The document provides an overview of memory forensics and the Rekall memory analysis tool. It discusses why memory forensics is useful, describes how Rekall supports multiple operating systems through profiles, and covers memory imaging, virtual memory concepts, and analyzing live memory. Rekall's interfaces like the command line, console, notebook, and web console are also introduced.
The document discusses kernel exploitation. It begins with an introduction to basic kernel concepts like virtual memory and mitigations like SMAP, SMEP, and KPTI. It then covers topics like basic kernel exploitation through NULL pointer dereferences, dynamic memory management techniques like kmem caches and allocators, and real world exploitation using use-after-free vulnerabilities and doubly linked lists. The presentation uses examples to illustrate concepts at a high level since each topic could be its own full talk.
This document discusses computer memory forensics. It explains that memory forensics involves acquiring volatile memory contents from RAM and preserving them for later forensic analysis. The document outlines the different types of forensic analysis that can be performed on memory contents, including storage, file system, application, and network analysis. It also discusses the challenges of memory forensics, such as anti-forensic techniques used by malware to hide processes, drivers, and other artifacts in memory.
Unmasking Careto through Memory Forensics (video in description)Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
The document discusses performing memory forensic analysis on Windows systems using EnCase, including acquiring memory images using tools like WinEn and MoonSols Windows Memory Toolkit, and analyzing the images using EnScripts to extract information on processes, modules, and open files through techniques like traversing kernel data structures and searching for object fingerprints. Hands-on examples are provided to demonstrate acquiring memory from a system and analyzing it using EnScripts to identify processes and differences before and after terminating a process.
Android Mind Reading: Android Live Memory Analysis with LiME and VolatilityJoe Sylve
This document discusses acquiring and analyzing volatile memory from Android devices. It provides an overview of traditional Linux memory forensics and the challenges with analyzing Android memory. It introduces the tools LiME and Volatility for acquiring memory from a running Android device and then analyzing that memory image. It demonstrates how to use these tools to extract useful forensic artifacts like processes, network connections, and files.
(120513) #fitalk an introduction to linux memory forensicsINSIGHT FORENSIC
This document discusses Linux memory forensics and provides an overview of tools and techniques for acquiring and analyzing memory. It begins by covering live forensics commands and then discusses memory forensics in more depth. Several open source tools for dumping physical memory are described, including fmem and LiME, as well as tools for analyzing memory images like Foriana and Volatilitux. Commercial memory analysis solutions are also briefly mentioned.
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
The document summarizes the analysis of several Linux rootkits using the Volatility memory forensics framework. It describes how the Average Coder rootkit hides processes, modules and users by hooking various file operations. It also details how the KBeast rootkit hides its module, hooks system calls and network connections. Finally, it discusses how the Jynx rootkit operates by preloading a shared library to hook filesystem and network functions and implement a backdoor. The document demonstrates how Volatility plugins can detect these rootkits and recover hidden data.
Course Objectives:
• Help the student to achieve a broad understanding of the
main types of memory forensic data gathering and analysis
• Serve as an introduction to low level concepts necessary for
a proper understanding of the task of performing memory
forensics on Windows, MacOSX and Linux (incl. Android).
• Put the student in contact with different memory forensics
tools and provide him information on how to use the
gathered forensic data to perform a wide range of
investigations
The document provides an introduction to Linux and device drivers. It discusses Linux directory structure, kernel components, kernel modules, character drivers, and registering drivers. Key topics include dynamically loading modules, major and minor numbers, private data, and communicating with hardware via I/O ports and memory mapping.
The document provides information on analyzing Macintosh computers for digital forensics purposes. It discusses the file systems, operating systems, and applications used by Macs and how to acquire disk images and examine key artifacts. Specific topics covered include acquiring memory using Target Disk Mode, disabling disk arbitration, analyzing browser data from Safari, Firefox, Internet Explorer, and AOL, and examining email from applications like Mail, Entourage and AOL. Forensic tools mentioned include dd, dcfldd, Emailchemy, and the Safari Tools browser analyzer.
