pre boot ram acquisition and compression martijn bogaard
play

Pre-boot RAM acquisition and compression Martijn Bogaard Student - PowerPoint PPT Presentation

Apr 17, 2023 •110 likes •535 views

Pre-boot RAM acquisition and compression Martijn Bogaard Student of Master in System and Network Engineering University of Amsterdam 02 July 2015 Why memory forensics? What was the user doing? What applications were running? Is

  1. Pre-boot RAM acquisition and compression Martijn Bogaard Student of Master in System and Network Engineering University of Amsterdam 02 July 2015

  2. Why memory forensics? • What was the user doing? • What applications were running? • Is the system infected with malware? Pre-boot RAM acquisition and compression | 02 July 2015 | 2

  3. Why memory forensics? • What was the user doing? • What applications were running? • Is the system infected with malware? • Cryptokeys! Pre-boot RAM acquisition and compression | 02 July 2015 | 3

  4. (Cold) boot attack • Demonstrated in 2008 by Halderman et al. – “Lest We Remember: Cold Boot Attacks on Encryption Keys” Pre-boot RAM acquisition and compression | 02 July 2015 | 4

  5. (Cold) boot attack • msramdmp • {bios, efi}_memimage • Boot minimal OS? Pre-boot RAM acquisition and compression | 02 July 2015 | 5

  6. Open challenges • What if we want to acquire evidence from: – Many systems? – Both memory and disk? – Over the network? – Systems with 4G+ RAM? Pre-boot RAM acquisition and compression | 02 July 2015 | 6

  7. Related work • Bootable Linux CD / PXE for remote acquisition of multiple computers. (Cortjens 2014) • Remote data acquisition on block devices in large environments. (van den Haak 2014) Pre-boot RAM acquisition and compression | 02 July 2015 | 7

  8. Research question “Is pre-boot compression a useful technique to reduce the destruction of data when an operating system is loaded?” Pre-boot RAM acquisition and compression | 02 July 2015 | 8

  9. Goals • Overwrite as little as possible • Support >4G • PXE & USB • In a reasonable timeframe Pre-boot RAM acquisition and compression | 02 July 2015 | 9

  10. Proposed solution • Compress RAM content before starting OS • Start Linux based OS • Extract compressed data from RAM Pre-boot RAM acquisition and compression | 02 July 2015 | 10

  11. Steps • Analysis of RAM content (Shannon Entropy) • Selection of data compression algorithm • Development of acquisition algorithm • Development of Proof of Concept Pre-boot RAM acquisition and compression | 02 July 2015 | 11

  12. RAM entropy 12 Dump from VMs • – 256 MiB – 8 GiB – Windows & Linux – Several roles (desktop, server, live CD) Shannon Entropy ( H ) • – In bits / byte of data Measured over whole RAM and in blocks • – 4 & 16 kilobyte Average H 5.36 ( σ 1.46) • Pre-boot RAM acquisition and compression | 02 July 2015 | 12

  13. RAM entropy Windows 7 x86 (Office usage) 0 2G Tails 1.4 with encrypted folder (photos) 0 2G Pre-boot RAM acquisition and compression | 02 July 2015 | 13

  14. Data compression algorithms Tested 13 algorithms • – Some with multiple presets – 19 tests in total Focused on memory usage • – Every byte used is written over original data – Measured using Valgrind with Massif But also duration, compression factor, theoretical worst- • case scenario… – Tested against the RAM dumps of prev. step Pre-boot RAM acquisition and compression | 02 July 2015 | 14

  15. Data compression algorithms • Selected LZW for Proof of Concept – 3,6 seconds / GiB (compression) – 60% avg. space saved – 7.7k mem usage (4.5k code, 3.2k stack, 0 heap) – Worst case output up to 104% of input length Pre-boot RAM acquisition and compression | 02 July 2015 | 15

  16. Acquisition algorithm • Work in non-contiguous address space • Don’t destroy more than absolutely necessary • Make enough space to boot OS • Protect compressed data from OS • Provable forensic integrity Pre-boot RAM acquisition and compression | 02 July 2015 | 16

