FOR526: An In-Depth Memory Forensics Training Course
Malware Can Hide, But It Must Run
Digital Forensics and Incident Response (DFIR) professionals need Windows memory forensics training to be at the top of their game. Investigators who do not look at volatile memory are leaving evidence at the crime scene. RAM content holds evidence of user actions, as well as evil processes and furtive behaviors implemented by malicious code. It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.
FOR526: Memory Forensics In-Depth provides the critical skills necessary for digital forensics examiners and incident responders to successfully perform live system memory triage and analyze captured memory images. The course uses the most effective freeware and open-source tools in the industry today and provides an in-depth understanding of how these tools work. FOR526 is a critical course for any serious DFIR investigator who wants to tackle advanced forensics, trusted insider, and incident response cases.
In today's forensics cases, it is just as critical to understand memory structures as it is to understand disk and registry structures. Having in-depth knowledge of Windows memory internals allows the examiner to access target data specific to the needs of the case at hand. For those investigating platforms other than Windows, this course also introduces OSX and Linux memory forensics acquisition and analysis using hands-on lab exercises.
There is an arms race between analysts and attackers. Modern malware and post-exploitation modules increasingly employ self-defense techniques that include more sophisticated rootkit and anti-memory analysis mechanisms that destroy or subvert volatile data. Examiners must have a deeper understanding of memory internals in order to discern the intentions of attackers or rogue trusted insiders. FOR526 draws on best practices and recommendations from experts in the field to guide DFIR professionals through acquisition, validation, and memory analysis with real-world and malware-laden memory images.
FOR526.1: Foundations in Memory Analysis and Acquisition
Simply put, memory analysis has become a required skill for all incident responders and digital forensics examiners. Regardless of the type of investigation, system memory and its contents often expose the "first hit" - the evidential thread that we pull to unravel the whole story of what happened on the target system. Where is the malware? How did the machine get infected? Where did the attacker laterally move? Or what did the disgruntled employee do on the system? What lies in physical memory can provide answers to all of these questions and more.
This section emphasizes the relevance and widening application of memory forensics. It is an easy sell in today's world of increasing encryption, burgeoning media storage capacity, and sophisticated backdoor rootkits. The section provides a six-step investigative methodology for both user and malware investigations that will guide an examiner through the exploration of a memory capture.
Memory forensics is the study of operating systems, which in turn work extensively with the processor and its architecture. Therefore, before we can begin a meaningful analysis of the operating system, we must understand how the underlying components work and fit together. This section explains a number of technologies that are used in modern computers and how they have evolved to where they are today.
In the beginning, there is acquisition. So on day one of FOR526, we will acquire a full capture of physical memory from a compromised virtual machine using two different methods. In comparing live memory triage and full memory capture off-line analysis, we discuss the applications of both methods and when to use each technique in an investigation. Acquisition tools are easy to use, but few understand the underlying mechanisms behind the process.
CPE/CMU Credits: 8
Why Memory Forensics?
The Ubuntu SIFT and Windows 10 Workstations
The Volatility Framework
Triage vs. Full Memory Acquisition
Physical Memory Acquisition
FOR526.2: Unstructured Analysis and Process Exploration
Structured memory analysis using tools that identify and interpret operating system structures is certainly powerful. However, many remnants of previously allocated memory remain available for analysis that cannot be parsed through structure identification. What tools are best for processing fragmented data? Unstructured analysis tools! They neither know nor care about operating system structures. Instead, they examine data, extracting useful findings using pattern matching. In this section you will learn how to use bulk extractor to parse memory images and extract investigative leads such as e-mail addresses, network packets, and more.
Many forensics investigators perform physical memory analysis - that is why you are taking this course. But how often do you make use of page file analysis to assist in memory investigations? Carving the page file using traditional file system carving tools is usually a recipe for failure and false positives. In this section you will see why typical file carving tools fail and learn how to parse the page file using YARA for signature matching. You will also learn how to create custom YARA signatures to detect downloaded executable files and extract them from the page file.
Most users are familiar with processes on a Windows system, but not necessarily with how they work under the hood. In this section, we will talk about the operating system components that make up a process, how they fit together, and how they can be exploited by malicious software. We will start with the basics of each process, how it was started, where the executable lives, and what command line options were used. Next we will look at the Dynamic Link Libraries (DLLs) used by a program and how they are found and loaded by the operating system.
Many examiners have used some Volatility plugins, and by now so have you. But what happens when there are no plugins written to perform the investigative task required? Do you throw your hands up and walk away? Not if you are a lethal forensicator! In this module, you will learn to use volshell to examine operating system structures in memory, directly applying this knowledge to solve a real-world problem. You need to extract an executable module from memory for analysis, but the header of the module is paged to disk, concealing critical file alignment data. What do you do? You will learn here how to examine the memory that makes up the module and extract the portions in memory to disk. Intractable problem solved!
CPE/CMU Credits: 8
Unstructured Memory Analysis
Page File Analysis
Exploring Process Structures
List Walking and Scanning
Exploring Process Relationships
Exploring Dynamic Link Libraries
FOR526.3: Investigating the User via Memory Artifacts
Incident responders are often asked to triage a system because of a network intrusion detection system alert. The Security Operation Center (SOC) makes the call and requires more information due to outbound network traffic from an endpoint. The incidence response team is asked to respond. This section covers how to enumerate active and terminated TCP connections, selecting the right plugin for the job based on the operating system version.
As we move into the internal structures of a process, virtual address descriptors hold the key to what is contained in the user space memory section. Spotting injected code depends on your ability to analyze what is supposed to be in these sections versus what actually is. This section will make you familiar with dance moves like VADWalk and VADdump, and spotting some DLL injection along the way.
