Digital Forensic, Menggali Informasi yang Ada di Memory dengan Volatility

Agar sebuah sistem operasi (OS) dapat bekerja, salah satu mekanisme yang diperlukan adalah adanya proses service/program yang mendukung running nya sebuah OS yang disimpan di memori. Data/informasi yang ada di memori dalam istilah forensik termasuk data volatile, yang berarti informasi tersebut tidak akan permanen berada di memori, tidak seperti data yang disimpan di HDD dan USB drive. Yang termasuk data volatil misalnya process yang sedang running, koneksi yang sedang berlangsung, jumlah memori yang digunakan saat ini, file yang sedang diakses oleh sebuah program saat itu, DLL yang diload oleh sebuah process, dsb. Data-data yang saya sebutkan ini akan hilang & tidak valid lagi jika komputer saya restart dan memori di flush ulang saat proses boot (listrik mati/tidak ada arus listrik sementara).

Persis dengan analogi rumah yang kemalingan biasanya dipasang garis polisi agar tidak ada yang boleh masuk supaya semua informasi & barang bukti yang ada di rumah korban kemalingan tsb tidak diubah/direkayasa/diganggu, begitu pula data volatil di memori. Untuk melakukan forensik, sangat disarankan tidak dilakukan reboot pada komputer sampai data volatil didapatkan terlebih dahulu (a.k.a image memory di dump ke sebuah file terlebih dahulu)

Tools untuk dump data yang ada di physical memory ke file salah satunya pada contoh posting kali ini pada sistem Windows, saya menggunakan tools mdd. Ada banyak tools serupa untuk OS yang berbeda-beda. Tinggal googling aja. 🙂

Memory Forensic dengan Volatility
Memory Forensic dengan Volatility

Dump Memory

Untuk dump memory di PC Windows korban simply dilakukan dengan cara sebagai berikut (harus dengan privileged user):

mdd.exe -o memory.dump

Outputnya adalah 1 file dengan besar file = besar RAM. Jika dump memory di komputer yang RAM nya 16GB, yaa.. mohon bersabar menunggu output dump file nya hehehe

Analyze Dump Memory dengan menggunakan Volatility

Volatility adalah salah satu aplikasi yang dapat membaca & mengekstrak informasi dari memori dump yang dihasilkan oleh mdd tersebut. Volatility memiliki banyak fitur untuk mengekstrak informasi proses yang berlangsung di host korban, koneksi data yang sedang terjadi, dlsb.

D:\tool\volatility2.5>volatility.exe -h
Volatility Foundation Volatility Framework 2.5
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (semi-colon
                        separated)
  --info                Print information about all registered objects
  --cache-directory=C:\Users\adeism046909/.cache\volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
  --output-file=OUTPUT_FILE
                        Write output in this file
  -v, --verbose         Verbose information
  --shift=SHIFT         Mac KASLR shift address
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
                        KdCopyDataBlock)
  --force               Force utilization of suspect profile
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)

        Supported Plugin Commands:

                amcache         Print AmCache information
                apihooks        Detect API hooks in process and kernel memory
                atoms           Print session and window station atom tables
                atomscan        Pool scanner for atom tables
                auditpol        Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
                bigpools        Dump the big page pools using BigPagePoolScanner
                bioskbd         Reads the keyboard buffer from Real Mode memory
                cachedump       Dumps cached domain hashes from memory
                callbacks       Print system-wide notification routines
                clipboard       Extract the contents of the windows clipboard
                cmdline         Display process command-line arguments
                cmdscan         Extract command history by scanning for _COMMAND_HISTORY
                connections     Print list of open connections [Windows XP and 2003 Only]
                connscan        Pool scanner for tcp connections
                consoles        Extract command history by scanning for _CONSOLE_INFORMATION
                crashinfo       Dump crash-dump information
                deskscan        Poolscaner for tagDESKTOP (desktops)
                devicetree      Show device tree
                dlldump         Dump DLLs from a process address space
                dlllist         Print list of loaded dlls for each process
                driverirp       Driver IRP hook detection
                drivermodule    Associate driver objects to kernel modules
                driverscan      Pool scanner for driver objects
                dumpcerts       Dump RSA private and public SSL keys
                dumpfiles       Extract memory mapped and cached files
                dumpregistry    Dumps registry files out to disk
                editbox         Dumps various data from ComCtl Edit controls (experimental: ListBox, ComboBox)
                envars          Display process environment variables
                eventhooks      Print details on windows event hooks
                evtlogs         Extract Windows Event Logs (XP/2003 only)
                filescan        Pool scanner for file objects
                gahti           Dump the USER handle type information
                gditimers       Print installed GDI timers and callbacks
                gdt             Display Global Descriptor Table
                getservicesids  Get the names of services in the Registry and return Calculated SID
                getsids         Print the SIDs owning each process
                handles         Print list of open handles for each process
                hashdump        Dumps passwords hashes (LM/NTLM) from memory
                hibinfo         Dump hibernation file information
                hivedump        Prints out a hive
                hivelist        Print list of registry hives.
                hivescan        Pool scanner for registry hives
                hpakextract     Extract physical memory from an HPAK file
                hpakinfo        Info on an HPAK file
                idt             Display Interrupt Descriptor Table
                iehistory       Reconstruct Internet Explorer cache / history
                imagecopy       Copies a physical address space out as a raw DD image
                imageinfo       Identify information for the image
                impscan         Scan for calls to imported functions
                joblinks        Print process job link information
                kdbgscan        Search for and dump potential KDBG values
                kpcrscan        Search for and dump potential KPCR values
                ldrmodules      Detect unlinked DLLs
                lsadump         Dump (decrypted) LSA secrets from the registry
                machoinfo       Dump Mach-O file format information
                malfind         Find hidden and injected code
                mbrparser       Scans for and parses potential Master Boot Records (MBRs)
                memdump         Dump the addressable memory for a process
                memmap          Print the memory map
                messagehooks    List desktop and thread window message hooks
                mftparser       Scans for and parses potential MFT entries
                moddump         Dump a kernel driver to an executable file sample
                modscan         Pool scanner for kernel modules
                modules         Print list of loaded modules
                multiscan       Scan for various objects at once
                mutantscan      Pool scanner for mutex objects
                notepad         List currently displayed notepad text
                objtypescan     Scan for Windows object type objects
                patcher         Patches memory based on page scans
                poolpeek        Configurable pool scanner plugin
                printkey        Print a registry key, and its subkeys and values
                privs           Display process privileges
                procdump        Dump a process to an executable file sample
                pslist          Print all running processes by following the EPROCESS lists
                psscan          Pool scanner for process objects
                pstree          Print process list as a tree
                psxview         Find hidden processes with various process listings
                qemuinfo        Dump Qemu information
                raw2dmp         Converts a physical memory sample to a windbg crash dump
                screenshot      Save a pseudo-screenshot based on GDI windows
                servicediff     List Windows services (ala Plugx)
                sessions        List details on _MM_SESSION_SPACE (user logon sessions)
                shellbags       Prints ShellBags info
                shimcache       Parses the Application Compatibility Shim Cache registry key
                shutdowntime    Print ShutdownTime of machine from registry
                sockets         Print list of open sockets
                sockscan        Pool scanner for tcp socket objects
                ssdt            Display SSDT entries
                strings         Match physical offsets to virtual addresses (may take a while, VERY verbose)
                svcscan         Scan for Windows services
                symlinkscan     Pool scanner for symlink objects
                thrdscan        Pool scanner for thread objects
                threads         Investigate _ETHREAD and _KTHREADs
                timeliner       Creates a timeline from various artifacts in memory
                timers          Print kernel timers and associated module DPCs
                truecryptmaster Recover TrueCrypt 7.1a Master Keys
                truecryptpassphrase     TrueCrypt Cached Passphrase Finder
                truecryptsummary        TrueCrypt Summary
                unloadedmodules Print list of unloaded modules
                userassist      Print userassist registry keys and information
                userhandles     Dump the USER handle tables
                vaddump         Dumps out the vad sections to a file
                vadinfo         Dump the VAD info
                vadtree         Walk the VAD tree and display in tree format
                vadwalk         Walk the VAD tree
                vboxinfo        Dump virtualbox information
                verinfo         Prints out the version information from PE images
                vmwareinfo      Dump VMware VMSS/VMSN information
                volshell        Shell in the memory image
                windows         Print Desktop Windows (verbose details)
                wintree         Print Z-Order Desktop Windows Tree
                wndscan         Pool scanner for window stations
                yarascan        Scan process or kernel memory with Yara signatures

Let’s play!

