Not long ago I sat down with a group of First Responders to discuss triage of security incidents. I suggested leaving the network connection up so I could remotely access the drive and physical memory. Their response is one I expect many of you have come across.
"If we leave the system up, even if we tell the user to not use the computer, the minute we walk away, the computer will be used."
That struck me as interesting given what's at stake, but I completely understood their point of view. Too many organizations can't trust their users. So then I thought, hmmm... well, memory acquisition has come so far, so fast, that I can simply teach tech staff at any level to collect physical memory themselves. With targeted training and proper documentation it's a fairly straightforward process to follow on contained systems.
Here's a sample from a doc I drafted detailing the use of mdd from ManTech.
ManTech DD (MDD)
Limitations:
- Less than 4GB memory
- 32 bit Windows Operating System
Installation
1. Download mdd from ManTech. You can download the standalone executable (recommended) or a .zip file.
2. Copy the file(s) to a directory on your USB key.
3. Rename the mdd executable to mdd.exe.
Usage
1. Log in to the compromised system.
2. Insert the USB drive.
3. Create a directory for the incident on the USB key or SMB share.
4. Open the trusted command prompt for the operating system.
5. Change directories to where mdd is installed.
6. Execute mdd.
Command line
E:\IR\mdd>mdd.exe -o E:\00000\memorydump.img
Where 00000 is the case number you've been given.
Notes
mdd prints an MD5 hash of the memory dump it writes. It's important to capture this information. You can take a screenshot of the window using Ctrl+Alt+Print Screen or copy/paste from within the command line to a text file. Both forms of output are acceptable. Save this file as memorydump.md5
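The hash the responder saves alongside the image is only useful if someone later checks it. The following script is an added example, not part of the original post and not ManTech's code: it runs on the examiner's workstation, pulls the recorded MD5 out of the saved console text (assuming only that the pasted output contains a 32-hex-digit token, not any particular wording from mdd), re-hashes the image in chunks so a multi-GB dump never has to fit in RAM, and reports a mismatch before any analysis starts. The demo() function builds a constructed sample image and note in a temporary directory; none of that is real memory or real mdd output.

```python
"""Added example (not from the original post or from ManTech): verify that
memorydump.img still matches the MD5 captured at acquisition time."""
import hashlib
import os
import re
import tempfile
from typing import Optional

# An MD5 is 32 hex digits. Matching the token rather than a fixed line layout
# means the check does not depend on the exact wording of mdd's console output
# (an assumption: we have not reproduced mdd's output format here).
MD5_TOKEN = re.compile(r"\b[0-9a-fA-F]{32}\b")


def extract_md5(note_text: str) -> Optional[str]:
    """Return the first MD5-looking token in the saved console text, lower-cased,
    or None if the responder saved the window without the hash line."""
    match = MD5_TOKEN.search(note_text)
    return match.group(0).lower() if match else None


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in 1 MiB chunks so a multi-GB image is never read whole."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_dump(image_path: str, note_path: str) -> dict:
    """Compare the recorded hash with a fresh hash of the image. A mismatch means
    the image was altered or truncated after acquisition; flag the case rather
    than analyze a dump whose integrity cannot be vouched for."""
    with open(note_path, "r", encoding="utf-8", errors="replace") as handle:
        expected = extract_md5(handle.read())
    size = os.path.getsize(image_path)
    if expected is None:
        return {"ok": False, "reason": "no MD5 found in note",
                "expected": None, "actual": None, "size": size}
    actual = md5_of_file(image_path)
    return {"ok": actual == expected,
            "reason": "hash matches" if actual == expected else "hash mismatch",
            "expected": expected, "actual": actual, "size": size}


def demo() -> dict:
    """Run the check on constructed sample data: an intact image, the same image
    after one byte is flipped, and an empty file (whose MD5 is well known)."""
    with tempfile.TemporaryDirectory() as case_dir:
        image = os.path.join(case_dir, "memorydump.img")
        note = os.path.join(case_dir, "memorydump.md5")
        with open(image, "wb") as handle:
            handle.write(b"constructed sample, not real memory\x00" * 4096)
        # Constructed stand-in for the pasted console window; the hash is written
        # upper-case on purpose to show the comparison is case-insensitive.
        with open(note, "w", encoding="utf-8") as handle:
            handle.write("E:\\IR\\mdd>mdd.exe -o E:\\00000\\memorydump.img\n"
                         "MD5 of output: " + md5_of_file(image).upper() + "\n")
        intact = verify_dump(image, note)
        # Flip one byte in the middle of the image to simulate post-acquisition damage.
        with open(image, "r+b") as handle:
            handle.seek(1000)
            original = handle.read(1)
            handle.seek(1000)
            handle.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_dump(image, note)
        empty = os.path.join(case_dir, "empty.img")
        open(empty, "wb").close()
        return {"intact": intact, "tampered": tampered,
                "empty_md5": md5_of_file(empty)}


if __name__ == "__main__":
    result = demo()
    print(result["intact"]["reason"], "/", result["tampered"]["reason"])
```

In practice, the verification result (expected hash, actual hash, size, and who ran the check) belongs in the case notes next to the responder's screenshot, so the chain from acquisition to analysis is documented end to end.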
Training first responders to do a memory acquisition is much easier these days.
Wednesday, June 17, 2009
8 comments:
I understand doing memory dumps when the computer is already on and you're able to log in to the computer, but what about when you are presented with a turned off computer? Is a memory dump out of the question in that situation? I think so, because if I turn it on it will modify the evidence.
What are your thoughts on that?
Bobby,
One of the first rules of forensics is "if it's off, leave it off" for the very reason you state.
If the machine is off, first image the hard drive, then create a VMware virtual machine with LiveView. Bring up the VMware VM and then image memory from there. It's not ideal, but if there was any memory resident malware on the machine it may very well load itself back into memory within VMware.
I've read on msuiche's blog that mdd has several important bugs.
Peter,
Yes it appears that many memory acquisition tools suffer from that problem. Looks like Matthieu has fixed it in his tool ahead of others.
We fixed that problem 6 years ago. :-)
- Rossetoecioccolato.
OK, so I have a dump made with MDD. Could you please provide some pointers (for a beginner) on which tools I can use to analyze it?
Miha,
There are countless papers online about memory analysis. You can buy Windows Forensic Analysis, Second Edition, for a starting point.
Look at the volatility framework.