Monday, March 15, 2010

Memory Analysis Part 3

OK…so I learned this week from Rob Lee that you can copy the installed files for Memoryze onto a removable storage device, drop them into a folder with Audit Viewer, and run them on against a live system. Doing so will enable you to not only capture memory, but will allow you to review the Malware Rating Index (MRI) scoring of any suspicious binaries. This sounded like a good thing to me, so I gave it a try.

First, I copied the contents of C:\Program Files\Mandiant\Memoryze and the contents of C:\Audit_Viewer into a single folder on my thumb drive called F:\Memoryze.

Next, I launched Audit Viewer by double clicking on the AuditViewer icon and selected “configure memory” and clicked “Next”. Then, I set my paths to memorize, and my output results as seen below and clicked “Next”.

From there, I chose to “Acquire Live Memory” and clicked “Next”, and then I chose only “Process Enumeration” and clicked “Next”. Then, I chose “Memory Acquisition” and clicked “Next”. The following screen simply showed my options, which read, “Process Enumeration” and “Memory Acquisition”. From there, I selected the information I wanted to enumerate from the memory.

Based on trial and error (and according to Rob), I learned to select all of the options EXCEPT for “Strings in memory”. Doing this against a live memory acquisition will lead to Audit Viewer running for a very, very long time…in excess of 12 hours long (I know this b/c I tried it and I finally killed the process at 12 hours!). From this screen, just click “Next” followed by “Finish” and your acquisition will begin, and looks like this…

I ran this on my local XP system, which as 4 GB of memory, and the entire process took about 15 minutes. It’s a Dell D620 with an Intel Core2 T7600 2.33 Ghz CPU…so nothing super fast.

Next, I will cover what your RAM dump will likely look like, what is an MRI anyway, and what you should look for in terms of compromise indicators.

2 comments:

  1. The key to live analysis is the ability for the MRI to score based off of validation against against the files of the system. (The "Verify Digital Signatures" option) This can only be accomplished by running it live. You can still acquire memory at the same time so you can process strings later.

    Thanks for helping in class last week Chris. You were a wonderful mentor and teaching assistant for the course. (SANS Forensics Training in Orlando, FL. http://computer-forensics.sans.org)

    Best,
    Rob

    ReplyDelete
  2. Thanks Rob! My next post in this series will cover the MRI scoring and what it means. I think actually SHOWING people what it means and how it works is going to go a long way for really showing the true value of the tool.

    ReplyDelete