  17. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 17

  18. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 18

  19. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 19

  20. Acquisition algorithm Pre-boot RAM acquisition and compression | 02 July 2015 | 20

  21. Acquisition algorithm Pre-boot RAM acquisition and compression | 02 July 2015 | 21

  22. Acquisition algorithm Pre-boot RAM acquisition and compression | 02 July 2015 | 22

  23. Acquisition algorithm Pre-boot RAM acquisition and compression | 02 July 2015 | 23

  24. Acquisition algorithm Pre-boot RAM acquisition and compression | 02 July 2015 | 24

  25. Acquisition algorithm Pre-boot RAM acquisition and compression | 02 July 2015 | 25

  26. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 26

  27. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 27

  28. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 28

  29. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 29

  30. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 30

  31. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 31

  32. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 32

  33. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 33

  34. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 34

  35. Acquisition algorithm 0 1G Pre-boot RAM acquisition and compression | 02 July 2015 | 35

  36. Proof of Concept Syslinux module to compress RAM • – Supports CD, USB stick, PXE on BIOS & UEFI – Compress 100 MiB / block – SHA256 checksum over input – Modifies firmware memory map to hide compressed data OpenWRT based OS • – Very small & low memory footprint – PXE boot needs 82 MiB free memory incl. ram disk Python script to extract compressed data • – Patched /dev/mem interface Pre-boot RAM acquisition and compression | 02 July 2015 | 36

  37. Proof of Concept • Tested with USB & PXE • Store compressed data to NFS volume • Decompress on different machine – In worst-case ~20 MiB free memory available • Modified QEMU to fill memory with pattern Pre-boot RAM acquisition and compression | 02 July 2015 | 37

  38. Proof of Concept $ ¡./decompress.py ¡dumps/03a78c78-­‑dd57-­‑436f-­‑b81e-­‑5e66d8e3dc49 ¡ … ¡ Memory ¡map: ¡ ¡ [ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡0] ¡-­‑ ¡[ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡9F7FF] ¡OK ¡ [ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡9F800] ¡-­‑ ¡[ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡FFFFF] ¡MISSING ¡ [ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡100000] ¡-­‑ ¡[ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡FFFFFF] ¡OK ¡ [ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡1000000] ¡-­‑ ¡[ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡73FFFFF] ¡Checksum ¡INVALID! ¡ [ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡7400000] ¡-­‑ ¡[ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡D7FFFFF] ¡OK ¡ [ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡D800000] ¡-­‑ ¡[ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡13BFFFFF] ¡OK ¡ [ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡13C00000] ¡-­‑ ¡[ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡19FFFFFF] ¡OK ¡ [ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡1A000000] ¡-­‑ ¡[ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡1FEEFFFF] ¡OK ¡ [ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡1FEF0000] ¡-­‑ ¡[ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡1FEFEFFF] ¡OK ¡ [ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡1FEFF000] ¡-­‑ ¡[ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡1FEFFFFF] ¡OK ¡ Pre-boot RAM acquisition and compression | 02 July 2015 | 38

  39. Comparison with existing solutions Method Recovered Not recoverable msramdmp 1022.8 M 99.883% 1.2 M 0.117% bios_memimage 1022.7 M 99.872% 1.3 M 0.128% Proof of Concept 1019.5 M 99.556% 4.5 M 0.444% OpenWRT (ref) 878.0 M 85.700% 146.0 M 14.3% Pre-boot RAM acquisition and compression | 02 July 2015 | 39

  40. Conclusion • Concept works • Slightly increased memory usage – But can also be used for other evidence gathering – Mostly accountable to Syslinux Pre-boot RAM acquisition and compression | 02 July 2015 | 40

  41. Future work • Test with UEFI based systems • Modify Syslinux – 64-bit or PAE support – Lower memory usage? • Test more scenario’s with low amount of RAM • More samples to predict likelihood of success Pre-boot RAM acquisition and compression | 02 July 2015 | 41

  42. QUESTIONS? Martijn Bogaard martijn.bogaard@os3.nl Pre-boot RAM acquisition and compression | 02 July 2015 | 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

REMOTE ACQUISITION BOOT ENVIRONMENT (RABE) BOOTABLE LINUX CD / PXE FOR THE REMOTE ACQUISITION OF

REMOTE ACQUISITION BOOT ENVIRONMENT (RABE) BOOTABLE LINUX CD / PXE FOR THE REMOTE ACQUISITION OF

REMOTE ACQUISITION BOOT ENVIRONMENT (RABE) BOOTABLE LINUX CD / PXE FOR THE REMOTE ACQUISITION OF MULTIPLE COMPUTERS DENNIS CORTJENS UVA | SNE | RP2 NFI AGENDA Introduction Results / Conclusion Research Future research