The central theme of section three is user artifact analysis, which makes it a great section to cover the registry. In file system forensics, the registry is a wealth of information on system, software, and user activity. With copies of the registry hives loaded into physical memory, we can undertake the same detailed analysis, including of the volatile hive and keys not found on the file system. Volatility plugins designed specifically for targeting user behavior and evidence of execution are included in our practical application of registry parsing via memory.
This section will also show you how to use the Windows debugger (Windbg ) to perform memory analysis. Using the debugger, you will be able to dump plaintext passwords from memory for logged-on users. Windows stores plaintext passwords in memory for logged-on users. Now you will not need a GPU farm to crack passwords from dumped hashes. Why would a forensic examiner want the suspect's passwords? Because just like everyone else, suspects reuse them! Remember that Truecrypt volume you found on the suspect's machine? Or the encrypted zip file? What do you think the odds are that they used the same password (or an easy permutation) for both?
CPE/CMU Credits: 8
Virtual Address Descriptors
Detecting Injected Code
Analyzing the Registry via Memory Analysis
User Artifacts in Memory
FOR526.4: Internal Memory Structures
Section four focuses on introducing internal memory structures such as drivers, Windows memory table structures, and extraction techniques for portable executables. As we come to the final steps in our investigative methodology - steps that include spotting rootkit behaviors and extracting suspicious binaries - it is important to emphasize again the rootkit paradox, which is that the more malicious code attempts to hide itself, the more abnormal and seemingly suspicious it appears. We will use this concept to evaluate some of the most common structures in Windows memory for hooking, IDTs, and SSDTs.
Once we have deemed something suspicious, it warrants further detailed analysis. Extraction techniques for portable executable (PE) files have already been introduced for drivers (moddump) and dlls (dlldump). In this section, we introduce two methods for extracting an executable. Both of them make use of the PE header in order to reconstruct the extract PE file as close as it can be to that of the original on-disk file. Obstacles such as PE corruption are discussed here along with some advanced work-around techniques, including dumping memory sections via volshell.
The final focus in section four is on sources of memory captures other than a real-time acquisition. Sometimes investigators' luck runs out and they do not complete a memory acquisition before the target system is taken offline or shut down. In these cases, where else can system memory captures be found? Hibernation files and Windows Crash Dump files can be valuable sources of information, regardless of whether you find yourself without a current memory capture. This section covers the structure of the hibernation and Crash Dump file and how to convert both into raw memory images that can easily be parsed using Volatility and other tools in our memory forensics weapons arsenal. In addition, we will analyze a Crash Dump file, and in so doing discover just how Windows responds and what information is captured when a system crashes.
CPE/CMU Credits: 8
Interrupt Descriptor Tables
System Service Descriptor Tables
Direct Kernel Object Manipulation
Crash Dump Files
FOR526.5: Memory Analysis on Platforms Other than Windows
Windows systems may be the most prevalent platform encountered by forensic examiners today, but most enterprises are not homogeneous. Forensic examiners and incident responders are best served by having the skills to analyze the memory of multiple platforms, including Linux and Mac - that is, platforms other than Windows.
This section starts with a deep dive on Linux memory acquisition and analysis, using the Rekall memory analysis framework. Linux memory analysis has posed serious challenges to investigators in the past, requiring labor-intensive construction of an analysis profile that matches the Linux target system for use with memory analysis tools. Rekall offers the ability to analyze Linux memory images with greater ease, since the profile of the system is recorded in the memory image itself upon acquisition. Students will be introduced to Linux kernel data structures and how to enumerate processes, process mapped memory, and open files and network connections.
Later in the section we cover the collection and analysis of Mac OSX memory. In a 2014 survey, 45 percent of companies reported that they now offer their employees the choice to use a Mac. Mac systems are clearly becoming more common across all environments, including business, academia, and personal use. Subsequently, investigators can expect to find, if they have not already, a Mac system as the subject of a future investigation. In this section, we discuss Mac memory acquisition, making use of a variety of third-party tools such as Rekall's pmem, Mac Memoryze, and Mac Memory Reader. We will use open-source memory analysis frameworks to analyze Mac memory images to recover processes, memory maps, open files, loaded modules, and network connections.
CPE/CMU Credits: 8
Linux Memory Acquisition and Analysis
Mac Memory Acquisition and Analysis
FOR526.6: Memory Analysis Challenges
This final section provides students with a direct memory forensics challenge that makes use of the SANS NetWars Tournament platform. Your memory analysis skills are put to the test with a variety of hands-on scenarios involving hibernation files, Crash Dump files, and raw memory images, reinforcing techniques covered in the first five sections of the course. These challenges strengthen the student's ability to respond to typical and atypical memory forensics challenges in all types of cases, from investigating the user to isolating the malware. By applying the techniques learned throughout in the course, students consolidate their knowledge and can shore up skill areas where they feel they need additional practice.
CPE/CMU Credits: 5
The students who score the highest on the multi-platform memory forensics challenge will be awarded the coveted SANS Digital Forensics Lethal Forensicator Coin. Game on!
Who Should Attend
Students will benefit from having some experience with Windows forensics, either by attending FOR408 or through forensic casework or incident investigations.
What You Will Receive
SIFT Workstation 3
Windows 8.1 Workstation with license
32 GB Course USB 3.0
SANS Memory Forensics Exercise Workbook
SANS DFIR Cheat sheets to Help Use the Tools
MP3 audio files of the complete course lecture