Difference between revisions of "Windows Memory Analysis"

From ForensicsWiki
Jump to: navigation, search
m (Windows Memory Analysis)
(Volatility Labs)
 
(31 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
 
Analysis of [[physical memory]] from [[Windows]] systems can yield significant information about the target operating system. This field is still very new, but holds great promise.
 +
 +
== Data types ==
 +
Data types typical to the WINAPI are documented by Microsoft in MS-DTYP [http://msdn.microsoft.com/en-us/library/cc230273.aspx].
  
 
== Sample Memory Images ==
 
== Sample Memory Images ==
Line 8: Line 11:
  
 
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
 
* The [http://dftt.sourceforge.net/ Digital Forensics Tool Testing] project has published a few [http://dftt.sourceforge.net/test13/index.html Windows memory images].
 +
 +
* The [[CFReDS Project]] has created some [http://www.cfreds.nist.gov/mem/memory-images.rar downloadable memory images].
 +
 +
* A number of RAM images can be downloaded from http://forensic.belkasoft.com/bfs/en/download.asp. Images include ones with Gmail emails, Skype activity, Paltalk chats, browser URLs etc.
  
 
== See Also ==
 
== See Also ==
 +
* [[Memory analysis]]
 +
* [[Tools:Memory Imaging]]
 
* [[Pagefile.sys]]
 
* [[Pagefile.sys]]
 
* [http://msdn.microsoft.com/en-us/library/aa366778%28VS.85%29.aspx Memory Limits for Windows Releases], Microsoft MSDN.
 
* [http://msdn.microsoft.com/en-us/library/aa366778%28VS.85%29.aspx Memory Limits for Windows Releases], Microsoft MSDN.
Line 22: Line 31:
  
 
==Bibliography==
 
==Bibliography==
== Memory Analysis Bibliography ==
+
; 2012
===Windows Memory Analysis===
+
* [http://events.ccc.de/congress/2012/Fahrplan/events/5301.en.html Defeating Windows memory forensics], by Luka Milkovic, 29C3: 29th Chaos Communication Congress
 
+
; 2011
 +
* [http://prezi.com/goocmfeuiqdf/tracking-stuxnets-footprint-through-memory/ Tracking Stuxnet's Footprint Through Memory], Michael Ligh, Open Memory Forensics Workshop
 +
; 2010
 +
* [http://dfrws.org/2010/proceedings/2010-307.pdf Extracting Windows Command Line Details from Physical Memory], Richard Stevens and Eoghan Casey, DFRWS
 +
; 2009
 +
* [http://www.cc.gatech.edu/~brendan/ccs09_siggen.pdf Robust Signatures for Kernel Data Structures] B. Dolan-Gavitt, et al., ACM Conference on Computer and Communications Security
 +
* [http://www.shakacon.org/talks/NFI-Shakacon-win32dd0.3.pdf Win32dd : Challenges of Windows physical memory acquisition and exploitation], Matthieu Suiche, Netherlands Forensics Institute, Shakacon - June 2009
 +
; 2008
 
* [http://citp.princeton.edu/memory/ Lest We Remember: Cold Boot Attacks on Encryption Keys] ([http://citp.princeton.edu.nyud.net/pub/coldboot.pdf PDF]), Usenix Security 2008 (Best student paper)
 
* [http://citp.princeton.edu/memory/ Lest We Remember: Cold Boot Attacks on Encryption Keys] ([http://citp.princeton.edu.nyud.net/pub/coldboot.pdf PDF]), Usenix Security 2008 (Best student paper)
 
* [http://blogs.technet.com/markrussinovich/archive/2008/07/21/3092070.aspx Pushing the Limits of Windows: Physical Memory], Mark Russinovich, Technet Blogs, July 21, 2008
 
* [http://blogs.technet.com/markrussinovich/archive/2008/07/21/3092070.aspx Pushing the Limits of Windows: Physical Memory], Mark Russinovich, Technet Blogs, July 21, 2008
Line 32: Line 48:
 
* [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
 
* [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf Forensic Analysis of the Windows Registry in Memory], Brendan Dolan-Gavitt, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p26-dolan-gavitt_pres.pdf [slides]]
  
 
+
; 2007
 +
* [http://www.first.org/conference/2007/papers/rutkowska-joanna-slides.pdf Beyond The CPU: Defeating Hardware Based RAM Acquisition (part I: AMD case)], Joanna Rutkowska COSEINC Advanced Malware Labs
 
