Recalling Windows Memories: Useful Guide to Retrieving and Analyzing Memory Content
Paula Januszkiewicz (MVP Enterprise Security, MCT; CQURE CEO, Penetration Tester / Security Expert; CQURE Academy Trainer)
Slide 2: Recalling Windows Memories: Useful Guide to Retrieving and Analyzing Memory Content
Paula Januszkiewicz
MVP: Enterprise Security, MCT
CQURE: CEO, Penetration Tester / Security Expert
CQURE Academy: Trainer
Contact: paula@cqure.us | http://cqure.us
Session code: DCIM-B350
Slide 3: Deeper research never hurts!
Slide 4: Agenda
1. Dumping Techniques
2. Memory Dump Analysis
3. Live Memory Analysis
4. Summary
Slide 5: Tools!
Check out the following links:
Our tools: http://cqure.pl
Tools: http://www.gentilkiwi.com/ - Benjamin Delpy
http://code.google.com/p/volatility
Slide 6: Hidden Process, Crouching Handle
The curtain perspective
Slide 7: (no text extracted)
Slide 8: Memory Dumps: The Purpose
- Whatever runs – it is in the memory
- Whatever sensitive was used – it is in the memory
- Done automatically:
  - Used for detecting suspicious behavior of processes
  - Saved in %windir%
- Sharing is caring:
  - Published carelessly on the public forums
- Memory dumps contain personal information, but… how personal?
Slide 9: How to make a memory dump?
- Process dumps: Process Explorer, Process Hacker, Task Manager, Procdump
- System memory dumps: Windbg (.dump), MemDD, WinDD, Dumpit, System Recovery Settings
- Memory forensics grabs the data at the lowest level: (most) malware cannot hide!
Slide 10: Memory Dump Techniques: Step By Step
Slide 11: Agenda (repeated; see slide 4)
Slide 12: What to search for?
- Processes
- Threads
- Modules
- Handles
- Registry
- API hooks
- Services
- UserAssist
- Shellbags
- ShimCache
- Event Logs
- Registry (again)
- Timeline
Slide 13: Handles: More Than Files
- Handles can refer to processes, threads, registry keys, files and mutexes; also to drives, DLLs, etc.
- Csrss.exe manages processes, so it maintains handles to them
- Hidden processes also have handles
- Handles are used by every process
- This is a good way of finding malware or narrowing down the places to look
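The slide's point that hidden processes still show up in someone else's handle table can be turned into a cross-view check. The script below is an added example, not code from the presentation or from the Volatility project: it parses text in the column layout of Volatility 2's `pslist` and `handles` plugins and reports PIDs that a Process-type handle points to but that `pslist` does not list. The two samples embedded in it are constructed (made-up process names, PIDs, offsets and timestamps), so it runs offline.

```python
"""Cross-view check for hidden processes: PIDs that handles point to but pslist lacks.

Added example, not code from the original presentation or from the Volatility
project. It reads text in the column layout of Volatility 2's `pslist` and
`handles` plugins; the two samples below are constructed (made-up names, PIDs,
offsets and timestamps) so the script runs offline.
"""
import re

# Constructed sample of `pslist` output: four visible processes.
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000c8a040 System                    4      0     91      545 ------      0 2014-05-12 08:00:01 UTC+0000
0xfffffa8001b3e060 csrss.exe               372    364     10      412      0      0 2014-05-12 08:00:03 UTC+0000
0xfffffa8001c9f7a0 winlogon.exe            420    364      5      122      1      0 2014-05-12 08:00:04 UTC+0000
0xfffffa8002a11b30 explorer.exe           1488   1460     28      871      1      0 2014-05-12 08:00:20 UTC+0000
"""

# Constructed sample of `handles` output for csrss.exe (PID 372), restricted to
# Process objects. svchost.exe(1720) is referenced here but absent above.
HANDLES_SAMPLE = """\
Offset(V)             Pid             Handle             Access Type             Details
------------------ ------ ------------------ ------------------ ---------------- -------
0xfffffa8001c9f7a0    372               0x4c           0x1fffff Process          winlogon.exe(420)
0xfffffa8002a11b30    372               0x90           0x1fffff Process          explorer.exe(1488)
0xfffffa8003e0c6d0    372               0xa8           0x1fffff Process          svchost.exe(1720)
"""

PSLIST_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
HANDLE_ROW = re.compile(
    r"^0x[0-9a-fA-F]+\s+(\d+)\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(\S+)\s*(.*?)\s*$"
)
PROCESS_DETAIL = re.compile(r"^(.+)\((\d+)\)$")


def parse_pslist(text):
    """Return {pid: name} for every process row in pslist output."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def process_handle_targets(text):
    """Return {target_pid: (target_name, owner_pid)} for every Process-type handle."""
    targets = {}
    for line in text.splitlines():
        m = HANDLE_ROW.match(line)
        if not m or m.group(2) != "Process":
            continue
        owner_pid, details = int(m.group(1)), m.group(3)
        d = PROCESS_DETAIL.match(details)
        if d:
            targets[int(d.group(2))] = (d.group(1), owner_pid)
    return targets


def find_hidden_processes(pslist_text, handles_text):
    """PIDs that some process holds a handle to but that pslist does not show.

    A process unlinked from the active-process list still has to be tracked by
    csrss.exe, so its PID surfaces in the handle table even though pslist never
    walks to it. Returned as a sorted list of (pid, name).
    """
    visible = parse_pslist(pslist_text)
    referenced = process_handle_targets(handles_text)
    return sorted(
        (pid, name) for pid, (name, _owner) in referenced.items() if pid not in visible
    )


if __name__ == "__main__":
    for pid, name in find_hidden_processes(PSLIST_SAMPLE, HANDLES_SAMPLE):
        print(f"hidden process candidate: {name} (PID {pid})")
```

On a real image you would feed it the saved text of the two plugin runs instead of the embedded samples; any PID the check reports is a candidate for closer inspection (for example dumping it and scanning it with YARA), not yet a verdict, since a process that exited between the two listings produces the same discrepancy.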
Slide 14: Memory Dump Analysis: Searching, Searching, Searching…
Slide 15: Registry can hide a lot of goodies…
- Use volatility printkey to look at registry keys
- Winlogon & Run are common persistence keys
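Looking at the Winlogon and Run keys with `printkey` produces a text listing; the following added example (not code from the presentation or from the Volatility project) parses that listing and flags the values a reviewer would want to look at: Winlogon values that differ from the stock defaults and Run entries that are not on an allow-list. The sample output, the value names, paths and timestamps in it are constructed, and the default Shell and Userinit values are an assumption about a Windows 7/8-era install with Windows on C:.

```python
"""Persistence-key audit over Volatility `printkey` output.

Added example, not from the original presentation or the Volatility project.
It parses the text layout that Volatility 2's `printkey` plugin prints for the
Winlogon and Run keys and flags values that differ from the stock Windows
defaults or from an allow-list of expected Run entries. The sample output and
the value names, paths and timestamps below are constructed for illustration.
"""
import re

# Constructed sample in printkey's layout: two keys from the SOFTWARE hive.
PRINTKEY_SAMPLE = r"""
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \??\C:\Windows\system32\config\SOFTWARE
Key name: Winlogon (S)
Last updated: 2014-05-12 08:00:00 UTC+0000

Subkeys:
  (S) GPExtensions
  (S) Notify

Values:
REG_SZ        Shell           : (S) explorer.exe,C:\Users\Public\shellhelper.exe
REG_SZ        Userinit        : (S) C:\Windows\system32\userinit.exe,
REG_DWORD     AutoRestartShell : (S) 1
----------------------------
Registry: \??\C:\Windows\system32\config\SOFTWARE
Key name: Run (S)
Last updated: 2014-05-12 09:30:00 UTC+0000

Subkeys:

Values:
REG_SZ        Example Agent   : (S) "C:\Program Files\Example\agent.exe" /tray
REG_SZ        Updater         : (S) C:\Users\Public\svc_update.exe
"""

KEY_LINE = re.compile(r"^Key name:\s*(.+?)\s*\((S|V)\)\s*$")
VALUE_LINE = re.compile(r"^(REG_\w+)\s+(.+?)\s*:\s*\((S|V)\)\s*(.*?)\s*$")

# Stock values on a clean install (assumption of this example: a Windows 7/8-era
# system with Windows installed on C:). Adjust for the image under review.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}


def parse_printkey(text):
    """Return {key_name: {value_name: data}} from printkey output."""
    keys, current = {}, None
    for line in text.splitlines():
        k = KEY_LINE.match(line)
        if k:
            current = k.group(1)
            keys.setdefault(current, {})
            continue
        v = VALUE_LINE.match(line)
        if v and current is not None:
            keys[current][v.group(2)] = v.group(4)
    return keys


def find_persistence_anomalies(keys, run_allowlist):
    """Flag Winlogon values off the defaults and Run values not on the allow-list.

    Returns a list of (key, value_name, data) tuples in the order encountered.
    Comparison is case-insensitive because registry data is, in practice, too.
    """
    findings = []
    for name, data in keys.get("Winlogon", {}).items():
        expected = WINLOGON_DEFAULTS.get(name)
        if expected is not None and data.strip().lower() != expected.lower():
            findings.append(("Winlogon", name, data))
    for name, data in keys.get("Run", {}).items():
        if name not in run_allowlist:
            findings.append(("Run", name, data))
    return findings


if __name__ == "__main__":
    parsed = parse_printkey(PRINTKEY_SAMPLE)
    for key, name, data in find_persistence_anomalies(parsed, {"Example Agent"}):
        print(f"[{key}] {name} = {data}")
```

The allow-list is the part that needs tuning per environment: build it from a known-good image of the same build rather than from the suspect one, otherwise the entries you are hunting for end up allow-listed.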
Slide 16: BitLocker Offline
Combining memory dump and disk dump
Slide 17: YARA and Other Tools
Slide 18: YARA and Other Tools
- YARA: malware identification and classification tool. Even default rules can be very useful, and new rules are easy to write!
- MemGator: automates extraction of data; lists processes, network connections, malware detection, passwords & encryption keys and the registry
- Memoryze: live analysis; used by professional forensic investigators
Slide 19: Agenda (repeated; see slide 4)
Slide 20: Certificates
Procedures not to be certified
Slide 21: Remote PowerShell
Procedures not to be certified
Slide 22: (no text extracted)
Slide 23: Kerberos tickets vs. Dumps
Slide 24: Agenda (repeated; see slide 4)
Slide 25: Memory Memories: Summary
- Whatever works will be in memory
- One more dump = more experience
- Pay attention to the ‘strange looking’ objects
- Do not share dumps with others
- Use them for troubleshooting
Slide 26: Tools! (repeat of slide 5)
Slide 31: © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.