A simple demonstration shows how little effort memory analysis requires when the target is a Windows PC.

There are numerous approaches to acquiring the memory of a Windows PC. For RAM up to 4 GB, Inception [1] is a noteworthy tool for hardware-based acquisition. It exploits DMA over PCI: any interface that exposes the PCI/PCIe bus, such as FireWire or Thunderbolt, can be attacked, and the tool then has full read/write access to the lower 4 GB of the victim's RAM. In addition, Volatility itself supports acquisition and interrogation of memory over FireWire [2, pg. 79].

The Volatility project's book [2, pg. 79 et seqq.] lists ten software-based acquisition tools, most of them commercial. We demonstrate how straightforward the process is using the freely available MoonSols DumpIt [3] on a Windows 7 computer.

DumpIt is a single executable that can be stored on a USB flash drive. Once the drive is plugged into the target computer, the executable is run; after the Windows 7 UAC prompt has been confirmed, the program writes a raw dump of the physical address space to the flash drive. The drive therefore needs free space at least equal to the address space size reported in the banner below (here roughly 2 GB).

DumpIt - v1.3.2.20110401 - One click memory memory dumper
Copyright (c) 2007 - 2011, Matthieu Suiche <http://www.msuiche.net>
Copyright (c) 2010 - 2011, MoonSols <http://www.moonsols.com>


Address space size:        2147418112 bytes (   2047 Mb)
Free space size:         171407523840 bytes ( 163466 Mb)

* Destination = \??\E:\WIN7-20141225-222255.raw

--> Are you sure you want to continue? [y/n] y
+ Processing... Success.

Volatility can analyze the dump straightaway: its imageinfo plugin determines the Windows version from the dump alone and suggests the matching profiles. The command python vol.py --info lists the roughly 30 profiles Volatility 2.4 ships for the major versions and service packs of Windows. Where, as below, both the SP0 and the SP1 profile are suggested, the Image Type (Service Pack) line settles the choice.

$ python vol.py -f ~/tmp/WIN7-20141225-222255.raw imageinfo
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search...

          Suggested Profile(s) : Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/tmp/WIN7-20141225-222255.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x8296ec30
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x8296fc00
             KUSER_SHARED_DATA : 0xffdf0000
           Image date and time : 2014-12-25 22:23:03 UTC+0000
     Image local date and time : 2014-12-25 23:23:03 +0100
$ python vol.py -f ~/tmp/WIN7-20141225-222255.raw --profile Win7SP1x86 pslist
Volatility Foundation Volatility Framework 2.4
Offset(V)  Name           PID  PPID Thds Hnds Sess Wow64 Start                        Exit
0x84a3c630 System            4    0   88  553   -1     0 2014-12-25 20:12:19 UTC+0000     
0x85ede380 smss.exe        288    4    2   29   -1     0 2014-12-25 20:12:19 UTC+0000     
0x865227a0 csrss.exe       368  360    9  432    0     0 2014-12-25 20:12:20 UTC+0000     
<snip>
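The profile choice above can be automated. The following bash script is an added example, not part of the original post or of the Volatility project: it records a SHA-256 of the image, runs imageinfo, picks the suggested profile whose service pack matches the Image Type (Service Pack) line, and runs pslist with that profile. It assumes a Volatility 2.x vol.py on PATH or named in $VOLATILITY (an assumption); run without arguments it only exercises the parser on a constructed sample copied in shape from the imageinfo output above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or the Volatility project.
# Assumption: a Volatility 2.x vol.py is on PATH or named in $VOLATILITY.
set -eu

# Read `imageinfo` output on stdin and print exactly one profile name:
# the suggested profile whose service pack matches the
# "Image Type (Service Pack)" line, else the first suggestion.
pick_profile() {
    awk -F': *' '
        /Suggested Profile\(s\)/ {
            sub(/ *\(.*$/, "", $2)           # drop "(Instantiated with ...)"
            gsub(/[ \t\r]+$/, "", $2)        # drop trailing whitespace / CR
            n = split($2, prof, /, */)
        }
        /Image Type \(Service Pack\)/ { sp = $2 + 0; have_sp = 1 }
        END {
            if (n == 0) { print "no suggested profile" > "/dev/stderr"; exit 1 }
            if (have_sp)
                for (i = 1; i <= n; i++)
                    if (prof[i] ~ ("SP" sp "x")) { print prof[i]; exit }
            print prof[1]
        }'
}

# Hash the image first so the dump can later be shown to be unchanged,
# then choose the profile and list the processes.
run_pslist() {
    image=$1
    vol=${VOLATILITY:-vol.py}
    sha256sum -- "$image" | tee "$image.sha256"
    profile=$(python "$vol" -f "$image" imageinfo | pick_profile)
    echo "using profile: $profile" >&2
    python "$vol" -f "$image" --profile="$profile" pslist
}

# Constructed sample in the shape of the imageinfo output shown above.
SAMPLE_IMAGEINFO='          Suggested Profile(s) : Win7SP0x86, Win7SP1x86
      Image Type (Service Pack) : 1'

if [ "${1-}" ]; then
    run_pslist "$1"
else
    printf '%s\n' "$SAMPLE_IMAGEINFO" | pick_profile   # prints Win7SP1x86
fi
```

Where a Windows 7 and a Server 2008 R2 profile share the same service pack, the first match in Volatility's list order wins; when in doubt, confirm the choice with the kdbgscan plugin before relying on pslist output.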

Though this demonstration was quite simple, it is important to note that several requirements had to be met:

  • physical access to the computer
  • access to the user interface (UI)
  • administrator privileges

The examiner needs, at a minimum, physical access to the computer: a USB port if a flash drive is used, and an input device (usually a keyboard and/or a mouse) to start the program and answer the UAC prompt. The latter in turn requires an unlocked screen and a logged-in user account with administrator privileges.

If the screen is locked by a password and/or privileges have to be escalated, the aforementioned tool Inception is useful: over DMA it patches the password check of the running system in memory, so that any password unlocks the screen. For privilege escalation on many Windows systems the "NTLM reflection attack through WebDAV" can be leveraged; Google's security research team disclosed this vulnerability together with a proof-of-concept exploit in March 2015 [4]. Microsoft reportedly won't fix this issue.


[1] Carsten Maartmann-Moe. Inception, October 2011. URL http://www.breaknenter.org/projects/inception/. [Online; accessed 30 Dec. 2014].

[2] Michael Hale Ligh, Andrew Case, Jamie Levy, and AAron Walters. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons, 2014.

[3] Matthieu Suiche. MoonSols DumpIt goes mainstream!, July 2011. URL http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/. [Online; accessed 29 Dec. 2014].

[4] Google Security Research. Issue 222: Windows: Local WebDAV NTLM Reflection Elevation of Privilege, March 2015. URL https://code.google.com/p/google-security-research/issues/detail?id=222. [Online; accessed 27 Mar. 2015].


more to come…


This text is from my thesis "Practical Infeasibility of Android Smartphone Live Forensics. Applicability Constraints of LiME and Volatility."

Related publication: "Wächter, Philipp; Gruhn, Michael: Practicability Study of Android Volatile Memory Forensic Research. In: IEEE (organizer): Proceedings of the 7th IEEE International Workshop on Information Forensics and Security (WIFS), Rome, Italy, 16 Nov. 2015. 2015, pp. 1-6." (Slides)