* [http://www.dfrws.org/2007/proceedings/p114-arasteh.pdf Forensic Memory Analysis: From Stack and Code to Execution History], Ali Reza Arasteh and Mourad Debbabi, DFRWS 2007
 
* [http://www.dfrws.org/2007/proceedings/p114-arasteh.pdf Forensic Memory Analysis: From Stack and Code to Execution History], Ali Reza Arasteh and Mourad Debbabi, DFRWS 2007
 
* [http://www.dfrws.org/2007/proceedings/p126-schatz.pdf BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software], Bradley Schatz, DFRWS 2007
 
* [http://www.dfrws.org/2007/proceedings/p126-schatz.pdf BodySnatcher: Towards Reliable Volatile Memory Acquisition by Software], Bradley Schatz, DFRWS 2007
 
* [http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf The VAD Tree: A Process-Eye View of Physical Memory], Brendan F Dolan-Gavitt, DFRWS 2007
 
* [http://www.dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf The VAD Tree: A Process-Eye View of Physical Memory], Brendan F Dolan-Gavitt, DFRWS 2007
 +
* [http://www.friendsglobal.com/papers/FireWire%20Memory%20Dump%20of%20Windows%20XP.pdf FireWire Memory Dump of a Windows XP Computer: A Forensic Approach], Antonio Martin, 2007
  
 +
; 2006
 
* [http://www.dfrws.org/2006/proceedings/2-Schuster.pdf Searching for Processes and Threads in Microsoft Windows Memory Dumps], Andreas Schuster, Deutsche Telekom AG, Germany, DFRWS 2006
 
* [http://www.dfrws.org/2006/proceedings/2-Schuster.pdf Searching for Processes and Threads in Microsoft Windows Memory Dumps], Andreas Schuster, Deutsche Telekom AG, Germany, DFRWS 2006
 +
* Using every part of the buffalo in Windows memory an, Jesse D. Kornblum, DFRWS 2006
  
 +
== External Links ==
 +
* [http://undocumented.ntinternals.net/ NTAPI Undocumented Functions]
 +
* [http://msdn.microsoft.com/en-us/library/cc230273.aspx MS-DTYP: Windows Data Types]
 +
* [http://www.codemachine.com/article_kernelstruct.html Catalog of key Windows kernel data structures]
 +
* [http://cyberspeak.libsyn.com/index.php?post_id=98104 Jesse Kornblum Memory Analysis discussion on Cyberspeak]
 +
* [http://www.4tphi.net/fatkit/#links Fatkit: Links]
 +
* [http://www.cmlab.csie.ntu.edu.tw/~cathyp/eBooks/WindowsNT/Driver/kernel_debugging_tutorial.pdf Kernel Debugging with WinDbg]
 +
* [https://www.blackhat.com/presentations/bh-usa-07/Lindsay/Whitepaper/bh-usa-07-lindsay-WP.pdf Attacking the Windows kernel], by Jonathan Lindsay, BlackHat 2007
 +
* [http://dfrws.org/2007/proceedings/p62-dolan-gavitt.pdf The VAD tree: A process-eye view of physical memory], by [[Brendan Dolan-Gavitt]], DFRWS 2007
 +
* [http://fumalwareanalysis.blogspot.ch/2011/12/malware-analysis-tutorial-7-exploring.html Malware Analysis Tutorial 7: Exploring Kernel Data Structure], by Dr. Fu, December 14, 2011
 +
* [http://rekall-forensic.blogspot.com/2014/10/windows-virtual-address-translation-and.html Windows Virtual Address Translation and the Pagefile], by [[Michael Cohen]], October 31, 2014
  
 +
=== Kernel debugging ===
 +
* [http://advancedwindowsdebugging.com/book/contents.htm Advanced Windows Debugging], by Mario Hewardt, Daniel Pravat, November 8, 2007
 +
* [http://www.informit.com/articles/article.aspx?p=1081496 Advanced Windows Debugging: Memory Corruption Part II—Heaps], by Daniel Pravat and Mario Hewardt, November 9, 2007
 +
* [http://moyix.blogspot.ch/2008/04/finding-kernel-global-variables-in.html Finding Kernel Global Variables in Windows], by Brendan Dolan-Gavitt, April 16, 2008
 +
* [http://scudette.blogspot.com/2012/11/finding-kernel-debugger-block.html Finding the Kernel Debugger Block], by Michael Cohen, November 18, 2012
 +
* [http://rekall-forensic.blogspot.ch/2014/02/do-we-need-kernel-debugging-block.html Do we need the Kernel Debugging Block?], by Michael Cohen, February 21, 2014
  
