MEMORY FORENSICS: HARVESTING WINDOWS CREDENTIALS FROM VOLATILE STORAGE Haider M. al-Khateeb, Carsten Maple {haider.alkhateeb, carsten.maple}@beds.ac.uk Department of Computer Science and Technology, University of Bedfordshire, UK Abstract In forensic investigations, it is a challenge to recover objective evidence through means of research then attribute the relevant artefacts to an individual. In this series of articles and within the context of volatility memory forensic investigation, we set our scope on recovering user credentials which could be essential not only to unlock hidden and/or encrypted data but also to identify recent users and analyse their unique characteristics. These can then be used to establish a connection between digital evidence and a user of the system. That being said, the article also aims to critically discuss the significance of memory forensics, in addition to demonstrating tools and techniques used to carry out the process of memory acquisition and analysis. Keywords: Memory Forensics; Windows; Volatile; Volatility; Incident Response; Digital Investigation Introduction What artefacts can be extracted from the volatility memory in Windows? And, What makes memory a significant part of any digital forensic methodology? The best way to answer these questions is through a reasonably brief demonstration of what the computer memory is used for. Foremost, volatile storage maintains data as long as power is available and data is erased/lost when power is interrupted or the computer is switched off. It allows fast CPU read/write access to data compared to non-volatile memory such as Hard Disk Drives (HDDs) where data originally reside. Hence, data-bytes are always moved from non- volatile memory to volatile memory for processing. The Performance tab in Windows Task Manager gives an overview of what seems to be different memory space allocations measures in Mega Bytes as shown in Figure-1. In our context, another term to use is Random Access Memory (RAM) which is the traditional example of a volatile memory. However, other Windows terminology includes Physical Memory or just Memory! Figure 1: The different allocations of Memory spaces, and sizes in MB as displayed by Windows 7 Task Manager The final version of this article has been published in the Digital Forensics Magazine (https://www.digitalforensicsmagazine.com/). Full reference: al-Khateeb, H. M., Maple, C. (2014) ‘Memory Forensics: Harvesting Windows Credentials From Volatile Storage’, Digital Forensics Magazine, 2014(19): 32-36. Physical memory is what is stored on RAM chips lined up in built-in notches on the motherboard, hence the term reflects the total amount of real storage, e.g. if two 1GB memory modules are installed, then the physical memory is 2GB. Figure 1 shows 2047 MB of total physical memory usable by the Operating System, at this point, it is important to bear in mind that the value here can be different from the actual RAM installed in scenarios such as when a machine has the Redundant Memory feature or Memory Mirroring enabled in the BIOS. These options are used as a failover mechanism for the system and can reduce the total RAM available to Windows. A forensic investigator must recognise such technical detail because every memory space is a potential source of digital evidence. While some RAM spaces featured in the Task Manager such as ‘Available’ and ‘Free’ has more of a usability effect on the system, ‘Cached’ is highlighted to be of a forensic interest to us. It reports the amount of RAM used for the most recently accessed data. To boost performance, software and other data remain in the cache even after they have been closed by the user; this is because, future data access requests can be served faster from the cache! In addition to what has been discussed so far, the computer structure is designed in way that part of the RAM will be strictly reserved and dedicated for the Kernel. This space will be used to load essential system processes during start-up and then keep them running separately in what is known as a ‘Nonpaged’ area (in contrast to ‘Paged’ which is a virtual memory that will be discussed later). Such implementation maintains high availability of physical space to the core processes responsible to keep the OS running and also keeps it safe and isolated from RAM manipulated by other hosted software. Why Windows 7? The discussion and demonstration of the tools and techniques in this article were performed on Windows 7. This was not a random choice, but rather influenced by results published in early 2014 by market share statistics reporters such as netmarketshare.com showing that Windows 7 dominates around 47% of the usage share of Desktop Operating Systems followed by Windows XP at around 30%. While the accuracy of such results can be challenged and argued about, it does give a good indication on the type of Operating System a forensic investigator will most likely be dealing with. Virtual Memory What happens if the physical memory is exhausted