4:15 PM -- Digital forensics and incident response procedures have changed drastically over the last several years, as malware has become more prolific and more advanced.
Guidance Software used to be the dominant force in enterprise forensics, but now forensic investigators have a wealth of new options on the market -- and some that will be released in the next two to 10 months. (See Network Computing's "Forensics: New Options for the Enterprise.") Commercial tools are finally catching up to what forensic researchers have been focusing on and developing tools for during the last two years: analysis of Windows memory images, or dumps.
With Windows XP and earlier, the physical memory could be imaged using George Garner's modified version of "dd" -- a part of his free, and formerly open source, Forensic Acquisition Utilities. Forensic investigators who had to dump the memory from running Windows systems were limited to looking for ASCII and Unicode text strings.
Some investigators also do "file carving" to help collect clues about a case. File carving is the act of searching a block of data for known file headers and/or footers (like images, Word documents, and PDFs), then copying that portion of data out to view in its native application.
Today, partly due to interest spurred by the 2005 Digital Forensic Research Workshop (DFRWS) forensic challenge, commercial, free, and open-source tools have been developed for analysis of Windows memory dumps.
Why is this important? Valuable information can be lost if a first responder does not dump memory from a Windows system when collecting volatile data before pulling the power. Research based on the DFRWS forensic challenge showed that information from processes that had terminated or were running prior to that last system reboot still existed in memory.
Some malware and security tools stay resident in memory without ever touching the hard drive where traditional digital forensic techniques could find traces of them. The Metasploit Framework's meterpreter is a perfect example. It can be loaded into memory after a computer system is exploited, then used to download/upload files, change file times, execute commands, or kill processes. Meterpreter is never written to the filesystem -- so as soon as power is lost, all traces of it disappear, leaving investigators lost if they haven't a Windows memory dump.
AccessData and Mandiant are both in the process of launching enterprise forensic and incident response tools that can acquire memory from Windows systems and analyze it.
If you're interested in learning more, or trying out some of the available free tools, take a look at the writeups from the 2005 DFRWS forensic challenge, Harlan Carvey's blog, Andreas Schuster's blog, and the Volatility Framework.
Oh, and if you aren't doing it already, modify your incident response procedures to include dumping memory from Windows systems. You might find that this dump is the missing link that helps you break the case.
John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading