Advanced artifact analysis Toolset, Artifact analysis training material November 2014 European Union Agency for Network and Information Security www.enisa.europa.eu Advanced artifact analysis Toolset, Artifact analysis training material November 2014 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Authors This document was created by Lauri Palkmets, Cosmin Ciobanu, Yonas Leguesse, and Christos Sidiropoulos in consultation with DFN-CERT Services1 (Germany), ComCERT2 (Poland), and S-CURE3 (The Netherlands). Contact For contacting the authors please use [email protected] For media enquires about this paper, please use [email protected] Acknowledgements ENISA wants to thank all institutions and persons who contributed to this document. A special ‘Thank You’ goes to the following contributors: 1. Todor Dragostinov from ESMIS, Bulgaria 2. Michael Ligh from MNIN.ORG, United States 1 Klaus Möller, and Mirko Wollenberg 2 Mirosław Maj, Tomasz Chlebowski, Krystian Kochanowski, Dawid Osojca, Paweł Weżgowiec, and Adam Ziaja 3 Michael Potter, Alan Robinson, and Don Stikvoort Page ii Advanced artifact analysis Toolset, Artifact analysis training material November 2014 Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Copyright Notice © European Union Agency for Network and Information Security (ENISA), 2014 Reproduction is authorised provided the source is acknowledged. Page iii Advanced artifact analysis Toolset, Artifact analysis training material November 2014 Table of Contents 1 General description 2 1.1 Prerequisites 2 1.2 Tools overview 3 1.2.1 Volatility 3 1.2.2 Python for Volatility 3 1.2.3 PyCrypto 3 1.2.4 PIL 3 1.2.5 Distorm3 3 1.2.6 Yara 3 1.3 Memory acquisition tools 4 1.3.1 WinPmem, MacPmem 4 1.3.2 LiME 4 1.4 Other tools 4 1.4.1 Strings 4 1.4.2 Grep 4 1.4.3 Ncat 4 1.5 Alternatives 5 1.5.1 Kernel Debugger 5 1.5.2 Mandiant Memoryze 5 1.5.3 Second Look 5 1.6 Virtual Memory images 5 1.7 Virtual Appliances 5 2 Exercise Course 6 2.1 Introduction 6 2.2 Task 1: Acquiring memory images 6 2.2.1 Task 1.1: Acquiring memory images from Windows 7 2.2.2 Task 1.2 Acquiring memory images from Linux 9 2.3 Task 2: Basic analysis of Windows images 15 2.3.1 Task 2.1: Windows process analysis 15 2.3.2 Task 2.2: Network connection analysis 19 2.3.3 Task 2.3: Registry analysis 20 2.3.4 Task 2.4: File and other analysis 24 2.4 Task 3: Basic Linux memory analysis 26 2.4.1 Task 3.1: Linux process analysis 26 2.4.2 Task 3.2: Linux network connection analysis 29 2.4.3 Task 3.3: File and kernel analysis 32 2.5 Task 4: Finding and obtaining malware from memory images 35 2.5.1 Task 4.1 Windows malware 35 Page iv Advanced artifact analysis Toolset, Artifact analysis training material November 2014 2.5.2 Task 4.2 Linux malware 37 3 Commands used 40 4 Bibliography 42 Page v Advanced artifact analysis Toolset, Artifact analysis training material November 2014 During the course of the exercise the students will learn how to obtain Main Objective memory images from different sources and to analyse them. Both Windows and Linux systems will be covered. CERT staff involved with the technical analysis of incidents, especially Targeted Audience those dealing with forensics. In-depth knowledge of operating system concepts is a prerequisite. Python knowledge is helpful but not required. Total Duration 6 – 7.5 hours Introduction to the exercise (Memory forensics) 1.5 hours Task 1: Acquiring memory images 1 hour 1-1.5 Task 2: Basic Windows memory analysis hours Time Schedule 1-1.5 Task 3: Basic Linux memory analysis hours 1-1.5 Task 4: Obtaining and analysing malware from memory hours Summary of the exercise 0.5 hours Frequency Once per person Page 1 Advanced artifact analysis Toolset, Artifact analysis training material November 2014 1 General description During the course of this exercise, the students will learn how to acquire and analyse memory images from Windows and Linux operating systems with the Volatility toolkit4. Students that have completed the “Digital forensics”5 course may already be familiar with some of the concepts covered in this exercise. At the beginning, the