Sebagai contoh, berikut ini hasil explorasi sebuah victim OS Windows XP SP2 (IP Address: 192.168.76.131) yang dilaporkan mengalami insiden dan akan dilakukan forensik.

Warning: kisah ini hanya fiktif belaka. Jika ada kesamaan nama tokoh, tempat, dll hanya kebetulan semata. 😛

D:\tool\volatility2.5>volatility.exe -f memory.dump --profile=WinXPSP2x86 psscan
Volatility Foundation Volatility Framework 2.5
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited                 
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000201b020 svchost.exe         888    652 0x073800e0 2016-11-15 17:39:49 UTC+0000                               
0x000000000201bc18 svchost.exe         820    652 0x073800c0 2016-11-15 17:39:49 UTC+0000                               
0x000000000202d928 winmine.exe        1232   1620 0x073801a0 2016-11-15 17:40:58 UTC+0000                               
0x000000000205a068 smss.exe            516      4 0x07380020 2016-11-15 17:39:45 UTC+0000                               
0x00000000021a8268 calc.exe           1832   1620 0x07380220 2016-11-15 17:41:06 UTC+0000                               
0x0000000002205da0 cmd.exe            1764   1620 0x07380160 2016-11-15 17:40:08 UTC+0000                               
0x0000000002248020 explorer.exe       1620   1564 0x073801c0 2016-11-15 17:39:56 UTC+0000                               
0x00000000022692d0 alg.exe             828    652 0x073801e0 2016-11-15 17:40:18 UTC+0000                               
0x00000000022aab88 mdd.exe             956   1764 0x07380280 2016-11-15 17:42:40 UTC+0000                               
0x0000000002304550 lsass.exe           664    604 0x073800a0 2016-11-15 17:39:48 UTC+0000                               
0x0000000002306658 spoolsv.exe        1384    652 0x07380180 2016-11-15 17:39:52 UTC+0000                               
0x0000000002330020 winlogon.exe        604    516 0x07380060 2016-11-15 17:39:47 UTC+0000                               
0x000000000239ada0 services.exe        652    604 0x07380080 2016-11-15 17:39:48 UTC+0000                               
0x000000000243c980 svchost.exe         980    652 0x07380100 2016-11-15 17:39:50 UTC+0000                               
0x0000000002444020 csrss.exe           580    516 0x07380040 2016-11-15 17:39:47 UTC+0000                               
0x0000000002448268 IEXPLORE.EXE       1876   1620 0x07380240 2016-11-15 17:41:10 UTC+0000                               
0x00000000024879a8 ZyWzUUIWcPb.exe     564   1620 0x07380260 2016-11-15 17:42:00 UTC+0000                               
0x00000000024a0498 wuauclt.exe        1644    980 0x07380200 2016-11-15 17:41:02 UTC+0000                               
0x00000000024c56d0 svchost.exe        1068    652 0x07380140 2016-11-15 17:39:50 UTC+0000                               
0x00000000024f2988 svchost.exe        1024    652 0x07380120 2016-11-15 17:39:50 UTC+0000                               
0x00000000025c8830 System                4      0 0x00316000

Hmm.. ada proses dengan nama yang mencurigakan di Process ID (PID) 564. Mari kita cek PID tersebut melakukan koneksi kemana saja…

