Time: 1 hour 21 minutes | Difficulty: Intermediate | CEU/CPE: 2

Video Transcription

00:00
Hello. My name's David. Welcome to Analyzing Attacks.
00:05
Good to see you and hear from you again, even if it's only virtually. One of the things that we don't talk about is
00:14
a part of analyzing the attack. We're gonna focus for this episode on memory analysis. Now, this is merely
00:23
uh,
00:24
one way that you could analyze an attack. Um,
00:30
as is true with almost anything else, even in the cyber world, invisible as it is, there are a multitude of ways: digital forensics,
00:41
network forensics. There's malware analysis, open-source intelligence that you could turn to in order to analyze an attack. However, because of our time here, we're going to be looking at memory analysis. So let me give you a scenario.
00:59
A local company contacts you regarding some suspicious network traffic that they observed on their regular, routine network connections. The IP addresses that they saw traversing their network appeared to be Russian,
01:15
and this business has no contacts in Russia.
01:21
So of course, seeing Russian IP addresses piqued their
01:26
warning bells, and because of the suspicious network activity, they asked you to investigate. So pause a few seconds here and think about what you might do next.
01:41
Draw on our prior modules.
01:45
Think about all the different kinds of attacks that you've seen in Qin's courses. Think about the incident response process that you saw in my courses.
01:57
What would you do?
02:00
It's an important thing to be able to ask yourself, because you need to start pulling in some information from your clients, or even if, say, this isn't a third party but it's a company that you're actually working for, it's the same process. Hopefully, you've already been through this process. If you haven't,
02:20
it's a good time to do some tabletop exercises
02:23
and do some preparatory work. Remember, back to the steps of incident response: preparation is key. Now, when you're looking at an attack like that, uh, something to keep in mind is that a lot of attacks aren't just malware; there's a lot of steps involved in it. This is pulled from,
02:43
uh, an Endgame report,
02:45
just like there is at the bottom of the screen. Uh, the boxes are actually underscores. So if you want to go look that up, please put underscores in there instead of the boxes. I don't know why PowerPoint did that; I tried changing it, but it wouldn't.
03:00
So you've got your initial exploit. It could come in here: phish email,
03:06
malicious thumb drive. Remember the vectors that you saw in some of the prior modules? So
03:14
craft around that, and PowerShell gets initiated. And you see that a lot: a phish with a malicious attachment in it that has PowerShell code written into it. PowerShell gets initiated, which then injects malicious code into memory,
03:30
and in memory it creates this hidden persistence, as they call it. So this is what you may call by the little catchword "fileless malware," which is floating around a lot out there now, and I say catchword because fileless malware has been around for a long time.
03:46
Why it was never really named or talked about, I'm not sure, but there you go. And then remote access is set up and maintained by this. Now, the key here is that all of the evidence is removed from the drive, except for the in-memory payload
04:06
and the hidden persistence
04:09
So if you're coming in to investigate something, this is probably a great way to think your way through the process
04:17
in order to do memory analysis. Now, I'll put a little caveat in here: when you're going through your incident response process, if you went through those modules with us, you saw this graph before. We've got preparation and identification and scoping. Now we jump back here
04:38
to our scenario.
04:39
Your scoping phase. You've got questions to ask, right? You want to know: do you have NetFlow? Do you have packet captures? Do you have, uh, IDS, IPS? Do you have, um,
04:54
drop something in there that you think may be important. One of my first questions would be: have you identified the endpoints that this communication is coming from, and if so, have you done memory captures? Because there you go. Unfortunately, in the identification and scoping phase,
05:12
you'll see memory forensics is up there at the top of our drop-down over there. In the real world,
05:20
sad to say, most of the time memory forensics is forgotten. Yeah, I think here in cybersecurity we need some ginkgo biloba or something to jog your memories, because memory forensics is almost an afterthought when it comes to going through the IR process. With forensics,
05:40
data recovery, file system analysis: can we get an image of the hard drive? Always a good question to ask. Timeline analysis comes into play a lot of times,
05:49
but memory forensics is oftentimes forgotten. So what I want you to try to glean here is, if you're coming in as an internal cybersecurity professional or even an external consultant, memory forensics is important. You need to grab that memory. Even if it's not fileless malware,
06:08
there can be a lot of evidence that's
06:11
stored in memory that you could recover, that you're not going to get from, say, a disk examination. So you can see where memory
06:18
forensics comes into play. Now back to our scenario. More information for you.
06:24
Yeah. Reviewing the network log activity, you begin to see signs of exfiltration of data going out to these Russian IP addresses. It's encrypted, so you can't determine what was exfiltrated. What are your next steps? Now,
06:42
I'll let you think about that here for a couple seconds. Again, in the video, pause it here and jot down some ideas,
06:50
interact with this stuff; don't just breeze through it and think it doesn't matter, because this will hopefully help you
06:59
cross over into the real world and apply some of the lessons that you've learned in these courses to your own personal experience and professional experience. Moving on, you do a forensic preview of the registry and other files from the web server. You don't see any suspicious activity or information there. So what now?
07:19
Ooh, memory analysis, if you've done it.
07:24
I've got to back us up here again, because here,
07:29
memory forensics is oftentimes overlooked. It's something, for some reason, that a lot of system admins and a lot of IT help desk people don't even really think about when it comes to this entire IR process.
07:47
If you watched the incident handling
07:49
courses, I talked about the importance of the preparation phase and getting all this set out and doing some training for your people so that they know
08:01
that memory forensics is important, and it is a vital step in this entire process in order to be able to determine what happened.
08:11
You do your memory forensics. You pull out something from memory, and it looks like this. You're on your way. So you can see this is actually from an actual investigation where PowerShell was running in memory.
08:26
See the little "hidden" up there? That means it's running, but it's not easily observable. And you've got your PowerShell script there that you could deobfuscate and learn more about what this is supposed to do. You can see it's a good start, so
08:43
you've got a little better idea of a basic start, looking forward,
08:48
and you've also got some PowerShell that's been obfuscated, and maybe you can get more clues into what you're looking for.
08:56
The memory analysis term was first coined back in 2004. Yes, a long time ago, by someone in a report who was writing about rootkit activity. Since then, it has grown. Back in the day, it was a relatively new and unknown step
09:13
in the forensic process. Still today, it's primarily the domain of investigators, forensic investigators, and incident response analysts.
09:22
It does provide a whole lot of insight on system activity and should be included in everything.
09:28
Back in the day, it was strings and grep on memory captures. A lot of advances have been made, and there are a lot of tools out there available to you to assist and enhance your memory hunting and memory analysis capability. So as we go through this module, we're gonna take a look at incorporating it
09:48
more fully
09:48
and entirely into your incident response process. If you have any questions, I'm on Cybrary; I'd love to talk to you. There's nothing like an exchange of information and reaching out to contacts. Talk to you soon.

Up Next

Analyzing Attacks for Incident Handlers

In Analyzing Attacks for Incident Handlers, David Biser explains memory analysis and how to use it to uncover information about a computer. He demonstrates this process of analyzing an attack using labs such as a Redline lab and a VM and Malware lab to conduct an analysis on a computer.

Instructed By

David Biser
Incident Response Engineer at Iron Mountain
Instructor