Week 2 - Memory Acquisition

Memory Acquisition

  • Copying the computer's active memory (RAM) to another storage device.

  • This copied data is called a memory dump.

  • Must be done while the computer is running because RAM data disappears when turned off.

  • The quality of the investigation depends on how well the memory was captured.

  • The capture process itself might accidentally damage some of the memory data.

Preservation

  • In the past, evidence from RAM was often questioned because it could change easily.

  • People assumed evidence was trustworthy only if it hadn't changed at all.

  • Protecting files on the hard drive was seen as more important, even if it meant losing data from RAM.

  • Now, we understand that different types of evidence (like RAM and file systems) give a more complete picture when combined.

  • It's important to cause as little damage as possible during most data capture processes.

Overview of Acquisition Decision Process

  • A decision guide helps choose the best way to get memory, considering key factors.

  • Source: Art of Memory Forensics by Ligh et al (2014).

Hardware vs Software Acquisition

  • Hardware-based acquisition: Uses a direct way to access memory (DMA).

    • Pros: Doesn't need logins for the target system.

    • Cons: The target computer needs specific hardware (e.g., a Firewire port).

    • Limitations: Firewire typically accesses only the first 44GB of RAM; specialized PCI devices are rare and costly.

  • Software acquisition: Involves several decisions:

    • Accessing the device remotely or directly on the machine.

    • Considering the cost.

    • What format the acquisition tools use.

    • Using text commands (CLI) or a visual interface (GUI).

    • Deciding between a full memory copy or just checking current activity.

Risks of Acquisition

  • Acquisition tools that are used incorrectly, or that are themselves malicious, can harm the target system.

  • It's crucial to decide if the benefits of getting the memory outweigh the potential risks.

  • Reasons why system damage might occur include:

    • Atomicity (things not happening instantly).

    • Device Memory access.

    • Cache Coherency issues.

Atomicity

  • An atomic operation is supposed to happen all at once, without interruption.

  • Memory acquisition isn't atomic because RAM constantly changes.

  • Acquisition tools can change RAM at the same time as normal system updates.

  • Best case: The captured information accurately shows the system's state at that moment.

  • Worst case: Data gets corrupted during the capture.

Device Memory

  • In x86/x64 systems, the BIOS tells the operating system which memory areas are reserved for input/output (I/O) devices.

  • Trying to access these reserved areas can make the system freeze or crash.

  • However, these areas can contain important forensic evidence.

Cache Coherency

  • CPUs use multiple caches to speed things up.

  • A problem can occur if the same physical memory location is mapped with different cache rules, potentially corrupting the system.

  • This can happen when the system tries to use memory pages that aren't currently assigned.

Timing for Acquisition

  • The best time to capture memory depends on why you're doing it.

  • Things to consider:

    • Making sure the suspect is logged in.

    • Keeping system activity low to avoid tipping off an attacker.

    • Avoiding times of heavy system use (like updates, backups, or starting/stopping the computer).

    • Limiting any interaction with the system until the capture is complete.

    • How long the capture takes can affect the quality of the data.

Acquisition Methods

  • Questions to Consider:

    • Can you physically access the device, or do you need to do it remotely?

    • This choice affects which tools and storage devices you can use.

  • Local Acquisition:

    • Storage: Never save the memory dump to the target system's own drives; ensure the external storage device is clean (fully formatted) to prevent malware transfer.

  • Remote Acquisition:

    • Usually involves sending tools over a network; concerns include exposed admin passwords and data being sent insecurely (in plain text).

Runtime Interrogation

  • Option: lets you quickly check many devices for specific suspicious signs while they are running normally, without taking a full dump.

  • Hardware Acquisition: Less need for administrator access, meaning the investigator leaves fewer traces.

    • Requires specific hardware support (e.g., Firewire).

Software Tools for Acquisition

  • Software memory capture tools generally follow a similar pattern.

  • Process: They load a special helper program (kernel module or driver) that maps physical memory pages into the address space of the acquisition process, so the tool can read them.

  • The captured data is then saved to permanent storage.

  • Tools often use operating system functions to create these links (e.g., ZwMapViewOfSection).

Tools Evaluation

  • Disk imaging tools have standard performance expectations, but memory tools can vary greatly based on the OS version, hardware, etc.

  • Virtual machines can sometimes be more stable for acquisition than physical hardware.

  • Current tools often don't log errors well:

    • Problems can happen silently and only show up later during analysis, making it hard to fix.

Tool Selection

  • A list of common tools for Windows systems, both commercial and free:

    • KnTTools.

    • F-Response.

    • Moonsols Windows Memory Kit.

    • AccessData FTK Imager.

    • EnCase/WinEn.

    • Belkasoft Live RAM Capturer.

    • Winpmem.

  • Investigators should know these tools and what they can do.

Dump Formats

  • Raw Dump: Widely understood, but lacks identifying information (headers, metadata). Often includes blank spaces (padding) for skipped memory parts.

  • Crash Dump: A Windows format mainly for debugging after a system crash (like a Blue Screen of Death).

    • Some tools, like Moonsols MWMT, can create these.

  • Hibernation File: A compressed copy of memory saved in hiberfil.sys when a computer hibernates.

    • Can be decompressed using the imagecopy command.

  • HPAK Format: A special format for Fastdump that includes both physical memory and page files in the output.

  • Virtual Machine Memory: Captured directly from the hypervisor (the software managing VMs), which is less intrusive and less likely to alert an attacker.

    • VMWare: Automatically creates a full RAM image when a VM is paused.

    • VirtualBox: Needs specific commands to create full RAM images while the VM is running.

Historical Linux Acquisition Methods

  • Historically, Linux didn't need third-party tools because the OS allowed reading/writing physical memory.

  • Interfaces like /dev/mem and /dev/kmem are now restricted due to security:

    • /dev/mem: Used to access physical memory, but now mostly limited to the first 11MB.

    • /dev/kmem: Used to access the kernel's virtual memory, but now disabled on most modern systems.

    • ptrace: Can only capture memory from active programs, not kernel memory or memory that's been released.

Modern Linux Acquisition

  • fmem: A kernel module that creates /dev/fmem, extending past the limits of /dev/mem.

  • /proc/kcore: Exports the kernel's memory space; capturing from it can be difficult and might be blocked by malware.

LiME – Linux Memory Extractor

  • An open-source tool for getting memory from Linux and Android systems. It runs entirely within the kernel, making it very accurate.

  • It automatically finds memory address ranges and can acquire memory locally or remotely, leaving minimal traces.

  • Supports various output formats, with the lime format being recommended for its structured data.

Compiling LiME

  • Before using LiME, you must compile its kernel module for the specific kernel version of the target system.

  • Never compile LiME on the system you're investigating, as it could overwrite important data; always use a separate test system.

Dumping Memory with LiME

  • Memory can be saved locally or over a network, using several formats:

    • raw: All memory ranges joined together.

    • padded: Same as raw, but any gaps in memory are filled with zeros.

    • lime: Writes in the specific LiME format.

  • Commands for local acquisition:

    • $ sudo insmod lime.ko "path=/mnt/externaldrive/memdmp.lime format=lime"

  • Commands for network acquisition (on target machine):

    • $ sudo insmod lime.ko "path=tcp:4444 format=lime"

    • (On forensic terminal): $ nc 192.168.1.40 4444 > memdmp.lime
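The difference between the raw, padded and lime outputs listed above (and the "padding" mentioned under Dump Formats) is easiest to see on a concrete image. The following Python is an added example, not LiME's own code: it builds a small two-range lime-format image (a constructed sample, not a real dump), parses the 32-byte per-range headers (magic 0x4C694D45, version 1, inclusive start and end address, 8 reserved bytes, as in the LiME source), and converts the parsed ranges to raw and padded form. The sample addresses and contents are hypothetical.

```python
import struct

# LiME per-range header: magic, version, start address, end address (inclusive), 8 reserved bytes.
# Magic 0x4C694D45 is stored little-endian, so it appears as the bytes "EMiL" in the file.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")  # 32 bytes


def build_lime_image(ranges):
    """Serialise (start_addr, data) pairs as a lime-format image (used here only to construct sample input)."""
    out = bytearray()
    for start, data in ranges:
        end = start + len(data) - 1  # LiME stores the inclusive end address
        out += LIME_HEADER.pack(LIME_MAGIC, 1, start, end, b"\x00" * 8)
        out += data
    return bytes(out)


def parse_lime(image):
    """Return a list of (start_addr, end_addr, payload) for every range in a lime image.

    Raises ValueError on a bad magic, an unsupported version or a truncated range, because a
    silently short dump is exactly the failure that otherwise surfaces only during analysis."""
    ranges = []
    off = 0
    while off < len(image):
        if len(image) - off < LIME_HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {off}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end {e_addr:#x} before start {s_addr:#x}")
        length = e_addr - s_addr + 1
        off += LIME_HEADER.size
        payload = image[off:off + length]
        if len(payload) != length:
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} truncated: expected {length} bytes, got {len(payload)}")
        ranges.append((s_addr, e_addr, payload))
        off += length
    return ranges


def to_raw(ranges):
    """'raw' output: payloads concatenated; gaps are dropped, so file offset != physical address."""
    return b"".join(payload for _, _, payload in ranges)


def to_padded(ranges):
    """'padded' output: zero-filled from physical address 0, so file offset == physical address."""
    out = bytearray()
    cursor = 0
    for s_addr, e_addr, payload in sorted(ranges, key=lambda r: r[0]):
        if s_addr < cursor:
            raise ValueError("overlapping ranges")
        out += b"\x00" * (s_addr - cursor)
        out += payload
        cursor = e_addr + 1
    return bytes(out)


def read_physical(ranges, addr, n):
    """Read n bytes at physical address addr from parsed ranges; None if addr is not covered."""
    for s_addr, e_addr, payload in ranges:
        if s_addr <= addr <= e_addr:
            rel = addr - s_addr
            return payload[rel:rel + n]
    return None


# Constructed sample: two "System RAM" ranges with a hole between them (e.g. reserved device memory).
SAMPLE_RANGES = [
    (0x1000, b"A" * 0x100),
    (0x3000, b"B" * 0x80),
]
SAMPLE_IMAGE = build_lime_image(SAMPLE_RANGES)

if __name__ == "__main__":
    parsed = parse_lime(SAMPLE_IMAGE)
    for s_addr, e_addr, payload in parsed:
        print(f"range {s_addr:#010x}-{e_addr:#010x} ({len(payload)} bytes)")
    print("raw size:", len(to_raw(parsed)), "padded size:", len(to_padded(parsed)))
```

Because the raw form drops the gap, an analysis tool that assumes file offset equals physical address would misread everything after the first hole; the padded form keeps that equality at the cost of a much larger file, and the lime form keeps the headers so the tool can rebuild the map itself, which is why the notes recommend it.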

Creating Volatility Profiles for Linux

  • To analyze Linux memory dumps with Volatility, you first need to create the correct profile.

  • Finding the exact Linux OS version can be tricky due to many kernel and sub-versions.

  • Use this command to find the kernel information:

    • $> strings [dump] | grep BOOT_IMAGE
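The strings/grep command above can be reproduced, and cross-checked, with a few lines of Python. This is an added example (not part of the course notes or of Volatility): it runs a minimal strings(1) equivalent over a constructed byte buffer standing in for a dump, pulls the release out of the BOOT_IMAGE= path, and also looks for the kernel's own "Linux version ..." banner string, which the kernel keeps in memory (the linux_banner symbol) and which gives a second, independent source for the same release. The kernel version, path and build details in the sample are hypothetical.

```python
import re

# Constructed sample standing in for a memory dump: binary noise around the two strings of interest.
SAMPLE_DUMP = (
    b"\x00\x7fELF\x02\x01\x00\x00\xde\xad\xbe\xef" * 4
    + b"BOOT_IMAGE=/boot/vmlinuz-5.15.0-91-generic root=UUID=placeholder ro quiet splash\x00"
    + b"\x90" * 64
    + b"Linux version 5.15.0-91-generic (buildd@host) (gcc (Ubuntu 11.4.0) 11.4.0) "
    + b"#101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023\x00"
    + b"\xff" * 32
)

BOOT_IMAGE_RE = re.compile(rb"BOOT_IMAGE=(\S+)")
# Kernel banner format: "Linux version <release> (<user>@<host>) (<compiler>) <version string>"
BANNER_RE = re.compile(rb"Linux version (\S+) \([ -~]*")


def printable_strings(data, min_len=4):
    """Minimal strings(1): every run of at least min_len printable ASCII bytes."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_kernel_version(data):
    """Collect kernel release information from a dump.

    Returns a dict with any of: boot_image (full path), release_from_boot_image,
    release_from_banner, banner. Empty dict if nothing was found."""
    info = {}
    m = BOOT_IMAGE_RE.search(data)
    if m:
        path = m.group(1).decode("ascii", "replace")
        info["boot_image"] = path
        name = path.rsplit("/", 1)[-1]          # /boot/vmlinuz-<release> -> vmlinuz-<release>
        if name.startswith("vmlinuz-"):
            info["release_from_boot_image"] = name[len("vmlinuz-"):]
    m = BANNER_RE.search(data)
    if m:
        info["release_from_banner"] = m.group(1).decode("ascii", "replace")
        info["banner"] = m.group(0).decode("ascii", "replace")
    return info


def releases_agree(info):
    """True only when both sources were found and name the same release.

    A mismatch (or a missing banner) means the dump needs a closer look before a profile is chosen,
    since a leftover command line from an earlier boot would otherwise point at the wrong kernel."""
    a = info.get("release_from_boot_image")
    b = info.get("release_from_banner")
    return a is not None and a == b


if __name__ == "__main__":
    for s in printable_strings(SAMPLE_DUMP):
        if b"BOOT_IMAGE" in s or s.startswith(b"Linux version"):
            print(s.decode("ascii", "replace"))
    info = find_kernel_version(SAMPLE_DUMP)
    print(info, "agree:", releases_agree(info))
```

On a real dump, pass the file contents (or read it in chunks) instead of SAMPLE_DUMP; the release string is what the profile built in the next steps must match.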

Profile Creation - Software Requirements

  • Software needed to create profiles:

    • Dwarfdump: For structure definitions; install via dwarfdump package on Debian/Ubuntu.

    • Compiler tools: Needed to compile C code (e.g., gcc and make). Install by running apt-get install build-essential.

    • Kernel Headers: Get headers for the specific kernel version you're analyzing with apt-get install linux-headers-$(uname -r).

Profile Creation Process

  • Create Vtypes (type definitions) and a System.map file for the target kernel version:

    • Compile /tools/linux/module.c against the kernel being analyzed using $ make.

    • Generate the System.map file, which lists kernel symbol addresses.

    • Combine these files: Zip them into a package for Volatility using $ zip /path/to/volatility/plugins/overlays/linux/Redhat2.6.11.zip /path/to/module.dwarf /path/to/System.map.
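To see what the zip step actually packages, and to sanity-check the result before dropping it into the overlays directory, here is an added Python example (not Volatility's code and not from the course notes). It parses a System.map into a symbol table, builds the profile zip the same way the zip command above does, and checks that the archive holds exactly one .dwarf member and one System.map member, which, to my knowledge, is what Volatility 2's Linux profile loader looks for. The System.map lines and the dwarf content are constructed placeholders; real ones come from the make and System.map steps above.

```python
import io
import re
import zipfile

# Constructed System.map excerpt: "address type symbol" per line. Addresses are hypothetical.
SAMPLE_SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff81a00000 D init_task
ffffffff81c001a0 R linux_banner
ffffffff82000000 B _end
"""

SYSTEM_MAP_LINE = re.compile(r"^([0-9a-fA-F]+) ([A-Za-z]) (\S+)$")


def parse_system_map(text):
    """Parse System.map text into {symbol: address}; malformed lines raise ValueError."""
    symbols = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = SYSTEM_MAP_LINE.match(line)
        if not m:
            raise ValueError(f"System.map line {lineno} malformed: {line!r}")
        addr, _kind, name = m.groups()
        symbols[name] = int(addr, 16)
    return symbols


def build_profile_zip(module_dwarf, system_map):
    """Package module.dwarf and System.map into a profile zip (equivalent of the zip command)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("module.dwarf", module_dwarf)
        zf.writestr("System.map", system_map)
    return buf.getvalue()


def check_profile_zip(blob):
    """Return a list of problems with a profile zip; an empty list means it looks usable.

    Checks: exactly one *.dwarf member, exactly one System.map member, neither empty,
    and the System.map parses."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        dwarfs = [n for n in names if n.lower().endswith(".dwarf")]
        maps = [n for n in names if "system.map" in n.lower()]
        if len(dwarfs) != 1:
            problems.append(f"expected one .dwarf member, found {len(dwarfs)}")
        elif zf.getinfo(dwarfs[0]).file_size == 0:
            problems.append(f"{dwarfs[0]} is empty")
        if len(maps) != 1:
            problems.append(f"expected one System.map member, found {len(maps)}")
        elif zf.getinfo(maps[0]).file_size == 0:
            problems.append(f"{maps[0]} is empty")
        else:
            try:
                parse_system_map(zf.read(maps[0]).decode("ascii", "replace"))
            except ValueError as exc:
                problems.append(str(exc))
    return problems


if __name__ == "__main__":
    blob = build_profile_zip(b"<dwarfdump output placeholder>", SAMPLE_SYSTEM_MAP.encode())
    print("problems:", check_profile_zip(blob) or "none")
    print("init_task at", hex(parse_system_map(SAMPLE_SYSTEM_MAP)["init_task"]))
```

An empty module.dwarf is the usual symptom of the make step having failed against mismatched kernel headers, so catching it here is cheaper than discovering it when Volatility cannot find the profile.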

Summary Reference

  • Reference: Chapter 19 - Ligh, M.H., Case, A., Levy, J., and Walters, A., 2014. The art of memory forensics: detecting malware and threats in Windows, Linux, and Mac memory. John Wiley & Sons.

  • It's challenging to capture physical memory because it's temporary (volatile).

  • The chosen method for acquisition affects how much and what kind of data can be recovered; hardware-based methods are generally better.

  • Evidence can also be found in files saved on the computer (like crash dumps or hibernation files).

  • Analyzing Linux memory has its own difficulties, but there are effective ways to do it.