Fernández-Álvarez, Pedro; Rodríguez, Ricardo J.
Module Extraction and DLL Hijacking Detection via Single or Multiple Memory Dumps Journal Article
In: Forensic Science International: Digital Investigation, vol. 44, pp. 301505, 2023, ISSN: 2666-2817, (Accepted for publication. To appear. Selected Papers of the Tenth Annual DFRWS Europe Conference).
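@article{FR-FSIDI-23,
  title         = {Module Extraction and {DLL} Hijacking Detection via Single or Multiple Memory Dumps},
  author        = {Fernández-Álvarez, Pedro and Rodríguez, Ricardo J.},
  journal       = {Forensic Science International: Digital Investigation},
  volume        = {44},
  pages         = {301505},
  year          = {2023},
  date          = {2023-01-01},
  issn          = {2666-2817},
  doi           = {10.1016/j.fsidi.2023.301505},
  url           = {https://webdiis.unizar.es/~ricardo/files/papers/FR-FSIDI-23.pdf},
  urldate       = {2023-01-01},
  abstract      = {A memory dump contains the current state of a system's physical memory at the time of its acquisition. Among other things, it contains the processes that were running at the time of acquisition. These processes can share certain functionalities provided by shared object files, which are internally represented by modules in Windows. However, each process only maps in its address space the functionalities it needs, and not the entire shared object file. In this way, the current tools for extracting modules from existing processes in a memory dump from a Windows system obtain the partial content of the shared object files instead of the entire file. In this paper we present two tools, dubbed Modex and Intermodex, which are built on top of the Volatility 3 framework. These tools allow a forensic analyst to extract a 64-bit module from one or more Windows memory dumps as completely as possible. To achieve this, they aggregate the contents of the same module loaded by multiple processes that were running in the same memory dump or in different dumps (we called it intradump and interdump, respectively). Additionally, we also show how our developed tools are useful to detect dynamic-link library (DLL) hijacking attacks, a widely used attack on Windows where attackers trick processes into loading a malicious DLL instead of the benign one.},
  note          = {Accepted for publication. To appear. Selected Papers of the Tenth Annual DFRWS Europe Conference},
  keywords      = {digital forensics, DLL hijacking, memory forensics, Volatility, Windows},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Ignored field (annotation only). Names normalised to "Last, First" form and the DLL acronym braced so styles keep its case; url switched to https to match the MR-ICDF2C-21 entry on the same host. The note still says "To appear" although volume, pages and doi are present -- confirm and drop that qualifier once verified.},
}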
Fernández-Álvarez, Pedro; Rodríguez, Ricardo J
Extraction and Analysis of Retrievable Memory Artifacts from Windows Telegram Desktop Application Journal Article
In: Forensic Science International: Digital Investigation, vol. 40, pp. 301342, 2022, ISBN: 2666-2817.
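@article{FR-FSIDI-22,
  title         = {Extraction and Analysis of Retrievable Memory Artifacts from {Windows} {Telegram Desktop} Application},
  author        = {Fernández-Álvarez, Pedro and Rodríguez, Ricardo J.},
  journal       = {Forensic Science International: Digital Investigation},
  volume        = {40},
  pages         = {301342},
  year          = {2022},
  date          = {2022-01-01},
  issn          = {2666-2817},
  doi           = {10.1016/j.fsidi.2022.301342},
  url           = {https://webdiis.unizar.es/~ricardo/files/papers/FR-FSIDI-22.pdf},
  abstract      = {Instant messaging applications have become a very common way of communicating, and today there are many applications of this type. The forensic analysis of these applications can help provide essential clues to solve or clarify a possible crime. This type of applications generally store their data in a secure way or transmit it through encrypted channels and thus, the forensic analysis of memory takes on special relevance to analyze them. Following a three-phase forensic analysis methodology, this work has developed a forensic analysis environment for instant messaging applications composed of two tools. One of the tools is responsible for extracting the content of a process that runs on a Windows system, while the other focuses on studying the information present in the process memory of an instant messaging application. This second tool can be easily adapted and extended to provide analysis support for any instant messaging application. As a case study, we focus on the Telegram application for Windows systems called Telegram Desktop. Adapting these tools to this application, their joint use allows obtaining forensic artifacts of interest for an investigation, such as user contacts or the content of conversations that have taken place, among others, even when the application is blocked. Obtaining these data is of great help for a forensic analyst, since the analysis of these data can be vital to clarify the events that occurred in some type of criminal act. Both tools are open source under the GNU/GPLv3 license to promote their use and extensibility to applications of other instant messaging services.},
  keywords      = {digital forensics, instant messaging, memory forensics, Telegram Desktop, Windows},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Ignored field (annotation only). The original export stored the journal's serial number 2666-2817 as isbn; it is the same ISSN the FR-FSIDI-23 entry carries for this journal, so it is recorded as issn here. Trailing space after the second author removed and the initial given its period for consistency with the other entries.},
}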
Martín-Pérez, Miguel; Rodríguez, Ricardo J; Balzarotti, Davide
Pre-processing Memory Dumps to Improve Similarity Score of Windows Modules Journal Article
In: Computers & Security, vol. 101, pp. 102119, 2021, ISSN: 0167-4048.
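@article{MRB-COSE-21,
  title         = {Pre-processing Memory Dumps to Improve Similarity Score of {Windows} Modules},
  author        = {Martín-Pérez, Miguel and Rodríguez, Ricardo J. and Balzarotti, Davide},
  journal       = {Computers \& Security},
  volume        = {101},
  pages         = {102119},
  year          = {2021},
  date          = {2021-01-01},
  issn          = {0167-4048},
  doi           = {10.1016/j.cose.2020.102119},
  url           = {https://webdiis.unizar.es/~ricardo/files/papers/MRB-COSE-21.pdf},
  abstract      = {Memory forensics is useful to provide a fast triage on running processes at the time of memory acquisition in order to avoid unnecessary forensic analysis. However, due to the effects of the execution of the process itself, traditional cryptographic hashes, normally used in disk forensics to identify files, are unsuitable in memory forensics. Similarity digest algorithms allow an analyst to compute a similarity score of inputs that can be slightly different. In this paper, we focus on the issues caused by relocation of Windows processes and system libraries when computing similarities between them. To overcome these issues, we introduce two methods (Guided De-relocation and Linear Sweep De-relocation) to pre-process a memory dump. The goal of both methods is to identify and undo the effect of relocation in every module contained in the dump, providing sanitized inputs to similarity digest algorithms that improve similarity scores between modules. Guided De-relocation relies on specific structures of the Windows PE format, while Linear Sweep De-relocation relies on a disassembling process to identify assembly instructions having memory operands that address to the memory range of the module. We have integrated both methods in a Volatility plugin and evaluated them in different scenarios. Our results demonstrate that pre-processing memory dumps with these methods significantly improves similarity scores between memory modules.},
  keywords      = {memory forensics, relocation, similarity digest algorithms, Windows},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Ignored field (annotation only). The bare ampersand in the journal name is a LaTeX special character and is escaped as \& so the bibliography compiles; names normalised to "Last, First" form.},
}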
Martín-Pérez, Miguel; Rodríguez, Ricardo J
Quantifying Paging on Recoverable Data from Windows User-Space Modules Proceedings Article
In: Proceedings of the 12th EAI International Conference on Digital Forensics & Cyber Crime, Springer, 2021, (Accepted for publication. To appear).
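@inproceedings{MR-ICDF2C-21,
  title         = {Quantifying Paging on Recoverable Data from {Windows} User-Space Modules},
  author        = {Martín-Pérez, Miguel and Rodríguez, Ricardo J.},
  booktitle     = {Proceedings of the 12th {EAI} International Conference on Digital Forensics \& Cyber Crime},
  publisher     = {Springer},
  year          = {2021},
  date          = {2021-01-01},
  url           = {https://webdiis.unizar.es/~ricardo/files/papers/MR-ICDF2C-21.pdf},
  abstract      = {Memory forensic analysis enables a forensic examiner to retrieve evidence of a security incident, such as encryption keys, or analyze malware that resides solely in memory. During this process, the current state of system memory is acquired and saved to a file denoted as memory dump, which is then analyzed with dedicated software for evidence. Although a memory dump contains large amounts of data for analysis, its content can be inaccurate and incomplete due to how an operating system's memory management subsystem works: page swapping, on-demand paging, or page smearing are some of the problems that can affect the data that resides in memory. In this paper, we evaluate how these issues affect user-mode modules by measuring the ratio of modules that reside in memory on a Windows 10 system under different memory workloads. On Windows, a module represents an image (that is, an executable, shared dynamic library, or driver) that was loaded as part of the kernel or a user-mode process. We show that this ratio is particularly low in shared dynamic library modules, as opposed to executable modules. We also discuss the issues of memory forensics that can affect scanning for malicious evidences in particular. Additionally, we have developed a Volatility plugin, dubbed pluginName, which helps forensic analysts obtain paging information from a memory dump for each process running at the time of acquisition, providing them with information on the amount of data that cannot be properly analyzed.},
  note          = {Accepted for publication. To appear},
  keywords      = {digital forensics, malware, memory forensics, paging, Windows modules},
  pubstate      = {published},
  tppubtype     = {inproceedings},
  internal-note = {Ignored field (annotation only). Ampersand in booktitle escaped as \& and the EAI acronym braced; names normalised to "Last, First" form. The entry has no pages, doi or series/volume and the note still reads "To appear" -- fill these in and drop the qualifier once the proceedings reference is confirmed.},
}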
Uroz, Daniel; Rodríguez, Ricardo J
On Challenges in Verifying Trusted Executable Files in Memory Forensics Journal Article
In: Forensic Science International: Digital Investigation, vol. 32, pp. 300917, 2020.
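@article{UR-FSIDI-20,
  title         = {On Challenges in Verifying Trusted Executable Files in Memory Forensics},
  author        = {Uroz, Daniel and Rodríguez, Ricardo J.},
  journal       = {Forensic Science International: Digital Investigation},
  volume        = {32},
  pages         = {300917},
  year          = {2020},
  date          = {2020-01-01},
  issn          = {2666-2817},
  doi           = {10.1016/j.fsidi.2020.300917},
  url           = {https://webdiis.unizar.es/~ricardo/files/papers/UR-FSIDI-20.pdf},
  urldate       = {2020-01-01},
  abstract      = {Memory forensics is a fundamental step in any security incident response process, especially in computer systems where malware may be present. The memory of the system is acquired and then analyzed, looking for facts about the security incident. To remain stealthy and undetected in computer systems, malware are abusing the code signing technology, which helps to establish trust in computer software. Intuitively, a memory forensic analyst can think of code signing as a preliminary step to prioritize the list of processes to analyze. However, a memory dump does not contain an exact copy of an executable file (the file as stored in disk) and thus code signing may be useless in this context. In this paper, we investigate the limitations that memory forensics imposes to the digital signature verification process of Windows PE signed files obtained from a memory dump. These limitations are data incompleteness, data changes caused by relocation, catalog-signed files, and executable file and process inconsistencies. We also discuss solutions to these limitations. Moreover, we have developed a Volatility plugin named sigcheck that recovers executable files from a memory dump and computes its digital signature (if feasible). We tested it on Windows 7 x86 and x64 memory dumps. Our experiments showed that the success rate is low, especially when the memory is acquired from a system that has been running for a long time.},
  keywords      = {Authenticode, code signing, digital signature verification, memory forensics, Volatility},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Ignored field (annotation only). issn added from the FR-FSIDI-23 and FR-FSIDI-22 entries for the same journal so the three FSIDI records agree; names normalised to "Last, First" form and url switched to https to match the other entries on this host.},
}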
Uroz, Daniel; Rodríguez, Ricardo J
Characteristics and Detectability of Windows Auto-Start Extensibility Points in Memory Forensics Journal Article
In: Digital Investigation, vol. 28, pp. S95–S104, 2019, ISSN: 1742-2876.
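@article{UR-DIIN-19,
  title         = {Characteristics and Detectability of {Windows} Auto-Start Extensibility Points in Memory Forensics},
  author        = {Uroz, Daniel and Rodríguez, Ricardo J.},
  journal       = {Digital Investigation},
  volume        = {28},
  pages         = {S95--S104},
  year          = {2019},
  date          = {2019-01-01},
  issn          = {1742-2876},
  doi           = {10.1016/j.diin.2019.01.026},
  url           = {https://webdiis.unizar.es/~ricardo/files/papers/UR-DIIN-19.pdf},
  abstract      = {Computer forensics is performed during a security incident response process on disk devices or on the memory of the compromised system. The latter case, known as memory forensics, consists in dumping the memory to a file and analyzing it with the appropriate tools. Many security incidents are caused by malware that targets and persists as long as possible in a Windows system within an organization. The persistence is achieved using Auto-Start Extensibility Points (ASEPs), the subset of OS and application extensibility points that allow a program to auto-start without any explicit user invocation. In this paper, we propose a taxonomy of the Windows ASEPs, considering the features that are used or abused by malware to achieve persistence. This taxonomy splits into four categories: system persistence mechanisms, program loader abuse, application abuse, and system behavior abuse. We detail the characteristics of each extensibility point (namely, write permissions, execution privileges, detectability in memory forensics, freshness of system requirements, and execution and configuration scopes). Many of these ASEPs rely on the Windows Registry. We also introduce the tool Winesap, a Volatility plugin that analyzes the registry-based Windows ASEPs in a memory dump. Furthermore, we state the order of execution of some of these registry-based extensibility points and evaluate the effectiveness of our tool in memory dumps taken from a Windows OS where extensibility points were used. Winesap was successful in marking all the registry-based Windows ASEPs as suspicious registry keys.},
  keywords      = {Auto-start extensibility points, malware, memory forensics, System persistence, Volatility, Windows registry},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {Ignored field (annotation only). Names normalised to "Last, First" form, the Windows proper noun braced in the title, and url switched to https to match the other entries on this host. The S-prefixed page range is a journal supplement numbering and is kept verbatim.},
}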