10/24/2008 07:45 AM

Tech Insight: Digital Forensics & Incident Response Go Live

New tools, methods emerge for leveraging forensic data and memory analysis in the wake of an attack

A Special Analysis for Dark Reading

The days of performing only traditional “dead” forensics on a host after a security incident are over.

A shift to “live” forensics and incident response investigations is underway, with a round of new tools focused specifically on collecting volatile data and memory analysis, and forensics experts demonstrating new ways to leverage these tools to fight malware and cybercrime at the recent SANS WhatWorks in Forensics and Incident Response Summit.

One attendee of the SANS summit this month, which was hosted by Rob Lee, a consultant with Mandiant and faculty member of SANS, blogged that a major takeaway from the conference was “pulling the plug on ‘Pull the Plug.’”

“Pull the Plug” refers to the old theory that the best way to preserve digital evidence on a suspect computer system was to pull the power plug from the back of the computer. This was typically the process that law enforcement officers and others followed, and it was generally accepted as standard procedure, even though many forensic investigators and researchers knew that a large amount of volatile data got lost when pulling the power. Volatile data present only in physical memory could contain IP addresses, URLs, email addresses, passwords, and other information that could be important to an investigation -- but was often lost forever.

The traditional argument against performing any incident-response techniques and forensic analysis on a running system is that it could destroy evidence. Although that can happen, this mindset is shifting because more data could be lost forever if the volatile data (physical memory) is not collected from a live system. The key is that the first responder understands the impact the collection tools he or she is using have on the system in question. That way, he or she can collect the information effectively and be able to explain it in court.

Three or more years ago, even if a first responder or forensic investigator created an image (forensic copy) of memory, the best they could do to analyze the memory image was to extract the readable text from it and look for clues. In 2005, the first of several publicly available tools emerged that extracted detailed information about network connections, running processes, and even processes that had ended from physical memory images of Windows machines. Since then, more Windows memory acquisition and analysis tools have been released and upgraded to help investigators access this valuable forensic data.

In the last six months, three new Windows physical memory acquisition tools were released that enhanced the ability of investigators to collect memory from Windows Vista and Windows Server 2003 machines. Several new plug-ins for the Volatility Framework -- a Python-based toolkit for extracting information from Windows memory images -- have been released as well, including two from Jesse Kornblum to recover TrueCrypt passwords and the command line used in “suspicious” processes.

F-Response, a new forensic tool that enables first responders and investigators to mount storage devices on remote Windows systems read-only, released a beta version last week that allows remote, read-only access to the physical memory on live Windows systems. Leveraging the power of F-Response and the Volatility Framework, Aaron Walters from Volatile Systems announced at the SANS Digital Forensics Summit a new enterprise incident response product, Voltage, that can continuously monitor the runtime state of systems, automatically capture portions of memory, and search for advanced persistent threats.

Collecting typical volatile data such as network connections, running processes, and open files is important, but that’s only part of the reason that these new tools have been developed. Another key goal of these tools is to address today’s malware threats and hacking tools.

When attackers and malware inject malicious code into running processes, the only evidence of the attack is in memory, and it rarely gets cached to the hard drive where disk-based tools could possibly detect it. At the SANS Summit, Aaron Walters described attacks where the intruder injected one-time use URLs into Web server processes. (See Richard Bejtlich's "Thoughts on 2008 SANS Forensics and IR Summit.") These attacks are completely invisible, for example, to an investigator only looking at files on the hard drive while searching for the cause of a Web page redirect to a competitor's site. Or, the investigator may think an attack was not successful because a malicious page stored on the hard drive isn't linked to a publicly accessible page.
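As an added example, not code from the article or from any tool it names, the following is a simplified form of the memory-versus-disk comparison that live analysis relies on to find injected code: each executable region of a process is checked against the file that supposedly backs it on disk, so code that exists only in memory stands out. The memory image, the process name and the on-disk file contents are all constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Region:
    """One memory region of a process as it appears in a physical memory image."""
    pid: int
    process: str
    start: int
    protection: str              # e.g. "PAGE_EXECUTE_READ"
    backing_file: "str | None"   # mapped file path, or None for private memory
    data: bytes                  # bytes as they appear in physical memory

# Constructed sample: what the mapped files contain on disk.
DISK_FILES = {
    r"C:\Windows\System32\inetsrv\w3wp.exe": b"MZ\x90\x00legit-w3wp-code",
    r"C:\Windows\System32\kernel32.dll": b"MZ\x90\x00legit-kernel32",
}

# Constructed sample memory image of a web server worker process: two clean mappings,
# one mapping patched in memory, one private executable region, one plain data buffer.
SAMPLE_REGIONS = [
    Region(1234, "w3wp.exe", 0x00400000, "PAGE_EXECUTE_READ",
           r"C:\Windows\System32\inetsrv\w3wp.exe", b"MZ\x90\x00legit-w3wp-code"),
    Region(1234, "w3wp.exe", 0x7c800000, "PAGE_EXECUTE_READ",
           r"C:\Windows\System32\kernel32.dll", b"MZ\x90\x00legit-kernel32"),
    Region(1234, "w3wp.exe", 0x7c900000, "PAGE_EXECUTE_READWRITE",
           r"C:\Windows\System32\kernel32.dll", b"MZ\x90\x00patched-kernel32"),
    Region(1234, "w3wp.exe", 0x00e40000, "PAGE_EXECUTE_READWRITE", None,
           b"injected-redirect-code http://one-time-url.example/ (constructed)"),
    Region(1234, "w3wp.exe", 0x00f00000, "PAGE_READWRITE", None, b"request buffer"),
]

def find_injected_regions(regions, disk_files):
    """Flag executable memory that a disk-only investigation would never see."""
    findings = []
    for r in regions:
        if "EXECUTE" not in r.protection:
            continue                    # data-only regions cannot run injected code
        if r.backing_file is None:
            findings.append((r, "executable private memory with no file backing"))
        elif r.backing_file not in disk_files:
            findings.append((r, "mapped file is missing on disk"))
        elif disk_files[r.backing_file] != r.data:
            findings.append((r, "in-memory code differs from the on-disk copy"))
    return findings

if __name__ == "__main__":
    for r, why in find_injected_regions(SAMPLE_REGIONS, DISK_FILES):
        print(f"pid {r.pid} {r.process} @0x{r.start:08x}: {why}")
```

Real tools compare relocated sections rather than raw bytes, and also inspect page permissions and thread start addresses, but the principle is the same: a region that is runnable yet unaccounted for on disk is the evidence that pulling the plug would have destroyed.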

Current threats and the realization that valuable evidence is being lost through traditional forensic methods are making live incident response and forensics a more acceptable and commonplace practice today. Live forensic analysis also can help determine if computer systems should be taken offline for deeper analysis. More importantly, it can allow for live acquisition of a running system’s hard drive if the business decision is made that downtime could lead to irreparable damage to the company as a whole. Either way, it’s time for organizations that are relying solely on “dead” forensics to re-evaluate their incident response and digital forensic practices and see how live forensic analysis can help.
