Wednesday, September 17, 2014

Detective Michael Chaves Shares A Memory Forensics Success Story

Detective Michael Chaves from the Monroe CT Police Department shares the following story regarding his experiences with Memory Forensics, Volatility Training, KnTTools, and POS breaches. Michael was also recently quoted in Brian Krebs' article Card Wash: Card Breaches at Car Washes for the key role that he played in that investigation.

Shouts to Michael - keep up the great work!
Before attending this class I had a strong digital forensic background, but lacked an understanding of the "under the hood" workings of RAM and the stuff running in RAM.  I knew I was in for a challenge and boy did I get one.  I always had a desire to learn about memory analysis and I had some knowledge of what it contained, but it was the significant increase in POS breaches that I was investigating that I realized I needed this class sooner than later.

After taking this class in May of 2014 I began investigating a POS breach involving a local business chain.  The chain was a Common Point of Purchase for thousands of credit/debit that were compromised that lead to more than $100,000 in losses from fraudulent use. From the class, I learned of a new memory acquisition tool from GMG Systems, Inc. called " KnTTools".  I tested it out and found it to be an extremely reliable, fast and efficient program that has a very small footprint.  I used KnTTools to acquire numerous RAM dumps from several locations.

Now came the time to figure out what I had.  Going in blind, not knowing where to look or even what I was looking for was a daunting task.  Referring to my notes and the student handbook, I began to use Volatility to try and understand what I had.  I began to use plugins such as pslist, psxview, malfind, apihooks and connections and I started to get some information to look more into.  Understanding the PID/PPID relationship and what process should call another was very helpful.  Working with the business I learned what programs were legit and white listed them.  This was important to me since I did not know what programs and applications were supposed to be running on those computers.  I located three running processes that turned out to be malware.  I used dlllist, dlldump, procdump and dumpfiles to extract out the processes, files and dll's and ran strings on them.  From there I located great information including the POST/GET commands that show where the cards were going to... BINGO!

I located the same malware on ALL other RAM acquisitions.  Although I do not know exactly how the malware got onto the system or fully how it works, I located the necessary information I needed to proceed with my investigation. Without this class or the Volatility tool, I would never have been able to further my investigation.  Volatility is a game changer in memory forensics.  With more and more POS breaches being reported every day both on a local and national scale, responders need the ability to efficiently and effectively analyze the RAM where the malware attempts to run.... and hide.  But you can't hide from Volatility!

No comments:

Post a Comment