Archives For Memory Forensics

I have been using F-Response Tactical lately and wanted to share some of my thoughts.  When I first encountered the Tactical product, I had to brainstorm with Matt Shannon at F-Response to understand its use cases.  I spend a lot of my time doing incident response, and in that role I have used many of the enterprise forensic platforms.  These tools are largely agent based, meaning a small application is run on the target system allowing raw device access to system components and communication back to a central hub for analysis.  F-Response has this capability in their Consultant and Enterprise editions, and the capability has even started to filter down to some of our standard forensic suites, such as FTK 3 covered in this previous post.  F-Response Tactical takes a different approach.  It uses a paired set of dongles instead of agents.  While limiting for some applications (such as geographically remote acquisition), it makes up for it by being dead simple to use.  To start, you plug the “Subject” dongle into your target system and execute an application to begin beaconing on the network.  The matched “Examiner” dongle plugs into your forensic workstation and is used to connect to the Subject.  Once connected, you have full access to all physical disks, volumes, and memory on the Subject system.  Since access is at the raw device level, even files traditionally locked by the filesystem can be accessed, like Exchange .edb database files, Registry hives, and System Restore Points.  These items are mounted on your forensic workstation, allowing analysis using your favorite forensic software.

Live Response Applications

Continue Reading…

Note: This post originally appeared on the SANS Forensics blog

As memory forensics has become better understood and more widely practiced, tools have proliferated.  More importantly, the capabilities of the tools have greatly improved.  Traditionally, memory analysis has been the sole domain of Windows internals experts, but recent tools now make analysis feasible for the rank and file forensic examiner.  Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field.  We are also seeing novel ways to attack the problem.  One of the more interesting developments I have been following lately is the advent of live memory analysis.

I credit the free Mandiant Memoryze tool with popularizing the idea of performing live memory analysis, and I believe it is a revolutionary change.  The idea itself could be as controversial as creating a memory image was just a few years ago.  Do you remember the naysayers questioning how our forensic analysis could possibly be valid if we were to run our imaging applications on the live system?  Shouldn’t we still be pulling the plug?  What would they say if we now told them we were going to play “Find the Hacker” on that same live system?  Luckily it turns out that the system impact of doing a live analysis versus (or in addition to) taking a memory image is minimal.  And the benefits are great:

  • Inclusion of the system pagefile, providing a more complete picture of memory
  • Digital signature checks of process and driver executables (the on-disk binaries are there to be checked, something a memory image alone cannot provide)
  • More accurate heuristic matching
  • Faster triage capability
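
The signature-check benefit deserves a closer look, because it explains why it is a live-analysis benefit at all.  As an added example (not Memoryze or Redline code), the Python below parses just enough of a PE file to locate its Authenticode certificate table: the Security data directory holds a raw file offset to a WIN_CERTIFICATE blob that sits past the last section's raw data, in the overlay, which the loader never maps.  A process image dumped from memory therefore has no signature to verify, while the file on disk does.  The sample PE32+ the code builds is constructed test data with placeholder signature bytes; the code reports where the blob is and whether it is in the overlay, and leaves validating the PKCS#7 chain to WinVerifyTrust / Get-AuthenticodeSignature.

```python
"""Locate the Authenticode certificate table in a PE file on disk.

Added example, not Memoryze or Redline code.  Shows that the WIN_CERTIFICATE
blob lives in the overlay (past the last section's raw data), which is why a
memory image carries no signature to check but the on-disk binary does.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def find_authenticode(data: bytes) -> dict:
    """Parse only the headers needed to find the certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at +96
        dd_base = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at +112
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # For the Security directory the "VirtualAddress" field is a FILE offset.
    cert_off, cert_len = struct.unpack_from(
        "<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    # End of the last section's raw data; everything after it is overlay.
    sect = opt + size_opt
    mapped_end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        mapped_end = max(mapped_end, raw_ptr + raw_size)

    if cert_off == 0 or cert_len == 0:
        return {"signed": False, "offset": 0, "length": 0,
                "cert_type": None, "in_overlay": False, "pkcs7": b""}
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    return {"signed": True, "offset": cert_off, "length": cert_len,
            "cert_type": cert_type, "in_overlay": cert_off >= mapped_end,
            "pkcs7": bytes(data[cert_off + 8:cert_off + dw_length])}


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ (one section) for the demo, not a real binary.
    With signed=True a WIN_CERTIFICATE holding placeholder bytes is appended
    as an overlay and referenced from the Security directory."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 16 * 8                       # PE32+ fixed part + 16 dirs
    raw_ptr, raw_size = 0x200, 0x200              # where .text lives on disk
    overlay_off = raw_ptr + raw_size              # first byte past .text
    cert = b""
    if signed:
        pkcs7 = b"\xAA" * 20                      # placeholder, not real ASN.1
        cert = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (overlay_off, len(cert))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000,
                       raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers.ljust(raw_ptr, b"\0") + b"\xCC" * raw_size + cert


if __name__ == "__main__":
    for signed in (True, False):
        r = find_authenticode(build_sample_pe(signed))
        print("signed=%s in_overlay=%s offset=%#x length=%d"
              % (r["signed"], r["in_overlay"], r["offset"], r["length"]))
```

To try it on a real system, feed `find_authenticode` the bytes of a process's on-disk executable; for a signed Microsoft binary you will see the certificate table start at or beyond the end of the last section.  The same overlay placement is why a signature cannot be recovered from the in-memory copy of the module.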

Keep in mind that live analysis works by reading physical memory directly, not by relying upon API calls, open handles, or debuggers.  Thus it is just as effective against advanced malware and rootkits as analyzing a standard memory image.  Convinced yet?  If so, here is how to perform a live memory analysis with the new free tool, Redline:
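
The reason direct physical-memory access holds up against rootkits is worth seeing in code.  As an added example (not Memoryze or Redline code), the Python below builds a small constructed "physical memory" buffer holding simplified process objects, unlinks one from the active-process list the way a DKOM rootkit hides a process, and then compares what a list walk (what API-based tools effectively see) reports with what a scan of raw memory for object signatures reports.  The object layout (tag, pid, LIST_ENTRY, name) and the pool tag are invented for this demo; real EPROCESS and pool headers differ, and real scanners validate many more fields than the sanity checks here.

```python
"""List walk versus raw-memory scan on a constructed memory buffer.

Added example, not Memoryze or Redline code.  The process object layout is
invented for the demo: tag(4) pid(4) flink(4) blink(4) name(16).
"""
import struct

TAG = b"Proc"            # tag written in front of each object (demo value)
HEAD = 0x100             # stand-in for the active-process list head (bare LIST_ENTRY)
OBJ_SIZE = 32
LINK_OFF = 8             # offset of the LIST_ENTRY inside an object
MEM_SIZE = 0x10000


def _r32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]


def _w32(mem, off, val):
    struct.pack_into("<I", mem, off, val)


def build_memory(procs, hidden_pids=()):
    """procs: [(pid, name, offset)].  Writes every object, links them into a
    circular list from HEAD, then unlinks the hidden ones the way DKOM does:
    prev.flink = next and next.blink = prev, leaving the object itself intact."""
    mem = bytearray(MEM_SIZE)
    links = [HEAD] + [off + LINK_OFF for _, _, off in procs]
    for (pid, name, off), prev, nxt in zip(procs, links[:-1], links[2:] + [HEAD]):
        struct.pack_into("<4sIII16s", mem, off, TAG, pid, nxt, prev, name.encode())
    _w32(mem, HEAD, links[1])        # head.flink -> first object
    _w32(mem, HEAD + 4, links[-1])   # head.blink -> last object
    by_pid = {pid: off for pid, _, off in procs}
    for pid in hidden_pids:
        le = by_pid[pid] + LINK_OFF
        f, b = _r32(mem, le), _r32(mem, le + 4)
        _w32(mem, b, f)              # prev.flink = next
        _w32(mem, f + 4, b)          # next.blink = prev
    return mem


def walk_active_list(mem):
    """Follow the OS's own linked list: unlinked objects are invisible."""
    seen, cur = [], _r32(mem, HEAD)
    while cur != HEAD and len(seen) < 1000:
        pid, _, _, name = struct.unpack_from("<III16s", mem, cur - LINK_OFF + 4)
        seen.append((pid, name.rstrip(b"\0").decode()))
        cur = _r32(mem, cur)
    return seen


def scan_pool_tags(mem):
    """Scan raw memory for the tag: linked or not, every object is found.
    Candidates are sanity-checked so a stray 'Proc' inside a string (for
    example a process named Procmon.exe) is rejected as a false hit."""
    found, pos = [], mem.find(TAG)
    while pos != -1:
        if pos + OBJ_SIZE <= len(mem):
            pid, flink, blink, name = struct.unpack_from("<III16s", mem, pos + 4)
            name = name.rstrip(b"\0")
            if (pid and flink < len(mem) and blink < len(mem)
                    and name and all(32 <= c < 127 for c in name)):
                found.append((pid, name.decode()))
        pos = mem.find(TAG, pos + 1)
    return found


def hidden_processes(mem):
    """Objects the scan finds that the list walk does not: DKOM candidates."""
    return sorted(set(scan_pool_tags(mem)) - set(walk_active_list(mem)))


# Constructed sample: four processes, one of which will be unlinked.
SAMPLE = [(4, "System", 0x1000), (612, "Procmon.exe", 0x2400),
          (1337, "evil.exe", 0x5A00), (2048, "explorer.exe", 0x8800)]


def demo():
    mem = build_memory(SAMPLE, hidden_pids=(1337,))
    return walk_active_list(mem), scan_pool_tags(mem), hidden_processes(mem)


if __name__ == "__main__":
    walked, scanned, hidden = demo()
    print("list walk :", walked)
    print("raw scan  :", scanned)
    print("hidden    :", hidden)
```

The walk reports three processes, the scan reports four, and the difference is the unlinked one.  Nothing in the hidden object was changed by the rootkit, which is exactly why tools that read physical memory, live or from an image, still see it; the same idea carries over to drivers and threads.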

Continue Reading…

I am a big fan of Mandiant Memoryze for memory forensic analysis.  With support for Windows systems from 2000 SP4 to 2008 R2 and ever increasing features to flag potential evil, it is hands down the best free tool available for the job.  Its only downside up to this point has been the steep learning curve required by the user interface.  Enter Redline.  Redline replaces AuditViewer as the front-end to Memoryze and truly brings memory analysis capability to the masses.  What excites me most about this tool is that it dramatically lowers the bar for individuals trying to get started with memory forensics.  Chalk one up for the good guys.

Note: This post originally appeared on the SANS Forensics blog

Mandiant’s Memoryze tool is without question one of the best forensic tools available.  It is an incredibly powerful memory analysis suite that should be part of every incident responder’s toolkit.  It’s free, but requires some patience to traverse the learning curve.  Memoryze was built by Jamie Butler and Peter Silberman, a couple of hardcore memory / malware analysts that operate on a completely different level than most of us mere mortals.  In this post I’ll cover how to get started with Memoryze, because if you haven’t added memory analysis to your intrusion investigations, there is a whole lot of evil out there that you are missing.

Continue Reading…