D:\tool\volatility2.5>volatility.exe -f memory.dump --profile=WinXPSP2x86 connections
Volatility Foundation Volatility Framework 2.5
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8215a270 192.168.76.131:1049       31.13.78.17:80            1876
0x8203e178 192.168.76.131:1195       202.158.0.104:80          1876
0x82042398 192.168.76.131:1191       202.158.0.105:80          1876
0x8207a5a8 192.168.76.131:1208       64.74.13.22:80            1876
0x81f71cd8 192.168.76.131:1251       202.158.19.101:80         1876
0x81e2a008 192.168.76.131:1193       23.99.125.55:80           1876
0x81f74bc8 192.168.76.131:1095       103.49.221.172:80         1876
0x81fa2a50 192.168.76.131:1060       203.190.242.172:80        1876
0x82302c38 192.168.76.131:1044       202.158.0.105:80          1876
0x81fa7af0 192.168.76.131:1054       74.125.68.155:80          1876
0x81df4680 192.168.76.131:1205       64.74.13.22:80            1876
0x81f74418 192.168.76.131:1096       103.49.221.172:80         1876
0x822d2e70 192.168.76.131:1232       103.49.221.130:80         1876
0x81f71e70 192.168.76.131:1233       203.190.242.211:80        1876
0x821686f8 192.168.76.131:1197       203.190.242.211:80        1876
0x81e54bf8 192.168.76.131:1189       202.158.0.105:80          1876
0x822cf208 192.168.76.131:1199       74.125.68.155:80          1876
0x8207d008 192.168.76.131:1188       204.79.197.203:80         1876
0x8203f840 192.168.76.131:1196       23.0.162.56:80            1876
0x820a43a8 192.168.76.131:1089       74.125.200.97:80          1876
0x81f75008 192.168.76.131:1190       54.255.160.133:80         1876
0x8203f008 192.168.76.131:1192       111.221.29.30:80          1876
0x822877f8 192.168.76.131:1238       203.190.245.30:80         1876
0x822a9610 192.168.76.131:1079       23.15.149.163:80          1876
0x821e1008 192.168.76.131:1194       202.158.0.104:80          1876
0x81df54a8 192.168.76.131:1186       192.168.76.1:443          564
0x821e41f0 192.168.76.131:1050       202.158.19.101:80         1876

Ternyata PID 564 (ZyWzUUIWcPb.exe) melakukan koneksi ke sebuah host di jaringan yang sama,  tepatnya melakukan koneksi ke 192.168.76.1 via port 443.

Sebenarnya ini file apa ya…Mari kita dump process di memory victim tersebut menjadi sebuah file executable dengan perintah ‘procdump’ sbb:

D:\tool\volatility2.5>volatility.exe -f memory.dump --profile=WinXPSP2x86 procdump -p 564 -D dumpfile
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x824879a8 0x00400000 ZyWzUUIWcPb.exe      OK: executable.564.exe

Selanjutnya bisa analisa file virus tsb di dalam sandbox mungkin? Hehe. Atau kalau ingin hasil yang cepat langsung coba upload ke virustotal.com. Dari report virustotal, ternyata file executable tsb termasuk Trojan.

Iseng-iseng coba check apakah hash file SAM ada di memory:

D:\tool\volatility2.5>volatility.exe -f memory.dump --profile=WinXPSP2x86 hashdump
Volatility Foundation Volatility Framework 2.5
Administrator:500:ad88b83919877b2c18adeb172ea24ea0:ea3eaf1c71240ea25265b0708a46712f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sule:1000:85e2d9cf3bc981e2dfc8cb30bf4e5dd7:e16377216daa56f648ef4394d8391e03:::
asep:1002:aad3b435b51404eeaad3b435b51404ee:06542de1422d3a7cdafbe9c620e33089:::
ZyWzUUIWcPb:1003:6d19b83990847b2c19beab146ca24ea0:9a3eaf1c75b40ea2526fb0708a46995f:::

Hmm ada user yang namanya similiar dengan nama process yang lagi running. Mostly ini adalah user non-legitimate a.k.a backdoor. Sepertinya harus investigasi siapakah 192.168.76.1 yang menerima koneksi dari victim  via process ZyWzUUIWcPb.exe ini.

Dan selanjutnya, dan selanjutnya…

Happy explore!

Leave a Reply

Your email address will not be published. Required fields are marked *