Fernández-Álvarez, Pedro; Rodríguez, Ricardo J.
Module Extraction and DLL Hijacking Detection via Single or Multiple Memory Dumps Journal Article
In: Forensic Science International: Digital Investigation, vol. 44, pp. 301505, 2023, ISSN: 2666-2817, (Accepted for publication. To appear. Selected Papers of the Tenth Annual DFRWS Europe Conference).
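@comment{FR-FSIDI-23: journal article in Forensic Science International: Digital Investigation, volume 44, article number 301505 (the page lists it as a DFRWS Europe 2023 selected paper). Author names are stored in "Last, First" form so the name parser does not have to guess at the particle/surname split, and DLL is braced in the title so sentence-casing styles keep the acronym. The original note also read "Accepted for publication. To appear.", which contradicts the published pubstate, the assigned volume and the article number, so only the conference remark is kept. urldate equals date and looks like a placeholder - confirm the real access date.}
@article{FR-FSIDI-23,
  title     = {Module Extraction and {DLL} Hijacking Detection via Single or Multiple Memory Dumps},
  author    = {Fernández-Álvarez, Pedro and Rodríguez, Ricardo J.},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/FR-FSIDI-23.pdf},
  doi       = {10.1016/j.fsidi.2023.301505},
  issn      = {2666-2817},
  year      = {2023},
  date      = {2023-01-01},
  urldate   = {2023-01-01},
  journal   = {Forensic Science International: Digital Investigation},
  volume    = {44},
  pages     = {301505},
  abstract  = {A memory dump contains the current state of a system's physical memory at the time of its acquisition. Among other things, it contains the processes that were running at the time of acquisition. These processes can share certain functionalities provided by shared object files, which are internally represented by modules in Windows. However, each process only maps in its address space the functionalities it needs, and not the entire shared object file. In this way, the current tools for extracting modules from existing processes in a memory dump from a Windows system obtain the partial content of the shared object files instead of the entire file. In this paper we present two tools, dubbed Modex and Intermodex, which are built on top of the Volatility 3 framework. These tools allow a forensic analyst to extract a 64-bit module from one or more Windows memory dumps as completely as possible. To achieve this, they aggregate the contents of the same module loaded by multiple processes that were running in the same memory dump or in different dumps (we called it intradump and interdump, respectively). Additionally, we also show how our developed tools are useful to detect dynamic-link library (DLL) hijacking attacks, a widely used attack on Windows where attackers trick processes into loading a malicious DLL instead of the benign one.},
  note      = {Selected Papers of the Tenth Annual DFRWS Europe Conference},
  keywords  = {digital forensics, DLL hijacking, memory forensics, Volatility, Windows},
  pubstate  = {published},
  tppubtype = {article},
}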
Uroz, Daniel; Rodríguez, Ricardo J.
On Challenges in Verifying Trusted Executable Files in Memory Forensics Journal Article
In: Forensic Science International: Digital Investigation, vol. 32, pp. 300917, 2020.
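@comment{UR-FSIDI-20: journal article in Forensic Science International: Digital Investigation, volume 32, article number 300917. Names are stored in "Last, First" form and the "J." initial now carries its period, matching how the same author is written in the FR-FSIDI-23 entry. The ISSN is the one given for this journal elsewhere on the page (2666-2817); it was missing here. urldate equals date and looks like a placeholder - confirm the real access date.}
@article{UR-FSIDI-20,
  title     = {On Challenges in Verifying Trusted Executable Files in Memory Forensics},
  author    = {Uroz, Daniel and Rodríguez, Ricardo J.},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/UR-FSIDI-20.pdf},
  doi       = {10.1016/j.fsidi.2020.300917},
  issn      = {2666-2817},
  year      = {2020},
  date      = {2020-01-01},
  urldate   = {2020-01-01},
  journal   = {Forensic Science International: Digital Investigation},
  volume    = {32},
  pages     = {300917},
  abstract  = {Memory forensics is a fundamental step in any security incident response process, especially in computer systems where malware may be present. The memory of the system is acquired and then analyzed, looking for facts about the security incident. To remain stealthy and undetected in computer systems, malware are abusing the code signing technology, which helps to establish trust in computer software. Intuitively, a memory forensic analyst can think of code signing as a preliminary step to prioritize the list of processes to analyze. However, a memory dump does not contain an exact copy of an executable file (the file as stored in disk) and thus code signing may be useless in this context. In this paper, we investigate the limitations that memory forensics imposes to the digital signature verification process of Windows PE signed files obtained from a memory dump. These limitations are data incompleteness, data changes caused by relocation, catalog-signed files, and executable file and process inconsistencies. We also discuss solutions to these limitations. Moreover, we have developed a Volatility plugin named sigcheck that recovers executable files from a memory dump and computes its digital signature (if feasible). We tested it on Windows 7 x86 and x64 memory dumps. Our experiments showed that the success rate is low, especially when the memory is acquired from a system that has been running for a long time.},
  keywords  = {Authenticode, code signing, digital signature verification, memory forensics, Volatility},
  pubstate  = {published},
  tppubtype = {article},
}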
Uroz, Daniel; Rodríguez, Ricardo J.
Characteristics and Detectability of Windows Auto-Start Extensibility Points in Memory Forensics Journal Article
In: Digital Investigation, vol. 28, pp. S95–S104, 2019, ISSN: 1742-2876.
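@comment{UR-DIIN-19: journal article in Digital Investigation, volume 28, pages S95-S104 (a supplement issue, hence the S-prefixed page numbers). Names are stored in "Last, First" form with the "J." initial written with its period, consistent with the other entries for this author. Windows is braced in the title so a sentence-casing style does not lowercase the product name.}
@article{UR-DIIN-19,
  title     = {Characteristics and Detectability of {Windows} Auto-Start Extensibility Points in Memory Forensics},
  author    = {Uroz, Daniel and Rodríguez, Ricardo J.},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/UR-DIIN-19.pdf},
  doi       = {10.1016/j.diin.2019.01.026},
  issn      = {1742-2876},
  year      = {2019},
  date      = {2019-01-01},
  journal   = {Digital Investigation},
  volume    = {28},
  pages     = {S95--S104},
  abstract  = {Computer forensics is performed during a security incident response process on disk devices or on the memory of the compromised system. The latter case, known as memory forensics, consists in dumping the memory to a file and analyzing it with the appropriate tools. Many security incidents are caused by malware that targets and persists as long as possible in a Windows system within an organization. The persistence is achieved using Auto-Start Extensibility Points (ASEPs), the subset of OS and application extensibility points that allow a program to auto-start without any explicit user invocation. In this paper, we propose a taxonomy of the Windows ASEPs, considering the features that are used or abused by malware to achieve persistence. This taxonomy splits into four categories: system persistence mechanisms, program loader abuse, application abuse, and system behavior abuse. We detail the characteristics of each extensibility point (namely, write permissions, execution privileges, detectability in memory forensics, freshness of system requirements, and execution and configuration scopes). Many of these ASEPs rely on the Windows Registry. We also introduce the tool Winesap, a Volatility plugin that analyzes the registry-based Windows ASEPs in a memory dump. Furthermore, we state the order of execution of some of these registry-based extensibility points and evaluate the effectiveness of our tool in memory dumps taken from a Windows OS where extensibility points were used. Winesap was successful in marking all the registry-based Windows ASEPs as suspicious registry keys.},
  keywords  = {Auto-start extensibility points, malware, memory forensics, System persistence, Volatility, Windows registry},
  pubstate  = {published},
  tppubtype = {article},
}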
Rodríguez, Ricardo J.; Martín-Pérez, Miguel; Abadía, Iñaki
A Tool to Compute Approximation Matching between Windows Processes Proceedings Article
In: Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS), pp. 313–318, 2018.
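@comment{RMA-ISDFS-18: conference paper in the proceedings of ISDFS 2018, pages 313-318. Names are stored in "Last, First" form; Windows (title) and ISDFS (booktitle) are braced so casing styles keep them. The abstract had two pieces of lost LaTeX markup: a stray "em" where an emphasis command had lost its backslash, restored as \emph{avalanche effect}, and the set of a yes/no answer written as $0,1$ where the braces of a set had been stripped, restored as $\{0,1\}$ to contrast with the $[0,1]$ interval mentioned just before. The publisher is taken from the DOI prefix 10.1109; the conference location is not given on the page and is left out rather than guessed.}
@inproceedings{RMA-ISDFS-18,
  title     = {A Tool to Compute Approximation Matching between {Windows} Processes},
  author    = {Rodríguez, Ricardo J. and Martín-Pérez, Miguel and Abadía, Iñaki},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/RMA-ISDFS-18.pdf},
  doi       = {10.1109/ISDFS.2018.8355372},
  year      = {2018},
  date      = {2018-01-01},
  booktitle = {Proceedings of the 2018 6th International Symposium on Digital Forensic and Security ({ISDFS})},
  publisher = {IEEE},
  pages     = {313--318},
  abstract  = {Finding identical digital objects (or artifacts) during a forensic analysis is commonly achieved by means of cryptographic hashing functions, such as MD5, SHA1, or SHA-256, to name a few. However, these functions suffer from the \emph{avalanche effect} property, which guarantees that if an input is changed slightly the output changes significantly. Hence, these functions are unsuitable for typical digital forensics scenarios where a forensics memory image from a likely compromised machine shall be analyzed. This memory image file contains a snapshot of processes (instances of executable files) which were up on execution when the dumping process was done. However, processes are relocated at memory and contain dynamic data that depend on the current execution and environmental conditions. Therefore, the comparison of cryptographic hash values of different processes from the same executable file will be negative. Bytewise approximation matching algorithms may help in these scenarios, since they provide a similarity measurement in the range $[0,1]$ between similar inputs instead of a yes/no answer (in the range $\{0,1\}$). In this paper, we introduce ProcessFuzzyHash, a Volatility plugin that enables us to compute approximation hash values of processes contained in a Windows memory dump.},
  keywords  = {bytewise approximate matching, forensic memory analysis, Volatility, Windows},
  pubstate  = {published},
  tppubtype = {inproceedings},
}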