Comprehensive Guide to Memory Analysis in Cybersecurity
Overview
This page summarizes a webcast on memory analysis and then carries the raw transcript. The session covers memory acquisition with WinPmem and FTK Imager, analysis with the Volatility and Rekall frameworks, the core modules an analyst needs (imageinfo, netstat/netscan, pslist/pstree, dlllist, filescan), and the case for keeping several acquisition and analysis tools on hand. It also covers a concrete failure mode: on Windows 10 images, network-connection plugins can return connections with no owning process (PID -1) because the tcpip.sys pool structures they parse changed and are undocumented.
Key Points
- Conference Introduction: The webcast opens with a plug for the Wild West Hackin' Fest conference in South Dakota (wildwesthackinfest.com). The slides come from the memory section of SANS 504; SANS FOR526 is the dedicated memory forensics course.
- Memory Dumping Tools: The presenters use WinPmem (Rekall's acquisition tool, which writes compressed AFF4 by default and can bundle the page file and drivers) and AccessData FTK Imager (which writes a raw image Volatility reads directly). Older dumpers are kept on a USB stick too, because an incident may involve a Windows 2000 or Server 2003 host, and dumping the same box with two or three tools guards against any one of them failing.
- Memory Analysis Techniques: The modules the presenters consider essential are:
- imageinfo: Identifying the Windows version, build and bitness so the framework knows where kernel structures live. Volatility needs this fed in as a profile (for example Win10x64_10586); Rekall detects it automatically, reaching back to its profile repository unless an offline copy is configured.
- netstat vs. netscan: netstat quickly lists current connections with PID, port and protocol; netscan is slower but scans for connection objects exhaustively, recovering closed and CLOSE_WAIT connections, which matters for beaconing malware that connects and drops repeatedly.
- Process Hierarchy: pslist gives PID and parent PID; pstree renders the lineage so an analyst can see which process begat which. dlllist adds the loaded DLLs and the command line invocation, which separates a normal svchost.exe from a lookalike started with odd parameters.
- Challenges with Windows 10: The layout of the pool allocations made by tcpip.sys changed from Windows 8 onward and is not publicly documented, so netscan in Volatility and Rekall may show connections with a process ID of -1 and no process name. The presenters stress documenting such tool limitations, reproducing them in an isolated lab, and citing the open issue tickets rather than being surprised by them in court.
- Practical Demonstrations: The webcast dumps a compromised Windows 10 VM (a Meterpreter reverse TCP session) with FTK Imager and WinPmem, runs Volatility netscan against the FTK image, and walks Rekall's pslist, pstree, dlllist and services modules, including tab completion of module names.
Conclusion
The session concludes with a Q&A segment, addressing common questions about memory analysis tools and techniques, and encouraging participants to engage with the community for further learning.
FAQs
- What is memory analysis in cybersecurity?
Memory analysis examines the volatile memory of a system to detect malicious activity, understand what the system was doing, and gather forensic evidence that never touches disk, such as running processes, loaded DLLs, open files and network connections.
- What tools are commonly used for memory dumping?
For acquisition the webcast uses WinPmem (Rekall's dumper, AFF4 output) and AccessData FTK Imager (raw output). Volatility and Rekall are the analysis frameworks that read those images; they do not capture memory themselves.
- Why is it important to use multiple tools for memory analysis?
Different dumpers and frameworks support different image formats and have different knowledge of Windows internals, so one may fail where another works. Dumping with more than one tool and analyzing with both Volatility and Rekall lets you corroborate findings and fall back when a plugin breaks on a new build.
- What challenges are associated with analyzing Windows 10 memory?
The tcpip.sys structures that the network plugins parse changed from Windows 8 onward and are undocumented, so netscan on Windows 10 images can return connections with PID -1 and no owning process. Analysts need current profiles, should document the limitation, and should confirm the result with a second tool.
- How can I learn more about memory forensics?
The presenters point to SANS 504's memory section and the dedicated FOR526 course, the Volatility and Rekall module documentation and issue trackers, and contributing reverse engineering work back to those projects.
- Is FTK Imager a free tool?
Yes. AccessData FTK Imager is available free of charge and is used here to capture memory; the analysis is done in Volatility or Rekall.
- What is the significance of process hierarchy in memory analysis?
Following parent/child relationships with pslist and pstree lets you trace where a process came from (for example a payload launched by Outlook through Explorer), spot core processes with the wrong parent, and tie a suspicious network connection back to the chain of execution that created it.
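The workflow the Key Points describe (start from a foreign connection in netscan, find the owning process, walk its lineage with pslist, and sanity-check parents of core Windows processes) can be scripted over the plugins' text output. The block below is an added example, not code from the webcast, SANS 504, Volatility or Rekall. The pslist and netscan text it parses is constructed by hand in the Volatility 2 column layout, the IP addresses are RFC 5737 documentation ranges, the `EXPECTED_PARENT` table is an illustrative assumption, and the `Pid -1` row models the Windows 10 case the transcript discusses where netscan cannot resolve the owning process.

```python
"""Added example (not from the webcast, SANS 504, Volatility or Rekall): join
Volatility 2 style `pslist` and `netscan` text, walk each foreign connection
back through its parents, and flag core processes with an abnormal parent."""
from __future__ import annotations
import ipaddress
from collections import namedtuple

# Constructed pslist text in the Volatility 2 column layout (not a real dump).
# explorer.exe's parent 2176 (userinit.exe) has exited and is deliberately absent.
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xffffe0018a0c1040 System                    4      0    120        0 ------      0 2016-05-01 12:00:01 UTC+0000
0xffffe0018b7a8840 smss.exe                312      4      2        0 ------      0 2016-05-01 12:00:02 UTC+0000
0xffffe0018bf3e080 wininit.exe             432    312      1        0      0      0 2016-05-01 12:00:05 UTC+0000
0xffffe0018bf9a840 services.exe            528    432      5        0      0      0 2016-05-01 12:00:06 UTC+0000
0xffffe0018c0d0840 svchost.exe             700    528     12        0      0      0 2016-05-01 12:00:08 UTC+0000
0xffffe0018c3f2080 explorer.exe           2212   2176     40        0      1      0 2016-05-01 12:01:10 UTC+0000
0xffffe0018c8e1840 OUTLOOK.EXE            3020   2212     25        0      1      0 2016-05-01 12:03:44 UTC+0000
0xffffe0018cc4b080 svchost.exe            3388   3020      3        0      1      0 2016-05-01 12:04:02 UTC+0000
"""
# Constructed netscan text (RFC 5737 documentation IPs). The CLOSE_WAIT row has
# Pid -1 and no Owner: the Windows 10 symptom the webcast describes.
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e0a2f10         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        700      svchost.exe
0x3e1b4c80         TCPv4    10.0.2.15:49213                198.51.100.25:443    ESTABLISHED      3388     svchost.exe    2016-05-01 12:04:03 UTC+0000
0x3e2c7a40         TCPv4    10.0.2.15:49220                203.0.113.10:443     CLOSE_WAIT       -1
0x3e3d9e20         UDPv4    0.0.0.0:5355                   *:*                                   700      svchost.exe    2016-05-01 12:00:09 UTC+0000
"""
TCP_STATES = {"ESTABLISHED", "LISTENING", "CLOSE_WAIT", "CLOSED", "SYN_SENT",
              "SYN_RECEIVED", "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT", "LAST_ACK"}
# Parent each core Windows process normally has (lower-case names; assumption).
EXPECTED_PARENT = {"smss.exe": {"system", "smss.exe"}, "wininit.exe": {"smss.exe"},
                   "services.exe": {"wininit.exe"}, "lsass.exe": {"wininit.exe"},
                   "svchost.exe": {"services.exe"}}
Proc = namedtuple("Proc", "name pid ppid")
Conn = namedtuple("Conn", "proto local foreign state pid owner")

def parse_pslist(text: str) -> dict[int, Proc]:
    """PID -> Proc; header and separator lines are skipped."""
    procs = {}
    for tok in (ln.split() for ln in text.splitlines()):
        if len(tok) >= 4 and tok[0].startswith("0x"):
            procs[int(tok[2])] = Proc(tok[1], int(tok[2]), int(tok[3]))
    return procs

def parse_netscan(text: str) -> list[Conn]:
    """State is absent for UDP rows; Owner and Created may both be empty."""
    conns = []
    for tok in (ln.split() for ln in text.splitlines()):
        if len(tok) < 5 or not tok[0].startswith("0x"):
            continue
        rest = tok[4:]
        state = rest.pop(0) if rest[0] in TCP_STATES else ""
        if not rest:
            continue
        pid = int(rest.pop(0))
        owner = rest.pop(0) if rest and not rest[0][:4].isdigit() else ""
        conns.append(Conn(tok[1], tok[2], tok[3], state, pid, owner))
    return conns

def is_foreign_endpoint(addr: str) -> bool:
    """Remote endpoint: not wildcard, unspecified, loopback, link-local or multicast.
    Private ranges still count; lateral movement is as interesting as a beacon."""
    try:
        ip = ipaddress.ip_address(addr.rsplit(":", 1)[0])
    except ValueError:          # "*" wildcard or unparsable text
        return False
    return not (ip.is_unspecified or ip.is_loopback or ip.is_link_local or ip.is_multicast)

def lineage(procs: dict[int, Proc], pid: int, max_depth: int = 32) -> list[str]:
    """Follow PPID links toward System; stop at PID 0, a parent missing from
    pslist (exited or hidden) or a cycle in a corrupt list."""
    chain, seen, cur = [], set(), pid
    while cur not in seen and len(chain) < max_depth:
        seen.add(cur)
        p = procs.get(cur)
        if p is None:
            chain.append(f"<not in pslist> ({cur})")
            break
        chain.append(f"{p.name} ({p.pid})")
        if p.ppid == 0:
            break
        cur = p.ppid
    return chain

def unexpected_parents(procs: dict[int, Proc]) -> list[str]:
    """Core processes whose parent is outside EXPECTED_PARENT."""
    out = []
    for p in procs.values():
        allowed = EXPECTED_PARENT.get(p.name.lower())
        parent = procs.get(p.ppid)
        pname = parent.name if parent else "<not in pslist>"
        if allowed and pname.lower() not in allowed:
            out.append(f"{p.name} ({p.pid}) started by {pname} ({p.ppid}); "
                       f"expected {', '.join(sorted(allowed))}")
    return out

def triage(pslist_text: str, netscan_text: str) -> list[dict]:
    """Foreign connections with their owner lineage, or a note when netscan
    could not resolve the owner (Pid -1, or a PID absent from pslist)."""
    procs, findings = parse_pslist(pslist_text), []
    for c in parse_netscan(netscan_text):
        if not is_foreign_endpoint(c.foreign):
            continue
        known = c.pid in procs
        findings.append({"foreign": c.foreign, "state": c.state, "pid": c.pid,
                         "lineage": lineage(procs, c.pid) if known else [],
                         "note": "" if known else "owner unresolved by netscan; "
                                 "document it and corroborate with a second tool"})
    return findings

if __name__ == "__main__":
    for f in triage(PSLIST_SAMPLE, NETSCAN_SAMPLE):
        print(f["foreign"], f["state"], f["pid"], " <- ".join(f["lineage"]) or f["note"])
    for line in unexpected_parents(parse_pslist(PSLIST_SAMPLE)):
        print("parent anomaly:", line)
```

On the constructed data the ESTABLISHED connection to 198.51.100.25:443 resolves to svchost.exe (3388), whose lineage runs back through OUTLOOK.EXE and explorer.exe to a parent that is no longer in pslist, and the same svchost.exe is flagged because services.exe did not start it. The CLOSE_WAIT row comes back with an "owner unresolved" note rather than a guessed process, which is the point the presenters make about Windows 10: record what the tool could not do and confirm it another way.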
...cowboy, but I don't know if he's gonna do it. All right, all right, all right, so let's get this started. OK, so let me do this quickly, quickly. Let's change the subject. All right, so let's go ahead and get started. We have the recording that's been kicked off; yes, this is in fact being recorded. And, in all seriousness, the conference is Wild West Hackin' Fest. Go to wildwesthackinfest.com and it'll take you right to the website. It's a conference that we're doing here in South Dakota. I'm in my small closet of an office right now because we had people talking, so you've got wires up there, networking equipment over here, because this is my life, really. I did play with nice little screens and Raspberry Pi drop boxes. Hey, Alissa! Oh, Alissa made it. So this is where I spend most of my time, kind of screwing around working with things, so if it looks a little bit sparse it's because I'm hiding. We'll wait for Alissa's audio to come through. Alissa is just going to interject as well. This is great, we've got Alissa and Joff on. Let's wait for Alissa's audio to come through. Testing, testing... there she is. I'm so happy that we have Alissa here, because we actually have an expert in memory forensics, and that makes me feel so much better about what's going on. There's a student behind her; she's actually teaching a class. Where are you teaching? It looks like it's on-site. No one's in the room, no one's in the picture, so don't worry, everyone.

Alissa: I can't even tell you where I'm teaching this week. Location: I can't even tell you. There's a creepy dude that every once in a while peers around the corner of the door; looks like stalking, every once in a while. He's been doing that all week.

John: What's he been doing all week? Yeah, so you need to get out of here.

Alissa: Yeah, no, I thought... we teach all kinds. It's just the way it works.

John: All right, here we go, let's go ahead and get started. These slides are predominantly from SANS 504's memory section. We actually have a full class dedicated to memory analysis. Alissa, what is the number for that class?

Alissa: That is Forensics 526.

John: 526, so check it out. All right, so
we're going to talk about memory analysis. We'll talk first about memory dumps, and I'm going to go through and do a memory dump in two different ways, and we'll talk about two different frameworks: the Volatility framework and Google's Rekall. The big thing about today's webcast is the importance of having multiple different tools, and that applies for taking the memory dump and also for doing the analysis as well. So the two main tools that I like to use are WinPmem, and I also really like to use FTK Imager, which I'll show you guys here in a little bit. But I also have a bunch of old tools up here as well, and every once in a while I have students that are like, "well, that tool is old, you shouldn't use it," and I disagree with that. The reason why I disagree with that is you never know, whenever you're doing memory analysis or you're doing incident response, what type of system you're going to have to pull the memory off of, if it's a Windows 2000 box or a Windows Server 2003. So it's good just to keep them all in your toolbox. I mean, you can just have a directory on a USB stick that's just memory dumping tools, and on some of my assessments I've gone through and dumped the memory with three different tools at the same time and opened them up in different places. Now, Alissa, you talked a little bit about different formats in some emails that I was shooting back and forth with you, when you were talking about WinPmem and compression and things like that. Do you want to share a little bit about how the formats can in fact change between these different tools?

Alissa: Sure. We know that Volatility offers an incredible amount of support for different formats. I mean, we're looking at support for E01, the Expert Witness Format, and definitely support for the compressed hibernation file, so fantastic. But largely people are approaching the analysis in Volatility with a raw memory image. So when you're using WinPmem, which is Rekall's acquisition tool (I think that's the one you've chosen to use as well, John; I like your choice there), by default it is going to output to an AFF4, which is compressed, right? I mean, that's a compressed... we were talking about it in class. AFF4 has a lot of data streams. It's fantastic. I don't mean to steal the show with the AFF4 conversation, but it's fantastic because you can throw the page file into the AFF4, you can throw in all the drivers. The version we're using in class is capturing the drivers on the system that it is dumping memory from, so everything is an "information turtle," like everything is indexed, and you have these data runs. So there is some compatibility that exists; I mean, you have AFF4 export that you can use to pull out the raw memory data runs and throw it into, say, an IMG or E01 file, and then Volatility is like, "right on, we've got this thing," and Volatility can parse it. That's what we were doing yesterday, in fact.

John: Cool, yep, very, very cool. All right, so let's jump in. I'm going to be showing
both of these tools, and I'll talk mainly about Rekall because that's what we use in SANS 504, and really, I don't know, we're probably going to end up changing it up by using multiple different tools. But the big modules, I would say, if we're going to talk for an hour about what you absolutely need to know if you're going to sit down and use these different tools, the big modules that you absolutely need to know and be able to use are here on the slide, and I'm going to focus in on quite a few of them as I actually go through and do some demonstrations.

imageinfo is incredibly, incredibly important. It may not seem like it's that important, but it actually is, and the reason why is that whenever you're taking a memory dump, when you're dealing with Windows versions like Windows 7, Windows 8, Windows 8.1, Windows 10, and even between 32-bit and 64-bit, or you're looking at specific releases and service packs, where the memory structures reside changes. Sometimes, especially when you're looking at Volatility, you have to actually feed that image information in so it knows where to look for information such as network connections, processes or dynamic link libraries. Some tools, like Rekall, do a relatively good job of automatically identifying what that memory image is. Now, you get into some problems whenever you try to do analysis offline, because Rekall likes to reach back and actually pull from the database and pull information directly, and that keeps it up to date. You can create an offline database just by doing a git pull and basically changing a variable within Rekall to point locally, and that all works just fine. We use that in 504 because it's kind of a contrived exercise of a memory dump, and I'm going to go through that exercise and walk through what we actually capture. So imageinfo is very, very, very key when doing analysis. I'm going to talk more about some problems with memory dumps, and some of the utilities and what they pull and what they don't pull, a little bit later. These are some of the new problems that we experience on Windows 10, and Alissa knows a lot more of the inside politics and baseball on that, and we'll deal with that here in a bit.

netstat is pretty cool. netstat lists all the open network connections, where you have your process ID, port and protocol. Very, very simple to use, very, very fast. pstree is what you would expect: it's going to list out all of the processes and the hierarchy, what is the process that begat which other process, so you can see the child processes. You see a lot of this information in modern tools like Carbon Black, for example. They will graph things like this differently; they'll actually say this particular process, like Internet Explorer, was invoked by Outlook, and then Internet Explorer invoked another executable through explorer.exe, and you can see how all of these different processes tie together. Being able to tie that process all the way back can help you better understand exactly how things were executed on the system and why they were executed in a certain way.

dlllist lists all the dynamic link libraries loaded by a process, and one of my favorite features is the command line invocation of how that process was actually kicked off, how it actually started. That's really cool, because if you see something like svchost with weird parameters, it'll allow you to say, you know, that's not normally the way that svchost actually runs under normal circumstances.

Now, I've got a couple of questions that just popped in. Somebody said, "have the slides already been posted?" They have been posted; the slides have been posted here, and I'll send it to everybody and you guys can pull them down. They're in PDF format. People can see me; that's great.

All right, so getting those dynamic link libraries is important because you can actually look at the command line invocation and see how things were run. Once again, that can differentiate what a real program is and what might be malware. Now, netscan is different. Whenever it runs it tends to take a little bit longer; it tends to be a little bit more exhaustive. So, Alissa, when we're looking at netstat, which seems to be very, very quick, netscan tends to take a little bit more time. In what situations would you use netscan over netstat with something like Rekall? I think she's on mute.

Alissa: Perhaps you can hear me now?
John: Yes, we can.

Alissa: Absolutely. Normally I just default to netscan. I guess we all have our preferences, but I always kick back to netscan because it does offer that comprehensive, you know, sometimes I'll get a historical view of network connections, or in the past maybe they're in a CLOSE_WAIT state. So that's normally what I would run. Rarely do I use netstat, but I can see the use case; it's just a real fast enumeration of current connections and currently bound sockets.

John: Because it depends. Those previously open connections are also really important, especially whenever you're dealing with malware that's beaconing, where it may make a connection and then drop it, and then make a connection 10 seconds later and drop it. So I like that too, quite a bit, because we do a lot with beaconing. I like netstat, and this is kind of a goofy thing, I like netstat because it nicely fits on a slide for SANS 504 for looking at network connections, which I think is pretty cool. filescan lists the files that each process has open, which is helpful for obvious reasons. pedump dumps code associated with running processes, and modules lists the different modules associated. Now, one of the cool things that I really didn't use very much, Alissa, was the live forensics capability in Rekall, and that was something I learned from you last week. It's like Rekall can do analysis on dead images, but you can also run it live as well. Is that right, Alissa?

Alissa: Absolutely. I mean, we actually will run it right from our USB for live analysis, and I think that's more what you're referring to as the live analysis capability of Rekall. And, you know, live analysis, like Michael Cohen says, is always in beta. Regardless of what tool you're going to throw at your running machine, you're going to get varying degrees of success, and we go forth knowing that.

John: Yep, don't we know that very well with these tools. All right, so these are the instructions, some kind of partially cut-down instructions of what we do in SANS
504. We use Rekall, and we use Rekall on a memory image, and then we work through that memory image, and I'm going to walk through some of this. Here's the netstat. Once again, the reason why I like netstat is that it's very nice and tidy; it kind of shows me exactly what's going on, and it fits on a slide. netscan also takes a little bit longer, and I'll show you what that looks like a little bit later too. Now, one of the things I like to do is tie together what we talked about in the last webcast a couple of weeks ago with today. We were talking about live analysis: if you have a system that you think is compromised, it can be very, very, very helpful to be able to run these tools, of course with the memory image, but also running them live. So if we do netstat, it's very similar to `netstat -nao` (not quite `-b`, possibly, you know, showing all the dynamic link libraries) but piping it through find and then looking for established connections. Now, as Alissa mentioned, that's great for established connections, but what about beaconing malware? What about malware that's trying to use UDP and making outbound connections that aren't part of an established state? That's where netscan would have a lot more value, to show you some of the connections that are actually dead.

So this gets to the heart of computer security, especially forensics. I learn more and more and more whenever I work with people like Rob Lee and Phil and Alissa: it's not just about having one way to do things, it's about having multiple different ways of achieving the exact same goal, because inevitably you're going to run into roadblocks, and you're going to run into a situation where thing one works but thing two does not. There's some points about this; let me just show you guys real quick. So whenever I was setting up this webcast, I thought I was an idiot, and Alissa confirmed that I was on some things, but on other things not so much. When you're looking at some of the modules, I really like to work with network connections, working with network connections and kind of working my way back whenever I'm looking for malware on a computer system. So I can start with netscan or netstat with a memory image, then see what executables are associated with that, then I can look at the parentage associated with those executables and see how those executables were invoked. Were they invoked from explorer.exe? Were they invoked from Flash? How exactly did they kick off? I can start to pull that chain together. I started gearing up for this, and all of my stuff for lab and memory analysis was Windows 7 and Windows 8, and I have brand new Windows 10 systems, and the network connections weren't working very well at all with Volatility or Rekall, and I actually opened up some issue tickets with these memory images.

Now, why do we talk about this? I think this is important because whenever you're dealing with these tools, and this also goes for penetration testing tools and any tool that you use in IT, you need to understand that there are going to be situations where these tools don't work properly. When you're dealing with 64-bit Windows 10 profiles, they may not have updated the code to adequately represent or actually identify where in memory network connections are, or maybe processes for specific versions, or dynamic link libraries. That's not necessarily a horrible, bad thing as long as it doesn't surprise you. What I mean by that is, if you get in front of a judge and a jury, let's say you're working through a forensics investigation and your tool isn't working properly, it's incredibly important for you to document that it's not working properly, and then also replicate that situation on multiple other systems. So if you're doing memory analysis of, say, a Windows 8.1 image and something isn't working in Volatility and isn't working in Rekall, document it, take pictures, screenshot it, and then try to recreate it in a lab environment that is isolated from the investigation you're working, and then say this is a known issue, issue tickets have been created. Or even go to the Volatility GitHub site, or go to Rekall's website, and see the different issues associated with it. So, like my problem: we have Windows 10 with network connections, and Volatility is showing the network connections with ESTABLISHED, meaning outbound connections, with a process ID of negative one, and there's a bunch of people that are working through this together, which I think is great. So with this there's people that are working through the issue, and you'd want to document this in your forensics investigation as well, basically letting people know, because if something doesn't work that's not the end of the world. But if you're caught off guard, like you get in front of a judge and jury and then a cross-examining attorney says, "what are those negative ones?" and you have no idea, you look like a complete idiot. It really helps to have really smart people that you can talk to, like Alissa helped me out. Now, Alissa, what did change? I know that whenever they were talking about, not process IDs, but network connections with netstat and netscan in Rekall and in Volatility, it was working, but then in Windows 10 it kind of stopped working. What happened behind the scenes? I know that we had some emails going back and forth with the people at Rekall and there was a little bit more information about what's going on here.

Alissa: Well, a little bit more information, John. Largely, there are unpublished things about the Windows operating system, undocumented, not publicly available, and tcpip.sys is one of those things. So a lot of engineering has to come into play when you're dealing with understanding the pool allocations that are allocated by that driver, tcpip.sys. It's not as easy as other things that we do know or have documented about the Windows operating system. In talking with one of the core developers of Rekall, he did state there were changes as of Windows 8 and beyond to these structures, making it harder to parse, or even, as you see in Rekall, we're not able to run a netscan and properly enumerate those structures that are created by tcpip.sys. So I guess you could say that the underpinnings of the very driver changed and are not publicly available, so they really require a whole lot of reverse engineering, research and analysis. So, constant change.

John: I would say that that's one of those things where, if you want to contribute to the community, this would be huge, right, to be able to contribute. I know that he was talking about how he had tried to have an intern that would reverse engineer this, and it was kind of a daunting task and they couldn't quite do that. But if you love memory analysis, if you love memory images and you want to dig in, this is a great place for people to contribute and actually have a good impact on the community as a whole. So,
all right, let's move on to some other ones. pslist gives us the processes. This is nice because it gives us the process ID, and it also gives us the parent process ID as well, and that lineage becomes really important. I'll show you what that looks like here in a little bit as we walk through a sample investigation that we do in SANS 504 to try to tie through what's going on on the system. A lot of people, unfortunately, whenever they're looking at memory images, are looking at it specifically from the perspective of "where's the malware, and where's the malware talking to?" But there's more to that story. You could have malware that's communicating out to Estonia or Tennessee or someplace weird, or South Dakota, and you could just focus on that malware, but if you're not looking at what that computer system is doing insofar as making connections to other computer systems, you're only really getting a partial part of the overall image of what that computer is doing. So being able to see the lineage of how programs executed is very important, and pslist can give that. It's also very similar, from an output perspective, to running `wmic process get name,parentprocessid,processid` to dump that information out to you. Now, dlllist, like I said, is one of my favorites. dlllist: you give it a process ID and it will dump all the dynamic link libraries associated with an executable, and it will also give you the command line invocation of that process as well. That's great, because now we can see, you know what, if it's something like svchost or "secm" or some type of weirdly named process like "scuzzy host," you can actually look into it and say, well, what does the normal process with that name look like, and how is it invoked, and how is my malware, or my possible malware, invoked? Because there will be a difference in those command line invocations in some situations as well. So very, very, very cool stuff when you're dealing with memory analysis and pulling down the command line invocations, and don't worry, I'm going to show you guys what the stuff looks like more or less live. Now I'm going to go through and kind of show you guys a couple of VMs. We'll do a memory dump
as well. So I'm using standalone versions of these tools; we're using Rekall and we're also using Volatility. So this is Volatility. With Volatility you can give it a file where there's a memory dump, and I created this memory dump with FTK Imager, and I can run the module netscan and it'll go through and pull down all of the different network connections associated with the system, and the process IDs as well. I wish I could make this a little bit bigger; maybe we can. Let's go through and make our font bigger. There we go. That was absolutely one of the dumbest things I think I could possibly have done. Let's see how big I can make it where it's still useful. There we go, there we go. All right, so with this, kind of pre-canned, some of the commands that we have here: basically, using volatility_2.6_win64_standalone, I do `-f` and I give it a memory dump file (at the end I'll talk about creating a memory dump file, here in just a little bit), and then we ran netscan and we give it `--profile`, and we said Win10x64, then we have a build number here, 10586, and it shows us the local connections and the ports that are listening, some of the stuff you would absolutely expect to be running on a Windows computer system. But then we also have some remote connections. So if we look at these foreign connections, and I really like to focus in on foreign connections, we can see that this particular process is starting on a source port 2317 and it's making a remote connection to 131.253.34.233 on port 443. Now the big problem with this is we're missing some very, very critical information, and this is part of that issue ticket that I opened with Volatility, and some other people that opened with Volatility, and Rekall also has a very similar issue as well; Rekall's is a little bit more acute. We don't have the process ID, we don't have the process name, we don't have the date associated with it. Now, that doesn't mean that that data is not there; it just means it's not where it's specifically looking for it, or it's looking for that data, but we at least have those connections in some fashion. Then we can do some research, tying in with what we're going to do a little bit later: what is this IP address? Look up whois information, IP info on those particular IP addresses, and see what it is. It could be something as simple as the Enterprise Security Weekly website or the Black Hills Information Security website, or it could be some really horrible malware site that has bad, bad, bad things going on. So that's kind of a hole, right? That's kind of a hole insofar as what we have with these memory dumps that we can do. Now, if we look over here, I can show you Rekall as well. Here we go. So this is Rekall, and... oh yeah, go ahead.

Alissa: One
second. I know we need to get back to analyzing our page files now, John, so we want to thank you for inviting us so much.

John: Thank you so much for coming out.

Alissa: Now it looks like you've got everything well in hand, man. Enjoy that Rekall analysis. See you guys, bye.

John: Sounds good. Maybe we can talk about it a little bit later, but page file analysis is really important, and the reason why it's important is a lot of times you can look at processes that have been paged out of memory. So if you have malware that is, quote unquote, dormant, like it's only running and only doing things at certain times, it may get paged out of memory. There's also some research that was done by Jamie Butler back in 2008 called Shadow Walker, and it was malware that would wait for sequential memory reads on a computer system and then page itself out, so the memory read would go past, and then that would page itself in. It's kind of like rope-a-dope, so the memory analysis would always be a little bit off. So that's why the page file analysis is very cool, but I was happy Alissa could make it.

All right, so we've got network connections. If we look at pslist we have all the processes that are currently running, and we can see those, and Rekall works just fine with the current version for dumping out all the processes. We can do pstree, and pstree is going to list which processes begat other processes; we can look at that overall hierarchy. So if we do have a process that is interesting to us, we can actually go through and pull down that specific process. Let's say Redline was interesting, so I could do dlllist, and let me see if it's going to do it. The other thing that I like about Rekall is it's got tab autocomplete. Any time you're trying to run something and you don't know exactly what that process or what that module was in Rekall, you can just type D, or I can type P and hit tab, or I can hit S and hit tab, and it's going to show you all the different commands and the different things that you could run from this particular context. So I could do services and then just tab-autocomplete it and see if it works, and there's all the services that are currently running. You can literally just spend hours doing this, just going through the alphabet. You can also go through the module list at the website for Rekall; you can see what all the different modules do. This thing just keeps going and going and going, but these are all the services that were running on this specific memory dump. A little bit later I'm going to talk about the order in which I like to run through the modules here. So that's very, very, very cool as well. So let's talk a little bit
about uh dumping memory and taking a look at a at a memory dump of a system so on this particular system I've got
some malare running on it I uh created a backd door and I ran the back door and it's connecting back into one of my IP
addresses which I'm probably going to have to burn um after this webcast because I can't trust you people at all
um but it's a digital ocean instance 104 2361 12492 and uh oh I lost my connection all
right so we can just go back to my image I was hoping that that wouldn't happen but but it does so I'm just kind of
cheating and I'm running the malware directly just take this we'll just run it as administrator and reestablish the
connection there we go let's see if it works uh digital ocean does get a little bit um uh does get a little bit um funky
from time to time uh John we had a couple questions uh does do you have to know the version
of Windows to build a number to use the tool yeah you do but remember that image info is important because image info
actually gives you the capability to um to basically kick out what the version is and volatility will say my best guess
is this specific version and then you can go through and use it it'll give you like its first second and third guesses
um when it when it's when it's pulling that information sorry I got sidetracked so never mind the man behind the
curtain um other than PS list does recall have a module AKA like pcan that does not trust the linked list of the
process rather heris look for eess structure and that would be the closest thing that's why um uh net scan is so
much better because net scan tries to exhaustively go through and search for all the network connections but still it
needs to know what the right places to go look for and how to parse those as well um so yes and no I mean it's not as
cool as just scanning through the entire thing everywhere and exhaustively looking for it it still has to get some
type of a road map um to be able to do that that so hold on my VM there we go interpreter reverse TCP and then set L
Host this come on there we go okay let's see if we get a
connection there we go all right so now we got a session um so on this particular system we've got it
compromised and this is just a Windows 10 VM that I actually have and then I can dump the uh memory from it now with
um I'm going to dump it in two different ways I'm going to dump it with Access Data ftk imager which works really
really well with volatility and then I'm also going to dump it with wind PM which works really really well with recall so
two different ways is now as you as Alyssa mentioned when you're dealing with uh AFF compression you get a whole
bunch of things with uh when PM that maybe volatility doesn't care about but you can export it in the proper way but
I like just using multiple different Tools in these just so people can run multiple tools to dump memory so I'm
going to do capture memory we're going to call it mem dump 2 just because I'm incredibly
uncreative um so we've got that and we'll do let's go through like this I want it
to go to this PC go to see tools there we go there we go so I'm dumping it to my tools
directory I'm calling it mem dump 2. mem and I do capture memory and now it's dumping the memory from the computer
system I only have two gigs of memory uh for this particular computer so it goes pretty fast of course more memory you
have the more time it's going to take to actually dump the memory out of the system so here it goes
Ran out of disk space, oh my gosh. All right, so that's funny. Let me go through and let's try to clean up a little bit here. So here we go. Is FTK Imager free? Yes it is. You can just go to the website and you can download it for free. It's perfect marketing though, right? I mean, if you have this free tool that everyone is using, it works really well. All right, so I'm going to blow away my memory dumps here, my previous ones, to make more room. There we go. Don't you always hate it when you run out of disk space? Oh my gosh. Yeah, this is like Dale says, someone didn't pray to the demo gods today. I didn't pray to the demo gods. Well, no, so okay, Rekall is done, and, ah, was close it. There we go. When in doubt, shoot it through the head. All right, so delete. There we go. All right, I'm not running it right now. Cancel, do this. There, now nothing should be using that memory image at all. All right, there we go, now it's gone, now I can do it. So we'll go through and create memory image, give it the path to the tools directory, call it memdump, there we go, Capture Memory, and away it goes, and hopefully it doesn't puke. I should probably empty the Recycle Bin.

Tim said, "I took 504 last June and passed the GCIH in October. Is there a way to get the updated training material, or do you have to take 504 again?" I don't think you need it quite yet; that was pretty recent. But these webcasts help. It's kind of like I've been telling everyone: anytime I update anything or add new stuff, just keep coming to these webcasts and you're going to get it, no problems.

So, all right, so there we've got a memory dump, hooray, of our system with FTK, and I'm also going to do one with WinPmem. So let me see the tools. C:\tools. I'm all flustered. All right, so we just run winpmem, and you could just give it an output file and just call it winpmem-out.dump, and then we go like that. Oh, I'm not running as administrator, common error. So let's go ahead and fix that one. So we're going to right click, Run as administrator, cd into tools, then we run winpmem without Unix syntax, I'll give it an output file, dump, and away it goes. Now, I want to show you here at the end, so you can see it's doing AFF4. Now, you're going to see that the size of the WinPmem dump is going to be a lot smaller than what was done, because it's automatically going to compress it down, and then Rekall can parse that data no problems at all. So it's going through, and we're just about done. We should still have our malware session. We do, awesome, still have a Meterpreter session. So it's dumping the memory off of the computer system.

And now I named the executable something very, very obvious, but you're not going to always see malware that's like 4444msf.exe. It just doesn't happen all that often at all. So we got that going. I'm going to open up another command prompt and we'll run it as administrator, and I'm going to show you that image in there. We go, so got Volatility and we'll give it a file. God, swear to God, where did I hit a dot? See, the problem is I was going through and prepping, and I'm jumping over to a Linux image during memory analysis here in a couple of seconds. All right, so now it's going to try to identify what the image is for this particular memory dump, and this is really, really important because somebody asked this question already. They were talking about what's the importance of running imageinfo, and the importance of running imageinfo is you don't always know what the image itself actually is at all.

So while that's running, we can go ahead and we can jump into Rekall and we can open up the other memory image. Now, once again, I have one memory image that we're doing analysis on with Volatility, and we used FTK Imager for that, and we did another one that we dumped with WinPmem, the tool from the Rekall project. Now, as Alyssa mentioned, it's very, very cool because it dumps the memory, you can see where it's done dumping the memory here, but then it starts dumping all of the drivers and the page file associated with this operating system as well. Once again, that's really, really important because you might want to do some additional analysis if you do actually have a driver that is of interest, because a lot of malware likes to pretend it's drivers and so on.

Hold on a second. Oh God, it still hurts to cough. They say that my ribs should be pretty well healed, but they still hurt a lot.

All right, so what I'm going to do is I'm going to cd into Program Files, and I'll go into the Rekall directory, and we'll just run Rekall, and then we're going to run it and we're going to open it up against a file directly. So we'll run it against tools, come on, there we go, and we'll run it against the WinPmem memory dump that I just did, and then Rekall is really, really good at automatically identifying what the specific image is. So here in a little bit you're going to see a Rekall prompt that jumps down. Volatility is currently taking its sweet time, and the reason why is it's actually going online and it's going through and doing a full search through that memory dump to try to identify exactly what type of Windows operating system it actually is, as is Volatility right now. So there we go, so Volatility won that little race. But remember, Volatility at this point doesn't really have very good connection information, so if I try to do netstat, Volatility is just going to puke all over itself. Of course, being the fact that the demo gods are currently failing me, it's probably going to work, but I doubt that very strongly. But that's because they haven't actually put in the linkage as far as where memory analysis exists. So it's going through, and I'll show you how a netscan actually looks different and actually go through and dump that information in real time. So while those two are churning and burning, let's go back to our slides,
because we don't want to stop things, and I want to talk about the overall process of doing memory analysis and how you should start it. Now, whenever you're working with a memory dump, I really like to start by trying to identify the remote connections first, and this is where netscan comes in and is very, very important, because it's not just going to show you active established connections; it'll actually show you some connections that are dead as well, which is very, very, very cool as well.

Now we did have a question. Dale asked, does FTK Imager need to be installed on the system, or can it be run from a USB? It actually can be run from a USB stick, so you can actually have that as part of your forensics analysis toolkit that you carry with you. Somebody asked if the rib thing was real. Holy crap, I thought it was part of a country song or something. No, it was very real. Broke two ribs, one of them in two places; they actually went floating. I sneezed three days after breaking them, and then I punctured a ... and spent two days in the hospital, and that sucked. That was not pleasant at all, and I'm still just a little bit sore.

All right, so I like to start with network connections. Now, please understand there are malware specimens where you won't really see established connections. Once again, netstat, or netscan when available, is important for looking at those different systems, right? So you need to have that capability, but you have to start somewhere, right? So they might be using DNS, they might be doing some kind of weird ICMP protocol, but you have to start some place, and this allows you to start by basically mapping out: what are the remote IP addresses the system's talking to, what are the remote ports the system's talking to, what's the process name, its parent process ID and its current process ID, and you can fill that out. Also, you can populate another table: once you have the information from the network connections, you can then fill out the process ID, the parent process ID, the name of the process, and then the command line invocation. So what we're really getting is two separate things. We're getting the remote connections, and we're taking the information that we have from this table and then we're populating another table, which allows us to see the command line invocation of the different systems, or excuse me, the different applications that are currently running. And the reason why this is so critical, and I talk about this in SEC504 quite a bit, is because whenever you're trying to find something, like you're doing forensics analysis, it's not an issue like it is in Hollywood where people are just sitting there and typing really, really, really fast, clickity clickity clickity clickity clickity, and the answer comes up and bites you in the ass. A lot of times it requires us to kind of create these tables and be more analytical and try to treat it more like an accountant rather than, you know, just simply trying to be a television hacker. I'll talk about why that's important a little bit later, and we'll talk about the importance of drawing things out.

So here we got the processes by connection, so I can go through and I can run this over here on my Linux computer. So we got that is completely frozen up, which is awesome, that's great, that's okay, we don't need it. I have another system. Not netstat, netstat, there we go. So here's a memory image, and you can see that the memory image actually gives us out the established connections. Now, once again, we're trying to make these established connections really, really, really easy to identify, just because it is a nice little webcast, and here I made the font a little bit bigger for you, and you can see of course we got netcat running, and it's impossible for me to do anything without, you know, having netcat involved. But we got netcat, we also have a program called hotpics.exe, we have metsrv.exe as well. I'll talk about how those are all different here in just a little bit, but it's helpful. You know, you can see the local address, you can see the remote address, you can see the state, and you can see that it's actually established, and the process IDs. So if we're going through and trying to fill that out, the information that we have whenever we go through and dump it is all right here, and we can populate most of that table. We have the process ID and we have the name, we have the remote IP address and we have the remote port.

We can go back and run pslist, and we can see the process hierarchy for the image as well. So we can see that we have the process IDs. Let me go up here. There you go. We have the process IDs of interest: we have 408, 1744, 1748, 3600 and 1428, and if you see any of those that are interesting to you, you can then drill down. You can say, well, the metsrv service was started by the process ID 496, which is services.exe, and I'll talk about what that is here in just a little bit and how that works. And if you look at 3600, 3600 was started by 2516, which is explorer.exe, and I'll talk about why that's important as well. But yeah, there's just tons of different things, and pstree is helpful because we can actually see that hierarchy, what process started which other process. So here you can see hotpics.exe with a process ID of 3600 started and spawned off 408, 1844, 1744, 2124. We'll talk about what all of those are doing, and that ties back to the network connections as well. So a number of ways that you can actually track what the processes are doing: get the process hierarchy,
determining command line invocations. So if we have a process ID, in this situation, of 1744, we can do dlllist --pid=1744, hit enter, and it dumps all the dynamic link libraries associated with that specific process, and it actually gives you the command line invocation. Once again, incredibly useful stuff when you're doing basic forensics analysis on systems.

So now, if we take this, like I said, kind of having that sheet and drawing that stuff out is incredibly important, so you can actually pull that. We got the netstat, we fill out the table with the network connections and the parent process IDs and the process IDs, and then we pull the dynamic link libraries associated with each of the processes, and we actually pull the command line invocations, and we fill out the table the rest of the way. And we can see, if we fill this out, you can see which processes begat which other processes. Now, we don't actually have the entire picture yet. Some people can see exactly what's kind of going on here with pivots and relays, but it really helps visually to start drawing this out, because you can see that we have systems, like 145, we have 137, that are being talked to through this particular computer system, and we can draw that map out. So we have the victim's computer system, we can see that we're shoveling a shell, cmd.exe, we have a port forward going through the victim as well. Now, it's not always this clean, and I need to make that very, very, very clear, but the reason why this is key is because this is more important as the process, right? We can dump the memory in multiple different ways, we can identify the images, what is the version of the Microsoft Windows, or even Android or Mac OS X or Linux, operating system that you're doing analysis on, and then you can start kind of piecing all of the processes and the network connections together, so you can get to this point where you can basically draw out what this system is communicating with remotely. So you can see that this victim is talking to 145 and it's also talking to 137. So if you're doing a forensics investigation, it becomes very important to start now looking at these other two computer systems: what processes were they running, were they actually compromised as well? Because if you were just looking for hotpics.exe, which isn't necessarily a red herring, but it's not the only thing that matters when you're looking at the malware on this computer, and so many forensics investigators would stop at just looking at hotpics.exe and say "that's the malware, delete the malware, reboot the computer system," and go back. But they'd still be completely, irrevocably hosed in this situation. You found the easy thing, but there's some things that make this a little bit harder.

So hotpics.exe, right? We can see it appears to be the root of all evil, but we can see that it was invoked by explorer.exe, and the reason why this is important is on some versions of Windows, if you double-click on something, it doesn't say that John Strand was the process that double-clicked on that executable or ran that executable; it actually is invoked by Explorer, which is in fact your Windows GUI. So in this situation, very clearly Bob went through and double-clicked and ran an executable called hotpics.exe. The full story of what actually happened is it was a PDF that dropped an executable and then automatically tried to execute the executable. So we have that particular executable, but there's more to it if we dig into some additional processes. If you remember our connection table, if we go back here with our connection table, we have metsrv.exe as well. Now, once again, these names can be changed, and most likely they will be, but metsrv.exe is interesting because it's running metsrv.dll; it's the Meterpreter. Now, the reason why this is important is because newer versions of Metasploit, whenever you exploit a system, it doesn't actually drop a dynamic link library on the system. What it's actually doing is it actually injects into an existing process, memory injection. However, this is a persistence mechanism. Whenever you run a Metasploit shell, as Joff will tell you, one of the first things you do is you run persistence to get another shell back out of that computer system, and on some versions of Metasploit it will actually drop a dynamic link library on the computer system so that it can load the data that it needs. Now, I think it does a VBA file, does something a little bit different on newer versions of Metasploit, but it's going to leave an artifact behind. So what we have here is two separate shells that are basically connecting back to the bad guy. We have the metsrv service, which is a dynamic link library as part of persistence, and we also have the initial attack and exploitation. I'll show you what that looks like as well, and we can actually drill in, so you can see dlllist --pid=920. We can pull that as well. So I can go through, dlllist 920, there we go, and you can see that I'm doing a little ping sweep from the command line to find additional systems to be compromised. But yeah, you can go through and pull all that and then fill out your tables, which is just cool.

Now, the final thing I kind of want to leave you with is this is kind of a process map of everything that happened in this memory dump that we just ran through on my Linux computer. explorer.exe invokes hotpics.exe, and then hotpics.exe kind of sets up that pivot; it connects to the additional computer system, shovels shells and sets up the port forward. It also started up the metsrv.exe by invoking services.exe, and then services.exe started up the Meterpreter service, and then you have the server running on the computer system. So we really have two separate things going on: we have the initial attack and pivot, and we also have persistence as well.

So let's go back to my VMs. As I said, they're a little bit underpowered for these things, and it looks like they're both completely frozen, or actually Rekall is frozen, but I want you to look at what Volatility did. This goes back to that imageinfo being important. With imageinfo, I gave it the memory dump that we just created, and imageinfo says that this is a Windows 10. Could be 10586, or it could be 14393, could be just Windows 10 x64, so it's giving us a number of options. So now, whenever we try to run something with this file, we can go like, let's say, pslist, that, and then we could do --profile= and we can actually put in one of these profiles, and now Volatility has a good idea of where it actually needs to go to actually pull that information. So that's why that imageinfo is so key, because now it knows where to go. So there's a tool that automatically tries to identify what the specific image itself actually is, and then you would use that to specify and fill out the profile to be able to run the different commands. So if we go through, see if netscan's going to work with the memory dump that I just created. Take it, run with it. Go, Volatility,
go. So just kind of trying to tie things up, let's go through the beginning all the way through the end. The first thing is you have to acquire the memory. Now, in this example I used two separate utilities to do that. We used WinPmem, and one of the nice things about WinPmem is it actually dumped all of the drivers and the page file from the computer system, and we also used FTK Imager; one of the nice things about FTK Imager is it's very compatible with Volatility. Once you have those memory images, you would then use a tool like imageinfo, which would go through and identify specifically what is the version of Windows that the memory dump came from, and you can use that in a number of different memory dumps as well. So there we go, we're actually getting it, awesome. And then once you have the image information, you would actually start going through and doing analysis. Now, the analysis, like I said, I like to start with network connections: look at the different network connections that are being made to remote computer systems. Here we go. And then, based on the network connections that are being made, or, if you're looking at netscan, the historic connections that were made, you would then start filling out what are these executables, how are these executables actually invoked, and what possibly was the root cause: how did these executables get run? So that's kind of a quick overview of memory analysis.

I'm going to go ahead and I'm going to open up the panel, and we got a bunch of questions that are in here, which are very, very, very cool. I think most of them got answered; Joff was cool enough to try and help me answer them. So if you still have questions that haven't been answered, go ahead and ask them.

It looks like Keith says, "Will Slingshot become publicly available, or just at SANS conferences?" Yes, we're trying desperately to get it to be something that is publicly available, like the SIFT workstation, and we actually have a meeting not next week but the week after; we're getting all of the GPEN instructors together and we're going to talk about what Slingshot should be. And I love the guys at Kali, I love what they're actually doing, just really, really a lot of respect, but we kind of need to have an image that's dedicated to our classes. While Kali is absolutely awesome, we don't have control over it, and whenever we write labs things may not always be consistent. So we're hoping to release Slingshot, not necessarily directly to compete against Kali, although, you know, let's be honest, yeah, that would be kind of cool, but there's no way, I mean, it's just an absolute juggernaut. But it's more in line, whenever we do these webcasts, that you guys could play around and follow me, so we have a consistent image that we can all work from. So hopefully that'll be coming here soon.

Do you use Moonsols dumping? No, usually I just kind of stick with FTK Imager and WinPmem, probably more heavily on the WinPmem side than even FTK Imager as well. A lot of the Volatility stuff can be learned using The Art of Memory Forensics, as was brought up, and that's an outstanding book; absolutely check that out. Also we have the SANS class with memory forensics, and I actually recommend people do, like, before you come to a SANS class, it's important to, like, see these webcasts or go and find a book by the author of the class to kind of prep yourself, because, you know, Sarah was giving me a little bit of a hard time about how fast we go, and this speed at which I talk, and Alyssa talks fast, is how we go for six days, and people's heads explode quite a bit, and it really helps kind of grease the gears as well.

Sorry if you already answered this: have you had any luck decompressing the Windows 10 hiberfil and using Volatility on it? Nope, I have not yet, and that's kind of getting to the problem of Windows 10 as a whole. Microsoft is keeping a lot of the stuff associated with Windows 10 very close to the vest, so we'll see if they open it up. I like that Nathan said "learn faster," because, yeah, "you do talk so fast, we are trying to absorb it as fast as you talk." But that will be maybe in the future a little bit. How to teach John to slow down? No.

James brought up a very good question: can Mandiant Redline do everything we did today? Yes and no. Where you have Rekall and Volatility having some issues with memory structures on Windows 10, Redline seems to be even worse. So for example, with the memory images that I just did, both of them that I created, if you actually try to open that up in Redline it tends to puke all over itself and blue screen my computer, and that's because Mandiant has their own commercial tools that they're keeping up; they just haven't really kept up Redline as much as I'd like them to. If you're working on, like, a Windows 7 image or a Windows 8 image, yeah, that's absolutely awesome, it'll work; it should work just fine with those as well. Doesn't a lot of what I discussed today require two people typing on the keyboard at the same time? Thankfully, no, it does not. So let's see any other answers. Crow says Redline isn't being updated anymore or developed. Well, that explains a lot then, why it's not working. So there you go. Frank basically confirmed what I said, and Frank's much better at this stuff than I am. Can you recommend a good tool for Linux? Yeah, for Linux and OS X, Volatility and those tools actually do memory analysis on OS X and Linux. Of course, specific versions are kind of hit and miss, and it can be somewhat difficult as well.
How did I break my ribs? Now we get to painful topics. I was walking across a parking lot at a ski area. I had my daughter's ski boots, one was on the front and one was on the back, and I was carrying a bunch of stuff, and I slipped and I fell Three Stooges style, where I slipped out and then I came down really hard on the ski boots, and I broke them, and that sucked. It was kind of fun: my daughter has her learner's permit, and I got into the car and I'm like, "take me home," and she's like, "no, I'm taking you to the hospital," because I was screaming and cussing. I bet you it was really, really funny to see me in the parking lot, because I immediately get up and I'm like ready to punch anything, and I start screaming at the ground, and I get into the car, and I go into shock, and pretty much she took me straight to the hospital after that. I've never been in shock before. I'm like, I can't stop shaking, and apparently that shock, which I thought actually made the pain lessen, it doesn't.

So, will you be giving out CPE credits? Yeah. Will he be giving CPE certificates? I don't hand out CPE certificates, but go ahead and put down this webcast, and I'm pretty sure the people with (ISC)² don't mess with these webcasts. If you provide the link to the webcast, that's usually enough, and also if you get into an issue with (ISC)², just shoot me an email and I'll ... for you as well; that's not a problem. The people at (ISC)² are pretty cool, which I thought I'd never say, like, ten years ago, but the people at (ISC)² are pretty awesome to work with; they're very, very nice to people.

At least you confirmed your rib incident didn't start with "hey Paul, hold my beer." Well, yeah, "hey Paul, hold my beer, I'm gonna carry my daughter's stuff across the parking lot" would be really, really lame.

Can you do these with shadow copies? No. However, one of the things that is pretty cool is with a virtual machine you can snapshot the virtual machine, and then you can feed the snapshot image through many forensics tools, and that is just awesome, because then malware doesn't have a chance to see that it's actually being analyzed at all, because the memory is being pulled at a much lower level, which is very, very cool. Good question, very cool.

All right, guys, that's all I got. Thank you very much, and guess what's coming up: our next webcast is RITA, and for the RITA webcast you guys are going to be installing, and we're going to be doing analysis on Bro logs, and we're going to be capturing beacons and analyzing beacons within an hour. And for that webcast, go out and download Ubuntu 16.04, and I also have it running on Linux Mint, but get your 16.04 image built. Don't do anything to it, just build your image, and I'm going to go through, I'm going to give you guys all the instructions step by step on how to build out RITA in like one command, and then we're going to import logs and we're going to start doing awesome things. It's going to be really, really cool, super excited about it. But you guys can literally have RITA in your environment and running, and if you don't know, RITA is Real Intelligence Threat Analytics, and it is the tool that we have for beaconing analysis, for going through Bro logs and looking for beacons. So that's our next webcast; I'm stupid excited about it. Hardware recommendation: it'll work inside of a VM, just make sure that you give it two cores, and whenever I shoot out the email through MailChimp talking about what we're going to do in that webcast, I'll tell you guys to have a VM with at least two cores, because Go takes advantage of those two separate cores. 64-bit is the one that I used, Jacob, as well. And Dale, it's the same install script; it's the exact same install script that I gave you a couple of weeks ago. So we have some really cool stuff. Get an Ubuntu system set up, dual core, 64-bit, give it about two gigs of memory, and you're going to be ready, and so it's going to be very, very, very cool.

All right, guys, I'm excited. I'll see you guys at the next webcast. Thank you so much for coming and hanging out. I've got another meeting to go to. This has been recorded; we will share the recording. The slides are at a tinyurl.com link, and if we missed something, ask us on Twitter, ask us on Twitter. So thank you so much, gotta go, take care everybody, bye.
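The two-table workflow the speaker walks through (netscan into a connections table, pslist for the parent/child lineage, dlllist or cmdline for the command line invocation) and the end-of-webcast summary of that same process, carried out in code as an added example. This is not the webcast's own material and not a Volatility or Rekall project tool. It assumes Volatility 2's plain-text column layout for netscan and pslist and the `Command line :` field that the cmdline and dlllist plugins print; every sample plugin line, process name, PID and peer address below is constructed for this script, with 10.0.0.145 and 10.0.0.137 standing in for the "145" and "137" hosts mentioned in the talk.

```python
"""Correlate Volatility 2-style netscan, pslist and cmdline output into the
connections table and the process/command-line table described in the talk.
All sample plugin output here is constructed; it is not from a real image."""
import re
from collections import defaultdict

# Constructed netscan output (Volatility 2 column order). Includes a dead
# (CLOSED) connection, a listener and a UDP row with no State column.
NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e1a2b40         TCPv4    192.168.56.101:49721           10.0.0.145:4444      ESTABLISHED      3600     hotpics.exe
0x3e1c4c10         TCPv4    192.168.56.101:49730           10.0.0.137:445       ESTABLISHED      1744     nc.exe
0x3e2d0120         TCPv4    192.168.56.101:49802           10.0.0.145:8443      ESTABLISHED      1428     metsrv.exe
0x3e2f3a80         TCPv4    192.168.56.101:49655           10.0.0.145:4444      CLOSED           2984     hotpics.exe
0x3e30a9f0         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        812      svchost.exe
0x3e31b0c0         UDPv4    0.0.0.0:5355                   *:*                                   812      svchost.exe
"""
# Constructed pslist output; PID 2984 has an Exit time, i.e. it already died.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
0x8a3b1d40 wininit.exe              480    360      3       78      0      0 2017-03-02 14:01:10 UTC+0000
0x8a3c2a90 services.exe             496    480      9      230      0      0 2017-03-02 14:01:11 UTC+0000
0x8a3e0b20 svchost.exe              812    496     12      410      0      0 2017-03-02 14:01:12 UTC+0000
0x8a4a7c00 explorer.exe            2516   2480     31      980      1      0 2017-03-02 14:02:05 UTC+0000
0x8a5d1e10 hotpics.exe             2984   2516      0       --      1      0 2017-03-02 14:10:40 UTC+0000   2017-03-02 14:10:52 UTC+0000
0x8a5f0a30 hotpics.exe             3600   2516      4      120      1      0 2017-03-02 14:11:01 UTC+0000
0x8a601b40 cmd.exe                  408   3600      1       28      1      0 2017-03-02 14:11:05 UTC+0000
0x8a61c2f0 nc.exe                  1744   3600      2       55      1      0 2017-03-02 14:11:09 UTC+0000
0x8a63d4a0 metsrv.exe              1428    496      5       97      0      0 2017-03-02 14:12:30 UTC+0000
"""
# Constructed cmdline output (same "Command line :" field dlllist prints).
CMDLINE = r"""************************************************************************
explorer.exe pid:   2516
Command line : C:\Windows\Explorer.EXE
************************************************************************
hotpics.exe pid:   3600
Command line : "C:\Users\bob\AppData\Local\Temp\hotpics.exe"
************************************************************************
nc.exe pid:   1744
Command line : nc.exe 10.0.0.137 445
************************************************************************
metsrv.exe pid:   1428
Command line : "C:\Windows\Temp\metsrv.exe"
"""

NETSCAN_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<proto>\S+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)?\s*(?P<pid>\d+)\s+(?P<owner>\S+)")   # State is optional (UDP)
PSLIST_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)")
CMD_HDR_RE = re.compile(r"^(?P<name>\S+) pid:\s+(?P<pid>\d+)")
CMD_ARG_RE = re.compile(r"^Command line\s*:\s*(?P<cmd>.*)$")


def parse_netscan(text):
    """One dict per socket row; header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSCAN_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"], d["state"] = int(d["pid"]), d["state"] or ""
            rows.append(d)
    return rows


def parse_pslist(text):
    """pid -> {name, pid, ppid, exited}; two timestamps on a row mean an Exit time."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            pid = int(m["pid"])
            procs[pid] = {"name": m["name"], "pid": pid, "ppid": int(m["ppid"]),
                          "exited": line.count("UTC") == 2}
    return procs


def parse_cmdline(text):
    """pid -> command line, from the 'name pid: N' / 'Command line : ...' pairs."""
    cmds, pid = {}, None
    for line in text.splitlines():
        h = CMD_HDR_RE.match(line)
        if h:
            pid = int(h["pid"])
            continue
        a = CMD_ARG_RE.match(line)
        if a and pid is not None:
            cmds[pid] = a["cmd"].strip()
    return cmds


def lineage(procs, pid):
    """Walk PPID links upward: [(pid, name), (parent, name), ...]. Stops at an
    unknown parent (not in pslist) or a loop, so reused PIDs cannot spin forever."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append((pid, procs[pid]["name"]))
        pid = procs[pid]["ppid"]
    return chain


def connection_table(sockets, procs):
    """Table 1: remote IP/port, state, PID, name, PPID. Listeners and wildcard
    peers are not remote connections; dead (CLOSED) ones are kept on purpose."""
    table = []
    for s in sockets:
        host, _, port = s["remote"].rpartition(":")
        if s["state"] == "LISTENING" or host in ("0.0.0.0", "*", "::"):
            continue
        p = procs.get(s["pid"], {})
        table.append({"remote_ip": host, "remote_port": int(port) if port.isdigit() else None,
                      "state": s["state"], "pid": s["pid"],
                      "name": p.get("name", s["owner"]), "ppid": p.get("ppid")})
    return table


def process_table(table, procs, cmds):
    """Table 2: for each PID from table 1, name, PPID, command line and lineage."""
    out = {}
    for row in table:
        pid = row["pid"]
        if pid not in out and pid in procs:
            out[pid] = {"name": procs[pid]["name"], "ppid": procs[pid]["ppid"],
                        "cmdline": cmds.get(pid, ""),
                        "lineage": " <- ".join(f"{n}({p})" for p, n in lineage(procs, pid))}
    return out


def remote_hosts(table):
    """Peers the victim talked to, and which processes did it: the next systems to image."""
    hosts = defaultdict(set)
    for row in table:
        hosts[row["remote_ip"]].add(row["name"])
    return dict(hosts)


if __name__ == "__main__":
    t1 = connection_table(parse_netscan(NETSCAN), parse_pslist(PSLIST))
    for row in t1:
        print(row)
    for pid, info in process_table(t1, parse_pslist(PSLIST), parse_cmdline(CMDLINE)).items():
        print(pid, info)
    print(remote_hosts(t1))
```

Run as-is it prints both tables and the peer map; in practice you would pipe the real plugin output into the three parse functions. The CLOSED row survives deliberately, since that is the netscan advantage the speaker calls out, and the lineage walk stops at the first parent that is absent from pslist rather than guessing.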
Heads up!
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.