21-06-2012, 02:20 PM
Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis
Computer Forensics.pdf (Size: 749.56 KB / Downloads: 51)
Introduction
It is no longer sufficient when gathering digital evidence to pull the plug and take the machine
back to the lab. As technology continues to change, incident responders and digital forensic
examiners must adopt new methods and tools to keep up. This is especially true in a live
response scenario. For instance, with typical RAM sizes of two to eight gigabytes, the migration of
and eight gigabytes, the migration of malware into memory, and the increasing use of encryption
by adversaries, it is no longer possible to ignore computer memory during an acquisition and
subsequent analysis.
Traditionally, the only useful approach to investigating memory was a live response. This
involved querying the system using API-style tools familiar to most network administrators. The
first responder was looking for rogue connections or mysterious running processes. It was also
possible to capture an image of the running memory, but until recently, short of a string search, it
was difficult to gather useful data from a memory dump. The past few years have seen rapid
development in tools focused exclusively on memory analysis.
Live Response
The first approach is live response. Here an investigator would first establish a trusted command
shell. In addition, they would establish a method for transmitting and storing the information on a
data collection system of some sort. One option is to redirect the output of the commands on the
compromised system to the data collection system. One popular tool is netcat, a network utility
that transmits data across network connections. Another approach would be to insert a USB drive
and write all query results to that external drive. Finally, investigators would attempt to bolster the
credibility of the tool output in court. During a live interrogation of a system, it is important to
realize that the state of the running machine is not static, so the same query can produce different
results depending on when it is run. Hashing the memory itself is therefore not an effective integrity
check: two captures taken moments apart will not match. Instead, an investigator could compute a
cryptographic checksum of each tool's output and record that hash value in the log. This helps dispel
any notion that the results were altered after the fact. In this exercise, HELIX, a live response and
bootable Linux CD, was used to establish a trusted command shell.
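The collection and hashing procedure described above, as an added example that is not part of the paper or of HELIX: each query is run from the trusted shell, its output is saved to the collection location (USB drive or a directory later shipped to the collection system), and a SHA-256 of the output plus a UTC timestamp is appended to a log that can later be re-checked. The `sha256sum`/`shasum` fallback, the `collect`/`verify` helper names and the `OUTDIR` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: save live-response tool output and log a SHA-256 of each file.
# Assumes a trusted sha256sum (or shasum) is on PATH and OUTDIR is writable.
OUTDIR="${OUTDIR:-./live_response}"

# Print the SHA-256 of file $1, using whichever trusted hashing tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# collect LABEL COMMAND [ARGS...]: run the query, save its output, log its hash.
# A failing query is still evidence, so its (error) output is kept and hashed.
collect() {
    label="$1"; shift
    out="$OUTDIR/$label.txt"
    "$@" > "$out" 2>&1 || true
    hash=$(sha256_of "$out")
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$hash" "$label" \
        >> "$OUTDIR/collection.log"
    printf '%s\n' "$hash"
}

# verify LABEL: compare the saved output with the hash recorded at collection
# time. Prints "ok" when they match, "MISMATCH" when the file has changed.
verify() {
    label="$1"
    logged=$(grep " $label\$" "$OUTDIR/collection.log" | tail -n1 | cut -d' ' -f2)
    actual=$(sha256_of "$OUTDIR/$label.txt")
    [ -n "$logged" ] && [ "$logged" = "$actual" ] && echo ok || echo MISMATCH
}

# Typical live-response run: processes, network state and the clock skew.
main() {
    mkdir -p "$OUTDIR"
    collect processes ps -ef
    collect netstat netstat -an
    collect clock date -u
    verify processes
}

# Only run the collection when explicitly asked (sh script.sh run).
if [ "${1:-}" = "run" ]; then main; fi
```

Run it from the trusted shell as `sh script.sh run`; later, `verify LABEL` against the preserved directory shows whether any output file differs from what was logged at collection time.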
Volatile Memory Analysis
The second approach is volatile memory image analysis. It is similar to live response, in that an
investigator would first establish a trusted command shell. Then they would establish a data
collection system and a method for transmitting the data. However, an investigator would only
acquire a physical memory dump of the compromised system and transmit it to the data collection
system for analysis. In this case, VMware allows investigators to simply suspend the virtual
machine and use the .vmem file as a memory image. As established in digital forensic practice,
an investigator would also compute the hash upon completion of the memory capture. Unlike
traditional hard drive forensics, no hash is calculated for memory before acquisition: due to the
volatile nature of running memory, the imaging process takes a snapshot of a "moving target."
The primary difference between this approach and live response is that no further collection is
performed on the compromised system. Therefore, the evidence can be analyzed on the collection
system.
PTFinder
The second memory analysis tool, PTFinder, is a Perl script that supports analysis of Windows
2000/2003/XP/XP SP2 memory images. PTFinder enumerates processes and threads in a memory
dump. It uses a brute force approach to enumerating the processes and applies various rules to
determine whether a candidate structure is a legitimate process or merely bytes that resemble one.
Although this tool does not reveal anything new in terms of malware, it does illustrate a benefit of
volatile memory analysis: repeatability of the results.
Analysis
Thus far, we have described two different incident response approaches to the scenario discussed
in Section 1.2. The first approach is the well-known live response where an investigator surveys
the crime scene, collects the evidence, and at the same time probes for suspicious activity. The
second approach is the relatively new field of volatile memory analysis where an investigator
collects the memory dump and performs analysis in an isolated environment. In both approaches,
we described what types of information gave an investigator insight into the scenario. Now, we
will discuss some of the issues with live response that hinder effective analysis of a digital crime
scene. We will also discuss why volatile memory analysis should be the ideal approach to
investigating cyber crime.