[Vol-users] 29c3 defeating windows memory forensics
George M. Garner Jr.
ggarner_online at gmgsystemsinc.com
Wed Jan 9 11:29:25 CST 2013
On 1/7/2013 2:52 PM, Luka Milkovic wrote:
> None of the tools I tested had such cryptographic and advanced logging
Moonsols Community Edition appears to support a "/s" option which will
generate a cryptographic checksum which may be compared to the actual
checksum of the output file. While it is true, as you say, that
cryptographic checksums will not detect tampering which occurred prior
to the checksum's creation, adding the "/s" option should detect all of
the kernel mode attacks which you document. It will force you to attack
along the read path (NtMapViewOfSection, MmMapIoSpace and
MmMapMemoryDumpMdl) or else to fake both the content and the checksum.
I am assuming that Matthieu is generating the checksum before writing
the data to disk and not from the output file after it has been written.
+1 for Matthieu (maybe).
> Once you consider the possibility that the system is owned,
> there is no point talking about forensic soundness since subversion
> is pretty much assumed. <
If a "forensic" tool is unable reliably to acquire volatile evidence
from an uncompromised system there is no reason to believe that it will
perform any better in the face of sophisticated malware. The API's
above may fail as part of the ordinary operation of the operating
system. If an acquisition tool is unaware that the API has failed or is
internally aware but fails silently the investigator will be left to
guess whether the contents of the evidence file are an accurate
reflection of the state of physical memory at a given moment in time or
a reflection of the failure on the part of the acquisition process.
Failure to implement a sound forensic process is exploitable, moreover,
because a malicious entity has only to mimic a normal read error in the
right location to "hide" from the hapless investigator. Just because
there may be some sophisticated malware out there will defeat even the
most well designed acquisition tool is no excuse for allowing yourself
to become a victim of every script kiddie that comes along!
More information about the Vol-users