Pre-boot RAM acquisition and compression - Martijn Bogaard (PowerPoint presentation)

SLIDE 1

Pre-boot RAM acquisition and compression Martijn Bogaard

Student of Master in System and Network Engineering University of Amsterdam

02 July 2015

SLIDE 2

Pre-boot RAM acquisition and compression | 02 July 2015 | 2

Why memory forensics?

  • What was the user doing?
  • What applications were running?
  • Is the system infected with malware?

SLIDE 3

Why memory forensics?

  • What was the user doing?
  • What applications were running?
  • Is the system infected with malware?
  • Cryptokeys!

SLIDE 4

(Cold) boot attack

  • Demonstrated in 2008 by Halderman et al.

– “Lest We Remember: Cold Boot Attacks on Encryption Keys”

SLIDE 5

(Cold) boot attack

  • msramdmp
  • {bios, efi}_memimage
  • Boot minimal OS?

SLIDE 6

Open challenges

  • What if we want to acquire evidence from:

– Many systems?
– Both memory and disk?
– Over the network?
– Systems with 4G+ RAM?

SLIDE 7

Related work

  • Bootable Linux CD / PXE for remote acquisition of multiple computers. (Cortjens 2014)
  • Remote data acquisition on block devices in large environments. (van den Haak 2014)

SLIDE 8

Research question

“Is pre-boot compression a useful technique to reduce the destruction of data when an operating system is loaded?”

SLIDE 9

Goals

  • Overwrite as little as possible
  • Support >4G
  • PXE & USB
  • In a reasonable timeframe

SLIDE 10

Proposed solution

  • Compress RAM content before starting OS
  • Start Linux based OS
  • Extract compressed data from RAM

SLIDE 11

Steps

  • Analysis of RAM content (Shannon Entropy)
  • Selection of data compression algorithm
  • Development of acquisition algorithm
  • Development of Proof of Concept

SLIDE 12

RAM entropy

  • 12 dumps from VMs

– 256 MiB – 8 GiB
– Windows & Linux
– Several roles (desktop, server, live CD)

  • Shannon Entropy (H)

– In bits / byte of data

  • Measured over whole RAM and in blocks

– 4 & 16 kilobyte

  • Average H 5.36 (σ 1.46)
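
The slide reports Shannon entropy in bits per byte, measured over the whole dump and per 4 KiB / 16 KiB block, and summarised as an average with a standard deviation. The following is an added example, not the author's measurement code: it computes exactly that statistic in Python over a constructed 48 KiB stand-in for a RAM dump (zeroed pages, ASCII text, pseudo-random bytes), so the reader can see why per-block entropy, rather than the whole-image figure, is what predicts how much an in-place compressor can save. The sample image, the 4 KiB default and the function names are assumptions of this example.

```python
import math
import random
from collections import Counter

KIB = 1024


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy H of a byte block, in bits per byte:
    H = -sum(p(x) * log2(p(x))) over the byte values that occur.
    0.0 means every byte is identical; 8.0 means all 256 values are equally likely."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def block_entropies(image: bytes, block_size: int) -> list:
    """Entropy per fixed-size block, the per-block measurement from the slide
    (the talk used 4 KiB and 16 KiB blocks)."""
    return [shannon_entropy(image[i:i + block_size])
            for i in range(0, len(image), block_size)]


def mean_and_sigma(values: list) -> tuple:
    """Average H and population standard deviation, the form reported on slide 12."""
    mean = sum(values) / len(values)
    sigma = math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))
    return mean, sigma


def build_sample_image() -> bytes:
    """Constructed stand-in for a RAM dump (not a real dump): 16 KiB of zeroed
    pages, 16 KiB of ASCII text, 16 KiB of pseudo-random bytes (what key
    material or already-compressed data looks like in memory)."""
    rng = random.Random(2015)
    zeros = bytes(16 * KIB)
    text = (b"The quick brown fox jumps over the lazy dog. " * 400)[:16 * KIB]
    noise = bytes(rng.getrandbits(8) for _ in range(16 * KIB))
    return zeros + text + noise


def entropy_report(image: bytes, block_size: int = 4 * KIB) -> dict:
    """Whole-image entropy versus per-block statistics. The per-block numbers
    are what matter for in-place compression: a block of zeroed pages compresses
    to almost nothing, a block of random bytes not at all, and the whole-image
    figure hides that difference."""
    blocks = block_entropies(image, block_size)
    mean, sigma = mean_and_sigma(blocks)
    return {
        "whole": shannon_entropy(image),
        "block_mean": mean,
        "block_sigma": sigma,
        "blocks": blocks,
    }


if __name__ == "__main__":
    rep = entropy_report(build_sample_image())
    print(f"whole-image H = {rep['whole']:.2f} bits/byte")
    print(f"per-4KiB-block H = {rep['block_mean']:.2f} (sigma {rep['block_sigma']:.2f})")
    for i, h in enumerate(rep["blocks"]):
        print(f"block {i:2d}: H = {h:.2f}")
```

Run it directly to see the three regions separate cleanly: the zeroed blocks sit at 0.0, the text blocks around 4 bits/byte, and the random blocks just under 8.0, while the whole-image entropy lands in between and says little about any individual block.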

SLIDE 13

RAM entropy

[Figure: per-block entropy plots of two 2G dumps]
– 2G Windows 7 x86 (Office usage)
– 2G Tails 1.4 with encrypted folder (photos)

SLIDE 14

Data compression algorithms

  • Tested 13 algorithms

– Some with multiple presets
– 19 tests in total

  • Focused on memory usage

– Every byte used is written over original data
– Measured using Valgrind with Massif

  • But also duration, compression factor, theoretical worst-case scenario…

– Tested against the RAM dumps of prev. step

SLIDE 15

Data compression algorithms

  • Selected LZW for Proof of Concept

– 3.6 seconds / GiB (compression)
– 60% avg. space saved
– 7.7k mem usage (4.5k code, 3.2k stack, 0 heap)
– Worst case output up to 104% of input length

SLIDE 16

Acquisition algorithm

  • Work in non-contiguous address space
  • Don’t destroy more than absolutely necessary
  • Make enough space to boot OS
  • Protect compressed data from OS
  • Provable forensic integrity

SLIDES 17-35

Acquisition algorithm

[Figure: step-by-step animation of the acquisition algorithm on an example system with 1G of RAM; the diagrams themselves are not recoverable from the transcript]

SLIDE 36

Proof of Concept

  • Syslinux module to compress RAM

– Supports CD, USB stick, PXE on BIOS & UEFI
– Compress 100 MiB / block
– SHA256 checksum over input
– Modifies firmware memory map to hide compressed data

  • OpenWRT based OS

– Very small & low memory footprint
– PXE boot needs 82 MiB free memory incl. ram disk

  • Python script to extract compressed data

– Patched /dev/mem interface

SLIDE 37

Proof of Concept

  • Tested with USB & PXE
  • Store compressed data to NFS volume
  • Decompress on different machine

– In worst-case ~20 MiB free memory available

  • Modified QEMU to fill memory with pattern

SLIDE 38

Proof of Concept

$ ./decompress.py dumps/03a78c78-dd57-436f-b81e-5e66d8e3dc49
…
Memory map:

[        0] - [    9F7FF] OK
[    9F800] - [    FFFFF] MISSING
[   100000] - [   FFFFFF] OK
[  1000000] - [  73FFFFF] Checksum INVALID!
[  7400000] - [  D7FFFFF] OK
[  D800000] - [ 13BFFFFF] OK
[ 13C00000] - [ 19FFFFFF] OK
[ 1A000000] - [ 1FEEFFFF] OK
[ 1FEF0000] - [ 1FEFEFFF] OK
[ 1FEFF000] - [ 1FEFFFFF] OK
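
Slides 36 and 38 together describe the two halves of the proof of concept: a pre-boot stage that walks the usable memory regions block by block, takes a SHA-256 checksum over the raw input and compresses it, and a post-boot decompress.py that lists every region of the memory map as OK, MISSING or Checksum INVALID!. The following is an added example, not the author's Syslinux module or decompress.py: it models the same pipeline in Python on a constructed 64 KiB memory image with a constructed usable-region list, then injects the two failure modes the listing above shows (one block lost, one block overwritten after acquisition) so the verification step reports them. zlib stands in for the PoC's LZW, the block size is 4 KiB instead of 100 MiB, the 'store' fallback for incompressible blocks and the names REGIONS, acquire, verify and demo are all assumptions of this example.

```python
import hashlib
import random
import zlib

BLOCK = 4096  # constructed block size; the PoC compressed 100 MiB per block

# Constructed usable-RAM list in the style of a firmware (e820-like) memory map:
# (first byte, last byte).  The hole 0x4000-0x5FFF stands in for a reserved range.
REGIONS = [(0x0000, 0x3FFF), (0x6000, 0xFFFF)]


def build_sample_memory() -> bytearray:
    """Constructed 64 KiB 'physical memory': text, zeroed pages and random bytes."""
    rng = random.Random(42)
    mem = bytearray(64 * 1024)
    mem[0x0000:0x4000] = (b"forensic sample text " * 1000)[:0x4000]
    mem[0x6000:0xA000] = bytes(0x4000)
    mem[0xA000:0x10000] = bytes(rng.getrandbits(8) for _ in range(0x6000))
    return mem


def acquire(regions, read_phys) -> list:
    """Pre-boot stage: walk the usable regions block by block, hash the raw input
    (SHA-256, as the PoC does) and compress it.  zlib stands in for the PoC's LZW.
    If compression would not shrink a block the raw bytes are kept ('store'), so
    the output never exceeds the input and the space budget stays predictable."""
    records = []
    for start, end in regions:
        for off in range(start, end + 1, BLOCK):
            size = min(BLOCK, end + 1 - off)
            raw = read_phys(off, size)
            comp = zlib.compress(raw, 9)
            method, payload = ("zlib", comp) if len(comp) < size else ("store", raw)
            records.append({"start": off, "end": off + size - 1, "method": method,
                            "sha256": hashlib.sha256(raw).hexdigest(), "data": payload})
    return records


def verify(regions, records) -> tuple:
    """Post-boot stage, mirroring the decompress.py memory-map listing: every
    expected block is reported as OK, MISSING (no record survived) or
    'Checksum INVALID!' (recovered bytes do not match the recorded hash).
    Returns (report, recovered); recovered maps block start -> raw bytes."""
    by_start = {r["start"]: r for r in records}
    report, recovered = [], {}
    for start, end in regions:
        for off in range(start, end + 1, BLOCK):
            last = min(off + BLOCK, end + 1) - 1
            rec = by_start.get(off)
            if rec is None:
                report.append((off, last, "MISSING"))
                continue
            try:
                raw = zlib.decompress(rec["data"]) if rec["method"] == "zlib" else rec["data"]
            except zlib.error:
                raw = b""  # corrupt stream: treated like any other checksum failure
            if hashlib.sha256(raw).hexdigest() != rec["sha256"]:
                report.append((off, last, "Checksum INVALID!"))
                continue
            recovered[off] = raw
            report.append((off, last, "OK"))
    return report, recovered


def space_saved(records) -> float:
    """Fraction of input bytes not needed for the acquired output."""
    in_bytes = sum(r["end"] - r["start"] + 1 for r in records)
    out_bytes = sum(len(r["data"]) for r in records)
    return 1.0 - out_bytes / in_bytes


def demo() -> tuple:
    """Acquire the constructed memory, then simulate two failure modes before
    verification: the block at 0x1000 is lost entirely, and the block at 0xA000
    is overwritten (here: replaced by zeros) so its checksum no longer matches."""
    mem = build_sample_memory()
    records = acquire(REGIONS, lambda off, n: bytes(mem[off:off + n]))
    saved = space_saved(records)
    damaged = []
    for r in records:
        if r["start"] == 0x1000:
            continue
        if r["start"] == 0xA000:
            r = dict(r, data=zlib.compress(bytes(BLOCK)), method="zlib")
        damaged.append(r)
    report, recovered = verify(REGIONS, damaged)
    return report, recovered, mem, saved


if __name__ == "__main__":
    report, recovered, mem, saved = demo()
    print(f"space saved: {saved:.0%}")
    print("Memory map:")
    for start, end, status in report:
        print(f"[{start:9X}] - [{end:9X}] {status}")
```

The checksum is taken over the raw input before compression, so a block that decompresses cleanly but was clobbered by the booting OS is still caught, which is the property the slides call provable forensic integrity; a region absent from the records is reported rather than silently skipped, so the analyst knows which address ranges the acquired image does not cover.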

SLIDE 39

Comparison with existing solutions

Method             Recovered              Not recoverable
msramdmp           1022.8 M  (99.883%)      1.2 M  (0.117%)
bios_memimage      1022.7 M  (99.872%)      1.3 M  (0.128%)
Proof of Concept   1019.5 M  (99.556%)      4.5 M  (0.444%)
OpenWRT (ref)       878.0 M  (85.700%)    146.0 M  (14.3%)

SLIDE 40

Conclusion

  • Concept works
  • Slightly increased memory usage

– But can also be used for other evidence gathering
– Mostly accountable to Syslinux

SLIDE 41

Future work

  • Test with UEFI based systems
  • Modify Syslinux

– 64-bit or PAE support
– Lower memory usage?

  • Test more scenarios with low amount of RAM
  • More samples to predict likelihood of success

SLIDE 42

QUESTIONS?

Martijn Bogaard martijn.bogaard@os3.nl