Praise for The Art of Memory Forensics
“The best, most complete technical book I have read in years”
—Jack Crook, Incident Handler
“The authoritative guide to memory forensics”
—Bruce Dang, Microsoft
“An in-depth guide to memory forensics from the pioneers of the field”
—Brian Carrier, Basis Technology
The Art of Memory Forensics
Detecting Malware and Threats in Windows, Linux, and Mac Memory
Michael Hale Ligh
Andrew Case
Jamie Levy
AAron Walters
The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
Published by John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2014 by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-82509-9
ISBN: 978-1-118-82504-4 (ebk)
ISBN: 978-1-118-82499-3 (ebk)
Manufactured in the United States of America
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as
permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the
Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600.
Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley
& Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at
http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim
all warranties, including without limitation warranties of fitness for a particular purpose. No warranty
may be created or extended by sales or promotional materials. The advice and strategies contained herein
may not be suitable for every situation. This work is sold with the understanding that the publisher is not
engaged in rendering legal, accounting, or other professional services. If professional assistance is required,
the services of a competent professional person should be sought. Neither the publisher nor the author shall
be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work
as a citation and/or a potential source of further information does not mean that the author or the publisher
endorses the information the organization or website may provide or recommendations it may make. Further,
readers should be aware that Internet websites listed in this work may have changed or disappeared between
when this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department
within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included
with standard print versions of this book may not be included in e-books or in print-on-demand. If this
book refers to media such as a CD or DVD that is not included in the version you purchased, you may
download this material at . For more information about Wiley products, visit www.wiley.com.
Library of Congress Control Number: 2014935751
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc.
and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not
associated with any product or vendor mentioned in this book.
To my three best friends: Suzanne, Ellis, and Miki. If I could take back the time it took to
write this book, I’d spend every minute with you. Looking forward to our new house!
—Michael Hale Ligh
I would like to thank my wife, Jennifer, for her patience during my many sleepless nights and
long road trips. I would also like to thank my friends and family, both in the physical and digital
world, who have helped me get to where I am today.
—Andrew Case
To my family, who made me the person I am today, and especially to my husband, Tomer, the
love of my life, without whose support I wouldn’t be here.
—Jamie Levy
To my family for their unconditional support; to my wife, Robyn, for her love and
understanding; and to Addisyn and Declan for reminding me what is truly important and
creating the only memories that matter.
—AAron Walters
Credits
Executive Editor: Carol Long
Project Editor: T-Squared Document Services
Technical Editors: Golden G. Richard III, Nick L. Petroni, Jr.
Production Editor: Christine Mugnolo
Copy Editor: Nancy Sixsmith
Manager of Content Development and Assembly: Mary Beth Wakefield
Director of Community Marketing: David Mayhew
Marketing Manager: Dave Allen
Business Manager: Amy Knies
Vice President and Executive Group Publisher: Richard Swadley
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Patrick Redmond
Compositor: Maureen Forys, Happenstance Type-O-Rama
Proofreaders: Jennifer Bennett, Josh Chase
Indexer: Johnna VanHoose Dinse
Cover Designer: Wiley
Cover Image: © iStock.com/Raycat
About the Authors
Michael Hale Ligh (@iMHLv2) is author of Malware Analyst’s Cookbook and secretary/treasurer
of the Volatility Foundation. As both a developer and reverse engineer, his focus is malware
cryptography, memory forensics, and automated analysis. He has taught advanced malware and
memory forensics courses to students around the world.
Andrew Case (@attrc) is a digital forensics researcher for the Volatility Project responsible
for projects related to memory, disk, and network forensics. He is the co-developer of
Registry Decoder (a National Institute of Justice–funded forensics application) and was
voted Digital Forensics Examiner of the Year in 2013. He has presented original memory
forensics research at Black Hat, RSA, and many others.
Jamie Levy (@gleeda) is a senior researcher and developer with the Volatility Project. Jamie
has taught classes in computer forensics at Queens College and John Jay College. She is
an avid contributor to the open-source computer forensics community, and has authored
peer-reviewed conference publications and presented at numerous conferences on the
topics of memory, network, and malware forensics analysis.
AAron Walters (@4tphi) is the founder and lead developer of the Volatility Project, president of the Volatility Foundation, and chair of the Open Memory Forensics Workshop.
AAron’s research led to groundbreaking developments that helped shape how digital
investigators analyze RAM. He has published peer-reviewed papers in IEEE and Digital
Investigation journals, and presented at Black Hat, DoD Cyber Crime Conference, and
American Academy of Forensic Sciences.
