Shouts to Michael - keep up the great work!
Before attending this class I had a strong digital forensic background, but lacked an understanding of the "under the hood" workings of RAM and the stuff running in RAM. I knew I was in for a challenge and boy did I get one. I always had a desire to learn about memory analysis and I had some knowledge of what it contained, but it was the significant increase in POS breaches I was investigating that made me realize I needed this class sooner rather than later.
After taking this class in May of 2014 I began investigating a POS breach involving a local business chain. The chain was a Common Point of Purchase for thousands of credit/debit cards that were compromised, which led to more than $100,000 in losses from fraudulent use. From the class, I learned of a new memory acquisition tool from GMG Systems, Inc. called "KnTTools". I tested it out and found it to be an extremely reliable, fast and efficient program that has a very small footprint. I used KnTTools to acquire numerous RAM dumps from several locations.
Now came the time to figure out what I had. Going in blind, not knowing where to look or even what I was looking for, was a daunting task. Referring to my notes and the student handbook, I began to use Volatility to try and understand what I had. I began to use plugins such as pslist, psxview, malfind, apihooks and connections, and I started to get some information to look more into. Understanding the PID/PPID relationship and what process should call another was very helpful. Working with the business I learned what programs were legit and whitelisted them. This was important to me since I did not know what programs and applications were supposed to be running on those computers. I located three running processes that turned out to be malware. I used dlllist, dlldump, procdump and dumpfiles to extract the processes, files and DLLs and ran strings on them. From there I located great information including the POST/GET commands that show where the cards were going to... BINGO!
I located the same malware on ALL other RAM acquisitions. Although I do not know exactly how the malware got onto the system or fully how it works, I located the necessary information I needed to proceed with my investigation. Without this class or the Volatility tool, I would never have been able to further my investigation. Volatility is a game changer in memory forensics. With more and more POS breaches being reported every day both on a local and national scale, responders need the ability to efficiently and effectively analyze the RAM where the malware attempts to run.... and hide. But you can't hide from Volatility!
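The two checks the post leans on, parent/child sanity (which process should call another) and whitelisting of the programs the business confirmed as legitimate, are easy to script once pslist output is in hand. The following is an added example, not code from the post or from the Volatility project: it parses a constructed pslist-style listing (offsets, names and PIDs are made up), flags processes missing from a whitelist, and flags core Windows processes whose parent is not the one expected. The expected-parent table assumes the XP/2003-era process tree common on POS terminals of that time (services.exe and lsass.exe under winlogon.exe); on Vista and later they hang off wininit.exe, so adjust the table to the image being examined.

```python
"""Triage a Volatility-style pslist listing for parent/child anomalies and
non-whitelisted processes. Added example; not code from the original post
or from the Volatility project. All process data below is constructed."""
from dataclasses import dataclass

# Constructed sample in the shape of Volatility pslist output (not real capture data).
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds
0x8a1b2c00 System                    4      0     52      423
0x8a3c4d00 smss.exe                364      4      3       19
0x8a5e6f00 csrss.exe               428    364      9      412
0x8a7a8b00 winlogon.exe            456    364     18      530
0x8a9c0d00 services.exe            500    456     15      287
0x8abe2f00 lsass.exe               512    456     21      349
0x8ad04100 svchost.exe             640    500     10      212
0x8af26300 explorer.exe           1124   1080     14      551
0x8b148500 pos_client.exe         1380   1124      6      101
0x8b36a700 svchost.exe            1920   1124      2       44
0x8b58c900 upd8r.exe              2044   1920      1       37
"""

# Expected parents for core processes (assumed XP/2003-style tree; names lowercase).
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe"},
    "lsass.exe": {"winlogon.exe"},
    "svchost.exe": {"services.exe"},
}

# Programs the business confirmed as legitimate on these terminals (hypothetical list).
WHITELIST = {
    "system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "pos_client.exe",
}


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int


def parse_pslist(text: str) -> list[Proc]:
    """Pull name/PID/PPID out of a pslist-style table, skipping the header."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("Offset"):
            continue
        procs.append(Proc(name=parts[1], pid=int(parts[2]), ppid=int(parts[3])))
    return procs


def triage(procs: list[Proc], whitelist: set[str], expected_parent: dict) -> list[tuple]:
    """Return (pid, name, reason) for every process that fails a check."""
    by_pid = {p.pid: p.name for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        # A parent that is no longer in the listing (e.g. userinit.exe for
        # explorer.exe) is normal, so it is reported but not treated as a hit.
        parent = by_pid.get(p.ppid, "<exited/unknown>").lower()
        if name not in whitelist:
            findings.append((p.pid, p.name, "not on whitelist"))
        allowed = expected_parent.get(name)
        if allowed and parent not in allowed:
            findings.append((p.pid, p.name, f"unexpected parent {parent} (pid {p.ppid})"))
    return findings


def run_sample() -> list[tuple]:
    """Triage the constructed listing; used by the demo below and by tests."""
    return triage(parse_pslist(SAMPLE_PSLIST), WHITELIST, EXPECTED_PARENT)


if __name__ == "__main__":
    for pid, name, reason in run_sample():
        print(f"PID {pid:>5}  {name:<16} {reason}")
```

Running it on the constructed listing flags two entries: the second svchost.exe, because its parent is explorer.exe rather than services.exe, and upd8r.exe, because it is not on the whitelist. Those are the processes a responder would hand to dlllist, procdump and strings next, exactly as the post describes.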