>> As we discussed in previous units, forensic investigators examine physical memory content to detect malicious processes, threads, and memory-resident malware, and to recover passwords and encryption keys.
In some cases, forensic examiners will not be able to start an investigation at all without the physical memory content.
To start memory acquisition, let's learn some well-known Windows memory acquisition tools.
The freely available MoonSols Windows Memory Toolkit is a host-based Windows memory acquisition toolkit. It is very easy to use.
When you run DumpIt, a tool from this toolkit, from a USB drive, a raw memory dump is generated and written to the same directory you are running DumpIt from. The drive therefore needs free space at least equal to the machine's physical RAM, and keep in mind that running any live tool perturbs the very memory you are capturing.
The other host-based Windows memory acquisition tools I recommend include winen.exe from Guidance Software, MemoryDD from ManTech, FTK Imager from AccessData, and Belkasoft Live RAM Capturer.
Commercial tools such as F-Response and Forensic Toolkit (FTK) allow examiners to conduct acquisition remotely by running an agent on the suspect machine.
Once we have a physical memory image dumped, how do we extract information such as running processes, registry data, event logs, network traffic and web history from the memory image for forensic analysis?
We can use the Linux strings command to extract printable strings from a memory dump, but strings does not give us all of the structured information we need.
Let's study some memory analysis tools that are capable of extracting processes, network and registry information, and even passwords from a memory dump.
Some of these tools also work on Linux and UNIX memory contents.
WindowsSCOPE is a commercial tool for Windows memory acquisition and analysis.
You can get a one-month full-featured trial to try out this tool.
One of its strengths is the detection and reverse engineering of rootkits and malware.
Redline and Memoryze from FireEye are free tools for Windows memory acquisition and analysis.
The open source Python-based toolkit called Volatility Framework is able to extract information from Windows as well as Linux and UNIX memory images.
Let's closely look at Volatility framework to understand how memory analysis tools extract
processes and other information.
The Volatility framework requires an acquired memory image as its input.
To start a memory analysis with Volatility, you should first run the imageinfo plug-in to identify the operating system version, service pack and hardware architecture, and the address of the kernel debugger data block (KDBG) in the given memory image.
So, here the given memory image file is named mem.
The imageinfo output tells you the suggested profile of the image, for example WinXPSP3x86.
You pass this profile as a parameter when you run the other plug-ins.
Given the profile, Volatility uses the KDBG structure to locate the kernel objects and structures that contain process and network information.
For example, the Windows kernel uses the EPROCESS data structure to store information about each running process.
All active EPROCESS structures are doubly linked together through their ActiveProcessLinks field.
The head of this linked list of EPROCESS structures is pointed to by PsActiveProcessHead.
Volatility uses the KDBG to find PsActiveProcessHead and then lists all currently running processes by walking the EPROCESS linked list.
The Volatility framework supports a variety of plug-ins, including pslist, psscan, dlllist, modules, connscan, hivelist, et cetera, that allow us to extract processes, threads, registry data, network connections, and much other crucial information.
The pslist plug-in instructs Volatility to start from PsActiveProcessHead and list all running processes.
To run a Volatility plug-in, we provide the profile we learned from imageinfo.
So, here is one example using the pslist plug-in.
However, to hide processes, rootkits simply unlink them from the EPROCESS list, a technique known as direct kernel object manipulation (DKOM).
Once unlinked, these processes continue to run normally, but they are hidden from most standard process enumeration tools such as Windows Task Manager and the Sysinternals utilities.
The Volatility plug-in psscan does not use the EPROCESS linked list.
Instead, it scans memory looking for structures that look like EPROCESS objects, using the pool tag and sanity checks on the object's fields, and returns the physical address of every EPROCESS object it finds.
Therefore, psscan will list all processes, even those that are hidden by rootkits and not shown by pslist. Note that psscan also reports terminated processes whose EPROCESS objects have not yet been overwritten, so check the exit time of any psscan-only entry before calling it hidden.
Any discrepancy between the outputs of pslist and psscan, that is, a process that psscan finds but pslist does not, may indicate that a rootkit is installed on the suspect machine.
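The following Python script is an added example, not code from the lecture or from the Volatility project. It models a memory image as a byte buffer holding a constructed, simplified EPROCESS layout (a b"PROC" tag, PID, Flink/Blink, image name; the record layout, offsets and tag are assumptions for illustration and do not match the real kernel structure), walks the PsActiveProcessHead list the way pslist does, scans for the tag the way psscan does, and reports the discrepancy an analyst looks for:

```python
"""
Toy model of why pslist and psscan disagree on a DKOM-infected image.

Added example; not part of the lecture or the Volatility project. The record
layout, the b"PROC" tag and every offset below are constructed for illustration.
With real Volatility 2 the workflow is:
    vol.py -f mem imageinfo
    vol.py -f mem --profile=<Profile> pslist
    vol.py -f mem --profile=<Profile> psscan
"""
import struct

TAG = b"PROC"                       # stand-in for the real process pool tag
REC = struct.Struct("<4sIII16s")    # tag, pid, Flink, Blink, ImageFileName (32 bytes)
LINKS_OFF = 8                       # offset of the Flink/Blink pair inside a record
IMAGE_SIZE = 0x1000
HEAD_OFF = 0x10                     # where the fake PsActiveProcessHead lives

# Constructed process set: (record offset, pid, name, still linked into the list?)
PROCS = [
    (0x100, 4,    b"System",       True),
    (0x200, 624,  b"csrss.exe",    True),
    (0x300, 1520, b"explorer.exe", True),
    (0x400, 1804, b"evil.exe",     False),   # unlinked by a DKOM rootkit
]


def build_image():
    """Lay out the constructed image: list head, linked records, one hidden record, one decoy."""
    img = bytearray(IMAGE_SIZE)
    # The ring of LIST_ENTRYs: head -> System -> csrss -> explorer -> head.
    ring = [HEAD_OFF] + [off + LINKS_OFF for off, _, _, linked in PROCS if linked]
    nxt = {n: ring[(i + 1) % len(ring)] for i, n in enumerate(ring)}
    prv = {n: ring[(i - 1) % len(ring)] for i, n in enumerate(ring)}
    struct.pack_into("<II", img, HEAD_OFF, nxt[HEAD_OFF], prv[HEAD_OFF])
    for off, pid, name, linked in PROCS:
        node = off + LINKS_OFF
        if linked:
            flink, blink = nxt[node], prv[node]
        else:
            # The object is still in memory and still runs; its neighbours were
            # simply rewritten to skip it, so nothing in the list points here.
            flink = blink = node
        REC.pack_into(img, off, TAG, pid, flink, blink, name)
    # Decoy: a tag match alone is not a process; garbage must fail the sanity checks.
    REC.pack_into(img, 0x500, TAG, 0xFFFFFFFF, 0, 0, bytes(range(1, 17)))
    return img


def parse_record(img, off):
    tag, pid, flink, blink, name = REC.unpack_from(img, off)
    return {"offset": off, "tag": tag, "pid": pid, "flink": flink, "blink": blink,
            "name": name.split(b"\0", 1)[0].decode("ascii", "replace")}


def pslist(img):
    """Walk the doubly linked list from PsActiveProcessHead, as pslist does."""
    found, seen = [], set()
    flink, _ = struct.unpack_from("<II", img, HEAD_OFF)
    while flink != HEAD_OFF and flink not in seen:   # stop at head or on a loop
        seen.add(flink)
        rec = parse_record(img, flink - LINKS_OFF)    # pointer -> containing record
        found.append(rec)
        flink = rec["flink"]
    return found


def looks_like_process(rec):
    """Cheap stand-ins for psscan's sanity checks on a candidate object."""
    return (0 <= rec["pid"] < 65536
            and 0 < rec["flink"] < IMAGE_SIZE and 0 < rec["blink"] < IMAGE_SIZE
            and rec["name"] != "" and rec["name"].isprintable())


def psscan(img):
    """Ignore the list; scan every offset for the tag and validate the candidate."""
    found = []
    pos = img.find(TAG)
    while pos != -1 and pos + REC.size <= len(img):
        rec = parse_record(img, pos)
        if looks_like_process(rec):
            found.append(rec)
        pos = img.find(TAG, pos + 1)
    return found


def hidden_processes(img):
    """The analyst's cross-check: present in psscan output but absent from pslist."""
    visible = {(p["pid"], p["name"]) for p in pslist(img)}
    return sorted((p["pid"], p["name"]) for p in psscan(img)
                  if (p["pid"], p["name"]) not in visible)


if __name__ == "__main__":
    image = build_image()
    print("pslist:", [(p["pid"], p["name"]) for p in pslist(image)])
    print("psscan:", sorted((p["pid"], p["name"]) for p in psscan(image)))
    print("hidden:", hidden_processes(image))
```

The list walk never reaches evil.exe because no Flink points at it, while the scan finds it at 0x400 and rejects the decoy at 0x500; the set difference is exactly the pslist/psscan discrepancy described above.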
Similarly, the connscan plug-in can recover hidden or recently closed network connections by scanning memory for connection objects, whereas the connections plug-in walks the kernel's linked list and, like pslist, can be defeated by the same kind of unlinking.
The cryptoscan plug-in attempts to recover encryption passphrases from a memory image. Here is an example of using cryptoscan.
For Windows memory images, the Volatility framework uses the hivelist and hivescan plug-ins to locate the registry hives found in memory, such as SAM, SECURITY, SOFTWARE, NTUSER.DAT and UsrClass.dat, so that they can be dumped out.
Google's open source Rekall Memory Forensics framework is, in terms of functionality, very similar to the Volatility framework.
In addition, Rekall is able to acquire Windows, Linux, and Mac memory images through its pmem drivers; the Volatility framework does not have an acquisition function.
In the demo, I will show you how to use Volatility framework to analyze a memory dump.