This document outlines the key components of a Linux character device driver, including modules, major and minor numbers, data structures like struct file and struct file_operations, driver registration, and core functions like open, release, read and write. It provides an introduction to character device drivers in Linux and their basic architecture.
This presentation gives an overview of Linux kernel block I/O susbsystem functionality, importance of I/O schedulers in Block layer. It also describes the different types of I/O Schedulers including the Deadline I/O scheduler, Anticipatory I/O Scheduler, Complete Fair queuing I/O scheduler and Noop I/O scheduler.
The document provides an overview of Unix basics and scripting. It defines what an operating system and Unix are, describes the Unix philosophy and directory structure, and covers shells, commands, writing and executing scripts, variables, loops, and file permissions. The key topics covered include the Unix philosophy of small, modular programs; the hierarchical directory structure with / as the root; common shells like bash and commands like ls, grep, sort; and how to write simple shell scripts using variables, conditionals, and loops.
SANS Forensics 2009 - Memory Forensics and Registry Analysismooyix
This document summarizes Brendan Dolan-Gavitt's presentation on combining registry analysis and memory forensics. It discusses how the Windows registry contains both stable and volatile data, and how analyzing registry hives extracted from memory images allows accessing both types of data. The document outlines tools like VolReg and VolRip that were created to perform registry analysis on memory, enabling capabilities like extracting password hashes and tracking USB devices. Combining these forensic domains can provide new insights but some challenges remain regarding completeness of data in memory images.
This document provides an overview of different Linux I/O models including blocking I/O, non-blocking I/O, I/O multiplexing using select, poll, epoll, signal-driven I/O and asynchronous I/O. It describes key functions and system calls used for each model and provides examples of how they can be used in drivers and applications.
This document provides an introduction to Python programming for computational genomics and bioinformatics. It discusses the Python environment, integrated development environments (IDEs) like IPython Notebook and PyCharm, and various Python programming concepts including printing and manipulating text, reading and writing files, lists and loops, and writing your own functions. The document is presented as a tutorial with examples and exercises provided to help attendees learn the basics of Python programming.
This document provides an overview of the Linux kernel, including its history, structure, build process, installation, updating, and customization. It discusses getting the kernel source code, configuring and building the kernel, installing modules and the kernel, applying updates via patches, and determining the correct driver for PCI devices by matching the vendor and device IDs. The key steps are to find the PCI IDs, search for the IDs in kernel headers to identify the driver, search the kernel makefiles and configuration to enable that driver for compilation.
The document provides an overview of device driver development in Linux, including character device drivers. It discusses topics such as device driver types, kernel subsystems, compiling and loading kernel modules, the __init and __exit macros, character device registration, and issues around reference counting when removing modules. It also provides sample code for a basic character device driver that prints information to the kernel log.
This document discusses memory forensics and the Volatility framework. It begins by distinguishing memory forensics from disk forensics and explaining why memory forensics is needed to analyze skilled attackers and advanced malware that aim to avoid disk artifacts. It then provides an overview of Volatility capabilities for analyzing processes, network connections, code injection techniques, and decrypting software-based encryption keys from memory captures. It emphasizes that memory forensics can recover important evidence that is never written to disk.
Windows Registry Forensics with Volatility FrameworkKapil Soni
Windows Registry Forensics is the most important part of Memory Forensics Investigations. With the help of Windows Registry Forensics we can reconstruct user activity as well find the evidence easily.
Windows Registry Forensics (WRF) is a one of most important part on malware analysis. The changes made due to malware on Windows that reflect on Registry.
If attacker tried to make changes on Windows OS so all the logs like opening, deleting, modifying folder or file as well if attacker executed a file like .exe , everything is stores in Windows Registry that helps investigator to catch cyber criminal.
