You suck at Memory Analysis
      give it up, it’s not worth it
Disclaimer
• Contents displayed such as thoughts and opinions are exclusively
  those of Francisco Gama Tabanez Ribeiro, the author, and do not
  reflect the viewpoint or policy of any of my employers.

• You are free to use these contents for your works as well as make
  derived works from it as long as you keep visible and explicit
  references to this website in proper place.

• Images and references to other works within this production remain
  the property of their respective holders. All licenses explicitly
  applied to individual resources shall override this one.
Who?
• Francisco da Gama Tabanez Ribeiro
• Penetration Testing @ Portugal Telecom
• Certificates that I don’t have:
  MCITP, MCTS, MCPD, MCA, SSCP, CAP, CSSLP, RHCE, ISO27001,
  CISA, ITIL, CMIIB, CMIIC, CMIIS, CMIIA, CMIIP, JBCAA, CEH, CHFI,
  ECSA, CNDA, LPT, ECVP, ECSP, CCNA, CCDA, OSCE, CCNP and CCDP
Agenda
• Intro: Who? Why? How?
• 1) Memory Acquisition
• 2) Memory Analysis
• Windows: memory acquisition, process reconstitution, malware analysis
• Java: JMX, Web
• Breaking safes (Truecrypt)
• Hardware: printers, cold boot attack
• Conclusion: where next?
Some of the real experts here.
• Michael Cohen
• Brendan Dolan-Gavitt
• Jesse Kornblum
• Mark Russinovich
• Mike Auty
• Michael L. Hale
• Harlan Carvey
• Dmitry Vostokov
(photo: Dinner @ RIT's meet-up)
Why?
• OS & process behavioral tracing
• app debugging & profiling
• malware analysis (Rootkit Paradox: a rootkit must stay hidden, yet it must run, so it leaves traces in memory)
• mining raw data artifacts
• low level monitoring
• plays well with Social Engineering
• supports the Cloud, VMs & mobiles
                  suggested reading: Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
1) Memory Acquisition
Memory Acquisition Techniques
        (Software)
• Crash Dumps
• Hibernation files
• Virtual Machine Imaging/Suspend
• Physical memory device objects:
   • Windows (\Device\PhysicalMemory, \Device\DebugMemory)
   • Linux (/dev/mem, /proc/kcore, /dev/crash)
• Live kernel debug dumps (NtSystemDebugControl, NtQueryVirtualMemory)
• Inferential
Memory Acquisition Tools
• MoonSols tools, mdd, dd
• memdump, userdump
• nigilant32, KNTTools, WMFT
• Idetect, Second Look, Goldfish, fmem (Linux, Mac OS X)
                  suggested reading: Tools: Memory Imaging, Forensics Wiki
Memory Acquisition Gotchas
• memory images taken live may come "blurred": acquisition is not atomic,
  so pages keep changing while the image is being written
• time required increases with memory size
• for faster scans, reduce kernel space size (/3GB switch)
                  suggested reading: Acquisition and analysis of volatile memory from android devices, Digital Investigation
/3GB Startup Switch in 32-bit Windows (boot.ini file)

      Default                           /3GB
   0xFFFFFFFF +-----------+      0xFFFFFFFF +-----------+
              |  Kernel   |                 |  Kernel   |  1 GB
              |  Space    |      0xC0000000 +-----------+
   0x80000000 +-----------+                 |           |
              |  User     |                 |  User     |  3 GB
              |  Space    |                 |  Space    |
   0x00000000 +-----------+      0x00000000 +-----------+

                  suggested reading: How to Set the /3GB Startup Switch in Windows, Technet, Microsoft
Memory Acquisition Techniques (Hardware)
• Firewire/DMA
• PCI Card ("Tribble")
• Debug ports (JTAG)
• Inferential
                  suggested reading: Tools: Memory Imaging, Forensics Wiki
Piezo-Acoustic iPod Hack
(flickr photo by guanix)
Piezo-Acoustic iPod Hack
• iPod 4G
• firmware dump by playing sounds through the piezo speaker
• ARM code that reads addresses 0 through 65535
• one sound to represent a 1 bit, another for a 0 bit
• 64 KB file at 5 bytes/sec
• sound recognition, error detection & correction on the receiving side
• iPod-Linux project
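The receiving side of such a tone channel, as an added example (this is not the iPod-Linux code): each bit becomes one of two tones, the decoder picks the bit with a Goertzel filter per bit period, and one parity bit per byte gives the error detection the slide mentions. The sample rate, tone frequencies, the 25 ms bit period (which yields the slide's 5 bytes/s) and the parity scheme are assumptions, and the "firmware" bytes are constructed.

```python
import math
import random

# Assumed channel parameters (not taken from the original hack)
SAMPLE_RATE = 8000
BIT_SAMPLES = 200                  # 25 ms per bit -> 40 bit/s -> 5 bytes/s
FREQ = {0: 1000.0, 1: 2000.0}      # tone for a 0 bit, tone for a 1 bit

def _tone(bit):
    f = FREQ[bit]
    return [math.sin(2 * math.pi * f * n / SAMPLE_RATE) for n in range(BIT_SAMPLES)]

def _frame_bits(data):
    """MSB-first bits of each byte, followed by one even-parity bit."""
    for byte in data:
        bits = [(byte >> i) & 1 for i in range(7, -1, -1)]
        yield from bits
        yield sum(bits) & 1

def encode(data):
    """Bytes -> list of float audio samples (9 bit periods per byte)."""
    samples = []
    for bit in _frame_bits(data):
        samples.extend(_tone(bit))
    return samples

def _goertzel_power(frame, freq):
    """Energy of one tone in a frame; freq must sit on a DFT bin of BIT_SAMPLES."""
    k = round(BIT_SAMPLES * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / BIT_SAMPLES)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def _decide_bit(frame):
    return 1 if _goertzel_power(frame, FREQ[1]) > _goertzel_power(frame, FREQ[0]) else 0

def decode(samples):
    """Samples -> (bytes, indexes of bytes whose parity check failed)."""
    bits = [_decide_bit(samples[i:i + BIT_SAMPLES])
            for i in range(0, len(samples) - BIT_SAMPLES + 1, BIT_SAMPLES)]
    out, bad = bytearray(), []
    for j in range(0, len(bits) - 8, 9):
        byte_bits = bits[j:j + 8]
        value = 0
        for b in byte_bits:
            value = (value << 1) | b
        if (sum(byte_bits) & 1) != bits[j + 8]:
            bad.append(len(out))
        out.append(value)
    return bytes(out), bad

def add_noise(samples, sigma, seed=0):
    """Gaussian noise, the kind of microphone pickup the decoder must tolerate."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]

def corrupt_bit(samples, bit_index):
    """Replace one bit period with the opposite tone (a burst error)."""
    start = bit_index * BIT_SAMPLES
    current = _decide_bit(samples[start:start + BIT_SAMPLES])
    return samples[:start] + _tone(1 - current) + samples[start + BIT_SAMPLES:]

SAMPLE_DUMP = bytes(range(0, 256, 17))   # constructed "firmware" bytes

if __name__ == "__main__":
    data, bad = decode(add_noise(encode(SAMPLE_DUMP), 0.5))
    print(data.hex(), "parity failures:", bad)
```

Parity only detects an odd number of flipped bits per byte; a real dump at 5 bytes/s would add a per-block checksum and retransmission (or a proper FEC code) on top, which is the "correction" part of the slide.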
2) Memory Analysis
How?
• Static
• Dynamic
Memory Analysis Tools
• Volatility
• Memoryze
• Windbg
• Redline
• Volafox
Volatility
• an advanced memory forensics framework
• extraction of digital artifacts from volatile memory (RAM) samples
• plugin based architecture
• major releases at present moment: 1.3, 2.0 & NG (Scudette's branch)
• Python
                  suggested reading: An advanced memory forensics framework, Volatility Google Wiki pages
                  suggested reading: Volatility - Memory Forensics, Volatile Systems
Windows - things you can analyze
• processes, threads, sockets, connections, modules
• files & DLLs loaded for each process
• the hive (registry handles)
• process' addressable memory & executables extraction
• OS kernel modules
• mapping physical offsets to virtual addresses (strings to process)
• security access tokens
• more, much more...
mimikatz - getting clear text passwords in Windows

              Client Application
                     |
     SSPI  ------  Digest SSP  ------  Server
                     |
     Local Security Authority SubSystem (LSASS)
       LSA Server Service --- Digest SSP
       security packages: TsPkg, Wdigest, LiveSSP
       LsaProtectMemory / LsaUnprotectMemory
                     ^
              inject sekurlsa.dll

• Traitement du Kiwi - injects sekurlsa.dll into LSASS
• TsPkg & Wdigest store encrypted (not hashed) passwords
• used for Kerberos, NTLM/LM, HTTP Digest authentication
• function LsaUnprotectMemory retrieves the clear text password
• pass the word > pass the hash
Windows - Process reconstitution
• OS walking: KPCR > PsActiveProcessHead > _LIST_ENTRY > _EPROCESS... (pslist)
• pool tag scanning (psscan)
• others...
Windows - _EPROCESS structure
• image filename
• process id, parent process id
• create/exit times
• base priority
• exit status
• next/prev process block
• image base address
• ...
                  suggested reading: struct EPROCESS, NirSoft
Windows - process reconstitution

  PsActiveProcessHead -> EPROCESS <-> EPROCESS <-> EPROCESS
  each EPROCESS carries a LIST_ENTRY {Flink, Blink} linking it to its neighbours

DKOM (Direct Kernel Object Manipulation)

  EPROCESS <-> EPROCESS      [EPROCESS unlinked]      <-> EPROCESS
  the neighbours' Flink/Blink are patched around the hidden block, so a list
  walk (pslist) never reaches it, but the object is still in memory:
  detectable by Volatility psscan plugin
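A toy version of the two approaches on a constructed image, added here as an example and not taken from Volatility or the slides: processes are laid out with a pool header carrying the 'Proc' tag (the tag Windows uses for process objects; the header and _EPROCESS layouts below are invented and far smaller than the real ones), linked from a fake PsActiveProcessHead, and one of them is unlinked the way a DKOM rootkit does. List walking misses it; tag scanning still carves it out.

```python
import struct

# Constructed layout (not the real Windows structures):
#   block+0x00  pool header: 4 unused bytes, then the 4-byte tag b'Proc'
#   block+0x08  _EPROCESS-like body: pid, ppid, Flink, Blink (u32 LE), 16-byte image name
POOL_TAG = b"Proc"
HDR_FMT, BODY_FMT = "<4s4s", "<IIII16s"
HDR_LEN = struct.calcsize(HDR_FMT)
LIST_OFF = HDR_LEN + 8            # offset of the LIST_ENTRY {Flink, Blink} inside a block
BLOCK_LEN = HDR_LEN + struct.calcsize(BODY_FMT)

def build_image(procs, hidden_pid):
    """Lay the processes out in a 4 KiB 'physical image', link them into the
    circular list anchored at a fake PsActiveProcessHead, then unlink the one
    with hidden_pid as a DKOM rootkit would: patch the neighbours' Flink/Blink
    around it and leave the object itself in memory. Returns (image, head_addr)."""
    image = bytearray(4096)
    head = 0x100                                   # fake PsActiveProcessHead LIST_ENTRY
    blocks = [0x200 + i * 0x80 for i in range(len(procs))]
    entries = [b + LIST_OFF for b in blocks]       # what Flink/Blink point at
    ring = [head] + entries
    for i, (pid, ppid, name) in enumerate(procs):
        flink, blink = ring[(i + 2) % len(ring)], ring[i]
        body = struct.pack(BODY_FMT, pid, ppid, flink, blink, name.encode().ljust(16, b"\0"))
        image[blocks[i]:blocks[i] + BLOCK_LEN] = struct.pack(HDR_FMT, b"\0" * 4, POOL_TAG) + body
    struct.pack_into("<II", image, head, entries[0], entries[-1])
    for b in blocks:
        if struct.unpack_from("<I", image, b + HDR_LEN)[0] == hidden_pid:
            flink, blink = struct.unpack_from("<II", image, b + LIST_OFF)
            struct.pack_into("<I", image, blink, flink)        # prev->Flink = next
            struct.pack_into("<I", image, flink + 4, blink)    # next->Blink = prev
    return bytes(image), head

def _read(image, block):
    pid, ppid, _f, _b, name = struct.unpack_from(BODY_FMT, image, block + HDR_LEN)
    return pid, ppid, name.rstrip(b"\0").decode()

def pslist(image, head):
    """Walk the Flink chain from PsActiveProcessHead (what pslist does)."""
    found, cur = [], struct.unpack_from("<I", image, head)[0]
    while cur != head:
        found.append(_read(image, cur - LIST_OFF))
        cur = struct.unpack_from("<I", image, cur)[0]
    return found

def psscan(image):
    """Carve every 'Proc' pool tag out of the raw image (what psscan does);
    a real scanner sanity-checks far more fields before trusting a hit."""
    found, pos = [], image.find(POOL_TAG)
    while pos >= 0:
        block = pos - 4                                  # tag sits 4 bytes into the header
        if struct.unpack_from("<I", image, block + HDR_LEN)[0] != 0:   # pid sanity check
            found.append(_read(image, block))
        pos = image.find(POOL_TAG, pos + 1)
    return found

def hidden_processes(image, head):
    """Cross-view detection: present in the carve, absent from the list walk."""
    return sorted(set(psscan(image)) - set(pslist(image, head)))

SAMPLE_PROCS = [(4, 0, "System"), (500, 4, "lsass.exe"),
                (1337, 500, "evil.exe"), (2000, 500, "explorer.exe")]
IMAGE, HEAD = build_image(SAMPLE_PROCS, hidden_pid=1337)

if __name__ == "__main__":
    print("pslist:", [p[2] for p in pslist(IMAGE, HEAD)])
    print("psscan:", [p[2] for p in psscan(IMAGE)])
    print("hidden:", hidden_processes(IMAGE, HEAD))
```

The cross-view diff is the whole trick: anything that the carve finds and the walk does not is either an exited process whose pool block has not been reused yet or something that was unlinked on purpose, and the exit time in the real _EPROCESS tells the two apart.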
Process hollowing
• legitimate process loaded into memory to act as a code container
• host process is created in suspended mode, its image is replaced, then it is resumed
• antivirus bypassing
• meterpreter '-m' flag
• detectable with Volatility plugins pslist + procexecdump combined with
  fuzzy hashing (ssdeep) of the dumped executable against the on-disk image
                  suggested reading: Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7

   Process (suspended)  ->  Process (running)
If in doubt, it's an APT.
@explanoit
Java Management Extensions (JMX)
 • monitor and manage any Java based application
 • automatically exposed by JMX agents
 • clients like Java VisualVM can connect to it locally and remotely
 • supports MBeans
 • tools: Java VisualVM, JConsole, MAT (Eclipse), JmxCli
                  suggested reading: Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
Java Management Extensions (JMX)
 • no default port but...
      "statistical" guessing: 3333, 6161, 9999

 • authentication? encryption?
      not in practice! (the JDK agent defaults jmxremote.authenticate and
      jmxremote.ssl to true once a port is set, but startup scripts and
      deployment guides routinely set both to false)

 • properties where you can fix that:
      com.sun.management.jmxremote.port
      com.sun.management.jmxremote.ssl
      com.sun.management.jmxremote.authenticate
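A small audit of JVM command lines (as seen in a process listing) against those three properties, added here as an example and not from the slides: remote JMX only exists when jmxremote.port is set, and the two protections count as enabled unless explicitly set to false, which is the documented behaviour of the JDK agent. The weak and corrected command lines are constructed; the app.jar and file paths are placeholders.

```python
import shlex

PREFIX = "com.sun.management.jmxremote"

def jvm_props(cmdline):
    """Collect -Dkey=value system properties from a java command line."""
    props = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return props

def jmx_findings(cmdline):
    """Return the list of exposure findings for one JVM; empty means no remote JMX."""
    p = jvm_props(cmdline)
    port = p.get(PREFIX + ".port")
    if port is None:
        return []                      # no remote connector, local attach only
    findings = [f"remote JMX listening on port {port}"]
    # JDK defaults: authenticate=true and ssl=true unless explicitly disabled
    if p.get(PREFIX + ".authenticate", "true").lower() == "false":
        findings.append("authentication disabled")
    if p.get(PREFIX + ".ssl", "true").lower() == "false":
        findings.append("SSL disabled (credentials and MBean traffic in clear)")
    return findings

# Constructed command lines: the usual copy-paste from a tutorial, then a fixed one
WEAK = ("java -Dcom.sun.management.jmxremote.port=9999"
        " -Dcom.sun.management.jmxremote.ssl=false"
        " -Dcom.sun.management.jmxremote.authenticate=false -jar app.jar")
FIXED = ("java -Dcom.sun.management.jmxremote.port=9999"
         " -Dcom.sun.management.jmxremote.password.file=/etc/app/jmxremote.password"
         " -Dcom.sun.management.jmxremote.access.file=/etc/app/jmxremote.access -jar app.jar")
LOCAL = "java -jar app.jar"

if __name__ == "__main__":
    for name, cmd in (("weak", WEAK), ("fixed", FIXED), ("local", LOCAL)):
        print(name, jmx_findings(cmd) or ["no remote JMX"])
```

On a host with many JVMs, feed it the output of `ps -o args` line by line; a port with both protections left at their defaults still deserves a check that the password and access files actually exist and are readable only by the service account.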
1) open browser on URL:
http://somevictim.com:8080/jmx-console/HtmlAdaptor?action=displayMBeans
jbossify for JBoss
2) run jbossify:
wget https://raw.github.com/blackthorne/Pentest-utils/master/jbossify.py

$ python jbossify.py
jbossify.py <host> <port> <instance_name> [<properties to extract>]
jbossify.py --offline <instance_folder> [<properties to extract>]
  for offline extraction

<properties to extract> - can be 'conn', 'dd', 'sql' or 'all' (default is just conn)
conn -> ManagedConnectionFactoryProperties   (Connection Strings!)
dd   -> deploymentDescriptor
sql  -> SqlProperties
demo time!
So, Java uses Memory...
tell me you were not aware of it?
Truecrypt
• Virtual Encrypted Disks
• Partitions & storage devices
• Parallelization & Pipelining
• Automatic, Real-time & Transparent
• Hardware accelerated
• Plausible Deniability
• Multiple platforms
Meanwhile... in a memory
 chip close, close by...
demo time!
Truecrypt - finding the passphrase in memory

1) where?   the TrueCrypt DRIVER_OBJECT address
2) size?    DriverStart .. DriverStart + DriverSize
3) what?    ..on a little endian architecture..

$ xxd JOHN-2CF071298B-20120512-221220.raw | grep 123asd
88f3060: 0c00 0000 3132 3361 7364 4153 4421 4023 ....123asdASD!@#
         ^ that's a 12 (passphrase length)       ^ passphrase

{length, passphrase} tuples with fingerprint:
    ????0000           ????????..length                 0x00..
    length [1..64]     ASCII printable [0x20..0x7E]     NULs

                  suggested reading: RAM is Key: Extracting Disk Encryption Keys From Volatile Memory, Brian Kaplan, Carnegie Mellon University
                  suggested reading: Cryptoscan plugin, Jesse Kornblum
                  suggested reading: TrueDecrypt plugin, Francisco Ribeiro
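A scanner for that fingerprint, added here as an example; it is not the TrueDecrypt or cryptoscan plugin. It looks for a little-endian 32-bit length in 1..64 followed by exactly that many printable bytes and then NUL padding, and can be restricted to the driver region found in steps 1) and 2). The minimum of four trailing NULs is an assumption; the buffer is constructed and embeds the bytes from the slide's xxd output.

```python
import re
import struct

MAX_LEN = 64    # TrueCrypt's passphrase buffer, the slide's length range [1..64]
MIN_PAD = 4     # trailing NUL bytes required after the passphrase (assumption)

# Candidate start: a length byte 0x01..0x40, the three high bytes of the
# little-endian u32 length all zero, then at least one printable byte.
_CANDIDATE = re.compile(rb"(?=[\x01-\x40]\x00\x00\x00[\x20-\x7e])")

def find_passphrases(image, region=None, min_pad=MIN_PAD):
    """Return [(offset, length, passphrase)] for every {length, passphrase}
    tuple in image. region=(start, size) restricts the scan, e.g. to the
    TrueCrypt driver's DriverStart..DriverStart+DriverSize, which removes
    most hits from unrelated length-prefixed strings."""
    lo, hi = (0, len(image)) if region is None else (region[0], region[0] + region[1])
    hits = []
    for m in _CANDIDATE.finditer(image, lo, hi):
        off = m.start()
        length = struct.unpack_from("<I", image, off)[0]
        start = off + 4
        pw = image[start:start + length]
        pad = image[start + length:start + length + min_pad]
        if (1 <= length <= MAX_LEN and len(pw) == length
                and all(0x20 <= b <= 0x7E for b in pw) and pad == b"\0" * min_pad):
            hits.append((off, length, pw.decode("ascii")))
    return hits

def xxd_line(image, off, width=16):
    """Render a hit the way the slide's xxd output shows it."""
    chunk = image[off:off + width]
    hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
    text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
    return f"{off:07x}: {hexpart:<39} {text}"

# Constructed image: filler, the slide's tuple, then three look-alikes that must not match
SAMPLE = (b"\xde\xad\xbe\xef" * 8
          + b"\x0c\x00\x00\x00" + b"123asdASD!@#" + b"\x00" * 52   # the slide's hit
          + b"GET /index.html HTTP/1.1\r\n"                       # printable, no length prefix
          + b"\x03\x00\x00\x00abc" + b"\xff" * 4                   # no NUL padding
          + b"\x05\x00\x00\x00hunter" + b"\x00" * 4)               # declared length too short

if __name__ == "__main__":
    for off, length, pw in find_passphrases(SAMPLE):
        print(xxd_line(SAMPLE, off), "-> length", length, "passphrase", repr(pw))
```

On a real image the unrestricted scan returns plenty of counted strings that are not passphrases, which is why the region from the DRIVER_OBJECT matters; the candidates that survive can be tried against the volume header directly.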
Cold Boot attacks on encryption keys
 • exploits data remanence in volatile memory: DRAM keeps its contents for
   seconds after power loss, longer when cooled
 • retrieves encryption keys used to encrypt hard drives
 • Truecrypt, BitLocker, FileVault
                  suggested reading: Lest we remember: Cold Boot Attacks on Encryption Keys, Princeton University
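How a key is recognised in a decayed image, added here as an example rather than code from the Princeton paper or its aeskeyfind tool: an AES-128 key in memory is normally accompanied by its expanded round keys, so a 16-byte window is a key candidate when the 160 bytes that follow are the window's own key schedule, give or take a few decayed bytes. The image is constructed from filler, the FIPS-197 test key with its intact schedule, and a second copy with two flipped bits.

```python
def _gen_sbox():
    """Compute the AES S-box (multiplicative inverse + affine map in GF(2^8))."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # affine transform
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _gen_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # RotWord + SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

def find_aes128_keys(image, max_bad_bytes=0):
    """Return [(offset, key, mismatching_bytes)] for every window whose
    following 160 bytes match its own schedule within max_bad_bytes."""
    hits = []
    for off in range(len(image) - 176 + 1):
        key = image[off:off + 16]
        # cheap pre-filter: the first word of round key 1 before a full expansion
        w3 = key[12:16]
        w4 = bytes(key[j] ^ SBOX[w3[(j + 1) % 4]] ^ (RCON[0] if j == 0 else 0) for j in range(4))
        if sum(a != b for a, b in zip(w4, image[off + 16:off + 20])) > max_bad_bytes:
            continue
        sched = expand_key_128(key)
        bad = sum(a != b for a, b in zip(sched[16:], image[off + 16:off + 176]))
        if bad <= max_bad_bytes:
            hits.append((off, key, bad))
    return hits

# Constructed image: FIPS-197 A.1 test key, one intact schedule at 700 and one
# copy at 1500 with two decayed bits, surrounded by deterministic filler.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
_SCHED = expand_key_128(FIPS_KEY)
_DECAYED = bytearray(_SCHED)
_DECAYED[50] ^= 0x04
_DECAYED[120] ^= 0x80
_FILLER = bytes((i * 37 + 11) & 0xFF for i in range(2000))
COLD_IMAGE = _FILLER[:700] + _SCHED + _FILLER[876:1500] + bytes(_DECAYED) + _FILLER[1676:]

if __name__ == "__main__":
    for off, key, bad in find_aes128_keys(COLD_IMAGE, max_bad_bytes=4):
        print(f"key at {off:#x}: {key.hex()} ({bad} decayed bytes)")
```

The tolerance is what makes this work on a cold-boot image: decay mostly turns bits to the same ground state, so the redundancy of the schedule lets a few damaged bytes be outvoted. Decay inside the 16 key bytes themselves is the case this simple version does not handle; the real tool reconstructs those from the later rounds.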
MultiFunction Printers?
...stores images of all scanned, copied, printed and e-mailed documents...

1) Open it
(google: "<your_MFP_model> hard drive replacement")

2) Analyze that
     V..éSODX
        flipping bytes (reverse each 4-byte word)
     é..VXDOS
                  that's BIGDOS FAT16!

3) open Finder
                  suggested reading: Survey of Scanner and Printer Forensics, Purdue University
                  suggested reading: Forensic analysis of digital copiers, Svein Yngvar Willassen
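The byte flip from step 2 as code, added here as an example and not taken from the slides or the cited papers: reversing every 4-byte word is the transformation that turns the slide's "V..éSODX" into "é..VXDOS", and the FAT16 boot sector fields (jump opcode, bytes per sector, the "FAT16" type string, the 0x55AA signature) are what tells you the undo worked. The boot sector is constructed; that the copier wrote whole 32-bit words byte-reversed is the assumption this example makes.

```python
import struct

def swap32(data):
    """Reverse the byte order inside every 4-byte word (an involution)."""
    tail = len(data) % 4
    body = data[:len(data) - tail]
    out = bytearray(len(body))
    out[0::4], out[1::4], out[2::4], out[3::4] = body[3::4], body[2::4], body[1::4], body[0::4]
    return bytes(out) + data[len(body):]

def looks_like_fat16_boot_sector(sector):
    """Checks the fields a FAT16 ("BIGDOS") boot sector must have."""
    if len(sector) < 512:
        return False
    jmp_ok = sector[0] in (0xEB, 0xE9)
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    fstype = sector[54:62]
    sig_ok = sector[510:512] == b"\x55\xAA"
    return jmp_ok and bytes_per_sector in (512, 1024, 2048, 4096) and fstype.startswith(b"FAT16") and sig_ok

def detect_layout(image):
    """'native' if sector 0 parses as-is, 'swap32' if it parses after the flip, else None."""
    if looks_like_fat16_boot_sector(image[:512]):
        return "native"
    if looks_like_fat16_boot_sector(swap32(image[:512])):
        return "swap32"
    return None

def normalise(image):
    """Return the image in native byte order so a normal FAT parser can mount it."""
    layout = detect_layout(image)
    if layout == "native":
        return image
    if layout == "swap32":
        return swap32(image)
    raise ValueError("not a FAT16 image in any layout this example knows")

def make_fat16_boot_sector():
    """Constructed FAT16 boot sector with plausible BPB values."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"                    # jump over the BPB
    bs[3:11] = b"MSDOS5.0"                       # OEM name
    struct.pack_into("<HBHBHHBHHHII", bs, 11,
                     512, 4, 1, 2, 512, 65535, 0xF8, 256, 63, 255, 0, 0)
    bs[36] = 0x80                                # drive number
    bs[38] = 0x29                                # extended boot signature
    struct.pack_into("<I", bs, 39, 0x1234ABCD)   # volume id
    bs[43:54] = b"COPIER_HDD "                   # volume label
    bs[54:62] = b"FAT16   "                      # file system type
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)

NATIVE_IMAGE = make_fat16_boot_sector() + b"\x00" * 512
SWAPPED_IMAGE = swap32(NATIVE_IMAGE)             # what the copier's disk looked like

if __name__ == "__main__":
    print("swapped image layout:", detect_layout(SWAPPED_IMAGE))
    print("OEM name after undo:", normalise(SWAPPED_IMAGE)[3:11])
```

Once the layout is known, run swap32 over the whole image (it is cheap and order-independent) and hand the result to a regular FAT parser or mount it read-only; the slide's step 3 is exactly that.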
does your company handle this properly?
STUXNET
• source: US-Israel (as widely reported)
• target: Iran nuclear program
• very sophisticated cyber warfare on SCADA
• infection by USB thumb drive
• exploits Siemens Simatic S7-300 PLC
• deceives monitoring, destroys centrifuge machines
• ~10,000 lines of code
                  suggested reading: Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)
demo time!
What about searching for
what you don’t know?
Codetective
• an analysis tool to determine the crypto/encoding algorithm used
  according to traces of its representation
• can be used as a volatility plugin or as a generic tool
• filters (win, unix, web, db or other) and level of confidence
• supports:
  shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM,
  MD4, MD5, Apr, SHA1, SHA224, SHA256, SHA384, SHA512, base64,
  MySQL323, MySQL4+, DES, RipeMD320, Whirlpool, Blowfish,
  Java Session IDs, connection strings, Credit Cards, URLs
Codetective
• relevant options:
   -a (analyze)
   -u (show UUIDs)
   -v (verbose mode)
   -t (filters)
   -p (search for Process ID)
   -n (search for process name)
   If neither -p nor -n is given, it will search in all processes.
• git clone git://github.com/blackthorne/Codetective.git codetective
                  suggested reading: codetective plugin, github @blackthorne, Francisco Ribeiro
demo time!
Where next?
• Networks (Remote live forensics)
• Mobiles
• Virtual Machines
• Cloud
GRR - remote live forensics
(screenshot of the GRR web UI: hostname, client status, age selector,
the volatility plugins menu with pslist, and raw disk access)
Memory Analysis on the Cloud
• with virtualization, multiple Virtual Machines share a single physical
  machine and expose their volatile memory in snapshot files (.vmem, ...)
  that are accessible from userland on the host

• analyzing iOS iTunes memory allows you to retrieve iCloud credentials.
  Years ago that wasn't that serious, but now it's not just music, is it?

• what about Dropbox and Google accounts:
  how complex is your password?
  Does it really matter?
  Where is it stored?
My clipboard supports:
•mixed case passwords
•numbers
•special characters and length > 20
Special thanks to:
• Michael Cohen
• Brendan Dolan-Gavitt
References:
• Tools: Memory Imaging, Forensics Wiki
• Acquisition and analysis of volatile memory from android devices, Digital Investigation
• struct EPROCESS, NirSoft
• How to Set the /3GB Startup Switch in Windows, Technet, Microsoft
• Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7
• Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
• RAM is Key: Extracting Disk Encryption Keys From Volatile Memory, Brian Kaplan, Carnegie Mellon University
• Cryptoscan plugin, Jesse Kornblum
• TrueDecrypt plugin, Francisco Ribeiro
• Survey of Scanner and Printer Forensics, Purdue University
• Forensic analysis of digital copiers, Svein Yngvar Willassen
• Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)
• codetective plugin, github @blackthorne, Francisco Ribeiro
• Volatility - Memory Forensics, Volatile Systems
• Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
• An advanced memory forensics framework - Volatility, Google Wiki pages
Thank you
childish wont-let-go nickname: blackthorne

   blackthorne (geek)
   bthorne_daily (social)

   francisco@ironik.org
   (PGP key: 0xBDD20CF1)

   http://www.digitalloft.org
   (homepage)

 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)MongoDB
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization mentoresd
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
Advanced Administration, Monitoring and Backup
Advanced Administration, Monitoring and BackupAdvanced Administration, Monitoring and Backup
Advanced Administration, Monitoring and BackupMongoDB
 
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...ITCamp
 
Deployment Strategy
Deployment StrategyDeployment Strategy
Deployment StrategyMongoDB
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionFederico Franzoni
 
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privilegesLinx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privilegesAliBawazeEer
 
Memory Forensic: Investigating Memory Artefact
Memory Forensic: Investigating Memory ArtefactMemory Forensic: Investigating Memory Artefact
Memory Forensic: Investigating Memory ArtefactSatria Ady Pradana
 
Memory Forensic - Investigating Memory Artefact
Memory Forensic - Investigating Memory ArtefactMemory Forensic - Investigating Memory Artefact
Memory Forensic - Investigating Memory ArtefactSatria Ady Pradana
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 

Similar to Memory Analysis Tools and Techniques (20)

淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道 淺談探索 Linux 系統設計之道
淺談探索 Linux 系統設計之道
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Defeating Windows memory forensics
Defeating Windows memory forensicsDefeating Windows memory forensics
Defeating Windows memory forensics
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic Analysis
 
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityAndroid Mind Reading: Android Live Memory Analysis with LiME and Volatility
Android Mind Reading: Android Live Memory Analysis with LiME and Volatility
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Advanced Administration, Monitoring and Backup
Advanced Administration, Monitoring and BackupAdvanced Administration, Monitoring and Backup
Advanced Administration, Monitoring and Backup
 
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...
Programming on Windows 8.1: The New Stream and Storage Paradigm (Raffaele Ria...
 
Deployment Strategy
Deployment StrategyDeployment Strategy
Deployment Strategy
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Hybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest ProtectionHybis: Advanced Introspection for Effective Windows Guest Protection
Hybis: Advanced Introspection for Effective Windows Guest Protection
 
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privilegesLinx privx privileges-sudo misconfiguration group and docker daemon privileges
Linx privx privileges-sudo misconfiguration group and docker daemon privileges
 
Deployment
DeploymentDeployment
Deployment
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Memory Forensic: Investigating Memory Artefact
Memory Forensic: Investigating Memory ArtefactMemory Forensic: Investigating Memory Artefact
Memory Forensic: Investigating Memory Artefact
 
Memory Forensic - Investigating Memory Artefact
Memory Forensic - Investigating Memory ArtefactMemory Forensic - Investigating Memory Artefact
Memory Forensic - Investigating Memory Artefact
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 

Recently uploaded

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 

Recently uploaded (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 

Memory Analysis Tools and Techniques

1. You suck at Memory Analysis
give it up, it’s not worth it

2. Disclaimer
• Contents displayed such as thoughts and opinions are exclusively those of Francisco Gama Tabanez Ribeiro, the author, and do not reflect the viewpoint or policy of any of my employers.
• You are free to use these contents for your works as well as make derived works from it as long as you keep visible and explicit references to this website in proper place.
• Images and references to other works within this production remain the property of their respective holders. All licenses explicitly applied to individual resources shall override this one.

3. Who?
• Francisco da Gama Tabanez Ribeiro
• Penetration Testing @ Portugal Telecom
• Certificates that I don’t have: MCITP, MCTS, MCPD, MCA, SSCP, CAP, CSSLP, RHCE, ISO27001, CISA, ITIL, CMIIB, CMIIC, CMIIS, CMIIA, CMIIP, JBCAA, CEH, CHFI, ECSA, CNDA, LPT, ECVP, ECSP, CCNA, CCDA, OSCE, CCNP and CCDP

4. Agenda
• Intro: Who? Why? How?; 1) Memory Acquisition; 2) Memory Analysis
• Windows: memory acquisition; process reconstitution; malware analysis
• Java: JMX; Web
• Breaking safes (Truecrypt)
• Hardware: printers; cold boot attack
• Conclusion: where next?

5. Some of the real experts here.
• Michael Cohen
• Mike Auty
• Brendan Dolan-Gavitt
• Michael L. Hale
• Jesse Kornblum
• Harlan Carvey
• Mark Russinovich
• Dmitry Vostokov

7-8. Why?
• OS & process behavioral tracing
• app debugging & profiling
• malware analysis (Rootkit Paradox)
• mining raw data artifacts
• low level monitoring
• plays well with Social Engineering
• supports the Cloud, VMs & mobiles
suggested reading: Exploiting the Rootkit Paradox with Windows Memory Analysis, Jesse D. Kornblum
10. Memory Acquisition Techniques (Software)
• Crash dumps
• Hibernation files
• Virtual machine imaging / suspend
• Physical memory device objects:
  • Windows (\Device\PhysicalMemory, \Device\DebugMemory)
  • Linux (/dev/mem, /proc/kcore, /dev/crash)
• Live kernel debug dumps (NtSystemDebugControl, NtQueryVirtualMemory)
• Inferential

11-12. Memory Acquisition Tools
• MoonSols tools, mdd, dd
• memdump, userdump
• nigilant32, KNTTools, WMFT
• Idetect, Second Look, Goldfish, fmem (Linux, Mac OS X)
suggested reading: Tools: Memory Imaging, Forensics Wiki

13-14. Memory Acquisition Gotchas
• memory images taken live may come “blurred”: the system keeps running while the image is written, so pages captured early and late in the dump are not from the same instant
• time required increases with memory size
• for faster scans, reduce kernel space size (/3GB switch)
suggested reading: Acquisition and analysis of volatile memory from android devices, Digital Investigation

15-16. /3GB Startup Switch in 32-bit Windows (boot.ini)
Default:   user space 0x00000000-0x7FFFFFFF, kernel space 0x80000000-0xFFFFFFFF
With /3GB: user space 0x00000000-0xBFFFFFFF, kernel space 0xC0000000-0xFFFFFFFF
suggested reading: How to Set the /3GB Startup Switch in Windows, TechNet, Microsoft
17-18. Memory Acquisition Techniques (Hardware)
• Firewire/DMA
• PCI card (“Tribble”)
• Debug ports (JTAG)
• Inferential
suggested reading: Tools: Memory Imaging, Forensics Wiki

20-21. Piezo-Acoustic iPod Hack (flickr photo by guanix)
• iPod 4G
• firmware dump by playing sounds
• ARM code that can read addresses 0 through 65535
• one sound to represent a 1 bit, another for a 0 bit
• 64 KB file at 5 bytes/sec
• sound recognition, error detection & correction
• iPod-Linux project
24. Memory Analysis Tools
• Volatility
• Memoryze
• Windbg
• Redline
• Volafox

26-27. Volatility
• an advanced memory forensics framework
• extraction of digital artifacts from volatile memory (RAM) samples
• plugin based architecture
• major releases at present moment: 1.3, 2.0 & NG (Scudette’s branch)
• Python
suggested reading: Volatility: An advanced memory forensics framework, Volatile Systems; Volatility Memory Forensics wiki pages (Google)

29. Windows - things you can analyze
• processes, threads, sockets, connections, modules
• files & DLLs loaded for each process
• the hive (registry handles)
• process' addressable memory & executables extraction
• OS kernel modules
• mapping physical offsets to virtual addresses (strings to process)
• security access tokens
• more, much more...
30-32. mimikatz - getting clear text passwords in Windows
Diagram: Client Application → SSPI → Digest SSP → Local Security Authority SubSystem (LSASS) → LSA Server → Digest SSP Service. Inside LSASS the authentication packages TsPkg, Wdigest and LiveSSP keep credentials protected with LsaProtectMemory / LsaUnprotectMemory; mimikatz injects sekurlsa.dll into LSASS to reach them.

34. mimikatz - getting clear text passwords from Windows
• Traitement du Kiwi - injects sekurlsa.dll (LSASS)
• TsPkg & Wdigest store encrypted (not hashed) passwords
• used for Kerberos, NTLM/LM, HTTP Digest authentication
• the function LsaUnprotectMemory retrieves the clear text password
• pass the word > pass the hash
35. Windows - Process reconstitution
• OS walking: KPCR > PsActiveProcessHead > _LIST_ENTRY > _EPROCESS ... (pslist)
• pool tags (psscan)
• others..

36-37. Windows - _EPROCESS structure
• image filename
• process id, parent process id
• create/exit times
• base priority
• exit status
• next/prev process block
• image base address
• ...
suggested reading: struct EPROCESS, NirSoft

38-39. Windows - process reconstitution
PsActiveProcessHead → EPROCESS ⇄ EPROCESS ⇄ EPROCESS: each _EPROCESS holds a LIST_ENTRY whose Flink points to the next block and Blink to the previous one, so pslist walks the list starting from the head.

40. DKOM (Direct Kernel Object Manipulation)
Unlink an _EPROCESS from the doubly linked list (prev.Flink = cur.Flink, next.Blink = cur.Blink): the process keeps running and its block stays in memory, but a list walk no longer reaches it. Detectable by the Volatility psscan plugin, which finds _EPROCESS blocks by their pool tag instead of following the links.
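The difference between walking the list (pslist) and carving by pool tag (psscan) is easiest to see on a toy layout. The block below is an added example written for this page, not Volatility code: it lays out a list head and three fake process records in a byte buffer, unlinks one of them the way a DKOM rootkit would, and shows that the list walk loses the record while a tag scan still finds it. The record layout, the "Proc" tag at the start of each record (on real Windows it lives in the preceding _POOL_HEADER) and the offsets-as-pointers convention are all assumptions made for the example.

```python
import struct

# Toy layout, constructed for this example: a list head (PsActiveProcessHead)
# at offset 0 followed by fixed-size records standing in for _EPROCESS. Links
# are offsets into the buffer, not virtual addresses; offset 0 means "the head".
TAG = b"Proc"
HEAD = struct.Struct("<II")          # Flink, Blink of the list head
REC = struct.Struct("<4s16sIII")     # tag, image name, pid, Flink, Blink


def build_memory(procs):
    """Lay out one record per (name, pid) and link them into a circular
    doubly linked list anchored at the head (offset 0)."""
    offs = [HEAD.size + i * REC.size for i in range(len(procs))]
    buf = bytearray(HEAD.size + len(procs) * REC.size + 32)
    HEAD.pack_into(buf, 0, offs[0] if offs else 0, offs[-1] if offs else 0)
    for i, (name, pid) in enumerate(procs):
        flink = offs[i + 1] if i + 1 < len(offs) else 0      # 0 == back to the head
        blink = offs[i - 1] if i > 0 else 0
        REC.pack_into(buf, offs[i], TAG, name.encode().ljust(16, b"\0"), pid, flink, blink)
    return bytes(buf), offs


def _set_links(buf, off, flink=None, blink=None):
    """Rewrite Flink and/or Blink of the record (or the head) at `off` in place."""
    if off == 0:
        f, b = HEAD.unpack_from(buf, 0)
        HEAD.pack_into(buf, 0, f if flink is None else flink, b if blink is None else blink)
    else:
        tag, name, pid, f, b = REC.unpack_from(buf, off)
        REC.pack_into(buf, off, tag, name, pid,
                      f if flink is None else flink, b if blink is None else blink)


def unlink(mem, off):
    """DKOM: splice the record at `off` out of the list. Its memory, pool tag
    and own link fields are left untouched, as a rootkit would leave them."""
    buf = bytearray(mem)
    _, _, _, flink, blink = REC.unpack_from(buf, off)
    _set_links(buf, blink, flink=flink)   # prev.Flink = cur.Flink
    _set_links(buf, flink, blink=blink)   # next.Blink = cur.Blink
    return bytes(buf)


def walk_list(mem):
    """pslist-style enumeration: follow Flink from the head until it wraps."""
    seen, cur = [], HEAD.unpack_from(mem, 0)[0]
    while cur != 0:
        _, name, pid, flink, _ = REC.unpack_from(mem, cur)
        seen.append((name.rstrip(b"\0").decode(), pid))
        cur = flink
    return seen


def scan_tags(mem):
    """psscan-style enumeration: carve every record that carries the pool tag,
    whether or not anything still links to it."""
    found, pos = [], mem.find(TAG)
    while pos != -1:
        if pos + REC.size <= len(mem):
            _, name, pid, _, _ = REC.unpack_from(mem, pos)
            if pid:                      # cheap sanity check; psscan validates more fields
                found.append((name.rstrip(b"\0").decode(), pid))
        pos = mem.find(TAG, pos + 1)
    return found


def demo():
    """Hide the third process via DKOM and compare both enumeration methods."""
    mem, offs = build_memory([("System", 4), ("lsass.exe", 620), ("evil.exe", 1337)])
    hidden = unlink(mem, offs[2])
    return walk_list(hidden), scan_tags(hidden)


if __name__ == "__main__":
    walked, scanned = demo()
    print("pslist-style:", walked)
    print("psscan-style:", scanned)
```

The same logic is why the two plugins are compared in practice: a process that appears in psscan output but not in pslist output is either legitimately terminated (its pool block not yet reused) or deliberately unlinked, and the exit time in the carved _EPROCESS tells the two cases apart.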
42-43. Process hollowing
• legitimate process loaded into memory to act as a code container
• host process is created in suspended mode
• antivirus bypassing
• meterpreter ‘-m’ flag
• detectable with Volatility plugins pslist + procexecdump combined with fuzzy hashing (ssdeep): the executable dumped from memory no longer resembles the image on disk
suggested reading: Eternal Sunshine on the Spotless RAM, SecurityStreet, Rapid7

44. Process hollowing
Process (suspended) → Process (running)

46. “If in doubt, it's an APT.” @explanoit
48-49. Java Management Extensions (JMX)
• monitor and manage any Java based application
• automatically exposed by JMX agents
• clients like Java VisualVM can connect to it locally and remotely
• supports MBeans
• tools: Java VisualVM, JConsole, MAT (Eclipse), JmxCli
suggested reading: Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide

51. Java Management Extensions (JMX)
• no default port but... “statistical” guessing: 3333, 6161, 9999
• authentication? encryption? not by default!
• properties where you can fix that:
  com.sun.management.jmxremote.port
  com.sun.management.jmxremote.ssl
  com.sun.management.jmxremote.authenticate
  (once jmxremote.port is set, the JDK defaults ssl and authenticate to true; the exposed instances you find are the ones started with both explicitly set to false)

53-57. 1) open browser on URL:
http://somevictim.com:8080/jmx-console/HtmlAdaptor?action=displayMBeans

58. jbossify for JBoss
2) run jbossify:
wget https://raw.github.com/blackthorne/Pentest-utils/master/jbossify.py
$ python jbossify.py
jbossify.py <host> <port> <instance_name> [<properties to extract>]
jbossify.py --offline <instance_folder> [<properties to extract>]   (offline extraction)
<properties to extract> - can be 'conn', 'dd', 'sql' or 'all' (default is just conn)
conn -> ManagedConnectionFactoryProperties, dd -> deploymentDescriptor, sql -> SqlProperties
Connection strings!

60. So, Java uses memory... tell me you were not aware of it?
62. Truecrypt
• Virtual encrypted disks
• Partitions & storage devices
• Parallelization & pipelining
• Automatic, real-time & transparent
• Hardware accelerated
• Plausible deniability
• Multiple platforms

69. Meanwhile... in a memory chip close, close by...

72-73. Truecrypt
1) where? the TrueCrypt driver’s DRIVER_OBJECT address
2) size? the driver image spans DriverStart to DriverStart + DriverSize
suggested reading: RAM is Key: Extracting Disk Encryption Keys From Volatile Memory, Brian Kaplan, Carnegie Mellon University

74-77. Truecrypt (on a little endian architecture)
3) what?
$ xxd JOHN-2CF071298B-20120512-221220.raw | grep 123asd
88f3060: 0c00 0000 3132 3361 7364 4153 4421 4023  ....123asdASD!@#
The DWORD 0c00 0000 is the passphrase length (0x0000000c = 12, little endian) and the 12 bytes that follow are the passphrase itself. So the thing to look for is {length, passphrase} tuples with the fingerprint:
  length: 4-byte little-endian integer in [1..64]
  passphrase: `length` ASCII printable bytes [0x20..0x7E]
  followed by NULL padding
suggested reading: Cryptoscan plugin, Jesse Kornblum; TrueDecrypt plugin, Francisco Ribeiro
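The fingerprint above is enough to write a scanner. The block below is an added example for this page, not the TrueDecrypt or Cryptoscan plugin: it slides over a raw image, treats every position as a possible little-endian length field in [1..64], and reports it when exactly that many printable bytes follow and the next byte is NUL. The optional strict mode assumes the passphrase sits in a 65-byte zero-filled text buffer (so NULs = 65 - length); that buffer size is an assumption about TrueCrypt's layout, not something the slide states. The sample image is constructed.

```python
import struct

MIN_LEN, MAX_LEN = 1, 64                   # passphrase length bounds from the slide
PRINTABLE = frozenset(range(0x20, 0x7F))   # ASCII printable [0x20..0x7E]


def find_passphrase_candidates(image, pad_to=None):
    """Return (offset, passphrase) for every position in `image` where a
    little-endian 32-bit length in [1..64] is immediately followed by that many
    ASCII-printable bytes and then NUL padding.

    pad_to=None -> require at least one NUL after the passphrase (the slide's
                   fingerprint: the length must really match the string).
    pad_to=65   -> require the rest of a 65-byte text buffer to be NUL as well
                   (assumed TrueCrypt buffer size); stricter, far fewer false
                   positives from other length-prefixed strings in memory.
    """
    hits = []
    for off in range(0, len(image) - 4):
        length = struct.unpack_from("<I", image, off)[0]
        if not MIN_LEN <= length <= MAX_LEN:
            continue
        start, end = off + 4, off + 4 + length
        text = image[start:end]
        if len(text) != length or any(b not in PRINTABLE for b in text):
            continue
        pad_end = end + 1 if pad_to is None else start + pad_to
        pad = image[end:pad_end]
        if len(pad) != pad_end - end or any(pad):
            continue
        hits.append((off, text.decode("ascii")))
    return hits


# Constructed sample "image": one well-formed tuple at offset 16 plus two decoys.
SAMPLE = (
    b"\x00" * 16
    + struct.pack("<I", 12) + b"123asdASD!@#" + b"\x00" * 53   # length 12, NUL padded to 65
    + struct.pack("<I", 70) + b"A" * 70 + b"\x00" * 4          # length outside [1..64]
    + struct.pack("<I", 3) + b"abcx" + b"\x00" * 4             # length does not match the text
    + b"\xffTAIL"
)

if __name__ == "__main__":
    for off, passphrase in find_passphrase_candidates(SAMPLE, pad_to=65):
        print(f"{off:#010x}: {passphrase!r}")
```

On a full image the loose fingerprint matches every short length-prefixed string, which is why the slides first locate the driver (steps 1 and 2) and scan only DriverStart..DriverStart + DriverSize; feeding that slice to the function instead of the whole dump is the practical way to use it.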
78-79. Cold Boot attacks on encryption keys
• exploits data remanence in volatile memory: DRAM keeps its contents for seconds to minutes after power is cut, longer when the chips are cooled
• retrieves encryption keys used to encrypt hard drives
• Truecrypt, BitLocker, FileVault
suggested reading: Lest We Remember: Cold Boot Attacks on Encryption Keys, Princeton University
80. MultiFunction Printers?
...stores images of all scanned, copied, printed and e-mailed documents...

81-84. MultiFunction Printers?
1) Open it (google: “<your_MFP_model> hard drive replacement”)

86-88. MultiFunction Printers?
2) Analyze that
The raw dump shows strings such as V..éSODX; flipping the byte order within each word gives é..VXDOS, and the volume turns out to be BIGDOS FAT16: the copier’s controller stores words in the opposite byte order from the analysis host, so the image has to be byte-swapped before any filesystem tool will recognise it.
3) open Finder (mount the byte-swapped image)
suggested reading: Survey of Scanner and Printer Forensics, Purdue University; Forensic analysis of digital copiers, Svein Yngvar Willassen
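Rather than eyeballing flipped strings, the swap width can be detected by checking which interpretation of sector 0 looks like a FAT boot sector. The block below is an added example for this page, not tooling from the talk: it implements the byte swap for 16- and 32-bit words (the slide's V..éSODX → é..VXDOS is a 32-bit reversal), a structural FAT12/16 boot-sector check, and a detector that tries each width. The boot sector used as input is constructed, not from a real copier.

```python
import struct


def byteswap(data, width):
    """Reverse the byte order inside every `width`-byte word (2 or 4).
    Input is NUL-padded to a multiple of `width`; applying it twice restores it."""
    if width not in (2, 4):
        raise ValueError("width must be 2 or 4")
    buf = bytes(data) + b"\x00" * ((-len(data)) % width)
    out = bytearray(len(buf))
    for i in range(width):
        out[i::width] = buf[width - 1 - i::width]
    return bytes(out)


def looks_like_fat16_boot_sector(sector):
    """Cheap structural check of a FAT12/16 boot sector: a jump opcode at 0,
    a plausible bytes-per-sector field at 11, the FAT1x label of the
    extended BPB at 54 and the 0x55AA signature at 510."""
    if len(sector) < 512:
        return False
    bps = struct.unpack_from("<H", sector, 11)[0]
    return (sector[0] in (0xEB, 0xE9)
            and bps in (512, 1024, 2048, 4096)
            and sector[54:59] in (b"FAT12", b"FAT16")
            and sector[510:512] == b"\x55\xAA")


def detect_byte_order(sector):
    """Return 1 if the sector validates as-is, 2 or 4 if it validates after a
    16- or 32-bit byte swap, or None if no interpretation looks like FAT."""
    if looks_like_fat16_boot_sector(sector):
        return 1
    for width in (2, 4):
        if looks_like_fat16_boot_sector(byteswap(sector, width)):
            return width
    return None


def build_sample_boot_sector():
    """Constructed minimal FAT16 boot sector (not taken from any device)."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x3C\x90"                 # JMP short + NOP
    s[3:11] = b"MSDOS5.0"                    # OEM name
    struct.pack_into("<HBHBHHBH", s, 11, 512, 4, 1, 2, 512, 0, 0xF8, 32)
    # bytes/sector, sectors/cluster, reserved sectors, FATs, root entries,
    # total sectors (0 -> 32-bit field is used), media descriptor, sectors/FAT
    s[54:62] = b"FAT16   "
    s[510:512] = b"\x55\xAA"
    return bytes(s)


if __name__ == "__main__":
    dump = byteswap(build_sample_boot_sector(), 4)    # what the "copier" wrote
    print("raw OEM field:", dump[3:11], "-> swapped:", byteswap(dump, 4)[3:11])
    print("detected swap width:", detect_byte_order(dump))
```

Once the width is known, write `byteswap(image, width)` to a new file and hand that to Sleuth Kit or a loopback mount. The check is deliberately a heuristic: an MFP disk can also be encrypted or use a vendor format, in which case no width validates and `None` is the honest answer.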
89. does your company handle this properly?
97-98. STUXNET
• source: US-Israel
• target: Iran nuclear program
• very sophisticated cyber warfare on SCADA
• infection by USB thumb drive
• exploits Siemens Simatic S7-300 PLC
• deceives monitoring, destroys centrifuge machines
• ~10,000 lines of code
suggested reading: Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)

100. What about searching for what you don’t know?
• 101. Codetective • an analysis tool to determine the crypto/encoding algorithm used according to traces of its representation • can be used as a volatility plugin or as a generic tool • filters (win, unix, web, db or other) and level of confidence • supports: shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM, MD4, MD5, Apr, SHA1, SHA224, SHA256, SHA384, SHA512, base64, MySQL323, MYSQL4+, DES, RipeMD320, Whirlpool, Blowfish, Java Session IDs, connection strings, Credit Cards, URLs
• 102-103. Codetective • relevant options: -a (analyze) -u (show UUIDs) -v (verbose mode) -t (filters) -p (search for Process ID) -n (search for process name). If neither -p nor -n is defined, it will search in all processes. • git clone git://github.com/blackthorne/Codetective.git codetective. suggested reading: codetective plugin, github @blackthorne, Francisco Ribeiro
  • 106. Where next? • Networks (Remote live forensics) • Mobiles • Virtual Machines • Cloud
• 107. GRR - remote live forensics (screenshot of the GRR console: hostname, volatility plugins, age selector, status, pslist, raw disk)
• 109. Memory Analysis on the Cloud • with virtualization, multiple Virtual Machines share a single physical machine and expose their volatile memory in snapshot files (.vmem..) that are accessible from userland • Analyzing iOS iTunes memory allows you to retrieve iCloud credentials. Years ago that wasn’t that serious, but now it’s not just music, is it? • What about Dropbox and Google accounts: how complex is your password? Does it really matter? Where is it stored?
• 110. My clipboard supports: • mixed case passwords • numbers • special characters and length > 20
  • 111. Special thanks to: • Michael Cohen • Brendan Dolan-Gavitt
• 112. References: • Tools: Memory Imaging, Forensics Wiki • Acquisition and analysis of volatile memory from android devices, Digital Investigation • struct EPROCESS, NirSoft • How to Set the /3GB Startup Switch in Windows - Technet, Microsoft • Eternal Sunshine on the Spotless RAM - SecurityStreet, Rapid7 • Monitoring and Management Using JMX Technology, Java SE Monitoring and Management Guide
• 113. References: • RAM is Key, Extracting Disk Encryption Keys From Volatile Memory by Brian Kaplan, Carnegie Mellon University • Cryptoscan plugin, Jesse Kornblum • TrueDecrypt plugin, Francisco Ribeiro • Survey of Scanner and Printer Forensics, Purdue University • Forensic analysis of digital copiers, Svein Yngvar Willassen • Stuxnet's Footprint in Memory with Volatility 2.0, MNIN Security Blog, Michael Ligh (MHL)
  • 114. References: • codetective plugin - github @blackthorne, Francisco Ribeiro • Volatility - Memory Forensics, Volatile Systems • Exploiting the Rootkit Paradox with Windows - Memory Analysis, Jesse D. Kornblum • An advanced memory forensics framework - Volatility, Google Wiki pages
• 116. Thank you. Childish won’t-let-go nickname: blackthorne. blackthorne (geek), bthorne_daily (social). francisco@ironik.org (PGP key: 0xBDD20CF1). http://www.digitalloft.org (homepage)