29C3 - Version 1.9


Luka Milkovic
Day: Day 2 - 2012-12-28
Room: Saal 4
Start: 20:30
Duration: 01:00
ID: 5301
Event type: Lecture
Event language: English

Defeating Windows memory forensics

Aside from further development of traditional forensic techniques which involve post-mortem hard disk analysis, in the last couple of years the field of computer forensics has been marked by significant development of live forensic techniques and tools.

Memory forensics is composed of two main activities: memory acquisition/capture and analysis. This presentation will give an overview of the memory acquisition and analysis techniques and tools on the Windows operating systems. The main part of the presentation will cover current exploitation techniques and methods for defeating both the acquisition and the analysis phase of memory forensics, as well as present a new approach for hiding specific artifacts from forensic tools. Based on the covered exploitation techniques, some suggestions and improvements for the current tools will be given.

In the last couple of years, memory anti-forensic techniques and methods have been gaining popularity in the infosec and black-hat communities. Current techniques can be grouped into the following three categories:

  • Simple and easily detectable approaches based on complete blocking of the acquisition process,
  • Thwarting the acquisition process by fooling the memory manager (Sparks/Butler BH-JP-05: Shadow Walker – Raising the bar for Rootkit Detection),
  • Thwarting the analysis by modifying the kernel structures (Haruyama/Suzuki BH-EU-12: One-byte Modification for Breaking Memory Forensic Analysis).

However, each of the previously mentioned techniques has a drawback which makes the process of hiding a particular operating system object (e.g. process, thread, network connection, etc.) either difficult (Sparks/Butler) or impossible (Haruyama/Suzuki and acquisition blockers).

This research presents a new approach to defeating memory analysis on Windows operating systems by exploiting fundamental issues in memory-acquisition tools. The developed approach is an extension of past research on disk anti-forensic techniques (especially the DDefy rootkit: Bilby BH-JP-06: Low Down and Dirty: Anti-forensic Rootkits). Since all memory acquisition tools work in a similar manner, this approach is generic and applicable to a wide class of analysis tools.

As a proof of concept, an application called Dementia has been developed. Dementia successfully exploits memory acquisition tools and hides operating system objects (e.g. processes, threads, etc.) from analysis applications such as Volatility, Memoryze and others. Because of flaws in some of the memory acquisition tools, Dementia will additionally demonstrate how an attacker can hide operating system objects from the analysis tools entirely from user mode.
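The techniques in this abstract all aim to make a hidden object disappear from the view that a single analysis plugin relies on. The standard defender-side mitigation is cross-view analysis: enumerate the same object type from several independent sources inside the image and report any disagreement. The following script is an added illustration and is not part of the talk, of Dementia, or of Volatility or Memoryze. The view names (active_process_list, pool_tag_scan, thread_scan, handle_table) are generic labels chosen for the example, and the process lists are constructed sample data; in practice each view would be produced by a memory analysis framework, which this script does not call.

```python
"""Cross-view consistency check for process artifacts recovered from a memory image.

Added example (not the talk's or any tool's own code). Each "view" is one
independent way of finding processes in a dump: walking the kernel's linked
process list, scanning for pool allocations, scanning for thread objects, or
enumerating handle tables. A process that appears in some views but not others
deserves attention: it may have legitimately exited (residue found by scanning
but no longer linked), or it may have been unlinked or overwritten to hide it.
"""
from dataclasses import dataclass

# Constructed sample data: PID -> image name, as each view would report it.
# svchost.exe (2044) is absent only from the linked list; notepad.exe (3120)
# survives only as pool residue.
VIEWS = {
    "active_process_list": {4: "System", 380: "smss.exe", 520: "csrss.exe",
                            1204: "explorer.exe"},
    "pool_tag_scan":       {4: "System", 380: "smss.exe", 520: "csrss.exe",
                            1204: "explorer.exe", 2044: "svchost.exe",
                            3120: "notepad.exe"},
    "thread_scan":         {4: "System", 380: "smss.exe", 520: "csrss.exe",
                            1204: "explorer.exe", 2044: "svchost.exe"},
    "handle_table":        {4: "System", 380: "smss.exe", 520: "csrss.exe",
                            1204: "explorer.exe", 2044: "svchost.exe"},
}


@dataclass(frozen=True)
class Finding:
    pid: int
    names: tuple          # distinct image names seen for this PID across views
    present_in: tuple     # views that contain the PID (sorted)
    missing_from: tuple   # views that do not (sorted)
    verdict: str


def verdict_for(present, missing, names):
    """Heuristic triage of one inconsistent PID."""
    if len(names) > 1:
        return "name differs between views: kernel structure may be tampered"
    if "active_process_list" in missing and len(present) >= 2:
        return ("absent from the linked process list but found by scanning: "
                "possible hidden process")
    if present == ("pool_tag_scan",):
        return "only pool residue: likely terminated process"
    return "inconsistent views: manual review"


def cross_view(views):
    """Return a Finding for every PID that is not reported identically by all views."""
    all_pids = set().union(*views.values())
    findings = []
    for pid in sorted(all_pids):
        present = tuple(sorted(v for v, procs in views.items() if pid in procs))
        missing = tuple(sorted(v for v in views if pid not in views[v]))
        names = tuple(sorted({views[v][pid] for v in present}))
        if missing or len(names) > 1:
            findings.append(Finding(pid, names, present, missing,
                                    verdict_for(present, missing, names)))
    return findings


def report(views=VIEWS):
    """Human-readable lines, one per inconsistent PID."""
    lines = []
    for f in cross_view(views):
        lines.append(f"PID {f.pid} ({'/'.join(f.names)}): present in "
                     f"{', '.join(f.present_in)}; missing from "
                     f"{', '.join(f.missing_from)} -> {f.verdict}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

The design choice worth noting is that no single view is trusted: the linked list is what a DKOM-style unlink removes an entry from, pool scanning is what a one-byte header modification can break, so only disagreement between views is reported, and the verdict is a triage hint rather than a conclusion. Against an acquisition-level attack of the kind this talk describes, where the object never reaches the dump at all, cross-view checks inside the image are not sufficient; acquiring with more than one tool and comparing the results is the corresponding check.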