Memory Forensics Presentation from one of my lectures. I have tried to explain the functioning of memory in 32 bit architecture, how paging works, how windows manage its memory pages and how memory forensics job is done. The forensics part focuses on collecting data and analyzing the same
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014Amazon Web Services
This document discusses Amazon Web Services (AWS) security configuration and tools. It provides AWS configuration options like Amazon S3, EC2, VPC, IAM, RDS and Elastic Beanstalk. It also discusses security groups, users, credentials and accessing AWS resources. The document shares links to AWS security documentation and best practices. It includes a demonstration of using forensic tools like Volatility on a Linux EC2 instance memory capture to analyze processes, network configuration and loaded kernel modules.
The document provides a timeline and overview of the major versions of the Mac OS operating system from 1984 to 2016. It began as System 1, the first GUI-based OS, and progressed through various System and Mac OS versions that introduced features like multitasking, networking, and the modern OS X platform based on Unix. Key versions included OS X in 2001, which was the first Unix-based release, as well as subsequent versions that focused on performance, integration with iOS, and security updates.
Operating Systems and Memory Managementguest1415ae65
The document discusses operating systems and how they manage hardware, software, memory and processes. It defines key concepts like physical memory, virtual memory, paging, swapping and buffers. It also categorizes different types of operating systems like real-time OS, single-user OS, multi-user OS and discusses how they schedule processes and allocate system resources.
Mac OS X Mavericks is the latest version of the Mac operating system. It provides many new features and improvements such as iCloud integration across devices, enhanced notifications, Finder tabs, and better power management. Mavericks is a free download from the Mac App Store and works on Macs from 2007 onward with 2GB of RAM and 8GB of storage. It continues Apple's goal of providing an intuitive and powerful desktop operating system.
A ppt on Mac Operating System by Apple. I've made this presentation simpler by changing the words in it to a simpler English which everyone can understand and explain it easily. For getting customized projects on Information Technology, contact at https://quvor.com
The document discusses Mac OS, including its history, versions, memory management, process management, and pros and cons. It provides an overview of Mac OS from its introduction in 1984 through various versions such as Mac OS X, OS Cheetah, Puma, Jaguar, Panther, Tiger, Leopard, Snow Leopard, Lion, Mountain Lion, and Ventura. It describes the kernel, multitasking, hierarchical file system, memory management using pages and page lists, and process scheduling. The document also outlines the different layers of Mac OS including the core services layer.
The document provides an overview of computer system organization based on the Von Neumann architecture. It describes the key components of a computer system, including memory, I/O, the ALU, and control unit. It explains how these components work together in the fetch-decode-execute cycle. The document also discusses limitations of the Von Neumann model and introduces parallel processing as an alternative architectural approach.
The document provides an overview of operating systems, including processes, threads, interprocess communication, deadlocks, and scheduling. It discusses the evolution of operating systems from first to fourth generation. Key concepts covered include processes, files, system calls, command interpreters, and signals. Operating system structures like monolithic, layered, and client-server models are summarized. Common interprocess communication problems like the bounded buffer, readers-writers, and dining philosophers problems are also briefly outlined. Finally, it discusses process scheduling algorithms, deadlock conditions and strategies to handle deadlocks.
Windows XP is a 32-bit, preemptive multitasking operating system that was the most widely used OS at the time. It has a layered architecture with a microkernel at its core providing basic services, and various user-mode subsystems that emulate other operating systems. Its design focuses on extensibility, portability, reliability, compatibility, and performance. It uses a file system called NTFS that supports advanced features like security and recovery through transaction logging.
The document provides an overview of operating systems, including:
1. An operating system acts as a virtual machine that hides complex hardware details and provides services through system calls. It manages resources like time and memory allocation.
2. Core OS functions include process management, I/O device control, resource access control, error handling, and accounting. The kernel contains frequently used functions and privileges.
3. Early systems used serial processing but evolved to batch processing, multiprocessing, time-sharing, and today's graphical user interfaces across networks.
