digital investigation
play

Digital Investigation Full System Memory Dump Acquisition of - PowerPoint PPT Presentation

Feb 13, 2024 •22 likes •352 views

When Hardware Meets Software: A Bulletproof Solution to Forensic Memory Acquisition 1 Universit` 2 Royal Holloway, a degli Studi di Milano University of London Alessandro Reina 1 Aristide Fattori 1 Fabio Pagani 1 Lorenzo Cavallaro 2 Danilo Mauro

  1. When Hardware Meets Software: A Bulletproof Solution to Forensic Memory Acquisition 1 Universit` 2 Royal Holloway, a degli Studi di Milano University of London Alessandro Reina 1 Aristide Fattori 1 Fabio Pagani 1 Lorenzo Cavallaro 2 Danilo Mauro Bruschi 1 28 th Annual Computer Security Applications Conference Alessandro Reina ACSAC 2012 1 / 20

  2. Digital Investigation Full System Memory Dump Acquisition of volatile memory is an essential procedure in digital forensic analysis and incident response. Run-Time Information processes; network connections; open files; unencrypted data; passwords; malware; . . . Alessandro Reina ACSAC 2012 2 / 20

  3. Full System Memory Dump Challenge Tampering of the volatile memory during a dump invalidates the collected evidence. Alessandro Reina ACSAC 2012 3 / 20

  4. Full System Memory Dump Challenge Tampering of the volatile memory during a dump invalidates the collected evidence. Requirements atomicity : dump must represent the content of the memory at a single instant in time reliability : must be able to detect tampering or corruption of the dump availability : solutions must be OS and device independent Alessandro Reina ACSAC 2012 3 / 20

  5. Limitations of Current Solutions: Hardware PCI : prior-installation requirement implies reduced usability FireWire : resolves the usability problem Neither approach satisfies: ✗ atomicity the CPU is not frozen ✗ reliability bus scanning; subjects to DMA attack ✗ availability driver required Alessandro Reina ACSAC 2012 4 / 20

  6. Limitations of Current Solutions: Software virtual device (e.g., /dev/mem ): ✗ atomicity the CPU is not frozen tool loaded in memory to be run ✗ reliability ✗ availability OS dependent hypervisor : ✓ atomicity can freeze the guest and perform the dump changes in memory due to hypervisor loading ✗ reliability ✗ availability SW/HW support required Alessandro Reina ACSAC 2012 5 / 20

  7. State-of-Art Solutions SoA techniques leverage System Management Mode to address forensic requirements. Alessandro Reina ACSAC 2012 6 / 20

  8. State-of-Art Solutions SoA techniques leverage System Management Mode to address forensic requirements. Issues CPU is frozen ✓ atomicity ✗ reliability integrity guarantee not provided prior-installation hardware required (i.e., PCI) ✗ availability no attempt to read more than 4GB Alessandro Reina ACSAC 2012 6 / 20

  9. State-of-Art Solutions SoA techniques leverage System Management Mode to address forensic requirements. Issues CPU is frozen ✓ atomicity ✗ reliability integrity guarantee not provided prior-installation hardware required (i.e., PCI) ✗ availability no attempt to read more than 4GB We can do better! Alessandro Reina ACSAC 2012 6 / 20

  10. A step back What’s SMM? System Management Mode is a mode of operation (similar to real mode) of Intel CPUs designed to handle system-wide functionality (e.g., power management and hardware control). code executed in an isolated processor environment transparent to the OS mode of operation with the greatest level of privilege (ring -2 ) address and operand size override prefixes allow 32bit data access Alessandro Reina ACSAC 2012 7 / 20

  11. A step back What’s SMM? System Management Mode is a mode of operation (similar to real mode) of Intel CPUs designed to handle system-wide functionality (e.g., power management and hardware control). code executed in an isolated processor environment transparent to the OS mode of operation with the greatest level of privilege (ring -2 ) address and operand size override prefixes allow 32bit data access Critical Issue SMM can access at most 4GB of physical memory! Alessandro Reina ACSAC 2012 7 / 20

  12. SMMDumper Contributions 1 firmware-based technique to atomically perform a reliable memory dump (IA32) 2 dump physical memory exceeding 4GB (PAE) 3 integrity guarantee provided by signing the whole memory dump 4 QEMU-based prototype implemented Alessandro Reina ACSAC 2012 8 / 20

