Day 3 (FOR508.3)
Day 3 Memory Forensics in Incident Response and Threat Hunting
Step | Action | Example / Goal |
---|---|---|
1. Acquire | Capture raw memory | e.g. hibernation file |
2. Context | Establish context | Find key memory offsets |
3. Analyze | Analyze data for significant elements | Recover evidence |
Acquiring a forensic image from a live machine within a large enterprise (GRR):
https://github.com/google/grr-doc/blob/master/faq.md
https://holdmybeersecurity.com/2016/06/25/google-grr-incident-response-tool/
Attach a forensic image to your forensic workstation
Command | Result / remarks |
---|---|
`mkdir /home/sansforensics/fresponsemounts` | Create the mount point the image will be attached to |
`mount -o ro,show_sys_files,streams_interface=windows /dev/loop1p2 /home/sansforensics/fresponsemounts` | Mount the NTFS partition read-only; `show_sys_files` exposes the $MFT and other system files, `streams_interface=windows` exposes alternate data streams |
Acquiring Memory
`powercfg -H <ON|OFF>` turns hibernation (and with it the hibernation file) on or off.
Tool | Live/dead | XP / Win2003 | Windows 7/8/10 | Windows 2008/2012 | Windows 2016 | Remarks |
---|---|---|---|---|---|---|
WinPMEM | live | YES | YES | YES | NO | 2016 requires a WHQL-signed driver to acquire RAM |
DumpIt | live | YES | YES | YES | NO | |
F-Response | live | YES | YES | YES | NO | |
SIFT | live | YES | YES | YES | NO | |
Belkasoft Live RAM Capturer | live | YES | YES | YES | NO | |
Magnet Forensics RAM Capture | live | YES | YES | YES | NO | |
Hibernation file | dead | YES | YES | YES | YES | Decompress with imagecopy (Volatility), hibr2bin.exe or Hibernation Recon |
Page and swap files | dead | YES | YES | YES | YES | |
Memory / crash dump | dead | YES | YES | YES | YES | |
Product | Memory location | Remarks |
---|---|---|
2008 Hyper-V | `<Drive letter>\XXX\<VM Name>\Virtual Machines\GUID\` | |
VMware Workstation | `<Drive letter>\XXX\My Virtual Machines\<VM name>\` | |
VMware Fusion | `/Users/<username>/Documents/VirtualMachines.localized/` | |
VMware ESX | `<DataCenterName>\DatastoreName\<VirtualMachineName>\` | |
VirtualBox | `.VirtualBox/Machines/<VM Name>/Snapshots/` | VirtualBox only saves the memory that is actively in use |
Parallels | `/Users/<username>/Documents/Parallels/<VM Name>/Snapshots` | |
Relative Identifier (RID) of a Security Identifier (SID)
RID | Reserved for |
---|---|
500 | Administrator |
501 | Guest |
512 | Domain Admins group |
Above 1000 | "normal" (non-built-in) user accounts |
vol.py malfind
Lists memory regions with PAGE_EXECUTE_READWRITE protection that are NOT mapped to a file on disk (the classic sign of injected code).
Windows Portable Executable (PE) signature: `4d 5a 90 00` (the "MZ" flag)
Assembly code equivalent to "MZ":
```
PUSH EBP
MOV EBP, ESP
```
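The malfind rule above, applied to constructed VAD records, as an added example (not Volatility's own code): it keeps regions that are PAGE_EXECUTE_READWRITE and not file-backed, then labels whether the region starts with an MZ header or with the `push ebp; mov ebp, esp` prologue. The `VadRegion` record and the sample regions are assumptions for illustration, not Volatility structures or data from a real image.

```python
# Added example (not Volatility's code): malfind-style triage over constructed VAD records.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x04, 0x20, 0x40  # Windows constants
MZ_MAGIC = b"\x4d\x5a"          # "MZ" DOS header at the start of a PE image
X86_PROLOGUE = b"\x55\x8b\xec"  # push ebp; mov ebp, esp

@dataclass
class VadRegion:                 # assumed simplified record, not a Volatility structure
    pid: int
    process: str
    start: int
    protection: int
    mapped_file: Optional[str]   # None when the region is private (not file-backed)
    head: bytes                  # first bytes of the region as read from the dump

def classify_head(head: bytes) -> str:
    """Describe what the start of a suspicious region looks like."""
    if head.startswith(MZ_MAGIC):
        return "MZ header: a PE image loaded into private memory"
    if head.startswith(X86_PROLOGUE):
        return "x86 prologue (push ebp; mov ebp, esp): code without a PE header"
    if not head.strip(b"\x00"):
        return "zero-filled: allocated but not (yet) written"
    return "unknown bytes: inspect with a disassembler"

def malfind(regions: List[VadRegion]) -> List[Tuple[int, str, int, str]]:
    """The malfind rule: executable and writable, and not backed by a file on disk."""
    return [(r.pid, r.process, r.start, classify_head(r.head))
            for r in regions
            if r.protection == PAGE_EXECUTE_READWRITE and r.mapped_file is None]

# Constructed sample regions (not taken from a real memory image)
SAMPLE_REGIONS = [
    VadRegion(1234, "explorer.exe", 0x02400000, PAGE_EXECUTE_READWRITE, None,
              b"\x4d\x5a\x90\x00\x03\x00\x00\x00"),
    VadRegion(880, "svchost.exe", 0x00AB0000, PAGE_EXECUTE_READWRITE, None,
              b"\x55\x8b\xec\x83\xec\x10\x56\x57"),
    VadRegion(880, "svchost.exe", 0x00C10000, PAGE_EXECUTE_READWRITE, None, b"\x00" * 8),
    VadRegion(2048, "notepad.exe", 0x77D40000, PAGE_EXECUTE_READ,
              r"\Windows\System32\kernel32.dll", b"\x4d\x5a\x90\x00\x03\x00\x00\x00"),
    VadRegion(2048, "notepad.exe", 0x00500000, PAGE_READWRITE, None, b"\x00" * 8),
]

if __name__ == "__main__":
    for pid, name, start, verdict in malfind(SAMPLE_REGIONS):
        print(f"{name} ({pid}) @ {start:#010x}: {verdict}")
```

Only the three private RWX regions are reported; the file-backed kernel32.dll mapping and the plain read/write region are skipped, as malfind would.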