Dark Reading

Researchers will release an open source tool at Black Hat USA that helps forensics investigators reconstruct attacks that use a popular Metasploit payload to covers its tracks.

Mandiant's Steve Davis and Peter Silberman have developed an "anti-" anti-forensics tool, of sorts, tentatively called the Metasploit Forensics Framework, which they'll demonstrate at the security conference later this month. The tool is aimed at unmasking what Metasploit's stealthy Meterpreter (PDF) did on a machine. Meterpreter lets developers write code in DLL files and execute everything in memory -- without writing anything to the victim machine's disk, where it could be detected and, in turn, complicate incident response.

Meterpreter can be used to download and upload files, execute code, and open its own command shell, the researchers say. Their new tool can tell if a Meterpreter packet is still in memory, and, if so, which files Meterpreter has accessed, and whether it has modified a registry key.

Some traditional antivirus tools can't detect Meterpreter-borne attacks because they never hit the disk, the researchers say.

"You wouldn't see the attacks happen if they didn't write anything to disk," says Steve Davis, one of the researchers and a consultant with Mandiant. "We are going to show how we can reconstruct a crime scene in memory."

The Metasploit Forensics Framework is a proof-of-concept tool that scans the processes in memory. "Meterpreter has unique packets...and we can identify those and reconstruct its processes," says Peter Silberman, an engineer on the product team at Mandiant. "We're going to discuss how Meterpreter looks in memory, and how it's able to circumvent traditional tools [for forensics]. We'll demonstrate how with some advanced knowledge, you can reconstruct what commands were sent to Meterpreter and perform an autopsy on an attack."

Memory analysis in forensics has only begun to catch on tool-wise in the past year or so, the researchers say. Their tool helps investigators pull useful information from memory to help in their forensics work, they say. "This is just a small research project in how freed memory can still pull out a lot of useful information on the commands [an attacker] used," for example, Silberman says.

The researchers say they fully expect the Metasploit developers to come up with a workaround for their tool in short order once it's released. They plan to make the tool available on Mandiant's Website the day of their Black Hat presentation so attendees can experiment with it during their talk, they say.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.