About the Technical Editors
Golden G. Richard III (@nolaforensix) is currently Professor of Computer Science and
Director of the Greater New Orleans Center for Information Assurance at the University
of New Orleans. He also owns Arcane Alloy, LLC, a private digital forensics and computer
security company.
Nick L. Petroni, Jr., Ph.D., is a computer security researcher in the Washington, DC metro
area. He has more than a decade of experience working on problems related to low-level
systems security and memory forensics.
Acknowledgments
We would like to thank the memory forensics community at large: those who spend
their weekends, nights, and holidays conducting research and creating free, open-source
code for practitioners. This includes developers and users, both past and present,
who have contributed unique ideas, plugins, and bug fixes to the Volatility Framework.
Specifically, for their help on this book, we want to recognize the following:
• Dr. Nick L. Petroni for his invaluable comments during the book review process
and whose innovative research inspired the creation of Volatility.
• Dr. Golden G. Richard III for his expertise and commitment as technical editor.
• Mike Auty for his endless hours helping to maintain and shepherd the Volatility
source code repository.
• Bruce Dang and Brian Carrier for taking time out of their busy schedules to review
our book.
• Brendan Dolan-Gavitt for his numerous contributions to Volatility and the memory
forensics field that were highlighted in the book.
• George M. Garner, Jr. (GMG Systems, Inc.) for his insight and guidance in the
memory acquisition realm.
• Matthieu Suiche (MoonSols) for reviewing the Windows Memory Toolkit section
and for his advancements in Mac OS X and Windows Hibernation analysis.
• Matt Shannon (Agile Risk Management) for his review of the F-Response section
of the book.
• Jack Crook for reviewing our book and for providing realistic forensics challenges
that involve memory samples and allowing people to use them to become better
analysts.
• Wyatt Roersma for providing memory samples from a range of diverse systems
and for helping us test and debug issues.
• Andreas Schuster for discussions and ideas that helped shape many of the memory
forensics topics and techniques.
• Robert Ghilduta, Lodovico Marziale, Joe Sylve, and Cris Neckar for their review
of the Linux chapters and research discussions of the Linux kernel.
• Cem Gurkok for his Volatility plugins and research into Mac OS X.
• Dionysus Blazakis, Andrew F. Hay, Alex Radocea, and Pedro Vilaça for their help
with the Mac OS X chapters, including providing memory captures, malware samples, research notes, and chapter reviews.
We also want to thank Maureen Tullis (T-Squared Document Services), Carol Long, and
the various teams at Wiley that helped us through the authoring and publishing process.
Contents
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
I An Introduction to Memory Forensics . . . . . . . . . . . 1
1 Systems Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Digital Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
PC Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Operating Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Process Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Memory Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
File System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
I/O Subsystem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
2 Data Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Basic Data Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
3 The Volatility Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Why Volatility?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
What Volatility Is Not. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
The Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Using Volatility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
4 Memory Acquisition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Preserving the Digital Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Software Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Memory Dump Formats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Converting Memory Dumps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Volatile Memory on Disk. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
x
Contents
II Windows Memory Forensics. . . . . . . . . . . . . . . . . . 115
5 Windows Objects and Pool Allocations. . . . . . . . . . . . . . . . . . . . . . . . . . 117
Windows Executive Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Pool-Tag Scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Limitations of Pool Scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140
Big Page Pool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Pool-Scanning Alternatives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
6 Processes, Handles, and Tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Process Tokens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Privileges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Process Handles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Enumerating Handles in Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
7 Process Memory Internals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
What’s in Process Memory?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Enumerating Process Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .193
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
8 Hunting Malware in Process Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Process Environment Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
PE Files in Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Packing and Compression. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Code Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263
9 Event Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Event Logs in Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Real Case Examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
10Registry in Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Windows Registry Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Volatility’s Registry API. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Parsing Userassist Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Contents
Detecting Malware with the Shimcache . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Reconstructing Activities with Shellbags. . . . . . . . . . . . . . . . . . . . . . . . . . . .298
Dumping Password Hashes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Obtaining LSA Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
11Networking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Network Artifacts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Hidden Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Raw Sockets and Sniffers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Next Generation TCP/IP Stack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327
Internet History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
DNS Cache Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341
12Windows Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Service Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
Installing Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Tricks and Stealth. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Investigating Service Activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366
13Kernel Forensics and Rootkits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Kernel Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .367
Modules in Memory Dumps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
Threads in Kernel Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Driver Objects and IRPs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Device Trees. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Auditing the SSDT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Kernel Callbacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Kernel Timers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .399
Putting It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .406
14Windows GUI Subsystem, Part I. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
The GUI Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
GUI Memory Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
The Session Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Window Stations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Desktops. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
xi
xii Contents
Atoms and Atom Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452
15Windows GUI Subsystem, Part II. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453
Window Message Hooks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453
User Handles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459
