New tool exposes weak links in forensic tools that inspect Windows memory for attack intelligence

Forensics increasingly encompasses the analysis of potentially valuable clues and intelligence in the physical memory of an infected machine. But like anything in infosec, it's a constant cat-and-mouse game, with attackers finding new ways to hide their tracks in memory from incident response handlers trying to get to the bottom of a breach.

A researcher has developed a new tool called Dementia that cheats forensics tools that inspect attackers' footprints in a Windows computer's memory. Dementia basically renders a phony image of the infected machine's memory as a way to hide evidence of an attacker's movements. The tool removes "specific artifacts from the memory or the image being created. While the image itself is correct -- it can be analyzed -- specific artifacts are not present, which can hide traces of attacker's activities," says Luka Milkovic, who developed the tool. Milkovic, who is an information security consultant with Croatia-based Infigo, recently demonstrated the tool at the CCC conference in Hamburg, Germany.

Dementia demonstrates how an attacker who has wrested control of a system can muck with the forensics investigation process by fooling memory-acquisition tools. It can hide artifacts such as processes and threads from several popular tools: Moonsols Win32dd (in kernel-mode only); Mandiant Memoryze; Mantech MDD; FTK Imager; and Winpmem.

Memory analysis has become a vital process for triaging machines after an attack. Security experts say it is more efficient to drill down on the few gigabytes of RAM where the attacker's code is actually executing than to slog through hundreds of gigabytes of hard drive space.


"Disk forensics has been prevalent for more than a decade, and there are lots of tools and methodologies for extracting valuable information or forensic evidence from a target computer or device," Milkovic says, such as files, folders, file and folder metadata, system logs, and registry entries.

"Incident handlers realized that by acquiring the memory of the examined machine, they might create less 'side effects' on the machine, while obtaining a cleaner and more trusted snapshot of the state of the machine," he says. "In the last couple of years, a significant rise in the number of tools for acquiring and analyzing memory can be seen, and memory forensics are now considered a vital part of the incident-handling workflow."

But anti-forensics tools and techniques are nothing new. Attackers already can block memory acquisition altogether or "break" memory analysis itself so that an investigator can't study the memory image. Dementia is basically an evolution of previous breakthroughs in cheating memory forensics, Milkovic says. "Dementia can be considered as a beginning of the memory anti-forensic framework aimed at hiding arbitrary artifacts from the memory dump," he says.

It doesn't stop investigators from acquiring memory, nor does it touch artifacts in the live system. Instead, it modifies artifacts in the memory dump as the memory acquisition tool creates it. Milkovic points to other anti-forensics techniques, such as Haruyama and Suzuki's work on breaking memory analysis and Sparks/Butler's ShadowWalker.

"Compared to these techniques, Dementia is a bit more noisy -- no advanced self-hiding capabilities implemented so a forensic expert can easily detect Dementia's presence -- but [it] can hide arbitrary artifacts, has little performance impact, and does not break the analysis," he says. Dementia has two modules, user mode and kernel mode.

So what can incident handlers do when faced with attackers' anti-forensics methods? Acquire memory from the live, infected machine by another method, such as Firewire, or use the integrated crash-dump technique, Milkovic suggests. While the latter causes a reboot, it's tougher for the attacker to modify the artifacts.
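As an added illustration of the cross-acquisition check suggested above (example code written for this page, not from the article or from Dementia's author), the script below compares process tables parsed from two independently acquired images and also applies a single-image heuristic; the data, field names and the `implant.exe` entry are constructed.

```python
# Added example: cross-check process tables recovered from two memory images that
# were acquired by independent methods (live tool vs. crash dump or DMA/Firewire).
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """Minimal process record; real parsers (e.g. Volatility output) carry more fields."""
    pid: int
    ppid: int
    name: str


def cross_check(primary, reference):
    """Return (missing, altered): artifacts in `reference` that are absent from,
    or differ in, `primary`.

    `primary` is the table from a live acquisition tool; `reference` comes from
    an out-of-band path the attacker cannot rewrite on the fly. A tool that
    strips artifacts only from the image being written leaves gaps here.
    """
    by_pid = {p.pid: p for p in primary}
    missing = [p for p in reference if p.pid not in by_pid]
    altered = [(by_pid[p.pid], p) for p in reference
               if p.pid in by_pid and by_pid[p.pid] != p]
    return missing, altered


def orphaned(procs):
    """Single-image heuristic: processes whose parent PID is not in the table.

    Hiding a process leaves its children pointing at a PID that no longer
    appears. Exited parents also produce orphans, so treat hits as leads to
    confirm against a second acquisition, not as proof of tampering.
    """
    pids = {p.pid for p in procs}
    return [p for p in procs if p.ppid != 0 and p.ppid not in pids]


# Constructed sample tables: the live image is missing services.exe and the implant.
LIVE_IMAGE = [Proc(4, 0, "System"), Proc(512, 4, "smss.exe"),
              Proc(700, 600, "svchost.exe")]
CRASH_DUMP = [Proc(4, 0, "System"), Proc(512, 4, "smss.exe"),
              Proc(600, 512, "services.exe"), Proc(700, 600, "svchost.exe"),
              Proc(1337, 600, "implant.exe")]

if __name__ == "__main__":
    missing, altered = cross_check(LIVE_IMAGE, CRASH_DUMP)
    print("missing from live image:", [p.name for p in missing])
    print("altered entries:", altered)
    print("orphans in live image alone:", [p.name for p in orphaned(LIVE_IMAGE)])
```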

The bottom line: Live forensics can't always be trusted because it relies on an infected machine that the investigator doesn't have complete control over. "I think they can be of extreme forensic value, but I just wanted to demonstrate that they cannot be trusted at all times," he says.

Milkovic plans to release the free Dementia tool this month.


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
