securimag - 2011-11 - live computer forensics - virtual...
TRANSCRIPT
![Page 1: SecurIMAG - 2011-11 - Live computer forensics - Virtual ...ensiwiki.ensimag.fr/images/4/42/SecurIMAG-2011-12... · Forensic Science: answer questions of interest to a legal system](https://reader034.vdocuments.net/reader034/viewer/2022042321/5f0ad1e77e708231d42d805a/html5/thumbnails/1.jpg)
SecurIMAG - 2011-11 - Live computer forensics - Virtual memory acquisition and exploitation on Windows NT6+
Fabien Duchene (1,2), Guillaume Touron (2)
(1) Laboratoire d'Informatique de Grenoble, VASCO - [email protected]
(2) Grenoble Institute of Technology - Grenoble INP - [email protected]
2011-11, Fabien Duchene, Guillaume Touron (SecurIMAG), Forensics-Live mem NT6 (51 slides)
![Page 2: SecurIMAG - 2011-11 - Live computer forensics - Virtual ...ensiwiki.ensimag.fr/images/4/42/SecurIMAG-2011-12... · Forensic Science: answer questions of interest to a legal system](https://reader034.vdocuments.net/reader034/viewer/2022042321/5f0ad1e77e708231d42d805a/html5/thumbnails/2.jpg)
Outline
1 Computer forensics: Introduction; Talk focus
2 Acquiring Windows x86 virtual memory: Some methods; Some tools
3 Memory exploiting / analysis: The TrueCrypt example; Kmode exploration; DKOM attacks
4 Conclusion
Computer forensics
Computer forensics - Introduction
Computer Forensics?
What?
- Forensic science: answering questions of interest to a legal system.
- Digital forensics: the same, applied to digital devices.
- Computer forensics: "identifying, preserving, recovering, analyzing, presenting facts and opinions" about digital information.
Basically, answering the question: "What happened?"
Computer forensics - Introduction
Computer Forensics?
Types of computer forensics:
- static / dead: analysis of a system dump image (e.g. "unplug the power cord, then analyze")
- live: analysis of a running system
- in-between: analysis of a memory image taken from a running system
(figure: write-blocking reader)
Computer forensics - Introduction
Forensics ... why?
Why? (forensics, live forensics?)
- in search of the truth!
- because they might still be in memory:
  - cryptographic keys
  - credentials
Computer forensics - Introduction
Live forensics
Live acquisition: acquiring data while modifying it as little as possible, and being aware of the IMPACT!
(figure caption: Only he can!)
The ultimate live forensics goal: get a "complete picture shot" of the system:
- CPU flags, registers, cache ...
- storage: RAM, HDD, ...
- motherboard state
- peripherals: NIC (buffers, its own CPU and memory state ...)
→ Can we do it?
Computer forensics - Talk focus
Talk topic
- Live memory acquisition
- Post-mortem analysis
Acquiring Windows x86 virtual memory
Acquiring Windows x86 virtual memory - Some methods
Cold boot attacks
Works on: any computer using DRAM. Requires: physical access.
DRAM retains its content for several seconds after power is removed.
Attack:
- freeze the DRAM modules
- plug them into a DRAM reader
- dump the content ... and enjoy!
["Lest We Remember: Cold Boot Attacks on Encryption Keys", 2008] article findings:
- bit decay increases over time
- the decay time is longer (decay is slower) when the temperature is lower
Acquiring Windows x86 virtual memory - Some methods
Virtual machine snapshots
Hypervisor examples: Microsoft Hyper-V, Virtual PC, VMware ESX, Oracle VirtualBox, Parallels Desktop
VM snapshot: what is a VM snapshot?
- a "photo" of the state and data of a VM at a given time
- basically, the ultimate live forensics goal
- plus the VM power state (powered-on, off, suspended)
Acquiring Windows x86 virtual memory - Some methods
VM snapshot attack
Works on: any hypervisor hosting at least one virtualized computer.
Requires:
- online: the hypervisor snapshot privilege (take, apply) ... or a way to subvert the hypervisor (e.g. through VM peripheral drivers), do it the teach way!
- offline: take a snapshot, and read access to the VHD file
Attack:
1 take a snapshot
2 export the virtual machine to a storage medium
3 import it
4 apply the snapshot (this also restores the virtual DRAM content)
Acquiring Windows x86 virtual memory - Some methods
Virtual Hard Disk
[lucd 2010], [Savill 2008]
Virtualized hard disk types:
- dynamic-sized file: the size grows dynamically (only sectors on which data has been written are stored); VHD file size ≤ virtual disk capacity
- fixed-sized file: VHD file size ≈ virtual disk capacity; better performance
- differential: a dynamic VHD that only stores the modifications relative to its parent
Snapshot operations: take one, delete one, merge several, apply one
Acquiring Windows x86 virtual memory - Some methods
random crap about the Hyper-V and VirtualPC VHD (figure, 2010-04-17)
Acquiring Windows x86 virtual memory - Some methods
DMA attacks
["Subverting Windows 7 x64 Kernel with DMA attacks"]
Direct Memory Access:
- PCI specifications, for performance
- any device can issue a read/write DMA request
- do you spot the problem? It bypasses the CPU, and thus the OS.
Caveat: an IOMMU (e.g. Intel VT-d), when present and actually enabled by the OS, can confine a device to specific physical ranges.
Acquiring Windows x86 virtual memory - Some methods
DMA attack implementations
Attack implementations (public ones ...):
FireWire:
- 2004 Maximilian Dornseif (Mac OS X)
- 2006 Adam Boileau (Windows XP)
- 2008 Damien Aumaitre (virtual memory reconstruction)
PCI:
- 2009 Christophe Devine and Guillaume Vissian, custom DMA engine implemented on an FPGA card
PCMCIA / CardBus / ExpressCard:
- 2010 Damien Aumaitre, Christophe Devine
Acquiring Windows x86 virtual memory - Some methods
DMA attack - the PCMCIA case
- PCMCIA is a 32-bit port, thus only the first 4 GB of physical memory are addressable
- you need to identify the kernel structures yourself: you are not working on virtual memory, but directly on physical memory!
- for more good beef: ["Subverting Windows 7 x64 Kernel with DMA attacks"]
Acquiring Windows x86 virtual memory - Some methods
Hibernate file
hiberfil.sys: hibernation file
- since Windows 2000 (NT5)
- undocumented format
- file stored on the disk drive
- content: a physical memory dump; related to pagefile.sys (virtual memory control)
Acquiring Windows x86 virtual memory - Some methods
Sandman: from hibernation to physical memory dump
Converts the hibernation file hiberfil.sys into a regular memory dump [Matthieu Suiche 2008]
Acquiring Windows x86 virtual memory - Some methods
Windows Crash Dump
What is a crash dump? Yep, that's it!
- a capture of the state of an application (in the broad sense, including the operating system) when a crash event occurs
- handled by kernel "emergency" functions
Acquiring Windows x86 virtual memory - Some methods
Windows Crash Dump I
[Hameed 2008]
Complete memory dump:
- 1 MB header
- complete physical memory dump
Kernel memory dump:
- 1 MB header
- kernel R/W pages
- kernel non-paged memory: list of running processes, loaded device drivers
Acquiring Windows x86 virtual memory - Some methods
Windows Crash Dump II
Small memory dump (MiniDump):
- 64 KB dump (128 KB on 64-bit)
- stop code, parameters, list of loaded device drivers, kernel stack of the thread that crashed, information about the current process and thread
Acquiring Windows x86 virtual memory - Some methods
Automatic execution
...: a fake iPod USB token is plugged in, then an automatic mounter and commands run in the background. demo? Teensy?
Acquiring Windows x86 virtual memory - Some methods
x86 VMM (figure)
Acquiring Windows x86 virtual memory - Some methods
x64 VMM (figure)
Acquiring Windows x86 virtual memory - Some tools
Win32dd I
Win32dd: Matthieu Suiche (now part of the "Moonsols Memory Toolkit")
Goal: dumping physical memory using different acquisition methods.
Physical memory dumping on Windows XP (NT5): \Device\PhysicalMemory
... on Windows Vista (NT6+): no longer accessible from user mode. Other acquisition methods:
- PFN database
- MmMapIoSpace
Acquiring Windows x86 virtual memory - Some tools
PFN database (figure)
Acquiring Windows x86 virtual memory - Some tools
Win32dd I
We focus on the MmMapIoSpace method.
How does it work? Do some RE on the Win32dd driver.
User/kernel communication in Windows:
- physical memory access is only possible in kernel mode
- Win32dd extracts its driver and registers it; the driver creates a device
- the user-land program opens the device and sends "commands": the DeviceIoControl API sends an IRP to the driver
Acquiring Windows x86 virtual memory - Some tools
Physical address space layout (figure)
Acquiring Windows x86 virtual memory - Some tools
Win32dd I
First: Win32dd retrieves the physical memory "runs".
"Runs" are the physical memory ranges actually used by the system.
- for >= NT5.1: get MmPhysicalMemoryBlock from KDDEBUGGER_DATA64
- otherwise: use MmGetPhysicalMemoryRanges and build MmPhysicalMemoryBlock yourself
Acquiring Windows x86 virtual memory - Some tools
Win32dd II
Second: Win32dd now knows every physical run; global algorithm:
- iterate over each run
- map it with MmMapIoSpace
- write it into your memory dump file
Repeat NumberOfRuns times ...
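As an added example (not Win32dd's code, nor anything shown in the talk), here is the run-table step of the two slides above in Python: parse an x86 _PHYSICAL_MEMORY_DESCRIPTOR of the kind MmPhysicalMemoryBlock points to, then lay the runs out into a raw dump the way the MmMapIoSpace loop does. The descriptor bytes and the "physical memory" backing read_phys are constructed for the example; the structure layout (NumberOfRuns, NumberOfPages, then BasePage/PageCount pairs, all 32-bit) is the public x86 one. The point a practitioner wants to see is the handling of holes between runs: they must be zero-filled so that the file offset in the raw image equals the physical address, otherwise every later analysis step (page-table walks, pointer following) is off.

```python
import struct

PAGE = 0x1000


def parse_memory_descriptor(blob):
    """Parse an x86 _PHYSICAL_MEMORY_DESCRIPTOR (what MmPhysicalMemoryBlock points to):
    ULONG NumberOfRuns, ULONG NumberOfPages, then NumberOfRuns times
    _PHYSICAL_MEMORY_RUN {ULONG BasePage; ULONG PageCount}.
    Returns (number_of_pages, [(base_page, page_count), ...])."""
    n_runs, n_pages = struct.unpack_from("<II", blob, 0)
    runs = [struct.unpack_from("<II", blob, 8 + 8 * i) for i in range(n_runs)]
    if sum(count for _, count in runs) != n_pages:
        raise ValueError("run table inconsistent with NumberOfPages")
    return n_pages, runs


def build_raw_dump(runs, read_phys):
    """The win32dd loop from the slide: for each run, map it and copy its pages.
    read_phys(addr, size) stands in for the MmMapIoSpace + copy step.  Holes
    between runs (BIOS/device-reserved ranges) are zero-filled so that, in the
    resulting raw image, file offset == physical address."""
    out = bytearray()
    for base_page, page_count in sorted(runs):
        start = base_page * PAGE
        if start < len(out):
            raise ValueError("overlapping runs at page %#x" % base_page)
        out += bytes(start - len(out))           # zero-fill the hole
        for page in range(page_count):
            out += read_phys(start + page * PAGE, PAGE)
    return bytes(out)


def sample_descriptor():
    """Constructed descriptor: 0x9f pages of conventional memory below 640 KB,
    a hole up to 1 MB, then 3 MB of RAM.  Not taken from a real machine."""
    runs = [(0x0, 0x9F), (0x100, 0x300)]
    blob = struct.pack("<II", len(runs), sum(count for _, count in runs))
    for base_page, page_count in runs:
        blob += struct.pack("<II", base_page, page_count)
    return blob


def sample_read_phys(addr, size):
    """Constructed 'physical memory': each page is filled with its own page number."""
    return (addr // PAGE).to_bytes(4, "little") * (size // 4)


if __name__ == "__main__":
    n_pages, runs = parse_memory_descriptor(sample_descriptor())
    dump = build_raw_dump(runs, sample_read_phys)
    print("pages: %#x, runs: %s, dump size: %#x" % (n_pages, runs, len(dump)))
```

On a real system the descriptor comes from kernel memory (the MmPhysicalMemoryBlock pointer in KDDEBUGGER_DATA64, per the slide), and the reads go through the driver; everything else in the loop is the same.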
Memory exploiting / analysis
Memory exploiting / analysis
Memory forensics
- Kernel objects listing: see the next slides
- Extracting in-memory cryptographic key material. The TrueCrypt case: the user can choose to cache the passphrase; go through the kernel structures to find it
Memory exploiting / analysis - The TrueCrypt example
Memory forensics - TrueCrypt example I
Hypothesis: the user enabled passphrase caching.
Passphrase caching: the passphrase is stored by the TrueCrypt kernel driver.
How to find this material? 1: find the DRIVER_OBJECT structure.
- Brute-force approach: look for specific structure patterns and constants (OBJECT_HEADER, DISPATCH_HEADER ...); kernel addresses are > MmSystemRangeStart (0x80000000 by default on x86)
- List-walking approach (e.g. PsLoadedModuleList, reached through KDDEBUGGER_DATA64)
Memory exploiting / analysis - The TrueCrypt example
Memory forensics - TrueCrypt example II
2: find the DEVICE_OBJECT structure: check DRIVER_OBJECT.DeviceObject.
Device list walking: DEVICE_OBJECT.NextDevice; retrieve DEVICE_OBJECT.DeviceExtension:
- used by the driver programmer to store device-specific data
- persistent data (non-paged pool)
DeviceExtension found, then? Then analyze the TrueCrypt-specific structures and extract the master keys.
Memory exploiting / analysis - Kmode exploration
Volatility I
Volatility framework: a framework for exploring Windows physical memory dumps.
Useful features: list processes (PSLIST, see the next slides ...), dump the Windows registry, ...
Focus on PSLIST. Goal: retrieve the list of processes that were active when the snapshot was taken.
Memory exploiting / analysis - Kmode exploration
Volatility II (figure)
Memory exploiting / analysis - Kmode exploration
Volatility - PSLIST I
First goal: retrieve the head of the active process list (PsActiveProcessHead, reached from the KPCR through KdVersionBlock and KDDEBUGGER_DATA64).
Problem: where is the KPCR (in physical address space)? We must first find a page directory table:
- take EPROCESS.Pcb.DirectoryTableBase[0] (== CR3 on x86)
- EVERY PROCESS SHARES THE SAME KERNEL-SPACE MAPPING (modulo session space, who cares)
First step: find an EPROCESS structure in memory, by recognizing some patterns.
Memory exploiting / analysis - Kmode exploration
Volatility - PSLIST II
Once CR3 is found, retrieve the KPCR: the KPCR is always mapped at FS:[0] in kernel mode, at the fixed virtual address 0xffdff000 (x86, first processor).
We are now able to retrieve the active process list head → PSLIST: we can list the active processes and dump them (their whole virtual address space).
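Both the PCMCIA/DMA slide ("you are working on physical memory") and the two PSLIST slides hinge on the same step: once a CR3 is known, turn kernel virtual addresses into offsets in the physical image. As an added example (not Volatility's code), the walker below implements the classic two-level x86 page walk over a constructed 64 KB image, resolves the fixed KPCR address from the slide and checks it by its self pointer. Assumptions: non-PAE paging with 32-bit entries (NT6 x86 normally runs with PAE, which adds a page directory pointer table and 64-bit entries, so a real tool carries a second walker); the SelfPcr offset 0x1c is the public x86 _KPCR layout and should be confirmed against the target's symbols; the page tables and the fake KPCR page are constructed here, not taken from a real dump.

```python
import struct

PAGE_SIZE = 0x1000
PDE_PRESENT = 1 << 0
PDE_LARGE = 1 << 7          # PS bit: this PDE maps a 4 MB page directly
KPCR_VA = 0xFFDFF000        # fixed x86 KPCR address from the slide (first CPU)
KPCR_SELF_OFF = 0x1C        # _KPCR.SelfPcr in the public x86 layout (check your symbols)


class PhysicalImage:
    """A raw physical memory image (what DMA, win32dd or a converted hiberfil gives you)."""
    def __init__(self, data):
        self.data = data

    def read(self, paddr, size):
        if paddr < 0 or paddr + size > len(self.data):
            raise ValueError("physical read outside image: %#x" % paddr)
        return self.data[paddr:paddr + size]

    def read_u32(self, paddr):
        return struct.unpack("<I", self.read(paddr, 4))[0]


def v2p(img, cr3, va):
    """Non-PAE x86 page walk: CR3 -> page directory -> page table -> frame.
    Returns the physical address, or None if the page is not present."""
    va &= 0xFFFFFFFF
    pde = img.read_u32((cr3 & 0xFFFFF000) + 4 * ((va >> 22) & 0x3FF))
    if not pde & PDE_PRESENT:
        return None
    if pde & PDE_LARGE:
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = img.read_u32((pde & 0xFFFFF000) + 4 * ((va >> 12) & 0x3FF))
    if not pte & PDE_PRESENT:
        return None
    return (pte & 0xFFFFF000) | (va & 0xFFF)


def read_virtual(img, cr3, va, size):
    """Read a kernel virtual range page by page (it need not be physically contiguous)."""
    out = bytearray()
    while size:
        pa = v2p(img, cr3, va)
        if pa is None:
            raise ValueError("VA %#x not present (paged out or unmapped)" % va)
        chunk = min(size, PAGE_SIZE - (va & 0xFFF))
        out += img.read(pa, chunk)
        va, size = va + chunk, size - chunk
    return bytes(out)


def find_kpcr(img, cr3):
    """Translate the fixed KPCR address and sanity-check its self pointer."""
    pa = v2p(img, cr3, KPCR_VA)
    if pa is None:
        return None
    self_ptr = struct.unpack("<I", read_virtual(img, cr3, KPCR_VA + KPCR_SELF_OFF, 4))[0]
    return pa if self_ptr == KPCR_VA else None


def build_sample_image():
    """Constructed 64 KB image: page directory at 0x1000 (CR3), one page table at
    0x2000, a fake KPCR page at 0x3000, and one 4 MB large page mapping
    VA 0x80000000.. onto physical 0.. so the same page is reachable both ways."""
    mem = bytearray(16 * PAGE_SIZE)
    cr3, pt, kpcr_pa = 0x1000, 0x2000, 0x3000
    struct.pack_into("<I", mem, cr3 + 4 * (KPCR_VA >> 22), pt | 0x3)                  # PDE -> PT
    struct.pack_into("<I", mem, pt + 4 * ((KPCR_VA >> 12) & 0x3FF), kpcr_pa | 0x3)    # PTE -> KPCR
    struct.pack_into("<I", mem, cr3 + 4 * (0x80000000 >> 22), 0x0 | PDE_LARGE | 0x3)  # 4 MB page
    struct.pack_into("<I", mem, kpcr_pa + KPCR_SELF_OFF, KPCR_VA)                     # KPCR.SelfPcr
    return PhysicalImage(bytes(mem)), cr3


if __name__ == "__main__":
    img, cr3 = build_sample_image()
    print("KPCR at physical %#x" % find_kpcr(img, cr3))        # 0x3000
    print("0x80003000 -> %#x" % v2p(img, cr3, 0x80003000))      # 0x3000 via the large page
```

The self-pointer check is what turns "the KPCR is at 0xffdff000" into something you can verify against a candidate CR3: a wrong directory base usually yields a non-present page or a page whose SelfPcr does not point back at 0xffdff000.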
Memory exploiting / analysis - DKOM attacks
Reminders of Windows security mechanisms I
[Windows Internals 5th Ed. - Vista and 2008 Server]
Securable objects: protected with a SECURITY_DESCRIPTOR holding Access Control Lists (SIDs and the operations allowed on the object). E.g.: peripherals, files, jobs, shared memory sections, pipes, LPC ports, events, mutexes, timers, semaphores, access tokens, window stations, desktops, SMB shares, services, registry keys ...
Memory exploiting / analysis - DKOM attacks
Reminders of Windows security mechanisms II (figure)
Memory exploiting / analysis - DKOM attacks
Reminders of Windows security mechanisms III
Security token: when an object is accessed, the Security Reference Monitor checks the TOKEN of the process:
- process owner: user SID, group SIDs
- privileges (a function of the process and the user SIDs)
- virtualization state
- session
Memory exploiting / analysis - DKOM attacks
Reminders of Windows security mechanisms IV (figure)
Memory exploiting / analysis DKOM attacks
DKOM attacks I
DKOM: Direct Kernel Object Manipulation
Example: hibernation file retrieved with Sandman; snapshot file (virtual machine)
Or DKOM on a living machine, with a kernel driver, e.g. rootkits
DKOM attacks II
FULL ACCESS to physical memory (user and kernel!): YOU CAN READ/MODIFY EVERYTHING YOU WANT
Hypothesis: you can re-inject your modifications
Get the TOKEN: the TOKEN is reached from the EPROCESS structure
Possible attack: privilege escalation
Find the appropriate EPROCESS structure, e.g. a process you can exploit and make execute YOUR shellcode
Modify your TOKEN SID
Be r00t: take the NT AUTHORITY/SYSTEM SID
Subsequent object access or process creation is performed under SYSTEM
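As an added example (not from the slides), a defender's check for the token swap just described, run over a constructed process listing of the kind a memory-forensics tool recovers by walking EPROCESS: the process names, parent PIDs, _TOKEN addresses and SIDs below are all made up.

```python
"""Added example (not from the SecurIMAG slides): flag DKOM-style token
stealing in a process listing recovered from a memory image. The listing
is constructed; real values would come from a tool that walks the EPROCESS
list and reads each _TOKEN (Volatility's pslist and getsids give these)."""
from dataclasses import dataclass

SYSTEM_SID = "S-1-5-18"  # NT AUTHORITY\SYSTEM

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    token: int      # virtual address of the process's _TOKEN object
    user_sid: str   # user SID read from that token

# Constructed sample: pid 2468 (cmd.exe, child of explorer.exe) points at
# the very same _TOKEN object as the System process.
SAMPLE = [
    Proc(4, 0, "System", 0xFFFFF8A000004A90, SYSTEM_SID),
    Proc(480, 4, "smss.exe", 0xFFFFF8A000A31060, SYSTEM_SID),
    Proc(640, 480, "winlogon.exe", 0xFFFFF8A000B20A10, SYSTEM_SID),
    Proc(1020, 640, "explorer.exe", 0xFFFFF8A001C3E5D0, "S-1-5-21-1-2-3-1001"),
    Proc(2468, 1020, "cmd.exe", 0xFFFFF8A000004A90, SYSTEM_SID),
    Proc(2500, 1020, "notepad.exe", 0xFFFFF8A001F12B30, "S-1-5-21-1-2-3-1001"),
]

def find_token_anomalies(procs):
    """Return (pid, reason) pairs for two indicators of a swapped token:
    1. two processes sharing one _TOKEN pointer (the kernel duplicates a
       token per process; it is never shared by address);
    2. a SYSTEM token on a process whose parent runs as a non-SYSTEM user."""
    by_pid = {p.pid: p for p in procs}
    holders = {}
    for p in procs:
        holders.setdefault(p.token, []).append(p.pid)
    findings = []
    for p in procs:
        others = [pid for pid in holders[p.token] if pid != p.pid]
        if others:
            findings.append((p.pid, f"_TOKEN {p.token:#x} shared with pid(s) {others}"))
        parent = by_pid.get(p.ppid)
        if p.user_sid == SYSTEM_SID and parent and parent.user_sid != SYSTEM_SID:
            findings.append((p.pid, f"SYSTEM token but parent {parent.name} runs as {parent.user_sid}"))
    return findings

if __name__ == "__main__":
    for pid, reason in find_token_anomalies(SAMPLE):
        print(f"pid {pid}: {reason}")
```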
DKOM attacks III
Conclusion
Powerful attack but hard to use IRL
Similar escalation process used for kernel vuln exploitation
DKOM application: unlocking Windows 7 x64 computer
Idea: modify the password validation function msv1_0.dll!MsvpPasswordValidate [Boileau 2006]
That password validation function compares hash(inputted password) with the stored hash(user password), then jumps to a location if they are not equal (cmp then jnz)
How to modify the memory? jnz → jmp
[“Subverting Windows 7 x64 Kernel with DMA attacks”]
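An added example (not from the slides or the cited papers) of how an analyst would spot this kind of patch in an acquired image: diff a module's code bytes against the on-disk reference and name the conditional-to-unconditional jump rewrite. The two byte strings are constructed stand-ins, not real msv1_0.dll code.

```python
"""Added example (not from the slides): compare the code bytes of a loaded
module with its on-disk reference and report patched bytes, decoding the
'short Jcc turned into jmp' rewrite described on the slide.

Assumptions: both byte strings are constructed here; in practice the
reference comes from the module file and the live copy from a memory
acquisition, after relocations have been applied to both."""

# x86 short conditional jumps (Jcc rel8) and their unconditional replacement.
JCC_SHORT = {0x74: "je", 0x75: "jne/jnz"}
JMP_SHORT = 0xEB

# Constructed stand-in for the tail of a compare routine:
#   cmp eax, ecx ; jnz +0x0c ; mov eax, 1 ; ret
REFERENCE = bytes.fromhex("39c8" "750c" "b801000000" "c3")
#   same bytes with the jnz opcode (0x75) rewritten to jmp short (0xEB)
PATCHED = bytes.fromhex("39c8" "eb0c" "b801000000" "c3")

def diff_code(reference, live, base=0):
    """Return (rva, expected, found, note) for each differing byte; the
    note names the rewrite when a short Jcc has become a short jmp."""
    if len(reference) != len(live):
        raise ValueError("section sizes differ; compare equal-sized spans")
    findings = []
    for off, (want, got) in enumerate(zip(reference, live)):
        if want == got:
            continue
        note = "byte changed"
        if want in JCC_SHORT and got == JMP_SHORT:
            note = f"{JCC_SHORT[want]} rel8 rewritten to jmp rel8 (branch forced)"
        findings.append((base + off, want, got, note))
    return findings

if __name__ == "__main__":
    for rva, want, got, note in diff_code(REFERENCE, PATCHED, base=0x1000):
        print(f"rva {rva:#x}: {want:#04x} -> {got:#04x}  {note}")
```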
Conclusion
Many methods for acquiring memory on a live system:
OS independent: cold boot, DMA, snapshot
OS dependent: snapshot (if hypervisor evasion), dumping tools, crash dump
Regarding exploitation:
take care to keep the kernel structures coherent (or you might get a BSOD!)
watch out for kernel protections such as PatchGuard (basically periodic checks, so the trick must not last too long)
For Further Reading
Boileau, Adam (2006). “winlockpwn attack (Firewire)”. In: http://storm.net.nz/static/files/winlockpwn.
Aumaitre, Damien and Christophe Devine. “Subverting Windows 7 x64 Kernel with DMA attacks”. In: Sogeti-ESEC, http://esec-lab.sogeti.com/dotclear/public/publications/10-hitbamsterdam-dmaattacks.pdf.
Hameed, CC (2008). “Understanding Crash Dump Files”. In: https://blogs.technet.com/themes/blogs/generic/post.aspx?WeblogApp=askperf&y=2008&m=01&d=08&WeblogPostName=understanding-crash-dump-files&GroupKeys=.
Halderman, J. Alex, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum and Edward W. Felten (2008). “Lest We Remember: Cold Boot Attacks on Encryption Keys”. In: https://jhalderm.com/pub/papers/coldboot-sec08.pdf.
lucd (2010). “yadr – A vdisk reporter”. In: http://www.lucd.info/2010/03/23/yadr-a-vdisk-reporter/.
Russinovich, Mark E., David A. Solomon, Alex Ionescu and so many more (incl. Bernard Ourghanlian). Windows Internals 5th Ed. - Vista and 2008 Server. In: http://technet.microsoft.com/en-us/sysinternals/bb963901.
Suiche, Matthieu and Nicolas Ruff (@Newsoft) (2008). “Sandman”. In: http://www.msuiche.net/2008/02/26/sandman-10080226-is-out/.
Savill, John (2008). “Q. I’m deleting a Hyper-V virtual machine (VM) that had snapshots. Why is the VM delete taking so long?” In: http://www.windowsitpro.com/article/virtualization/q-i-m-deleting-a-hyper-v-virtual-machine-vm-that-had-snapshots-why-is-the-vm-delete-taking-so-long-.