Event Hooks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466
Windows Clipboard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .468
Case Study: ACCDFISA Ransomware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .476
16Disk Artifacts in Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Master File Table. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .477
Extracting Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .493
Defeating TrueCrypt Disk Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .510
17Event Reconstruction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Strings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .511
Command History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .523
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .536
18Timelining. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Finding Time in Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .537
Generating Timelines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539
Gh0st in the Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .543
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .573
III Linux Memory Forensics. . . . . . . . . . . . . . . . . . . . . 575
19Linux Memory Acquisition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Historical Methods of Acquisition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .577
Modern Acquisition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .579
Volatility Linux Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .589
20Linux Operating System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
ELF Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .591
Contents
Linux Data Structures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .603
Linux Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .607
procfs and sysfs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .609
Compressed Swap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
21Processes and Process Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Processes in Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Enumerating Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .613
Process Address Space. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
Process Environment Variables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .625
Open File Handles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .626
Saved Context State. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .630
Bash Memory Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .630
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .635
22Networking Artifacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Network Socket File Descriptors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .637
Network Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .640
Queued Network Packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .643
Network Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .646
The Route Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .650
ARP Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .652
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
23Kernel Memory Artifacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
Physical Memory Maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657
Virtual Memory Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .661
Kernel Debug Buffer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663
Loaded Kernel Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .667
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .673
24File Systems in Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
Mounted File Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .675
Listing Files and Directories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .681
Extracting File Metadata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .684
Recovering File Contents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .691
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .695
xiii
xiv Contents
25Userland Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
Shellcode Injection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .698
Process Hollowing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .703
Shared Library Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .705
LD_PRELOAD Rootkits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .712
GOT/PLT Overwrites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .716
Inline Hooking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .718
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .719
26Kernel Mode Rootkits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .721
Accessing Kernel Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .721
Hidden Kernel Modules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .722
Hidden Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .728
Elevating Privileges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .730
System Call Handler Hooks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .734
Keyboard Notifiers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .735
TTY Handlers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .739
Network Protocol Structures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .742
Netfilter Hooks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .745
File Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
Inline Code Hooks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .752
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .754
27Case Study: Phalanx2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Phalanx2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .755
Phalanx2 Memory Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .757
Reverse Engineering Phalanx2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .763
Final Thoughts on Phalanx2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .772
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .772
IV Mac Memory Forensics. . . . . . . . . . . . . . . . . . . . . . . 773
28Mac Acquisition and Internals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 775
Mac Design. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .775
Memory Acquisition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .780
Mac Volatility Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .784
Mach-O Executable Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .791
Contents
29Mac Memory Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793
Mac versus Linux Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .793
Process Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .794
Address Space Mappings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .799
Networking Artifacts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .804
SLAB Allocator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .808
Recovering File Systems from Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .811
Loaded Kernel Extensions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .815
Other Mac Plugins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .818
Mac Live Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .819
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .821
30 Malicious Code and Rootkits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823
Userland Rootkit Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .823
Kernel Rootkit Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .828
Common Mac Malware in Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .838
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .844
31 Tracking User Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 845
Keychain Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .845
Mac Application Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .849
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .858
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 859
Introduction
Memory forensics is arguably the most fruitful, interesting, and provocative realm
of digital forensics. Each function performed by an operating system or application results in specific modifications to the computer’s memory (RAM), which can often
persist a long time after the action, essentially preserving them. Additionally, memory
forensics provides unprecedented visibility into the runtime state of the system, such as
which processes were running, open network connections, and recently executed commands. You can extract these artifacts in a manner that is completely independent of the
system you are investigating, reducing the chance that malware or rootkits can interfere
with your results. Critical data often exists exclusively in memory, such as disk encryption keys, memory-resident injected code fragments, off-the-record chat messages, unencrypted e‑mail messages, and non-cacheable Internet history records.
