Wednesday, June 17, 2009

Memory Acquisition for First Responders

Not long ago I sat down with a group of First Responders to discuss triage of security incidents. I discussed leaving the network connection up so I could remotely access the drive and physical memory. Their response is one that I expect many to have come across.

"If we leave the system up, even if we tell the user to not use the computer, the minute we walk away, the computer will be used."

That was kind of interesting to me considering what's at stake, but I completely understood their point of view. Too many organizations can't trust their users. So then I thought, hmmm... well, memory acquisition has come so far so fast that I can simply teach tech staff at any level to collect physical memory. With targeted training and proper documentation it's a fairly straightforward process to follow on contained systems.

Here's a sample from a doc I drafted detailing use of mdd from ManTech.

ManTech DD (MDD)

Less than 4GB memory
32 bit Windows Operating System

Download mdd from Mantech
You can download the standalone executable (recommended) or a .zip file.
Copy the file(s) to a directory on your USB key
Rename the mdd executable to mdd.exe

Log in to the compromised system
Insert USB drive
Create a directory for the incident on the USB key or SMB share
Open the trusted command prompt for the operating system
Change directories to where mdd is installed
Execute mdd

Command line
E:\IR\mdd>mdd.exe -o E:\00000\memorydump.img

Where 00000 is the case number you've been given.

Mdd prints an MD5 hash of the memory dump it wrote. It's important to capture this information. You can take a screenshot of the window using Ctrl+Alt+Print Screen, or copy/paste from within the command line into a text file. Both forms of output are acceptable. Save this file as memorydump.md5 next to the image.
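An added helper for the hash step above (not part of the original post or of mdd itself): once memorydump.img and the pasted memorydump.md5 sit in the case directory, it recomputes the image's MD5 and checks it against the recorded value, so a responder can prove later that the dump handed over is the one the tool produced. It assumes the pasted text contains the hash as a 32-hex-digit token; the file names are the ones used in the procedure.

```python
"""Verify an mdd memory image against the MD5 the responder recorded."""
import hashlib
import re
import sys
from pathlib import Path

# Assumption: the pasted mdd output contains the hash as one 32-hex-digit token.
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the image in 1 MiB chunks so a multi-GB dump never sits in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def recorded_md5(md5_file):
    """Extract the hash from the screenshot-transcript/pasted text.

    Returns None when the saved file contains no hash at all, which is the
    failure mode worth catching during triage rather than months later.
    """
    text = Path(md5_file).read_text(errors="replace")
    m = MD5_RE.search(text)
    return m.group(0).lower() if m else None


def verify_dump(case_dir):
    """Return (ok, computed, recorded) for <case_dir>/memorydump.img and .md5."""
    case_dir = Path(case_dir)
    computed = md5_of_file(case_dir / "memorydump.img")
    recorded = recorded_md5(case_dir / "memorydump.md5")
    return (recorded is not None and computed == recorded, computed, recorded)


if __name__ == "__main__":
    # Usage: python verify_dump.py E:\00000   (defaults to the current directory)
    ok, computed, recorded = verify_dump(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"computed: {computed}\nrecorded: {recorded}\n{'MATCH' if ok else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```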

Training first responders to do a memory acquisition is much easier these days.


bobby1041 said...

I understand doing memory dumps when the computer is already on and you're able to log in to the computer, but what about when you are presented with a turned-off computer? Is a memory dump out of the question in that situation? I think so, because if I turn it on it will modify the evidence.
What are your thoughts on that?

hogfly said...

One of the first rules of forensics is "if it's off, leave it off" for the very reason you state.

Anonymous said...

If the machine is off firstly image the hard drive then create a vmware virtual machine with Liveview. Bring up the vmware vm and then image memory from there. It's not ideal but if there was any memory resident malware on the machine it may very well load itself back into memory within vmware.

Peter said...

I've read on msuiche's blog that mdd has several important bugs.

hogfly said...

Yes it appears that many memory acquisition tools suffer from that problem. Looks like Matthieu has fixed it in his tool ahead of others.

Anonymous said...

We fixed that problem 6 years ago. :-)

- Rossetoecioccolato.

Miha said...

OK, so I have a dump made with MDD, could you please provide some pointers (for a beginner) which tools can I use to analyze it?

hogfly said...

There are countless papers online about memory analysis. You can buy Windows Forensic Analysis, Second Edition for a starting point.

Look at the volatility framework.