Amanda Stewart at the FireEye blog dissected the PlugX remote access tool (RAT). Of particular interest is a beautiful graphic showing the attack progression. With decoys, DLL sideloading, encrypted payloads, process injection, and retrieval of new payloads, this attack pretty much has it all!
Archives For Memory Forensics
One of the fun things I have been working on is a major revision of the SANS Forensics 508: Advanced Forensics and Incident Response material. Rob Lee has spent the last ten years building and updating what has become one of the most well-known and respected digital forensics training courses. The golden age of hacking is in full swing and a whole host of new threats have emerged, including state-sponsored espionage (aka APT), hacktivism, client-side attacks, and crimeware. Digital forensic investigations have never been more in demand. However, computer intrusion and malware investigations require a very different skill set than the cases seen by the average forensic examiner. Rob saw a great opportunity to update the FOR508 course to train this next generation of forensic professionals. I estimate that at least 60-70% of the course and nearly every exercise is new within the last year. My specific part in the course is writing the new memory forensics day. My forensic experience dates to the late 1990s, and I can’t remember any other advance in the field that has so fundamentally shifted the balance from the bad guys to the good guys. Memory forensics is now a mature discipline and we have a wonderful array of tools available, allowing us to analyze everything from raw memory files to hibernation files to crash dumps to live memory audits. Memory analysis is a game-changing skill, and we spend a significant part of the new 508 course learning it and incorporating the results of that analysis into the broader forensic process.
A year after release, the Malware Analyst’s Cookbook continues to elicit uniformly high praise from the security community. It is one of those rare books that only come around once every few years. The breadth of information covered is staggering, and it makes an excellent reference to return to as your skills develop. If I could make one recommendation, I would encourage readers not to wait to read the last four chapters of the book.
The last quarter of the book covers memory forensic analysis, and it is the definitive resource currently available on the subject (either online or in print).
I have been using F-Response Tactical lately and wanted to share some of my thoughts. When I first encountered the Tactical product, I had to brainstorm with Matt Shannon at F-Response to understand its use cases. I spend a lot of my time doing incident response, and in that role I have used many of the enterprise forensic platforms. These tools are largely agent based, meaning a small application is run on the target system, allowing raw device access to system components and communication back to a central hub for analysis. F-Response has this capability in their Consultant and Enterprise editions, and the capability has even started to filter down to some of our standard forensic suites, such as FTK 3, covered in this previous post.

F-Response Tactical takes a different approach. It uses a paired set of dongles instead of agents. While this limits some applications (such as geographically remote acquisition), it makes up for that by being dead simple to use. To start, you plug the “Subject” dongle into your target system and execute an application to begin beaconing on the network. The matched “Examiner” dongle plugs into your forensic workstation and is used to connect to the Subject. Once connected, you have full access to all physical disks, volumes, and memory on the Subject system. Since access is at the raw device level, even files traditionally locked by the filesystem can be accessed, such as Exchange .edb database files, Registry hives, and System Restore Points. These items are mounted on your forensic workstation, allowing analysis using your favorite forensic software.
Live Response Applications
Note: This post originally appeared on the SANS Forensics blog
As memory forensics has become better understood and more widely practiced, tools have proliferated. More importantly, the capabilities of the tools have greatly improved. Traditionally, memory analysis has been the sole domain of Windows internals experts, but recent tools now make analysis feasible for the rank-and-file forensic examiner. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. We are also seeing novel ways to attack the problem. One of the more interesting developments I have been following lately is the advent of live memory analysis.
I credit the free Mandiant Memoryze tool with popularizing the idea of performing live memory analysis, and I believe it is a revolutionary change. The idea itself could be as controversial as creating a memory image was just a few years ago. Do you remember the naysayers questioning how our forensic analysis could possibly be valid if we were to run our imaging applications on the live system? Shouldn’t we still be pulling the plug? What would they say if we now told them we were going to play “Find the Hacker” on that same live system? Luckily it turns out that the system impact of doing a live analysis versus (or in addition to) taking a memory image is minimal. And the benefits are great:
- Inclusion of the system pagefile, providing a more complete picture of memory
- Digital signature checks of process and driver executables
- More accurate heuristics matching
- Faster triage capability
Keep in mind that live analysis works by accessing physical memory directly, not by relying upon API calls, open handles, or debuggers. Thus it is just as effective at defeating advanced malware and rootkits as analyzing a standard memory image. Convinced yet? If so, here is how to perform a live memory analysis with the new free tool, Redline:
I am a big fan of Mandiant Memoryze for memory forensic analysis. With support for Windows systems from 2000 SP4 to 2008 R2 and ever increasing features to flag potential evil, it is hands down the best free tool available for the job. Its only downside up to this point has been the steep learning curve required by the user interface. Enter Redline. Redline replaces AuditViewer as the front-end to Memoryze and truly brings memory analysis capability to the masses. What excites me most about this tool is that it dramatically lowers the bar for individuals trying to get started with memory forensics. Chalk one up for the good guys.
Note: This post originally appeared on the SANS Forensics blog
Mandiant’s Memoryze tool is without question one of the best forensic tools available. It is an incredibly powerful memory analysis suite that should be part of every incident responder’s toolkit. It’s free, but requires some patience to traverse the learning curve. Memoryze was built by Jamie Butler and Peter Silberman, a couple of hardcore memory/malware analysts who operate on a completely different level than most of us mere mortals. In this post I’ll cover how to get started with Memoryze, because if you haven’t added memory analysis to your intrusion investigations, there is a whole lot of evil out there that you are missing.