The document discusses Linux kernel internals and provides an overview of key concepts such as memory management, process creation, device drivers, and file systems. It describes how the kernel handles tasks like compiling programs, managing memory and processes, and facilitating communication between software and hardware. The document also outlines common Linux system calls and functions related to program execution.
This document provides an overview of the Linux kernel internals and device drivers. It discusses topics like memory management, process creation, inter-process communication using shared memory, and device drivers. The key aspects covered are virtual memory mapping, demand paging, steps in program execution, different types of device drivers, and how the kernel interacts with hardware through device drivers in the userspace.
This document provides an overview of embedded Linux for an embedded systems design course. It discusses various commercial and open source embedded Linux distributions and their characteristics. It also covers important topics for embedded Linux including tool chains, the Linux kernel, debugging, driver development, memory management, and synchronization techniques. Example code snippets are provided for common Linux system programming tasks like file I/O, processes, threads, IPC, signals, and sockets. Cross-compiling for embedded targets is also briefly explained.
The document provides an overview of the Linux kernel internals including:
1) The Linux kernel architecture adopts a monolithic design that provides stability, safety, and high performance while maintaining advantages of both monolithic and microkernel approaches.
2) Key kernel components include processes and threads management, memory management using paging and segmentation, file systems, networking, and device drivers.
3) The kernel uses inodes and blocks to organize file system data on disk and supports various file systems like Ext2 through a virtual file system interface.
This document contains teaching material on distributed systems operating systems from the book "Distributed Systems: Concepts and Design". It discusses key concepts around processes, threads, communication, and operating system architecture to support distributed applications and middleware. The material is made available for teaching purposes and cannot be used without permission.
The document discusses operating system concepts including:
1. The operating system controls computer resources and provides an interface between applications and hardware.
2. It hides hardware complexity and manages resources like processors, memory, and devices.
3. Key OS components include processes, files, pipes, and system calls that allow programs to request services from the OS kernel.
The document provides an overview of operating systems and UNIX/Linux specifically. It discusses how operating systems manage resources and tasks. It then covers the history and development of UNIX, its multi-user and multi-tasking capabilities, and common flavors including Linux. The rest of the document details key aspects of UNIX including processes and process management, memory management, file management, and starting processes.
Mca i-fundamental of computer-u-3-functions operating systemsRai University
The document discusses operating systems and their functions. It describes how operating systems manage hardware resources like the CPU, RAM, and storage devices. It also explains how operating systems provide security, a system interface, and an interface for application software. Common operating system types include batch processing, real-time processing, and time-sharing systems. Key operating system functions are also summarized like multi-tasking, multi-programming, buffering, and spooling.
Bca i-fundamental of computer-u-3-functions operating systemsRai University
The document discusses operating systems and their functions. It defines an operating system as software that manages computer hardware resources and provides interfaces. The key functions of an operating system include managing the CPU, RAM and hardware; providing security; and providing interfaces for users and application software. Common operating system types include batch processing, real-time processing, time-sharing, and examples of Windows, Linux/Unix, and mobile operating systems.
The document provides an outline on operating systems memory storage and management. It discusses how the OS must manage memory to ensure each process has enough space to execute without interfering with other processes. It describes different types of memory like cache, RAM, and disk and how the OS uses these properly. Specific topics covered include cache memory, RAM, virtual memory using swap files, the kernel, kernel types, shells, types of shells, shell scripting, and the four freedoms of open source software.
The document provides an overview of the Linux operating system, including:
- An introduction to Linux and its history as an open-source clone of UNIX.
- Descriptions of Linux's core functionality like multi-user support and virtual memory.
- Discussions of key Linux components like kernels, distributions, packages, and updates.
- Explanations of enterprise-level Linux features around performance, scalability, and reliability.