By learning how to capture computer memory and profile its contents, you’ll add an
invaluable resource to your incident response, malware analysis, and digital forensics
capabilities. Although inspection of hard disks and network packet captures can yield
compelling evidence, it is often the contents of RAM that enables the full reconstruction of
events and provides the necessary puzzle pieces for determining what happened before,
during, and after an infection by malware or an intrusion by advanced threat actors. For
example, clues you find in memory can help you correlate traditional forensic artifacts
that may appear disparate, allowing you to make associations that would otherwise go
unnoticed.
Regarding the title of this book, the authors believe that memory forensics is a form
of art. It takes creativity and commitment to develop this art, but anyone can enjoy and
utilize it. Like an exquisite painting, some details are immediately obvious the first time
you see them, and others may take time for you to notice as you continue to explore and
learn. Furthermore, just like art, there is rarely an absolute right or wrong way to perform
memory forensics. Along those lines, this book is not meant to be all-encompassing or
wholly authoritative. From the plethora of tools and techniques, you can choose the ones
that best suit your personal goals. This book will serve as your guide to choosing what
type of artist you want to become.
Overview of the Book and Technology
The world’s reliance on computing grows enormously every day. Companies protect
themselves with digital defenses such as firewalls, encryption, and signature/heuristic
scanning. Additionally, nations plan attacks by targeting power grids, infiltrating military data centers, and stealing trade secrets from both public and private organizations.
It is no wonder that detecting, responding to, and reporting on these types of intrusions,
as well as other incidents involving computer systems, are critical tasks for information
security professionals.
As these attack surfaces expand and the sophistication of adversaries grows, defenders must adapt in order to survive. If evidence of compromise is never written to a hard
drive, you cannot rely on disk forensics. Memory, on the other hand, has a high potential
to contain malicious code from an infection, in whole or in part, even if it’s never written to disk—because it must be loaded in memory to execute. The RAM of a victimized
system will also contain evidence that system resources were allocated by, and in support
of, the malicious code.
Likewise, if the data exfiltrated from an organization is encrypted across the network,
a packet capture is not likely to help you determine which sensitive files were stolen.
However, memory forensics can often recover encryption keys and passwords, or even
the plain-text contents of files before they were encrypted, giving you an accelerated way
to draw conclusions and understand the scope of an attack.
The most compelling reason for writing this book is that the need for memory forensics in digital investigations greatly exceeds the amount of information available on
the topic. Aside from journals, short academic papers, blog posts, and Wiki entries, the
most thorough documentation on the subject consists of a few chapters in Malware
Analyst’s Cookbook (Wiley, 2010, Chapters 15 through 18). Nearing its fourth birthday,
much of the Cookbook’s content is now outdated, and many new capabilities have been
developed since then.
The Art of Memory Forensics, and the corresponding Volatility 2.4 Framework code,
covers the most recent Windows, Linux, and Mac OS X operating systems. In particular,
it covers Windows 8.1 and Server 2012 R2, Linux kernels up to 3.14, and Mac OS X
Mavericks, including the 64-bit editions. If your company or clients have a heterogeneous
mix of laptops, desktops, and servers running different operating systems, you’ll want
to read all parts of this book to learn investigative techniques specific to each platform.
Who Should Read This Book
This book is written for practitioners of technical computing disciplines such as digital
forensics, malicious code analysis, network security, threat intelligence gathering, and
incident response. It is also geared toward law enforcement officers and government
agents who pursue powerful new ways to investigate digital crime scenes. Furthermore,
we know that many college and university students are interested in studying similar
topics. If you have worked, or desire to work, in any of the aforementioned fields, this
book will become a major point of reference for you.
The material we present is intended to appeal to a broad spectrum of readers interested in solving modern digital crimes and fighting advanced malware using memory
forensics. While not required, we assume that you have a basic familiarity with C and
Python programming languages. In particular, this includes a basic understanding of
data structures, functions, and control flow. This familiarity will allow you to realize the
full benefit of the code exhibits, which are also presented with detailed explanations.
For those new to the field, we suggest carefully reading the introductory material in the
first part, because it will provide the building blocks to help you through the rest of the
book. For the experienced reader, you may want to use the first part as reference material
and skip to the parts that interest you most. Regardless of the path you take, the book is
intended for the digital investigator who constantly strives to build their skills and seeks
new ideas for combating sophisticated and creative digital adversaries.
How This Book Is Organized
This book is broken down into four major parts. The first part introduces the fundamentals
of modern computers (hardware and software) and presents the tools and methodologies
you need for acquiring memory and getting started with the Volatility Framework. The
next three parts dive deep into the specifics of each major operating system: Windows,
Linux, and Mac. The individual chapters for each OS are organized according to the
category of artifacts (e.g., networking, rootkits) or where the artifacts are found (e.g., process memory, kernel memory). The order of the chapters is not meant to imply that your
investigations should occur in the same order. We suggest reading the entire book to learn
all the possibilities and then determine your priorities based on the specifics of each case.