625 views • 20 slides
RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT. BOOT https://github.com/boot-clj/boot BOOT TEMPLATES boot -d seancorfield/boot-new new -t tenzing -n <name> [+a <option>]* $ cd

566 views • 22 slides
Joining in Lucene Martijn van Groningen martijn.vangroningen@searchworkings.com Lucene Committer

Joining in Lucene Martijn van Groningen martijn.vangroningen@searchworkings.com Lucene Committer

Joining in Lucene Martijn van Groningen martijn.vangroningen@searchworkings.com Lucene Committer & PMC Member Monday, June 4, 2012 Joining Introduction Data is often relational, but Lucenes document model is not. Support for

223 views • 19 slides
Targeting the Right Ventricle Harm Jan Bogaard 3/9/2019 Its the RV! Hypothesis RV

Targeting the Right Ventricle Harm Jan Bogaard 3/9/2019 Its the RV! Hypothesis RV

Disclosure Company Relationship Type Actelion Grant support UCSF Continuing Medical Education Therabel Grant support Glaxo Grant support Boehringer Ingelheim Grant support Targeting the Right Ventricle Harm Jan Bogaard 3/9/2019 Its

193 views • 8 slides
Data Compression Techniques Grzegorz Pastuszak Warsaw University of Technology Trieste

Data Compression Techniques Grzegorz Pastuszak Warsaw University of Technology Trieste

Data Compression Techniques Grzegorz Pastuszak Warsaw University of Technology Trieste 22.05.2019 Need for compression Saving disk space for the archiving Limited bandwidth between detectors and the data acquisition system (DAQ)

325 views • 20 slides
Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression

Compression Lecture 9: Compression 1 / 52 Compression Recap Bu ff er Management Recap 2 / 52 Compression Recap Bu ff er Management Thread Safety A piece of code is thread-safe if it functions correctly during simultaneous execution

784 views • 52 slides
Chain. Hans BOGAARD, Rabobank. Value Chain Finance and the importance of understanding the

Chain. Hans BOGAARD, Rabobank. Value Chain Finance and the importance of understanding the

Brussels Development Briefing n.35 Revolutionising finance for agri-value chains 5 March 2014 http://brusselsbriefings.net Value Chain Finance and the Importance of Understanding the Value Chain. Hans BOGAARD, Rabobank. Value Chain Finance

983 views • 27 slides
From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg

From Sorting to Heaps to Compression Data Compression video on demand/set top box jpeg in browsers gzip, pkzip, compress, zip, ... for files (stacker?) Lossy compression, Lossless compression Huffman coding possible to

275 views • 6 slides
Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure

Top 10 Secure Boot mistakes Jasper van Woudenberg (Job de Haas) jasper@riscure.com @jzvw 1 Secure Boot Theory Internal boot ROM 1 st stage boot loader N th stage Verify signature Optional decrypt boot loader OS / Application 2

517 views • 25 slides
Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression

Scientific Data Compression: From Stone-Age to Renaissance Factor 10,100 compression Background Focus on spatial compression Best in class lossy compressor Point wise max error bound: 10 -5 Open questions Random noise

564 views • 19 slides
I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device

I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device

I Boot when U-Boot @bernardomr (MIA) @_evict 1 / 44 Agenda 1. Introduction 2. The target device 3. The bootkit 4. Defending / Detecting 2 / 44 Introduction Vincent Works at KPN REDteam Likes Linux and low-level stu Located in Amsterdam

792 views • 44 slides
Trending Boot Technology The Most Determinate Piece of Equipment in Skiing is the Boot. Boots are

Trending Boot Technology The Most Determinate Piece of Equipment in Skiing is the Boot. Boots are

Trending Boot Technology The Most Determinate Piece of Equipment in Skiing is the Boot. Boots are the transmitters of body movement to the ski. Proper support, comfort, and performance application make the difference between a good day on the snow

431 views • 29 slides
Kodi - Open Source Home Entertainment Software (formerly known as XBMC) Ejal de Klerk Martijn

Kodi - Open Source Home Entertainment Software (formerly known as XBMC) Ejal de Klerk Martijn

Kodi - Open Source Home Entertainment Software (formerly known as XBMC) Ejal de Klerk Martijn Kaijser Who Are we? Martijn Kaijser ( Martijn ) Ejal de Klerk ( Kib ) Martijn@kodi.tv Kib@kodi.tv User since Dharma 10.1 ~2011

