On 12/29/2012 4:09 PM, Echo6 wrote:
Hi George,
Nice find, thanks for posting. Whatever happened to Tribble?
Two problems:
1. It is hardware-based and therefore $$$; and
2. Must be pre-deployed and not on a lot of systems that you want to
analyze because of $$$.
> A few things that appear to be missing, virtualisation
Yes, an interesting topic with a lot of possibilities, but it needs to be
addressed critically because the process of "suspending/freezing" a guest VM
may not be lossless. In principle, it should be possible to reconstruct
the memory address space of the guest VMs from the memory of the root
partition. In the case of VirtualBox and KVM you have the source code,
so I don't know why someone doesn't do it. The root partition is also a
VM when the hypervisor is enabled, btw.
> and "cold boot".
Also has two problems:
1. The incident responder must be smarter than the average bear to accomplish
it without wiping memory. This may be overly burdensome for some
organizations. :-)
2. Like DMA memory acquisition, "cold boot" view of memory may not be
identical to the processor's view of memory. "Cold boot" memory needs
to be reconstructed. Also, some degradation is inevitable. Of course
if all you are doing is scanning memory for encryption keys that doesn't
take much.
> The greatest challenge is the ability to acquire physical memory remotely
Ambiguous statement. Do you mean:
1. Acquire memory to the net with physical access; or
2. Acquire memory (and other evidence) from a remote networked system
with which you have a trust relationship (e.g. is part of your domain)?
> or within a sensible time.
A better question would be how to acquire memory RELIABLY within a
sensible time WITHOUT CORRUPTING THE MEMORY OF YOUR MISSION CRITICAL
SERVERS which will continue running for an extended period of time after
you acquire memory. There are a number of memory acquisition tools
which acquire memory fast. But then they will crash some systems and
sometimes you get a memory dump with all zeroes in it. That's if you
are lucky. The more probable result of fast memory acquisition is to
corrupt some random data with no apparent consequence, until one day...
About 10 years ago Rob Lee gave a talk at one of the first SANS
conferences, back when he was still auditioning to teach at SANS, in which
he described acquiring a hard drive a few bytes at a time from an
infected system to avoid tipping off the "bad guy." Very smart guy, that
Rob Lee! In the typical case a computer has been infected for ~4 months
before the infection is discovered (according to a Verizon threat report
from a few years ago). So what is it that you hope to accomplish by
being "fast"? What most people need is some software to generate a nice
pretty report for their boss to read while they quietly collect the real
evidence. :-)
Regards,
George.
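George's remark that scanning a "cold boot" image for encryption keys "doesn't take much" even with degradation is worth showing concretely. The following is an added example, not code from the original thread or from any of the tools mentioned in it. It assumes the AES-128 key was in active use, so its 176-byte expanded key schedule sits contiguously in RAM the way common software AES implementations keep it, and that the 16 key bytes themselves survived while the rest of the schedule decayed. Instead of looking for an exact schedule it re-expands each 16-byte window of the image and accepts a match when the Hamming distance to the following 160 bytes is small, which is what makes the search tolerant of the bit decay a cold-boot capture introduces. The memory image is constructed inline (random bytes with one schedule embedded and then decayed toward zero); the S-box is derived rather than transcribed, and the FIPS-197 sample key is used only as a known-answer check.

```python
"""Decay-tolerant AES-128 key-schedule scan over a constructed memory image.

Added example, not code from the original post. Assumes the expanded key
schedule is contiguous in RAM and that the key block itself is intact; only
the derived round keys are allowed to have decayed.
"""
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xff


def _build_sbox():
    """Derive the AES S-box (GF(2^8) inverse followed by the affine map)
    rather than transcribing the 256-entry table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff  # p *= 3
        q = (q ^ (q << 1)) & 0xff                                # q /= 3
        q = (q ^ (q << 2)) & 0xff
        q = (q ^ (q << 4)) & 0xff
        if q & 0x80:
            q ^= 0x09
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
SCHEDULE_LEN = 176  # 11 round keys * 16 bytes for AES-128


def expand_key(key):
    """FIPS-197 key expansion for a 16-byte key; returns the 176-byte schedule."""
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1b if rcon & 0x80 else 0)) & 0xff
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=40):
    """Return [(offset, key, bit_errors)] for every window whose following
    160 bytes are, up to max_bit_errors flipped bits, the schedule of the
    16 bytes at that offset. Exact matching would miss decayed schedules."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        sched = expand_key(cand)
        # Cheap prefilter on the first derived word before the full compare.
        if hamming(sched[16:20], image[off + 16:off + 20]) > 8:
            continue
        errs = hamming(sched[16:], image[off + 16:off + SCHEDULE_LEN])
        if errs <= max_bit_errors:
            hits.append((off, bytes(cand), errs))
    return hits


def build_decayed_image(key, seed=7, decay_rate=0.02):
    """Constructed sample input: 2 KiB of random RAM with one schedule
    embedded at offset 600, then decayed like a cold-boot capture (set bits
    drop toward 0 with probability decay_rate). The key block is left intact,
    matching this example's stated assumption."""
    rng = random.Random(seed)
    ram = bytearray(rng.getrandbits(8) for _ in range(2048))
    ram[600:600 + SCHEDULE_LEN] = expand_key(key)
    for i in range(600 + 16, 600 + SCHEDULE_LEN):
        for bit in range(8):
            if rng.random() < decay_rate:
                ram[i] &= ~(1 << bit) & 0xff
    return bytes(ram)


if __name__ == "__main__":
    k = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 sample key
    for off, key, errs in find_aes128_keys(build_decayed_image(k)):
        print(f"offset {off:#x}: key {key.hex()} ({errs} decayed bits in schedule)")
```

The decay model and the fixed threshold are simplifications: a real cold-boot image also loses bits inside the key block, and tools built for that case use the redundancy of the schedule to correct those bits as well, which is the "reconstruction" step George refers to. The prefilter on the first derived word keeps the scan cheap enough to run over a full image in pure Python.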