Security Ripcord

In Quick Incident Response Techniques I,  II and III we talked about how to use F-Response and FTK Imager to gather hard drive and memory information from a remote system and what to do with some of that information.  Now we need to talk alittle bit about what we can do with the memory image from that system.

With a copy of the remote system’s memory and an understanding of F-Response’s impact on that system an analysis of the system’s memory can be performed. Advances in memory analysis are rapidly moving forward. A good and free tool for memory analysis is Mandiant’s Memoryze. Memoryze parses the bit-stream memory file and generates XML output associated with the contents of the memory. To review these XML files and present it as human-readable information Mandiant’s developers have released Audit Viewer. Although Memoryze can be run manually, it is much easier to utilize the functionality of Audit Viewer to Launch Memoryze to analyze the memory file.

By clicking the Launch Memoryze button the analyst is presented with the usual configuration functionality. The analyst will point the tool to the Memoryze executable, the memory file, and the information output directory where the XML files will written. The other configuration considerations pertain to the information that will be collected from the memory file.

• MemoryDD will acquire memory from the system Memoryze is run on or from a Physical Drive such as those provided through F-Response’s functionality.

• ProcessDD will collect information pertaining to the process name or identification number provided. This will actually pull copies of the process executable and drivers associated with the process and copy them to the output directory.

• Driver Walk List will parse through the memory and determine the drivers being used by the system.

• DriverDD will collect information pertaining to a single driver name or all drivers. This will actually pull copies of the driver from memory and create driver files in the output directory.

• Processes will collect information pertaining to a single process or all processes. Specific information about a process can be selected. These include:

  • Handles

  • Sections

  • Ports

  • Strings

  • Imports

  • Exports

  • Injected DLLs

• Hook Detection – actually, I have to admit that I don’t know much about hook analysis. This information is key for determining the affects of malware on a system. Memoryze can be configured to collect information pertaining to:

  • System Service Descriptor Table call table

  • System Service Descriptor Table functions

  • Interrupt Descriptor Table

  • IRP tables

Once Memoryze has completed its analysis of the memory file Audit Viewer can analyze the XML output. After pointing Audit Viewer to the output information details about the information can be reviewed. The following image shows how network connections can be identified. In this example, Audit Viewer shows the the Telnet service has an established connection with a remote system.

Of course, F-Response also has an established connection. Of course, as we know from earlier we should expect to see two network connections associated with the F-Response process. The presence of only one connection shown in the following image could be a result of Memoryze’s parsing method or the exact time that the memory image was generated.

The following image shows F-Response is connected to the log file name f-response-ent.exe.log. This is a good indicator of how Memoryze and Audit Viewer can provide information about running processes that cannot be determined from simply understanding that a process or service is running on a system.

The default analysis activity associated with each process parsed by using the the Process configuration is just to grab information about each process. Audit Viewer provides the ability to output the process executable and all for driver files associated with the selected process. These, in turn, can be analyzed individually using malware analysis or code review.

Depending on the system and the process being acquired the acquisition process could take one to five minutes. The analyst can determine when the acquisition process is complete by monitoring the Audit Viewer command window that is started for the acquisition process. Once the acquisition is completed the command window will close.

As mentioned, the acquired files will be written to the output directory for further analysis.

Well, I think this is going to mark the end of this series of posts.  Hopefully you have a better understanding of some of the techniques and tools utilized when performing quick incident responses for yourselves or your customers.

If there is something else you would like to see or that you would like me to talk about, just drop a comment and I will look into it.  For now, however, I will be moving onto some of those scripts I was talking about and one or two other ideas that I have to help advance these techniques and tools.

Go forth and do good things,

Don C. Weber

---

Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.

---

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.