Re: Memory, Elephantine

[Nick Petroni <npetroni () cs umd edu>]

Sorry for the confusion, we'll be posting more details when time allows.
The tool is meant for image *analysis*, so the assumption is you have
used dd/helix/some fancy hardware/a CANVAS module to gain access to
physical (or virtual) memory. You could also use /dev/mem etc. directly.
The question we are trying to address is "What do you do once you have
all of those bits?

One of the primary features is to automate the low-level "this chunk of
memory is a struct foo" part and allow you to write higher-level
analyses. For example, our "list processes" function is 12 lines as
opposed to dozens of lines of C that other approaches to this problem
have taken. The idea is to allow for easy extension by writing routines
to, for example, search for hidden processes, decrypt/brute force
regions, etc.

As for swap files, we're working on integrating that and other features.

We'd be happy to discuss this more with those who are interested on/off
list.

thanks,
nick


On Sat, 4 Mar 2006, Dave Aitel wrote:

> So the web page is pretty but..uh...how does it work! :> The user
> pre-installs some sort of program? It remotely installs via SMB/FTP? You
> install it manually off a USB drive? It's a kernel driver? It just cats
> /dev/memory and then the server parses that? How does it handle swap
> files? Sending data over the wire can be rather slow, does it optimize
> it with a hashing algorithm?
>
> You guys should release it at Syscon...you can eat Sting-Ray in
> Singapore. And they have good beer. :>
>
> -dave
>
>
> Nick Petroni wrote:
> > While on the topic of memory forensics, the Python enthusiasts in
> > the crowd may be interested in a new extensible research framework for
> > analyzing volatile memory images that we will be releasing at an upcoming
> > (yet to be determined) venue.
> >
> > For more information, check out: http://www.4tphi.net/fatkit/
> >
> > peace,
> > nick
> >
> >
> > On Fri, 3 Mar 2006, Dave Aitel wrote:
> >
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > I think it's interesting that Maniant (aka RedCliff) released a memory
> > > forensics tool recently (http://www.mandiant.com/features.htm) - this
> > > is also something we see people doing a lot more with CANVAS these
> > > days. The main benefits of using an exploitation framework for such
> > > things is that:
> > > 1. We can use the same exploitation path an attacker would use to
> > > obtain access to the machine. This means we're completely in memory
> > > and haven't messed up the disk at all. (Or we can remotely install as
> > > a service, copy a file over, whatever.)
> > > 2. You get the power of MOSDEF for doing the hard work...i.e. you can
> > > inject into processes, grab all the memory on the system from every
> > > process, etc.
> > >
> > > Of course, the downside is that you have to use MOSDEF to do the hard
> > > work. :>
> > >
> > > The other side of the story is that as an exploitation framework, you
> > > now need to clean/encrypt memory up as you go along. And you can do
> > > "remote forensics" as you go - I can look at other processes and see
> > > if someone else is also using CANVAS or anything similar on this box...
> > >
> > > - -dave
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.1 (GNU/Linux)
> > > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> > >
> > > iD8DBQFECH9pB8JNm+PA+iURAvJpAJ48qV13TcPpRiFXXu1yWCsffoQxpQCcDOBf
> > > 37ykn9FpdVIJbVClewwiKLo=
> > > =lYqp
> > > -----END PGP SIGNATURE-----