Update: Memory Forensic EnScript
I added TCP connection scanning modules for Windows 7/2008.
Support OS: x86 Windows XP/2003/7 and x64 Windows 2003/7/2008 (previously x86 Windows XP/2003/7 only)
The EnScripts implement two methods: Tree & List Traversal and Object Fingerprint Search (see http://www.itu.int/ITU-D/cyb/events/2008/doha/docs/forensics-waits-live-memory-forensics-doha-feb-08.pdf).
Tree & List Traversal emulates the data access performed by the OS: it translates virtual addresses to physical ones and traverses kernel data structures by following address pointers.
Object Fingerprint Search carves for signatures of kernel objects (e.g., _EPROCESS) and validates each search hit.
The classification of each module is as below.
I prefer CDA to RIA because CDA can get the debug information (the kernel directory table base, PsActiveProcessHead and PsLoadedModuleList) from the first memory page. RIA must guess them.
For example, RIA scans for the "Idle" _EPROCESS data in order to find the kernel directory table base value, but that method cannot work if the process name has been changed.
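To make the two methods and the debug-information trade-off concrete, here is an added Python example (not the author's EnScript code). It builds a constructed 8-page "physical memory" image with a toy page map and a toy process-object layout (the tag b"Proc", type marker, pid, flink/blink and name offsets are all assumptions for this example, not the real _EPROCESS layout). The list walk needs the list-head address and the page map, i.e. the debug information CDA reads from the first page, while the carver only needs the raw image plus validation rules. An object that is no longer linked into the list is found only by carving, and a decoy "Proc" inside ordinary text is rejected by validation.

```python
import struct

PAGE = 0x1000
KERNEL_BASE = 0x80000000   # assumed toy kernel virtual range (not a real Windows constant)
PROC_TYPE = 0x3            # assumed type marker stored in the toy object header
OBJ_SIZE = 0x30
LINK_OFF = 0x0C            # offset of the flink/blink pair inside the toy object

# Toy process-object layout, constructed for this example (NOT real _EPROCESS offsets):
#   0x00 tag b"Proc"   0x04 u32 type marker   0x08 u32 pid
#   0x0C u32 flink     0x10 u32 blink         0x14 16-byte NUL-padded name
def make_obj(pid, name, flink, blink):
    body = b"Proc" + struct.pack("<IIII", PROC_TYPE, pid, flink, blink)
    body += name.encode().ljust(16, b"\0")
    return body.ljust(OBJ_SIZE, b"\0")

def v2p(va, page_map):
    """Translate a virtual address through the toy page map (VPN -> PPN)."""
    ppn = page_map.get(va >> 12)
    if ppn is None:
        raise KeyError(f"unmapped virtual address {va:#x}")
    return (ppn << 12) | (va & 0xFFF)

def build_image():
    """Constructed image: three objects in non-contiguous pages plus a decoy string."""
    page_map = {0x80001: 5, 0x80002: 2, 0x80003: 7, 0x80004: 1}
    head_va = 0x80001800                      # stands in for PsActiveProcessHead
    sys_va, smss_va, hidden_va = 0x80002000, 0x80003000, 0x80004000
    img = bytearray(8 * PAGE)

    def put(va, data):
        pa = v2p(va, page_map)
        img[pa:pa + len(data)] = data

    # head.Flink -> System.links, head.Blink -> smss.links
    put(head_va, struct.pack("<II", sys_va + LINK_OFF, smss_va + LINK_OFF))
    put(sys_va, make_obj(4, "System", smss_va + LINK_OFF, head_va))
    put(smss_va, make_obj(300, "smss.exe", head_va, sys_va + LINK_OFF))
    # An object that is no longer linked into the list (e.g. terminated or unlinked):
    # its links point only to itself, so a list walk never reaches it.
    put(hidden_va, make_obj(1234, "hidden.exe", hidden_va + LINK_OFF, hidden_va + LINK_OFF))
    # Decoy: the tag bytes also occur inside ordinary text in an unmapped data page.
    decoy = b"Processor idle"
    img[3 * PAGE + 0x100:3 * PAGE + 0x100 + len(decoy)] = decoy
    return img, page_map, head_va

def parse_obj(img, pa):
    type_marker, pid, flink, blink = struct.unpack_from("<IIII", img, pa + 4)
    name = img[pa + 0x14:pa + 0x24].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"pid": pid, "name": name, "flink": flink, "blink": blink}

def walk_process_list(img, page_map, head_va, limit=4096):
    """Tree & List Traversal: follows flink pointers, translating every VA."""
    procs = []
    link_va = struct.unpack_from("<I", img, v2p(head_va, page_map))[0]
    while link_va != head_va:
        obj = parse_obj(img, v2p(link_va - LINK_OFF, page_map))
        procs.append((obj["pid"], obj["name"]))
        link_va = obj["flink"]
        if len(procs) > limit:          # guard against a corrupted or cyclic list
            raise RuntimeError("list does not terminate at head")
    return procs

def validate_hit(img, pa):
    """Sanity checks applied to every tag hit before accepting it as an object."""
    if pa + OBJ_SIZE > len(img):
        return False
    type_marker, pid, flink, blink = struct.unpack_from("<IIII", img, pa + 4)
    if type_marker != PROC_TYPE or pid == 0 or pid >= 0x10000:
        return False
    if flink < KERNEL_BASE or blink < KERNEL_BASE:
        return False
    name = img[pa + 0x14:pa + 0x24].split(b"\0", 1)[0]
    return bool(name) and all(0x20 <= c < 0x7F for c in name)

def carve_process_objects(img):
    """Object Fingerprint Search: scan the raw image for the tag, validate each hit."""
    procs, pa = [], img.find(b"Proc")
    while pa != -1:
        if validate_hit(img, pa):
            obj = parse_obj(img, pa)
            procs.append((obj["pid"], obj["name"]))
        pa = img.find(b"Proc", pa + 1)
    return sorted(procs)

if __name__ == "__main__":
    img, page_map, head_va = build_image()
    listed = walk_process_list(img, page_map, head_va)
    carved = carve_process_objects(img)
    print("list walk:", listed)
    print("carving  :", carved)
    print("only found by carving:", sorted(set(carved) - set(listed)))
```

Note that the carver's validation deliberately checks structure (type marker, pid range, pointer range, printable name) rather than a particular process name, which is the reason a name-based heuristic such as looking for "Idle" is fragile while structural validation still holds when a name has been changed.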
I'll lecture on Windows memory forensic analysis using my EnScripts at the CEIC conference.
Comments
The scripts can work with EnCase 6.14 or later, but EnCase 7 changed the EnScript APIs, so the scripts cannot be executed there.
Posted by: cci | 2012-01-12 00:31
Hi, can I know what the minimum version of EnCase is to run the memory scripts?
Posted by: Benjamin | 2012-01-11 16:22
Thanks for the comment!
You mean the EnScript making compile timeline, right?
I think the compile time of PE files can be easily modified by a packer, but it may be useful for finding suspicious binaries on the victim hard drive if you don't have other clues like filename/size.
Now I'm working on an Immunity Debugger script task. After that finishes, I will implement the script ;-)
Posted by: cci | 2011-07-05 18:06
Thank you for all your work on the EnScripts. They are very helpful.
I think there may be some value in creating an EnScript that sorts all EXE and DLL files by their Compile Time in the PE Header.
That way you can get an idea of when the malware was compiled. If you find multiple pieces of malware on a machine you can figure out which one was created first.
What do you think?
Is that something you could get an EnScript to do?
Thank you in advance.
Posted by: Kur3 | 2011-07-05 03:31