Aaron,
As a matter of policy, I don't discuss what I actually do, per se, but rather some of
the things that can be done with respect to Windows forensics.
I have a variety of tools that I can use for memory imaging and analysis. Unfortunately,
I don't have access to Mr. Garner's tools, as I moved teams.
The Microsoft debugging tools can be used for both imaging and analysis. My environment
is primarily x64, Windows 7, with a large and growing base of Windows 8. We have to be
flexible in our tools and procedures due to the fact that external tools usually lag our
environment by several months to a year or more.
For imaging memory, one can use LiveKD, a SysInternals tool, which uses kd.exe to do the
memory imaging. It is not necessary to install the debugging tools on the system you are
going to image. One just needs to provide a folder with LiveKD and the debugging tools
appropriate to the processor environment (x86/x64). You may need no more in the folder
than a few of the executables and dlls from the Windows debugging tools, but I haven't
extensively tested which files are absolutely necessary.
To use LiveKD to image, you must first set the symbol path. This can be done at the
command line by the following:
Set _NT_SYMBOL_PATH=srv*[drive letter]:\[local path]\Symbols*http://msdl.microsoft.com/download/symbols
The actual command to dump memory is as follows:
Livekd.exe -o memory.dmp
To capture a consistent kernel dump, one can add the -m switch:
Livekd.exe -m -o memory.dmp
(See: http://technet.microsoft.com/en-us/sysinternals/bb897415)
One of the potential drawbacks to LiveKD imaging is that the process requires access to
the Microsoft symbol servers to pull the kernel symbols for the system you are imaging.
This process can be controlled by providing the correct symbols file for the kernel in the
location specified by Set _NT_SYMBOL_PATH=srv*[drive letter]:\[local path]\Symbols. To
obtain the correct symbol file for the kernel, copy off the kernel file (Ntoskrnl.exe),
and run symchk:
symchk /if [local path]\Ntoskrnl.exe /s srv*[local path]:\DebugSymbols*http://msdl.microsoft.com/download/symbols
See: Windows Sysinternals Administrator's Reference
LiveKD can also be used to image the memory of a Hyper-V guest VM from the root OS.
Livekd -hvl
will list the VMs.
Livekd -o [local path]\dumpfilename.dmp -hv [VM GUID]
Will create a dump of the VM memory of the specified VM from the root OS.
Process memory can be imaged by using the SysInternals tool Procdump with the -ma switch.
(See: http://technet.microsoft.com/en-us/sysinternals/dd996900)
To capture a memory dump for all processes, one can use a for loop to pipe the output of
PSList (SysInternals) to Procdump iteratively.
As for analysis, a good deal of malware shows itself when the modules are listed in the
debugger. For example, Stuxnet:
8d793000 8d79d000 nsiproxy (private pdb symbols)
C:\Debuggers\sym\nsiproxy.pdb\C05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
8d79d000 8d79e680 msvmmouf (private pdb symbols)
C:\Debuggers\sym\msvmmouf.pdb\1234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
8d79f000 8d7a9000 mssmbios (private pdb symbols)
C:\Debuggers\sym\mssmbios.pdb\B9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
8d7a9000 8d7ab980 mrxnet (no symbols)
8d7ac000 8d7b0d80 mrxcls (no symbols)
8d7b1000 8d7bd000 discache (private pdb symbols)
C:\Debuggers\sym\discache.pdb\1F3066C30EA34CC381D3006454C11BD11\discache.pdb
8d7bd000 8d7ca000 CompositeBus (private pdb symbols)
C:\Debuggers\sym\CompositeBus.pdb\F0E80E78F49541FDB4CF0AEB667653381\CompositeBus.pdb
8d7ca000 8d7dc000 AgileVpn (private pdb symbols)
C:\Debuggers\sym\AgileVpn.pdb\F9ABC733237047E898B7404203D52EDE1\AgileVpn.pdb
8d7dc000 8d7f4000 rasl2tp (private pdb symbols)
C:\Debuggers\sym\rasl2tp.pdb\6F6760EF4A3149DC9C430CE8A37585B12\rasl2tp.pdb
For more examples of analysis, see:
http://blogs.msdn.com/b/ntdebugging/archive/2012/05/23/debugging-a-crash-fo…
http://www.reconstructer.org/
or search for windbg and malware.
I would be interested in any drawbacks or inadequacies people might see with any of these
approaches.
Thanks.
Troy Larson
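The acquisition steps described in the message above (symbol path, LiveKD kernel dump, a per-process Procdump loop), put together as an added PowerShell example that is not part of the original thread. It swaps Get-Process in for the PSList-to-Procdump loop and adds a SHA-256 record of the dumps; $ToolDir, $OutDir and $SymDir are assumed locations, an elevated PowerShell 4 or later is assumed, and livekd.exe, the matching x86/x64 debugger files and procdump.exe are assumed to be in $ToolDir.

```powershell
# Added example (not from the thread). Assumed paths: change them to suit.
param(
    [string]$ToolDir = 'D:\IRTools',          # assumed: livekd.exe, kd.exe, dbg DLLs, procdump.exe
    [string]$OutDir  = 'D:\Evidence',         # assumed: external evidence volume
    [string]$SymDir  = 'D:\IRTools\Symbols'   # assumed: local symbol store (pre-populated with symchk)
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Symbol path as in the thread: local store first, then the Microsoft symbol server.
#    If $SymDir already holds the kernel's PDB, LiveKD need not reach the internet.
$env:_NT_SYMBOL_PATH = "srv*$SymDir*http://msdl.microsoft.com/download/symbols"

# 2. Consistent kernel dump via LiveKD (the "livekd -m -o memory.dmp" step).
$kernelDump = Join-Path $OutDir 'memory.dmp'
& (Join-Path $ToolDir 'livekd.exe') -m -o $kernelDump
if (-not (Test-Path $kernelDump)) { Write-Warning "LiveKD did not produce $kernelDump" }

# 3. Full user-mode dump (-ma) of every process, one file per PID.
#    Protected or short-lived processes may fail; that is logged, not fatal.
$procdump = Join-Path $ToolDir 'procdump.exe'
foreach ($p in Get-Process) {
    $target = Join-Path $OutDir ('{0}_{1}.dmp' -f $p.ProcessName, $p.Id)
    & $procdump -accepteula -ma $p.Id $target | Out-Null
    if (-not (Test-Path $target)) {
        Write-Warning ('procdump failed for {0} (PID {1})' -f $p.ProcessName, $p.Id)
    }
}

# 4. Hash everything acquired so the images can be verified later.
Get-ChildItem -Path $OutDir -Filter *.dmp |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $OutDir 'hashes.csv') -NoTypeInformation
```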
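The module-list triage the message describes (mrxnet and mrxcls standing out as the entries with "(no symbols)"), as an added PowerShell example that is not part of the original thread. It parses WinDbg `lm` output, here a constructed excerpt of the listing quoted above, and returns the modules that loaded without symbols as a worklist for further checks; third-party drivers also legitimately lack public symbols, so the result is a starting point, not a verdict.

```powershell
# Added example (not from the thread). Sample input is a constructed excerpt
# of the lm listing quoted in the message above.
$lmOutput = @'
8d79f000 8d7a9000 mssmbios (private pdb symbols)
C:\Debuggers\sym\mssmbios.pdb\B9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
8d7a9000 8d7ab980 mrxnet (no symbols)
8d7ac000 8d7b0d80 mrxcls (no symbols)
8d7b1000 8d7bd000 discache (private pdb symbols)
C:\Debuggers\sym\discache.pdb\1F3066C30EA34CC381D3006454C11BD11\discache.pdb
'@

function Get-LmModules {
    # Parse "start end name (symbol status)" lines; PDB path lines are skipped.
    param([string]$Text)
    $pattern = '^(?<start>[0-9a-f]+)\s+(?<end>[0-9a-f]+)\s+(?<name>\S+)\s+\((?<sym>[^)]*)\)'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Name    = $Matches.name
                Start   = $Matches.start
                Size    = [Convert]::ToInt64($Matches.end, 16) - [Convert]::ToInt64($Matches.start, 16)
                Symbols = $Matches.sym
            }
        }
    }
}

# Modules with no symbols at all: the ones to look at first (lmvm <name>, file path, signer).
$worklist = Get-LmModules -Text $lmOutput | Where-Object { $_.Symbols -eq 'no symbols' }
$worklist | Format-Table Name, Start, Size, Symbols -AutoSize
```

On the sample above the worklist contains mrxnet and mrxcls only.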
-----Original Message-----
From: AAron Walters [mailto:awalters@4tphi.net]
Sent: Monday, July 02, 2012 2:57 PM
To: Troy Larson (NETSEC)
Cc: George M. Garner Jr.; vol-users(a)volatilityfoundation.org
Subject: RE: [Vol-users] Windows Server 2008
Troy,
Would you care to share what type of analysis you are performing with windbg? How
frequently are you doing this type of analysis? I'm sure people would be interested in
the types of things you look for and the steps you typically take to find them. While I
use windbg for a number of things, I don't typically use it during investigations.
As for acquisition, have you ever measured the impact of using livekd as your acquisition
mechanism? Have you found any limitations associated with this approach? Have you ever run
into instances where it conflicted with installed security software? Do you install livekd
as a part of your IR process?
Thanks,
AW
On Mon, 2 Jul 2012, Troy Larson (NETSEC) wrote:
George,
I will often use livekd -o for generating memory dumps. If I want to get a clean kernel
dump, then I use livekd -m -o.
Troy
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilesystems.com] On Behalf Of George M. Garner Jr.
Sent: Monday, July 02, 2012 10:45 AM
To: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Windows Server 2008
On 7/2/2012 10:59 AM, Troy Larson (NETSEC) wrote:
Windbg.
Troy
One of my favorite tools, aside from KnTList. To my mind it is an
essential tool if you want to get serious about memory analysis. But
then you need to be able to convert your memory dumps to MS crashdump
format.
While I am on the subject, the version of Windbg that ships with w8 RC
WDK includes a .segmentation command which is useful when using Windbg
to analyze 64-bit memory images. Basically, you enter the following
two commands after opening a 64-bit crashdump and all will be joy (with Windbg):
.segmentation /V /X /a
.effmach . (note literal dot).
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users