Conventions
There are a number of conventions used throughout the book, such as the following:
• Hexadecimal addresses and names of files, API functions, variables, and other
terms related to code are shown in monofont. For example: 0x31337, user.ds,
PsCreateProcess, process_pid = 4
• Typed commands are shown in monofont and bold. If the command is preceded by
a $ sign, that means we were using a UNIX system (Linux or Mac OS X). Otherwise,
you’ll see a Windows prompt. For example:
$ echo "typing on UNIX" | grep typing
C:\Users\Mike\Desktop> echo "typing on windows" | findstr typing
• If we truncated output for the sake of brevity, we inserted “snip” to indicate the
placement of missing fields.
• Unless otherwise noted, the memory dump files used as evidence throughout the
text are not publicly available. However, the evidence package on the website (see
“What’s on the Website”) contains memory dumps you can explore.
NOTE
Tips, hints, and references related to the current discussion look like this. For example,
Francesco Picasso ported Benjamin Delpy’s Mimikatz (password recovery Windbg
plugin) to Volatility. See and https://code.google.com/p/hotoloti.
WARNING
Common mistakes, misconceptions, and potentially threatening anti-forensics
techniques look like this. For example, Dementia (dementia-forensics) by Luka Milkovic is an open source anti-forensics tool.
Additionally, we typically define analysis objectives before we present the details of a
particular subject. We also make an effort to present and explain the underlying operating system or application data structures related to the evidence you’re analyzing. You’ll
see these items in the following format:
Analysis Objectives
Your objectives are these:
• This is an objective
• This is an objective
Data Structures
This section shows data structures.
Key Points
The key points are as follows:
• This is a key point
• This is a key point
To facilitate understanding and help associate context with the artifacts, we show
practical examples of using memory forensics to detect specific behaviors exhibited by
high profile malware samples, rootkits, suspects, and threat groups.
What’s on the Website
On the book’s website () you will find the lab guide
and exemplary evidence files. These hands-on exercises are designed to simulate practical
investigations and to reinforce the concepts you learn in the text. You can also find any
necessary errata (i.e., mistakes, bug fixes) on the website.
Tools You Will Need
To complete the hands-on exercises, you will need at a minimum:
• Access to Volatility (), the open-source memory
forensics framework version 2.4 or greater.
• A Windows, Linux, or Mac computer with Python () version
2.7 installed.
• Memory acquisition tools (see links in Chapter 4).
The following tools are not required for memory forensics per se, but they’re mentioned
throughout the book and can help complement your memory-related investigations.
• IDA Pro and Hex-Rays () if you plan to disassemble or
decompile code.
• Sysinternals Suite () to analyze artifacts on running Windows systems.
• Wireshark () for capturing and analyzing network data.
• Microsoft WinDbg debugger (debugging/default.mspx).
• YARA (), the “pattern matching swiss army knife
for malware researchers.”
• Virtualization software such as VMware or VirtualBox, if you plan to execute
malware in a controlled environment.
Please note that some tools may require third-party libraries or dependencies.
Memory Forensics Training
The authors of this book, also the core developers of the Volatility Framework, teach an
internationally acclaimed five-day training course: Windows Malware and Memory Forensics
Training by The Volatility Project. Although books help us disseminate the information
that we feel is critical to the future of digital forensics, they only provide one-way communication. If you prefer a classroom environment with the ability to ask questions and
receive one-on-one tutorials, we invite you to bring your curiosity and enthusiasm to this
weeklong journey to the center of memory forensics.
Keep an eye on our training website () for upcoming
announcements regarding the following:
• Public course offerings in North and South America, Europe, Australia, and other
locations
• Online, self-paced training options covering Windows, Linux, and Mac OS X
• Availability for private training sessions provided on site
• Success stories from our past attendees sharing their experiences with memory
analysis
Since launching the course in 2012, we have exposed students to bleeding-edge material
and exclusive new capabilities. This course is your opportunity to learn these invaluable
skills from the researchers and developers that pioneered the field. This is also the only
memory forensics training class authorized to teach Volatility, officially sponsored by
the Volatility Project, and taught directly by Volatility developers. For more information,
send us an e-mail at