trainer will introduce the basic concepts of memory forensics, such as acquisition of memory and its analysis. Additionally, the students will be given basic information on how to use Volatility.4 In the first part, the students will learn how to acquire memory images from Windows and Linux operating systems. In the second and third part, the students will perform basic analysis tasks while working with Windows and Linux memory dumps. In the last part, the students are confronted with advanced analysis techniques, such as identifying and isolating a malware sample from a given memory image. The exercise can be held with all parts in sequence. But it is also possible to hold only the introduction, together with either the Windows or the Linux parts to focus on only one operating system or if the time frame doesn't allow for a full training, additionally there will also be an open discussion at the end of the exercise. 1.1 Prerequisites It is assumed that the students are familiar with • The general process of incident response and digital forensics.6,7,8,9 • Basic concepts from C / Assembler programming such as low level data types (char, int), arrays, structures, etc.10,11,12,13,14 • General operating system concepts such as processes, threads, stack, heap, kernel, memory management, etc.15,16,17,18 4 http://www.volatilityfoundation.org/ (last visited: 30. 9. 2014) 5 https://www.enisa.europa.eu/activities/cert/support/exercise, exercise no 24 (last visited: 30. 9. 2014) 6 https://www.enisa.europa.eu/activities/cert/background (last visited: 30. 9. 2014) 7 https://www.enisa.europa.eu/activities/cert/support (last visited: 30. 9. 2014) 8 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf (last visited: 30. 9. 2014) 9 http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf (last visited: 30. 9. 2014) 10 Mitchell: “Concepts in Programming Languages”, Cambrigde University Press, ISBN 0521780985 11 Van Roy, et al.: “Concepts, Techniques, and Models of Computer Programming”, MIT Press, ISBN: 9780262220699 12 http://www.cprogramming.com/(last visited: 30. 9. 2014) 13 http://en.wikibooks.org/wiki/C_Programming (last visited: 30. 9. 2014) 14 http://en.wikibooks.org/wiki/X86_Disassembly (last visited: 30. 9. 2014) 15 Silberschatz, et al.: “Operating System Concepts”, 9th ed., Wiley, ISBN-13: 978-1118063330 16Russinovich, et al.: “Windows Internals”, 6th ed., Microsoft Press, ISBN-13: 978-0735648739 (part1), ISBN-13: 978-0735665873 (part 2), http://technet.microsoft.com/de-de/sysinternals/bb963901.aspx (last visited: 30. 9. 2014) 17 Wolfgang Mauerer: “Professional Linux Kernel Architecture“,Wrox, ISBN-13: 978-0470343432 18 Bovet, et al.: “Understanding the Linux Kernel”, 3rd ed., O'Reilly, ISBN-13: 978-0596005658 Page 2 Advanced artifact analysis Toolset, Artifact analysis training material November 2014 • Standard Unix command line tools, such as grep, sort, etc. 1.2 Tools overview The following section gives an overview about the tools used in this exercise. 1.2.1 Volatility Volatility is an open source framework for the extraction of digital artifacts from volatile memory (RAM) samples. It is now (2014) developed and supported by The Volatility Foundation.19 1.2.2 Python for Volatility Having the Python20 interpreter and its libraries installed is a prerequisite to running Volatility. At least version 2.6 (better 2.7) is required. A Linux or Windows operating system with x86 or x64 architecture is preferred although Volatility should run on any system that supports Python. Python 3 is currently (as of version 2.3.1 and 2.4) not supported. Furthermore, several Python libraries are needed by Volatility that typically are not installed automatically when installing the main Python package. Teachers should check for the presence of these packages when assembling their own analysis system. 1.2.3 PyCrypto The Python Cryptography Toolkit21 supplies hashing and encryption algorithms as well as encryption protocols and other routines, such as random number generators.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages50 Page
-
File Size-