637 views • 40 slides
Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15

Securing Secure Boot on Xen Ross Lagerwall Software Engineer, Citrix Systems 1 / 15 Presentation licensed CC-By-SA-4.0 Why Secure Boot? How can we prevent running malware at boot? With Secure Boot! What if the machine is a VM in

303 views • 15 slides
Dec 08 Backup Boot Flash Tools (BBF): Introduction Introduction The Backup Boot Flash (BBF) is

Dec 08 Backup Boot Flash Tools (BBF): Introduction Introduction The Backup Boot Flash (BBF) is

Dec 08 Backup Boot Flash Tools (BBF): Introduction Introduction The Backup Boot Flash (BBF) is an innovative SPI tool created by DediProg to force the application controller to work (read, program, update..) on the backup memory inserted in the

1.06k views • 17 slides
Beyond Admissibility : Dominance between chains of strategies Dominance between chains of

Beyond Admissibility : Dominance between chains of strategies Dominance between chains of

Beyond Admissibility : Beyond Admissibility : Dominance between chains of strategies Dominance between chains of strategies Marie van den Bogaard 1 Marie van den Bogaard Joint work with N. Basset 2 , I. Jecker 1 , A.Pauly 3 & J.-F. Raskin 1

1.05k views • 100 slides
Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing

Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing

Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing Applying empirical results to reduce the cost of testing. Example: 2.5 year study ~ 20% lower test development cost and 20% - 50% better

479 views • 13 slides
Single Letter Formulas for Quantized Compressed Sensing with Gaussian Codebooks Alon Kipnis

Single Letter Formulas for Quantized Compressed Sensing with Gaussian Codebooks Alon Kipnis

Single Letter Formulas for Quantized Compressed Sensing with Gaussian Codebooks Alon Kipnis (Stanford) Galen Reeves (Duke) Yonina Eldar (Technion) ISIT, June 2018 Table of Contents Introduction Motivation Problem Formulation Background

459 views • 45 slides
gzip, tar Purpose file archiving -compressing multiple files into one smaller file

gzip, tar Purpose file archiving -compressing multiple files into one smaller file

Unix/Linux Commands: gzip, tar Purpose file archiving -compressing multiple files into one smaller file -extracting/decompressing files from an archive -makes sharing files easier tar deals with its own format (.tar) Usage: gzip gzip

1.07k views • 9 slides
Gzip Compression Using Altera OpenCL Mohamed Abdelfattah (University of Toronto) Andrei Hagiescu

Gzip Compression Using Altera OpenCL Mohamed Abdelfattah (University of Toronto) Andrei Hagiescu

Gzip Compression Using Altera OpenCL Mohamed Abdelfattah (University of Toronto) Andrei Hagiescu Deshanand Singh Gzip Widely-used lossless compression program Gzip = LZ77 + Huffman Big data needs fast compression Gigabyte-per-second

861 views • 59 slides
I N the past few years, network traffic characterization has several consecutive transitions lead

I N the past few years, network traffic characterization has several consecutive transitions lead

Deterministic Finite Automaton for Scalable Traffic Identification: the Power of Compressing by Range Rafael Antonello, Stenio Fernandes, Djamel Sadok, Judith Gza Szabo Kelner Ericsson Traffic Lab Federal University of Pernambuco (UFPE)

406 views • 8 slides
Inforce Data Compression Methods for Actuarial Modeling I f D t C i M th d f A t i l M d li

Inforce Data Compression Methods for Actuarial Modeling I f D t C i M th d f A t i l M d li

Inforce Data Compression Methods for Actuarial Modeling I f D t C i M th d f A t i l M d li Presented to 46 th Actuarial Research Conference University of Connecticut August 13, 2011 Matthew Wininger, FSA, MAAA Deloitte Consulting LLP

568 views • 20 slides
FULL YEAR RESULTS 2018 Disclaimer The information contained in this presentation document (the

FULL YEAR RESULTS 2018 Disclaimer The information contained in this presentation document (the

FULL YEAR RESULTS 2018 Disclaimer The information contained in this presentation document (the presentation, which term includes any information provided verbally in connection with this presentation document) does not constitute an offer

576 views • 31 slides
SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS AGENDA

SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS AGENDA

Angelo Prado Neal Harris Yoel Gluck SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS AGENDA Proceed with caution: Review of CRIME Introducing BREACH In the weeds Demo time! Mitigations b r e a c h SSL,

526 views • 40 slides

More recommend