  13. SMMDumper Contributions 1 firmware-based technique to atomically perform a reliable memory dump (IA32) 2 dump physical memory exceeding 4GB (PAE) 3 integrity guarantee provided by signing the whole memory dump 4 QEMU-based prototype implemented Threat Model the attacker has root access to the compromised system the attacker has compromised other machines in the same LAN the attacker can perform network attacks the attacker can NOT install an HW hypervisor Alessandro Reina ACSAC 2012 8 / 20

  14. Overview of SMMDumper [ md5 (pkt) | pkt] (3) C = md 5( mem ) (1) SMM (4) sign ( C ) (2) [0x00... -- 0xff...] Alessandro Reina ACSAC 2012 9 / 20

  15. Overview of SMMDumper [ md5 (pkt) | pkt] (3) (3) C = md 5( mem ) (1) (1) SMM (4) (4) sign ( C ) (2) (2) [0x00... -- 0xff...] Alessandro Reina ACSAC 2012 9 / 20

  16. Overview of SMMDumper [ md5 (pkt) | pkt] (3) (3) C = md 5( mem ) (1) (1) SMM (4) (4) sign ( C ) (2) (2) [0x00... -- 0xff...] Alessandro Reina ACSAC 2012 9 / 20

  17. Overview of SMMDumper [ md5 (pkt) | pkt] (3) (3) C = md 5( mem ) (1) (1) SMM (4) (4) sign ( C ) (2) (2) [0x00... -- 0xff...] Alessandro Reina ACSAC 2012 9 / 20

  18. Overview of SMMDumper [ md5 (pkt) | pkt] (3) (3) C = md 5( mem ) (1) (1) (4) SMM (4) sign ( C ) (2) (2) [0x00... -- 0xff...] Alessandro Reina ACSAC 2012 9 / 20

  19. SMMDumper Challenges 1 trigger SMI to switch to SMM 2 guarantee the integrity of the collected data on the host as well as while in transit to a generic device 3 access all physical memory (even if it is greater than 4GB in size) Alessandro Reina ACSAC 2012 10 / 20

  20. SMMDumper: Triggering System Management Interrupt System Management Interrupt external SMM interrupt pin ( SMI# ) Advanced Programmable Interrupt Controller ( APIC ) Bulletproof Triggering Implementation hardware-based activation mechanisms: i.e., specific keystroke connected to the SMI pin (i.e. events specified by the I/O Controller Hub) isolate the SW component from user- and kernel-space Alessandro Reina ACSAC 2012 11 / 20

  21. SMMDumper: Triggering System Management Interrupt Software Triggering Implementation SMM keylogger: I/O APIC contains a Redirection Table which routes EXTINT s to the CPUs Redirection Table is set to deliver SMI when IRQ1 is asserted the keyboard scancode is read from the keyboard controller buffer an IPI message is sent to delivery the IRQ1 to the CPU as soon as rsm is executed Alessandro Reina ACSAC 2012 12 / 20

  22. SMMDumper: Data Integrity and Transmission Network Transmission/Retransmission simple network SMM driver (polling mode) UDP protocol retransmission of lost or corrupted data supported Alessandro Reina ACSAC 2012 13 / 20

  23. SMMDumper: Data Integrity and Transmission Network Transmission/Retransmission simple network SMM driver (polling mode) UDP protocol retransmission of lost or corrupted data supported 0 checksum(pkt[x:n]) Communication Protocol x data divided in chunks of fixed phy addr size phy addr used by the receiver to handle out-of-order or missing chunks chunk checksum over the packet payload n Alessandro Reina ACSAC 2012 13 / 20

  24. SMMDumper: Data Integrity and Transmission Signing the Whole Memory Dump 1 as soon as SMMDumper starts, a smart card device D is plugged in 2 an incremental checksum C ( MD5 ) of the whole memory is computed 3 once the memory dump is completed, C is sent to a smart card device D 4 D signs C with the private key stored inside the smart card 5 the receiver verifies the signature and compares C against the gathered memory dump Alessandro Reina ACSAC 2012 14 / 20

