull the plug • Collect evidence • Image the media • Analysis • Reporting
- 9. Pro’s of the Approach • Acceptable for most of the cases LE is presented with • Easy to validate the information for court purposes • Easy to establish and validate SOP’s
- 10. Con’s to Traditional Approach • Increasing drive capacities • Increased security awareness – Encryption – Passwords – “Personal Privacy” Software • Business Continuity • Misses /Destroys vital information in RAM
- 11. Better Approach • Secure location • Photograph and document scene • Collect volatile data • Isolate from network?? • Bring the machine down or live image?? • Bit stream image • Analysis • Reporting
- 12. Order of volatility 1. CPU cache and Register 2. ARP cache, Routing and Process tables 3. RAM 4. Temp file systems, Swap and page files 5. Fixed and removable media attached 6. Remotely logged data 7. Archives
- 13. Collection of volatile data Tool/s Utilities OSHardware Results
- 14. Concerns • Reliability of local tools • Root kits • Integrity of evidence – Authenticity – Integrity • Chains of custody • Security
- 15. Collection of Volatile data • cmd • tasklist • netstat • arp • Route • Net commands • etc * The problem with using native commands is that we can not trust their results*
- 16. Collection of volatile data Tool/s Utilities OSHardware Results
- 17. Collection of volatile data Tool/s Utilities OSHardware Results Kernel Space UserSpace
- 18. External tools • cmd ?? *are you bringing your own command console?* • Sysinternals: http://technet.microsoft.com/en-us/sysinternals/default • Nirsoft: http://www.nirsoft.net/ • Foundstone: http://www.mcafee.com/us/downloads/free-tools/index.aspx • WFT: http://www.foolmoon.net/security/wft/ • Tons of others out there
- 19. Collection of volatile data Tool/s Utilities OSHardware Results Kernel Space UserSpace API
- 20. Collection of volatile data Tool/s Utilities OSHardware Results Kernel Space UserSpace
- 21. RAM / Image Analysis tool OS utilities OSHardware Results ? Kernel Space UserSpace Tool
- 22. Imaging and Analysis Tools • Win32/64 dd • Dumpit • Man dd • FTK Imager • Belkasoft • Volatility • Memoryze • Redline • HBGary Responder • Encase • Etc….
- 23. Imaging and Analysis Tools • Challenges – Varied Implementations – Anti-Forensics programs and techniques
- 24. Direct Memory Access tool OS utilities OSHardware Results ? Kernel Space UserSpace Tool
- 25. http://www.breaknenter.org/projects/inception/ “Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any powered on machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.”
- 26. “Goldfish was a project by Afrah Almansoori, Pavel Gladyshev, and Joshua James aimed at the extraction of user password and fragments of AIM instant messenger conversations directly from RAM of Apple Mac computers. Goldfish software can be used against 32 bit versions of Mac OS X up to and including Mac OS X (10.5) Leopard.” http://digitalfire.ucd.ie/?page_id=430
- 27. Direct Memory Access • Advantages – Bypass passwords to gain access – Recover passwords (keyboard buffers) – Evade current anti-forensics techniques
- 28. Direct Memory Access • Challenges – Hardware dependent! – Physical access! – Disabled drivers? – 4GB of accessible space! 0>ffffffff
- 29. Direct Memory Access • Mitigation – Windows • Block SBP-2 drivers: http://support.microsoft.com/kb/2516445 • Remove FireWire and thunderbolt drivers
- 30. Direct Memory Access • Mitigation – Macs • Filevault2 (OS X Lion) and screen locked • Firmware password
- 31. Direct Memory Access • Mitigation – Linux • Disable DMA • Remove FireWire drivers
- 32. Questions ??