For an operating system (OS) to work, one of the mechanisms it needs is a set of service processes/programs that support the running OS and live in memory. In forensic terms, the data/information held in memory is volatile data, meaning it does not stay in memory permanently, unlike data stored on an HDD or a USB drive. Volatile data includes, for example, the processes currently running, the connections currently open, the amount of memory in use right now, the files a program is accessing at that moment, the DLLs loaded by a process, and so on. All of the data I just listed is lost and no longer valid once my computer restarts and memory is flushed during boot (power cut / temporary loss of power).
Just as a burgled house is usually cordoned off with police tape so that nobody can enter and none of the information and evidence inside the victim's house is altered/tampered with/disturbed, the same applies to volatile data in memory. For forensics, it is strongly recommended not to reboot the computer until the volatile data has been captured first (a.k.a. the memory image has been dumped to a file first).
One of the tools for dumping the contents of physical memory to a file, and the one I use in this post's Windows example, is mdd. There are many similar tools for other OSes. Just google them. 🙂

Dump Memory
Dumping memory on the victim's Windows PC is simply done as follows (it must be run as a privileged user):
mdd.exe -o memory.dump
The output is a single file whose size = the size of RAM. If you dump memory on a computer with 16GB of RAM, well... be patient while the dump file is written hehehe
Analyzing the Memory Dump with Volatility
Volatility is one of the applications that can read and extract information from the memory dump produced by mdd. Volatility has many features for extracting information about the processes running on the victim host, the data connections in progress, and so on.
D:\tool\volatility2.5>volatility.exe -h
Volatility Foundation Volatility Framework 2.5
Usage: Volatility - A memory forensics analysis platform.
Options:
-h, --help list all available options and their default values.
Default values may be set in the configuration file
(/etc/volatilityrc)
--conf-file=.volatilityrc
User based configuration file
-d, --debug Debug volatility
--plugins=PLUGINS Additional plugin directories to use (semi-colon
separated)
--info Print information about all registered objects
--cache-directory=C:\Users\adeism046909/.cache\volatility
Directory where cache files are stored
--cache Use caching
--tz=TZ Sets the (Olson) timezone for displaying timestamps
using pytz (if installed) or tzset
-f FILENAME, --filename=FILENAME
Filename to use when opening an image
--profile=WinXPSP2x86
Name of the profile to load (use --info to see a list
of supported profiles)
-l LOCATION, --location=LOCATION
A URN location from which to load an address space
-w, --write Enable write support
--dtb=DTB DTB Address
--output=text Output in this format (support is module specific, see
the Module Output Options below)
--output-file=OUTPUT_FILE
Write output in this file
-v, --verbose Verbose information
--shift=SHIFT Mac KASLR shift address
-g KDBG, --kdbg=KDBG Specify a KDBG virtual address (Note: for 64-bit
Windows 8 and above this is the address of
KdCopyDataBlock)
--force Force utilization of suspect profile
-k KPCR, --kpcr=KPCR Specify a specific KPCR address
--cookie=COOKIE Specify the address of nt!ObHeaderCookie (valid for
Windows 10 only)
Supported Plugin Commands:
amcache Print AmCache information
apihooks Detect API hooks in process and kernel memory
atoms Print session and window station atom tables
atomscan Pool scanner for atom tables
auditpol Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools Dump the big page pools using BigPagePoolScanner
bioskbd Reads the keyboard buffer from Real Mode memory
cachedump Dumps cached domain hashes from memory
callbacks Print system-wide notification routines
clipboard Extract the contents of the windows clipboard
cmdline Display process command-line arguments
cmdscan Extract command history by scanning for _COMMAND_HISTORY
connections Print list of open connections [Windows XP and 2003 Only]
connscan Pool scanner for tcp connections
consoles Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo Dump crash-dump information
deskscan Poolscaner for tagDESKTOP (desktops)
devicetree Show device tree
dlldump Dump DLLs from a process address space
dlllist Print list of loaded dlls for each process
driverirp Driver IRP hook detection
drivermodule Associate driver objects to kernel modules
driverscan Pool scanner for driver objects
dumpcerts Dump RSA private and public SSL keys
dumpfiles Extract memory mapped and cached files
dumpregistry Dumps registry files out to disk
editbox Dumps various data from ComCtl Edit controls (experimental: ListBox, ComboBox)
envars Display process environment variables
eventhooks Print details on windows event hooks
evtlogs Extract Windows Event Logs (XP/2003 only)
filescan Pool scanner for file objects
gahti Dump the USER handle type information
gditimers Print installed GDI timers and callbacks
gdt Display Global Descriptor Table
getservicesids Get the names of services in the Registry and return Calculated SID
getsids Print the SIDs owning each process
handles Print list of open handles for each process
hashdump Dumps passwords hashes (LM/NTLM) from memory
hibinfo Dump hibernation file information
hivedump Prints out a hive
hivelist Print list of registry hives.
hivescan Pool scanner for registry hives
hpakextract Extract physical memory from an HPAK file
hpakinfo Info on an HPAK file
idt Display Interrupt Descriptor Table
iehistory Reconstruct Internet Explorer cache / history
imagecopy Copies a physical address space out as a raw DD image
imageinfo Identify information for the image
impscan Scan for calls to imported functions
joblinks Print process job link information
kdbgscan Search for and dump potential KDBG values
kpcrscan Search for and dump potential KPCR values
ldrmodules Detect unlinked DLLs
lsadump Dump (decrypted) LSA secrets from the registry
machoinfo Dump Mach-O file format information
malfind Find hidden and injected code
mbrparser Scans for and parses potential Master Boot Records (MBRs)
memdump Dump the addressable memory for a process
memmap Print the memory map
messagehooks List desktop and thread window message hooks
mftparser Scans for and parses potential MFT entries
moddump Dump a kernel driver to an executable file sample
modscan Pool scanner for kernel modules
modules Print list of loaded modules
multiscan Scan for various objects at once
mutantscan Pool scanner for mutex objects
notepad List currently displayed notepad text
objtypescan Scan for Windows object type objects
patcher Patches memory based on page scans
poolpeek Configurable pool scanner plugin
printkey Print a registry key, and its subkeys and values
privs Display process privileges
procdump Dump a process to an executable file sample
pslist Print all running processes by following the EPROCESS lists
psscan Pool scanner for process objects
pstree Print process list as a tree
psxview Find hidden processes with various process listings
qemuinfo Dump Qemu information
raw2dmp Converts a physical memory sample to a windbg crash dump
screenshot Save a pseudo-screenshot based on GDI windows
servicediff List Windows services (ala Plugx)
sessions List details on _MM_SESSION_SPACE (user logon sessions)
shellbags Prints ShellBags info
shimcache Parses the Application Compatibility Shim Cache registry key
shutdowntime Print ShutdownTime of machine from registry
sockets Print list of open sockets
sockscan Pool scanner for tcp socket objects
ssdt Display SSDT entries
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan Scan for Windows services
symlinkscan Pool scanner for symlink objects
thrdscan Pool scanner for thread objects
threads Investigate _ETHREAD and _KTHREADs
timeliner Creates a timeline from various artifacts in memory
timers Print kernel timers and associated module DPCs
truecryptmaster Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase TrueCrypt Cached Passphrase Finder
truecryptsummary TrueCrypt Summary
unloadedmodules Print list of unloaded modules
userassist Print userassist registry keys and information
userhandles Dump the USER handle tables
vaddump Dumps out the vad sections to a file
vadinfo Dump the VAD info
vadtree Walk the VAD tree and display in tree format
vadwalk Walk the VAD tree
vboxinfo Dump virtualbox information
verinfo Prints out the version information from PE images
vmwareinfo Dump VMware VMSS/VMSN information
volshell Shell in the memory image
windows Print Desktop Windows (verbose details)
wintree Print Z-Order Desktop Windows Tree
wndscan Pool scanner for window stations
yarascan Scan process or kernel memory with Yara signatures
Let’s play!
As an example, below are the results of exploring a victim Windows XP SP2 machine (IP address: 192.168.76.131) that was reported to have suffered an incident and is to be forensically examined.
Warning: this story is purely fictional. Any resemblance to real names of people, places, etc. is pure coincidence. 😛
D:\tool\volatility2.5>volatility.exe -f memory.dump --profile=WinXPSP2x86 psscan
Volatility Foundation Volatility Framework 2.5
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000201b020 svchost.exe         888    652 0x073800e0 2016-11-15 17:39:49 UTC+0000
0x000000000201bc18 svchost.exe         820    652 0x073800c0 2016-11-15 17:39:49 UTC+0000
0x000000000202d928 winmine.exe        1232   1620 0x073801a0 2016-11-15 17:40:58 UTC+0000
0x000000000205a068 smss.exe            516      4 0x07380020 2016-11-15 17:39:45 UTC+0000
0x00000000021a8268 calc.exe           1832   1620 0x07380220 2016-11-15 17:41:06 UTC+0000
0x0000000002205da0 cmd.exe            1764   1620 0x07380160 2016-11-15 17:40:08 UTC+0000
0x0000000002248020 explorer.exe       1620   1564 0x073801c0 2016-11-15 17:39:56 UTC+0000
0x00000000022692d0 alg.exe             828    652 0x073801e0 2016-11-15 17:40:18 UTC+0000
0x00000000022aab88 mdd.exe             956   1764 0x07380280 2016-11-15 17:42:40 UTC+0000
0x0000000002304550 lsass.exe           664    604 0x073800a0 2016-11-15 17:39:48 UTC+0000
0x0000000002306658 spoolsv.exe        1384    652 0x07380180 2016-11-15 17:39:52 UTC+0000
0x0000000002330020 winlogon.exe        604    516 0x07380060 2016-11-15 17:39:47 UTC+0000
0x000000000239ada0 services.exe        652    604 0x07380080 2016-11-15 17:39:48 UTC+0000
0x000000000243c980 svchost.exe         980    652 0x07380100 2016-11-15 17:39:50 UTC+0000
0x0000000002444020 csrss.exe           580    516 0x07380040 2016-11-15 17:39:47 UTC+0000
0x0000000002448268 IEXPLORE.EXE       1876   1620 0x07380240 2016-11-15 17:41:10 UTC+0000
0x00000000024879a8 ZyWzUUIWcPb.exe     564   1620 0x07380260 2016-11-15 17:42:00 UTC+0000
0x00000000024a0498 wuauclt.exe        1644    980 0x07380200 2016-11-15 17:41:02 UTC+0000
0x00000000024c56d0 svchost.exe        1068    652 0x07380140 2016-11-15 17:39:50 UTC+0000
0x00000000024f2988 svchost.exe        1024    652 0x07380120 2016-11-15 17:39:50 UTC+0000
0x00000000025c8830 System                4      0 0x00316000
Hmm.. there is a process with a suspicious name at Process ID (PID) 564. Let's check where that PID is connecting to...
D:\tool\volatility2.5>volatility.exe -f memory.dump --profile=WinXPSP2x86 connections
Volatility Foundation Volatility Framework 2.5
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8215a270 192.168.76.131:1049       31.13.78.17:80            1876
0x8203e178 192.168.76.131:1195       202.158.0.104:80          1876
0x82042398 192.168.76.131:1191       202.158.0.105:80          1876
0x8207a5a8 192.168.76.131:1208       64.74.13.22:80            1876
0x81f71cd8 192.168.76.131:1251       202.158.19.101:80         1876
0x81e2a008 192.168.76.131:1193       23.99.125.55:80           1876
0x81f74bc8 192.168.76.131:1095       103.49.221.172:80         1876
0x81fa2a50 192.168.76.131:1060       203.190.242.172:80        1876
0x82302c38 192.168.76.131:1044       202.158.0.105:80          1876
0x81fa7af0 192.168.76.131:1054       74.125.68.155:80          1876
0x81df4680 192.168.76.131:1205       64.74.13.22:80            1876
0x81f74418 192.168.76.131:1096       103.49.221.172:80         1876
0x822d2e70 192.168.76.131:1232       103.49.221.130:80         1876
0x81f71e70 192.168.76.131:1233       203.190.242.211:80        1876
0x821686f8 192.168.76.131:1197       203.190.242.211:80        1876
0x81e54bf8 192.168.76.131:1189       202.158.0.105:80          1876
0x822cf208 192.168.76.131:1199       74.125.68.155:80          1876
0x8207d008 192.168.76.131:1188       204.79.197.203:80         1876
0x8203f840 192.168.76.131:1196       23.0.162.56:80            1876
0x820a43a8 192.168.76.131:1089       74.125.200.97:80          1876
0x81f75008 192.168.76.131:1190       54.255.160.133:80         1876
0x8203f008 192.168.76.131:1192       111.221.29.30:80          1876
0x822877f8 192.168.76.131:1238       203.190.245.30:80         1876
0x822a9610 192.168.76.131:1079       23.15.149.163:80          1876
0x821e1008 192.168.76.131:1194       202.158.0.104:80          1876
0x81df54a8 192.168.76.131:1186       192.168.76.1:443          564
0x821e41f0 192.168.76.131:1050       202.158.19.101:80         1876
It turns out PID 564 (ZyWzUUIWcPb.exe) is connecting to a host on the same network, specifically to 192.168.76.1 on port 443.
So what is this file, actually... Let's dump the process from the victim's memory into an executable file with the 'procdump' command, as follows:
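The two tables above are exactly what an analyst ends up cross-referencing by hand: which process owns which connection, and what spawned that process. The following Python script is an added example (mine, not part of the original post and not Volatility's own code) that parses abbreviated copies of the psscan and connections output shown above, joins them by PID, walks the parent chain, and flags any non-browser process talking to a private (RFC 1918) address, which is how PID 564's connection to 192.168.76.1:443 stands out among the browser's web traffic. The sample output strings are constructed from the page's tables and trimmed to a handful of rows; the browser allow-list and the "private peer" heuristic are my assumptions, not a Volatility feature.

```python
"""Join Volatility 2.x psscan and connections output by PID (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: abbreviated copies of the psscan and connections tables
# shown above, trimmed to a handful of rows (column spacing is cosmetic).
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000000205a068 smss.exe            516      4 0x07380020 2016-11-15 17:39:45 UTC+0000
0x0000000002248020 explorer.exe       1620   1564 0x073801c0 2016-11-15 17:39:56 UTC+0000
0x0000000002205da0 cmd.exe            1764   1620 0x07380160 2016-11-15 17:40:08 UTC+0000
0x00000000022aab88 mdd.exe             956   1764 0x07380280 2016-11-15 17:42:40 UTC+0000
0x0000000002448268 IEXPLORE.EXE       1876   1620 0x07380240 2016-11-15 17:41:10 UTC+0000
0x00000000024879a8 ZyWzUUIWcPb.exe     564   1620 0x07380260 2016-11-15 17:42:00 UTC+0000
0x00000000025c8830 System                4      0 0x00316000
"""

CONNECTIONS_OUTPUT = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x8215a270 192.168.76.131:1049       31.13.78.17:80            1876
0x81fa7af0 192.168.76.131:1054       74.125.68.155:80          1876
0x81df54a8 192.168.76.131:1186       192.168.76.1:443          564
"""

# Data rows start with a hex offset; the header and dashed separator do not.
PS_ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)")
CONN_ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s*$")


def parse_psscan(text):
    """Map PID -> {name, ppid}; the System row (no timestamps) still matches."""
    procs = {}
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:
            procs[int(m.group(3))] = {"name": m.group(2), "ppid": int(m.group(4))}
    return procs


def parse_connections(text):
    """List connection dicts with local/remote endpoints and the owning PID."""
    conns = []
    for line in text.splitlines():
        m = CONN_ROW.match(line)
        if m:
            conns.append({"local": m.group(2), "lport": int(m.group(3)),
                          "remote": m.group(4), "rport": int(m.group(5)),
                          "pid": int(m.group(6))})
    return conns


def ancestry(procs, pid):
    """Follow PPID links upward; stops at an unknown PID or a cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{procs[pid]['name']}({pid})")
        pid = procs[pid]["ppid"]
    return " <- ".join(chain)


def connections_by_process(procs, conns):
    """Group remote endpoints under (pid, name); PIDs absent from psscan get '?'."""
    grouped = defaultdict(list)
    for c in conns:
        name = procs.get(c["pid"], {}).get("name", "?")
        grouped[(c["pid"], name)].append(f"{c['remote']}:{c['rport']}")
    return dict(grouped)


def flag_internal_peers(procs, conns, browsers=("IEXPLORE.EXE",)):
    """Connections from non-browser processes to RFC 1918 peers (assumed heuristic)."""
    hits = []
    for c in conns:
        name = procs.get(c["pid"], {}).get("name", "?")
        if name in browsers:
            continue
        if ipaddress.ip_address(c["remote"]).is_private:
            hits.append((c["pid"], name, f"{c['remote']}:{c['rport']}",
                         ancestry(procs, c["pid"])))
    return hits


if __name__ == "__main__":
    procs = parse_psscan(PSSCAN_OUTPUT)
    conns = parse_connections(CONNECTIONS_OUTPUT)
    for key, peers in connections_by_process(procs, conns).items():
        print(key, peers)
    for pid, name, peer, chain in flag_internal_peers(procs, conns):
        print(f"FLAG pid={pid} {name} -> {peer}   spawned via: {chain}")
```

On the real output you would feed the full text of both plugins (for example redirected with --output-file) into parse_psscan and parse_connections; the parent chain is what tells you that the suspicious binary was launched from the interactive explorer.exe session rather than by a service.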
D:\tool\volatility2.5>volatility.exe -f memory.dump --profile=WinXPSP2x86 procdump -p 564 -D dumpfile
Volatility Foundation Volatility Framework 2.5
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x824879a8 0x00400000 ZyWzUUIWcPb.exe      OK: executable.564.exe
Next, maybe analyze the virus file in a sandbox? Hehe. Or, if you want quick results, upload it straight to virustotal.com. According to the VirusTotal report, the executable turns out to be a Trojan.
Just for fun, let's check whether the SAM password hashes are in memory:
D:\tool\volatility2.5>volatility.exe -f memory.dump --profile=WinXPSP2x86 hashdump
Volatility Foundation Volatility Framework 2.5
Administrator:500:ad88b83919877b2c18adeb172ea24ea0:ea3eaf1c71240ea25265b0708a46712f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sule:1000:85e2d9cf3bc981e2dfc8cb30bf4e5dd7:e16377216daa56f648ef4394d8391e03:::
asep:1002:aad3b435b51404eeaad3b435b51404ee:06542de1422d3a7cdafbe9c620e33089:::
ZyWzUUIWcPb:1003:6d19b83990847b2c19beab146ca24ea0:9a3eaf1c75b40ea2526fb0708a46995f:::
Hmm, there is a user whose name is similar to the name of the running process. Most likely this is a non-legitimate user, a.k.a. a backdoor account. It looks like we need to investigate who 192.168.76.1 is, the host receiving connections from the victim via this ZyWzUUIWcPb.exe process.
And next, and next...
Happy exploring!
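As an added example (mine, not from the post and not Volatility's own code), here is a small Python triage of the hashdump output above, which is in pwdump format (user:RID:LM hash:NT hash:::). Beyond the process-name match the post points out, it also marks the two well-known empty-password constants: an NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 means a blank password, and an LM hash of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored (LM hashing disabled or a password longer than 14 characters). The hashdump lines and process names are copied from the page; treating RID 1000 and above as "not a built-in account" is the standard Windows convention and the check is my heuristic.

```python
"""Triage Volatility hashdump (pwdump-format) output (added example)."""
import re

# Fixed properties of the LM and NT hash algorithms, not page-specific data.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" / LM not stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# Constructed sample: the hashdump lines shown above.
HASHDUMP_OUTPUT = """\
Administrator:500:ad88b83919877b2c18adeb172ea24ea0:ea3eaf1c71240ea25265b0708a46712f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sule:1000:85e2d9cf3bc981e2dfc8cb30bf4e5dd7:e16377216daa56f648ef4394d8391e03:::
asep:1002:aad3b435b51404eeaad3b435b51404ee:06542de1422d3a7cdafbe9c620e33089:::
ZyWzUUIWcPb:1003:6d19b83990847b2c19beab146ca24ea0:9a3eaf1c75b40ea2526fb0708a46995f:::
"""

# Process names taken from the psscan output above.
RUNNING_PROCESSES = ["System", "svchost.exe", "explorer.exe", "IEXPLORE.EXE",
                     "ZyWzUUIWcPb.exe", "mdd.exe"]

PWDUMP = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


def parse_hashdump(text):
    """Return a list of {user, rid, lm, nt} dicts; non-matching lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = PWDUMP.match(line.strip())
        if m:
            accounts.append({"user": m.group(1), "rid": int(m.group(2)),
                             "lm": m.group(3).lower(), "nt": m.group(4).lower()})
    return accounts


def triage(accounts, process_names):
    """Return {user: [findings]}; only users with at least one finding appear."""
    stems = {p.lower().rsplit(".", 1)[0] for p in process_names}
    findings = {}
    for a in accounts:
        notes = []
        if a["nt"] == EMPTY_NT:
            notes.append("blank password (empty NT hash)")
        elif a["lm"] == EMPTY_LM:
            notes.append("LM hash not stored (password >14 chars or LM disabled)")
        # Heuristic: a non-built-in account named like a running binary.
        if a["rid"] >= 1000 and a["user"].lower() in stems:
            notes.append("account name matches a running process")
        if notes:
            findings[a["user"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in triage(parse_hashdump(HASHDUMP_OUTPUT), RUNNING_PROCESSES).items():
        print(f"{user}: {'; '.join(notes)}")
```

Run against the page's data this reports Guest as having a blank password, asep as having no stored LM hash, and ZyWzUUIWcPb as the account whose name matches a running process; the hashes themselves are never needed beyond comparing them to the two constants.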

Thank you for sharing, thank you for the knowledge. The article is very useful.