  25. SMMDumper: Accessing Physical Memory SMM limitations SMM similar to real mode override prefixes used to access up to 4GB paging disabled physical direct memory access Alessandro Reina ACSAC 2012 15 / 20

  26. SMMDumper: Accessing Physical Memory SMM limitations SMM similar to real mode override prefixes used to access up to 4GB paging disabled physical direct memory access . . . but, still, how can we read more than 4GB? Alessandro Reina ACSAC 2012 15 / 20

  27. SMMDumper: Accessing more than 4GB (IA32 - PAE) va = 0x00200000 1 p_pde = 0x00000008 2 0x200000 phy_addr = 0x100000000 /* 36-bit */ 3 Available while phy_addr < MAX_MEMORY 4 /* Setup PDE */ 5 p_pde->page_base_addr = phy_addr 6 p_pde->p = 1 /* Present */ Injected 7 p_pre->us = 1 /* User/Super */ Code 8 /* Now 0x00200000 points to phy_addr */ 9 offset = 0 10 while offset < PAGE_SIZE: 11 Available packet = str(phy_addr+offset) 12 0x10 packet += va[offset:offset+CHUNK_SIZE] 13 PDE ⇒ 0x???????? packet += MD5(packet[0:len(packet)]) 14 0x08 /* Send pkt */ PDE ⇒ 0x00000000 15 0x0 /* Update overall checksum */ 16 offset += CHUNK_SIZE 17 phy_addr += PAGE_SIZE 18 Alessandro Reina ACSAC 2012 16 / 20

  28. SMMDumper: Experimental Evaluation Setup prototype based on coreboot (opensource BIOS) entirely coded in assembly ( ∼ 500LoC, 47% MD5 implementation) run on QEMU 1.0.1 (Intel 3GHz, 6GB RAM, 100Mbit) Alessandro Reina ACSAC 2012 17 / 20

  29. SMMDumper: Experimental Evaluation Setup prototype based on coreboot (opensource BIOS) entirely coded in assembly ( ∼ 500LoC, 47% MD5 implementation) run on QEMU 1.0.1 (Intel 3GHz, 6GB RAM, 100Mbit) Data Transmission UDP packet = 1024( chunk ) + 16( MD5 ) + 8( phy addr ) transfer time for 6GB ≈ 13.5min ≈ 10% time overhead due to MD5 calculation 144MB of metadata Alessandro Reina ACSAC 2012 17 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An investigation into the commodification of non-pecuniary consideration in the Digital Economy

An investigation into the commodification of non-pecuniary consideration in the Digital Economy

Money from nothing, and the clicks are free: An investigation into the commodification of non-pecuniary consideration in the Digital Economy David Reynolds PhD Student, IIPSI, WMG d.j.reynolds@warwick.ac.uk @davereynolds83

495 views • 20 slides
Investigation as a member of research discourse Vasily Bunakov Science and Technology Facilities

Investigation as a member of research discourse Vasily Bunakov Science and Technology Facilities

Investigation as a member of research discourse Vasily Bunakov Science and Technology Facilities Council United Kingdom Digital Libraries: Advanced Methods and Technologies, Digital Collections. Dubna, Russia, October 16, 2014 STFC Funds and

547 views • 18 slides
COLLECTION CALL CENTER DEBT COLLECTION DIGITAL MARKETING FRAUD PRINTING INVESTIGATION &amp;

COLLECTION CALL CENTER DEBT COLLECTION DIGITAL MARKETING FRAUD PRINTING INVESTIGATION &amp;

DISTRIBUTION COLLECTION CALL CENTER DEBT COLLECTION DIGITAL MARKETING FRAUD PRINTING INVESTIGATION &amp; BULK SMS ENVELOPING MESSAGING Doing business in the 21 st century isnt an easy task. As the global economy develops, the

478 views • 16 slides
Case Investigation of Avian in Southeast Asia Influenza Overview Initiating an investigation

Case Investigation of Avian in Southeast Asia Influenza Overview Initiating an investigation

Rapid Response Team Training 1 Case Investigation of Avian in Southeast Asia Influenza Overview Initiating an investigation Pre-investigation activities Investigation Recordkeeping and reporting Post-investigation activities

1.24k views • 86 slides
Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator

Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator

Investigation of Failures 49 CFR 192.617 192.617 Investigation of Failures Each operator shall establish procedures for analyzing accidents and failures, including the selection of samples of the failed facility or equipment for

948 views • 55 slides
Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD.,

Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD.,

Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD., DTM&amp;H., MCTM. Surveillance and Investigation Section Bureau of Epidemiology, Department of Disease Control Ministry of Public Health, Thailand

1.27k views • 83 slides
Investigation into procurement of goods and services from CT Management Group Pty Ltd by

Investigation into procurement of goods and services from CT Management Group Pty Ltd by

Investigation into procurement of goods and services from CT Management Group Pty Ltd by Glenorchy City Council Report of the Auditor-General No. 1 of 2017-18 Todays presentation Basis of investigation Investigation approach

460 views • 29 slides
Laboratory Investigation of Laboratory Investigation of Laboratory Investigation of Laboratory

Laboratory Investigation of Laboratory Investigation of Laboratory Investigation of Laboratory

www.eng.chula.ac.th Laboratory Investigation of Laboratory Investigation of Laboratory Investigation of Laboratory Investigation of Laboratory Investigation of Vetiver Root Reinforcement for Slope Reinforcement for Slope Reinforcement for

513 views • 48 slides
INVESTIGATION UNIT INVESTIGATION UNIT Human interaction with backhoes and excavators

INVESTIGATION UNIT INVESTIGATION UNIT Human interaction with backhoes and excavators

MINE SAFETY MINE SAFETY INVESTIGATION UNIT INVESTIGATION UNIT Human interaction with backhoes and excavators www.dpi.nsw.gov.au/investigation-unit Industry and Investment NSW data 73 reported incidents involving backhoe and excavator type

492 views • 14 slides
Accident Investigation Basics How to conduct a workplace accident investigation What Is An

Accident Investigation Basics How to conduct a workplace accident investigation What Is An

Accident Investigation Basics How to conduct a workplace accident investigation What Is An Accident? An unplanned, unwanted, but controllable event which disrupts the work process and causes injury to people. Most everyone would agree that an

498 views • 10 slides
CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic

CSN11121/CSN11122 System Administration and Forensics Introduction to Digital Forensic 20/10/2011 r.ludwiniak@napier.ac.uk Lecture Objectives 1. History and definition of Digital Forensics 2. Context for an investigation 3. An overview of

1.04k views • 65 slides
Investigation #4 Diffusion and Osmosis www.njctl.org Slide 3 / 36 Investigation #4: Diffusion

Investigation #4 Diffusion and Osmosis www.njctl.org Slide 3 / 36 Investigation #4: Diffusion

Slide 1 / 36 Slide 2 / 36 Investigation #4 Diffusion and Osmosis www.njctl.org Slide 3 / 36 Investigation #4: Diffusion &amp; Osmosis Click on the topic to go to that section Pacing/Teacher's Notes Pre-Lab Guided Investigation -

391 views • 12 slides
Doing Good Online An Investigation into the Characteristics and Motivations of Digital Volunteers

Doing Good Online An Investigation into the Characteristics and Motivations of Digital Volunteers

Doing Good Online Doing Good Online An Investigation into the Characteristics and Motivations of Digital Volunteers Dr Eun Young (EY) OH Portsmouth Business School 30th June 2016 Dr Eun Young (EY) OH (PBS) Doing Good Online 30th June 2016

465 views • 19 slides
The NIO1 negative ion source: investigation The NIO1 negative ion source: investigation and

The NIO1 negative ion source: investigation The NIO1 negative ion source: investigation and

Oral presentation at NIBS2018, 3-7 Sept 2018, Novosibirsk The NIO1 negative ion source: investigation The NIO1 negative ion source: investigation and operation experience 1 G S M. Cavenago 1 , G. Serianni2, C. Baltador1, M. Barbisan1, A.

