Memory Analysis with FTK 3

Four years ago, at the DFRWS 2005, the first tools to analyze Windows memory images were presented in public. These ideas and methods now gradually make it into commercial off-the-shelf forensic products. The latest tool that provides Windows memory analysis capabilities is AccessData's Forensic Toolkit 3.


More PTFinders

Csaba Barta has developed PTFinders for Windows Server 2003 SP2, Windows Server 2008 SP1 and the public beta version of Windows 7. Don't miss the other parts of his website.

Update of objtypescan plugin

My objtypescan plugin for Volatility crashed when it was unable to determine an object's virtual address in kernel space. This is fixed from version 0.4 on. Thanks to Vte. Javier Garcia Mayen for reporting the bug and providing me with extensive test data!

Reading Passwords from the Keyboard Buffer

The PC's BIOS, among many other functions, also provides a simple routine to read data in from the keyboard. Information about the keys pressed is stored in a ring buffer that provides space for about 16 characters. As Jonathan Brossard has shown in a paper and presented at DEFCON 16, the buffer's contents may be available for a while after they have been read by the BIOS. Chances are that BIOS passwords or the passwords of disk encryption software can be recovered.


Searching for Mutants

I feel somewhat sorry for posting such a creepy title in spring. But don't worry, "mutant" is just how a mutex is called in the Windows kernel. A mutex helps to serialize access to a resource. Some applications employ a mutex to ensure that only a single instance is running. And that way, a mutex may lead us directly into the dark realms of some malware. Scary, isn't it?


Symbolic Link Objects

The concept of symbolic links is widely implemented in file systems. But there is also a symbolic link object for kernel objects. Generally, a symbolic link will make an object accessible under a different and probably much shorter name. But symbolic link objects also provide some forensic value.


Scanning for Drivers

Drivers extend the functionality of the kernel, e.g. by implementing a network communication protocol or an interface to a new piece of hardware. They are loadable kernel-mode modules, which allows them to modify any system behavior. Several rootkits are implemented as drivers. In this post I present a plugin for the Volatility memory analysis framework that scans for driver objects.


Linking File Objects to Processes

I was not completely satisfied with my first file object scanner. It revealed a lot of objects, including files that were hidden through malicious activity. But it was lacking the ability to connect those files to processes. A couple of days of research later I'm excited to release an improved version.


0xbad0b0b0

Have you ever seen the value 0xbad0b0b0 before? If you're analyzing kernel objects, you certainly will. Here is some information about this special value.


Scanning for File Objects

The Microsoft Windows kernel represents opened files by a _FILE_OBJECT structure. With some help from the Microsoft Debugger, the object type information for files and the Volatility memory analysis framework, it is an easy task to craft a file object scanner. This scanner may reveal files even if they are hidden by a rootkit.
