M-unition -

Memory forensics on Windows 7 (x86 and x64) and Windows 2008 x64

By on September 20, 2010

Next month Memoryze will be two years old and a lot has changed over that time. There has been a lot of interesting research in the field of memory forensics, and responders are finding value in the analysis.
 
Platform Support
From a tool perspective, other than the addition of a GUI called Audit Viewer and the added usability that the Malware Rating Index (MRI) provides, the most noticeable change is the expanding platform support. Today, we are announcing the release of Memoryze 1.4.2900 which has added support for:

  • Windows 7 64-bit
  • Windows 7 32-bit*
  • Windows 2008 64-bit*
  •  
    This is in addition to the platforms Memoryze already supported:

  • Windows 2000 Service Pack 4 (32-bit)
  • Windows XP Service Pack 2 and Service Pack 3 (32-bit)
  • Windows Vista Service Pack 1 and Service Pack 2 (32-bit)
  • Windows 2003 Service Pack 2 (32-bit)
  • Windows 2003 Service Pack 2 (64-bit)
  •  
    Attacks Against Memory Forensic Tools
    Brendan Dolan-Gavitt et. al. published a great article in the Proceedings of the ACM Conference on Computer and Communications Security (CCS) [1]. In it, they discuss an attack against memory forensic tools that would cause the tools to be blind to the existence of specially modified processes. As Brendan states in his blog, this attack has been known about for some time and requires a rootkit on the part of the intruder in order to modify the desired process(es). Memoryze has expanded upon their research by modifying the detection algorithm slightly and adding support for all the operating systems Memoryze supports. This work by Dolan-Gavitt, Srivastava, Traynor, and Griffin is sure to motivate change. If you would like to test your existing tools or validate that Memoryze is now resilient, Brendan has made a memory image available for download from his blog.
     

     
    Speed Improvements
    In addition to platform support and resilience to recent DKOM attacks, Memoryze is now as much as 40% faster depending on memory size and configuration parameters. This and some of the other improvements made should make string enumeration a lot better.
     
    Portable Installation
    Peter Villadsen fixed a bug in the way Memoryze used to install that required the user to use “-portable” at the command line when running Memoryze. Obviously, this broke Audit Viewer because of the way it invokes Memoryze. Now that has been fixed. When you are installing Memoryze to be used portably, you must use special options to msiexec.

    msiexec /a MemoryzeSetup.msi /qb TARGETDIR=portable_drive_and_folder

    The portable_drive_and_folder should be the drive letter of the USB key and the folder you want to install Memoryze into such as H:\Memoryze

    Now, the first time you run portable Memoryze it will create several files; therefore, you cannot make the media read-only yet. After that, you should be set to run Memoryze off a USB key or CD-Rom. You can have Audit Viewer invoke Memoryze or use the *.bat files that are included.
     
    It has been fun over the past two years working with our user base and our consultants as they have ran this code over literally hundreds of thousands of hosts. I am looking forward to what the next two years bring. Please keep us informed of bugs or of any feature requests on the forums.
     
    Download Memoryze NOW
     
    [1] Dolan-Gavitt, B., Srivastava, A., Traynor, P., and Giffin, J., “Robust signatures for kernel data structures,” in Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2009.
     
    The “*” means that complete regression testing on those platforms has not been completed, but we felt the feature was important enough to users to get the feature out as soon as it was available.

    Category: The Armory

    Comments

      Leave a Comment

    Get M-Unition in Your Inbox:

    Follow @mandiant

    Follow @mandiant on twitter.

    Career Opps @ Mandiant

    We’re growing fast, but we’re as demanding as ever. Our clients come to us in their hours of need, so we need the best. That means more than just the right education and the right experience in information security.

    As Mandiant continues to grow, we are able to offer certain positions in multiple locations. For details on the location(s) of each opening, please refer to the position descriptions.

    Click here to view available positions.