Mariusz Burdach: Physical Memory Forensics




Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference show

Summary: "Historically, only file systems were considered as locations where evidence could be found. But what about the volatile memory which contains a huge amount of useful information such as the content of clipboards or the SAM database? How long can volatile data stay in the main memory? What about anti-forensic methods of defeating disk forensic and incident response tools? Why is the content of the memory not dumped during the process of data collection from a suspicious computer? What is the best way to analyze the physical memory from Windows® and Linux® machines? Is it possible? I will answer these questions during my Black Hat presentation which is focused on methods of finding digital evidence in the physical memory of Windows and Linux machines. During the presentation, methods of investigations of the physical memory from a compromised machine will be discussed. Through these methods, it is possible to extract useful information from the memory such as the full content of .dll and .exe files, various caches like clipboards, detailed information about each process (e.g. owner, MAC times, content) and information about processes that were being executed and were terminated in the past. Also, methods of correlating page frames even from swap areas will be discussed. The techniques covered during the presentation will lead you through the process of analyzing important structures and recovering the content of files from the physical memory. As an integral part of the presentation, new ways of detecting hidden objects and methods of detecting kernel modification will be presented. These methods can be used to identify compromised machines and to detect malicious code such memory-resident rootkits or worms. Finally, toolkits will be presented to help an investigator to extract information from an image of the physical memory or from the memory object on a live system. Mariusz Burdach is a security researcher specializing in forensics, reverse engineering, intrusion detection, advanced intrusion protection and security management. He has published several articles on these topics in online and in hardcover magazines. Mariusz is currently working on methods of forensic analysis of physical memory and methods of detecting kernel mode rootkits. In addition, he is also an expert witness and a SANS Local Mentor. As an independent instructor, he has been teaching incident response and forensic analysis and hardening of Unix/Linux systems for over 4 years. Mariusz has served as a consultant, auditor and incident handler to many government and financial institutions in Poland. He lives in Warsaw, Poland."