in a busy machine where many applications are running simultaneously? In this case, the OS can compensate using a simulating technique that extends RAM virtually to a utilised area in the HDD called a Paging File, this will release some RAM space for other prioritised applications, hence the name: Virtual Memory. As such, if you observe the value of the ‘Available’ physical memory shown in Figure 1, it should never be zero since some processes will always be moved to the virtual memory on the HDD. Similarly, the ‘Paged’ value subtitled within the Kernel Memory refers to the part of the virtual memory dedicated to the Kernal. By default, Windows automatically adjusts the Paging File but it also gives users the privilege to manually determine the size of their Paging File or even stop using this feature, these settings can be changed from Control Panel System and Security System Advanced System Settings Advanced Performance, Settings Advanced tab Change If a Paging File is used (which is strongly recommended), the OS will continuously swap processes between the RAM and virtual memory which implies that an investigator should consider the data in both. In Windows 7, this file is called pagefile.sys and is stored in the %SystemDrive%\ which usually happens to be the C:\ drive as shown in Figure 2. But to actually see it, make sure you - Navigate to Windows Explorer Tools Folder options View - Select ‘Show hidden files, folder, and drives’ - And, unstick ‘Hide protected operating system files (Recommended)’ - Note that pagefile.sys can not be simply copy-pasted because the OS keeps it open and therefore protected from user access. Hence, special purpose tools such as FTK Imager or Forensic Get (FGET) must be used to perform the task. Analysis of this file is beyond the scope of this article but it is important to mention that the standard page size in Paging Files is 4KB. This implies that data moved from the RAM are split into small chunks of data which might only be meaningful if mapped back correctly to the memory to reconstruct existing objects. The final version of this article has been published in the Digital Forensics Magazine (https://www.digitalforensicsmagazine.com/). Full reference: al-Khateeb, H. M., Maple, C. (2014) ‘Memory Forensics: Harvesting Windows Credentials From Volatile Storage’, Digital Forensics Magazine, 2014(19): 32-36. Figure 2: The Paging File is a hidden system file used as a virtual memory to support RAM and can be located at %SystemDrive%\pagefile.sys Memory dump A memory dump is an acquired copy of the volatility memory data-bytes, those were originally moved from the Hard Drive for processing. Hence, this image must be taken from a running machine which is why memory forensics is also referred to as ‘Live Forensics’. Memory dumps can be taken for various reasons, for instance a windows user might be facing a Blue Screen error and require technical support to solve this issue, a memory dump in this case can be sent to a service provider such as McAfee for analysis. Although, in our work we are more interested in extracting evidence from the captured memory. There are different file formats for the memory dump used to distinguish between the outputs of different tools. For instance: - Windows creates a .dmp file - DumpIt creates a .raw file - In a virtual machine, VMware tools creates a .vmem file. Further, the snapshot method creates a .vmsn file in the virtual machine directory and a suspended VM saves .vmss file. And since some analysis tools were designed to support specific files, tools such as the vmss2core utility can be used to accomplish that. However, conversion might not always be needed especially when a tool such as Bulk extractor is used. This is because it scans and extracts information without parsing the file system in a given image, which makes it compatible to work with various artefacts from memory dumps to Solid State Drives (SSDs) and HDDs. The output of Bulk extractor includes credit Card numbers, email addresses and wordlists that can be imported into a password- cracking software, which is why it is reverent to this series of articles and will be covered in further detail later. Nevertheless, we discussed that the RAM is split into a space reserved and secured for the Kernel and a larger space for the hosted applications. Now if the acquisition considers both then it is a complete memory dump, otherwise there can be different types of smaller memory dumps as shown below: - Complete: contains the fill physical memory. - Kernel memory dump: limited to the memory in use by the Kernel - Small and mini memory dumps: includes selected parts of memory associated with one or more processes; this is clearly not very sufficient for analysis unless the forensic investigation is intestinally scoped on a particular process Significance of the Volatile Memory Well-trained criminals attempt to eliminate their footprints on the hard drive which increases the importance of the data stored on the volatile memory.