[[Category:Bibliographies]]
+
=== [http://volatility-labs.blogspot.com/ Volatility Labs] ===
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html MoVP 1.1 Logon Sessions, Processes, and Images]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html MoVP 1.2 Window Stations and Clipboard Malware]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-13-desktops-heaps-and-ransomware.html MoVP 1.3 Desktops, Heaps, and Ransomware]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html MoVP 2.2 Malware In Your Windows]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-23-event-logs-and-service-sids.html MoVP 2.3 Event Logs and Service SIDs]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem]
 +
* [http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html HowTo: Scan for Internet Cache/History and URLs]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html MoVP 3.3 Analyzing USER Handles and the Win32k.sys Gahti]
 +
* [http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html MoVP 3.4: Recovering tagCLIPDATA: What's In Your Clipboard?]
 +
* [http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-gdi.html MoVP 4.1 Detecting Malware with GDI Timers and Callbacks]
 +
* [http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from-memory.html MoVP 4.2 Taking Screenshots from Memory Dumps]
 +
* [http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-around.html MoVP 4.4 Cache Rules Everything Around Me(mory)]
 +
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gui.html OMFW 2012: Malware In the Windows GUI Subsystem]
 +
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-and-mft.html OMFW 2012: Reconstructing the MBR and MFT from Memory]
 +
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-analysis-of-process-token.html OMFW 2012: The Analysis of Process Token Privileges]
 +
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-mining-pfn-database-for.html OMFW 2012: Mining the PFN Database for Malware Artifacts]
  
== External Links ==
+
=== WinDBG ===
; Jesse Kornblum Memory Analysis discussion on Cyberspeak
+
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html Getting Started with WinDBG - Part 1], by [[Brad Antoniewicz]], December 17, 2013
: http://cyberspeak.libsyn.com/index.php?post_id=98104
+
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-2.html Getting Started with WinDBG - Part 2], by [[Brad Antoniewicz]], December 24, 2013
; Memory Analysis Bibliography
+
* [http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-3.html Getting Started with WinDBG - Part 3], by [[Brad Antoniewicz]], December 31, 2013
: http://www.4tphi.net/fatkit/#links
+
* [http://www.msuiche.net/2014/01/12/extengcpp-part-1/ Developing WinDbg ExtEngCpp Extension in C++ – Introduction – Part 1], by [[Matt Suiche]], January 12, 2014
 +
* [http://www.msuiche.net/2014/01/15/developing-windbg-extengcpp-extension-in-c-com-interface/ Developing WinDbg ExtEngCpp Extension in C++ – COM Interface – Part 2], by [[Matt Suiche]], January 15, 2014
 +
* [http://www.msuiche.net/2014/01/20/developing-windbg-extengcpp-extension-in-c-memory-debugger-markup-language-dml-part-3/ Developing WinDbg ExtEngCpp Extension in C++ – Memory & Debugger Markup Language (DML) – Part 3], by [[Matt Suiche]], January 20, 2014
 +
* [https://github.com/msuiche/SwishDbgExt SwishDbgExt - Incident Response & Digital Forensics Debugging Extension]
 +
 
 +
[[Category:Bibliographies]]
 +
[[Category:Memory Analysis]]

Latest revision as of 23:50, 12 June 2015

Analysis of physical memory from Windows systems can yield significant information about the target operating system. This field is still very new, but holds great promise.

Data types

Data types typical to the WINAPI are documented by Microsoft in MS-DTYP [1].

Sample Memory Images

Getting started with memory analysis can be difficult without some known images to practice with.

See Also

History

During the 1990s, it became a best practice to capture a memory image during incident response. At the time, the only way to analyze such memory images was using strings. Although this method could reveal interesting details about the memory image, there was no way to associate what data came from what program, let alone what user.

In the summer 2005 the Digital Forensic Research Workshop published a Memory Analysis Challenge. They distributed two memory images and asked researchers to answer a number of questions about a security incident. The challenge produced two seminal works. The first, by Chris Betz, introduced a tool called memparser. The second, by George Garner and Robert-Jan Mora produced KnTList.

At the Blackhat Federal conference in March 2007, AAron Walters and Nick Petroni released a suite called volatools. Although it only worked on Windows XP Service Pack 2 images, it was able to produce a number of useful data. volatools was updated and re-released as Volatility in August 2007, and is now maintained and distributed by Volatile Systems.

Bibliography

2012
2011
2010
2009
2008
2007
2006

External Links

Kernel debugging

Volatility Labs

WinDBG