650 views • 27 slides
The Role of the Investigation Officer Thursday 14 th June 2018 New castle | Leeds | Manchester

The Role of the Investigation Officer Thursday 14 th June 2018 New castle | Leeds | Manchester

The Role of the Investigation Officer Thursday 14 th June 2018 New castle | Leeds | Manchester What I will cover 2 Why is an investigation process important? How much investigation is needed? Who should conduct the investigation? Is

686 views • 15 slides
Is Your Small Business Online Smart? Jonathan Rajewski, MS, CCE, CFE, CISSP, ENCE Director -

Is Your Small Business Online Smart? Jonathan Rajewski, MS, CCE, CFE, CISSP, ENCE Director -

Is Your Small Business Online Smart? Jonathan Rajewski, MS, CCE, CFE, CISSP, ENCE Director - Senator Leahy Center for Digital Investigation Associate Professor - Digital Forensics | Cyber Security Digital Forensic Examiner - Vermont Internet

302 views • 26 slides
Learning Disability Community Forensic Services - A Workforce Skills Framework Lisa Proctor,

Learning Disability Community Forensic Services - A Workforce Skills Framework Lisa Proctor,

Learning Disability Community Forensic Services - A Workforce Skills Framework Lisa Proctor, Regional Workforce Specialist Midlands &amp; East Health Education England Background NHSE - Building the Right Support 2015 A National Plan

296 views • 12 slides
Biometrics for Forensics: A few words with examples in Fingerprint, Face and Handwriting Prof.

Biometrics for Forensics: A few words with examples in Fingerprint, Face and Handwriting Prof.

15/01/2020 Biometrics for Forensics: A few words with examples in Fingerprint, Face and Handwriting Prof. Julian FIERREZ Universidad Autonoma de Madrid - SPAIN http://atvs.ii.uam.es/fierrez Julian Fierrez Winter School on Biometrics,

259 views • 9 slides
Linguistics. Invitation to a Dialogue GSFL Roundtable 2017 Sune Auken University of Copenhagen

Linguistics. Invitation to a Dialogue GSFL Roundtable 2017 Sune Auken University of Copenhagen

Genre Research and Forensic Linguistics. Invitation to a Dialogue GSFL Roundtable 2017 Sune Auken University of Copenhagen (Not a forensic linguist by any count, not even a linguist (but quite fascinated)) In over my head (a humilitas trope)

354 views • 23 slides
Forensic Triage for Mobile Phones with DEC0DE Robert J. Walls Erik Learned-Miller Brian Neil

Forensic Triage for Mobile Phones with DEC0DE Robert J. Walls Erik Learned-Miller Brian Neil

Forensic Triage for Mobile Phones with DEC0DE Robert J. Walls Erik Learned-Miller Brian Neil Levine Department of Computer Science University of Massachusetts Amherst This work was supported in part by NSF award DUE-0830876.

968 views • 79 slides
Brendan Saltaformaggio, ZhongshuGu, Xiangyu Zhang, and Dongyan Xu Presented By Sharani Sankaran

Brendan Saltaformaggio, ZhongshuGu, Xiangyu Zhang, and Dongyan Xu Presented By Sharani Sankaran

Brendan Saltaformaggio, ZhongshuGu, Xiangyu Zhang, and Dongyan Xu Presented By Sharani Sankaran ! Digital investigation based on analysis of non-volatile storage . ! Loss of live evidence stored in system RAM ! Information stored in RAM:

502 views • 23 slides
Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan

Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan

Beyond files forensic OWADE cloud based forensic Elie Bursztein Stanford University Ivan Fontarensky Cassidian Matthieu Martin Stanford University Jean Michel Picod Cassidian Wednesday, August 3, 2011 The world is moving to the cloud E.

1.84k views • 171 slides
Counseling By: Sarah Blackburn, M.A., LMHCA &amp; Ismael Concepcion Poo, MA., LMHCA Introductions

Counseling By: Sarah Blackburn, M.A., LMHCA &amp; Ismael Concepcion Poo, MA., LMHCA Introductions

Forensic Mental Health Counseling By: Sarah Blackburn, M.A., LMHCA &amp; Ismael Concepcion Poo, MA., LMHCA Introductions Sarah Blackburn, M.A., Ismael Concepcion Poo, M.A., LMHCA LMHCA Title: CMHC2 Title: CMHUS Correctional Mental Health

406 views • 36 slides
A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning

A Layered Approach to Insider Threat Detection and Proactive Forensics Phillip G. Bradford, Ning Hu University of Alabama Tuscaloosa, AL 35487 ACSAC Dec. 5-9, 2005 Insider threats Definition Menaces to computer security as a result of

131 views • 11 slides

More recommend