The document discusses operating systems and their functions. It defines an operating system as software that manages computer hardware resources and provides interfaces. The key functions of an operating system include managing the CPU, RAM and hardware; providing security; and providing interfaces for users and application software. Common operating systems are described as well as different types like batch processing, real-time processing and time-sharing systems.
The document discusses operating systems and their functions. It defines an operating system as software that manages computer hardware resources and provides interfaces. The key functions of an operating system include managing the CPU, RAM and hardware; providing security; and providing interfaces for users and application software. Common operating systems are described as well as different types like batch processing, real-time processing and time-sharing systems.
Similar to Mac Memory Analysis with Volatility (20)
Proactive Measures to Defeat Insider ThreatAndrew Case
This presentation was delivered at RSA 2016 and discussed measures to defeat insider threat. It focused on real investigations that I have performed and how the victim companies could have prevented the associated harm.
OMFW 2012: Analyzing Linux Kernel Rootkits with VolatlityAndrew Case
This document discusses analyzing Linux rootkits using Volatility, an open source memory forensics framework. It analyzes several Linux rootkits including Average Coder, KBeast, and Jynx/Jynx 2. For each rootkit, it describes the rootkit's techniques for hiding processes, files, network connections and how Volatility plugins like linux_check_fop, linux_check_modules, linux_check_syscall, and linux_check_afinfo can detect the rootkit by validating file operations structures, the kernel module list, system call tables, and network operations structures. It also shows how Volatility can recover hidden files, processes, network connections, and shared libraries loaded by the root
My Keynote from BSidesTampa 2015 (video in description)Andrew Case
This is the slides from keynote presentation at BSidesTampa 2015. A recording of the talk can be found at: https://www.youtube.com/watch?v=751bkSD2Nn8&t=1m35s
Memory Analysis of the Dalvik (Android) Virtual MachineAndrew Case
The document summarizes research on analyzing the memory of the Dalvik virtual machine used in Android. It describes acquiring memory from Android devices, locating key data structures in memory like loaded classes and their fields, and analyzing specific Android applications to recover data like call histories, text messages, and location information. The goal is to develop forensics capabilities for investigating Android devices through memory analysis.
Lecture 8 of the IVE 2024 short course on the Pscyhology of XR.
This lecture introduced the basics of Electroencephalography (EEG).
It was taught by Ina and Matthias Schlesewsky on July 16th 2024 at the University of South Australia.
Multimodal Embeddings (continued) - South Bay Meetup SlidesZilliz
Frank Liu will walk through the history of embeddings and how we got to the cool embedding models used today. He'll end with a demo on how multimodal RAG is used.
Leading Bigcommerce Development Services for Online RetailersSynapseIndia
As a leading provider of Bigcommerce development services, we specialize in creating powerful, user-friendly e-commerce solutions. Our services help online retailers increase sales and improve customer satisfaction.
Ensuring Secure and Permission-Aware RAG DeploymentsZilliz
In this talk, we will explore the critical aspects of securing Retrieval-Augmented Generation (RAG) deployments. The focus will be on implementing robust secured data retrieval mechanisms and establishing permission-aware RAG frameworks. Attendees will learn how to ensure that access control is rigorously maintained within the model when ingesting documents, ensuring that only authorized personnel can retrieve data. We will also discuss strategies to mitigate risks of data leakage, unauthorized access, and insider threats in RAG deployments. By the end of this session, participants will have a clearer understanding of the best practices and tools necessary to secure their RAG deployments effectively.
IVE 2024 Short Course - Lecture 2 - Fundamentals of PerceptionMark Billinghurst
Lecture 2 from the IVE 2024 Short Course on the Psychology of XR. This lecture covers some of the Fundamentals of Percetion and Psychology that relate to XR.
The lecture was given by Mark Billinghurst on July 15th 2024 at the University of South Australia.
Generative AI technology is a fascinating field that focuses on creating comp...Nohoax Kanont
Generative AI technology is a fascinating field that focuses on creating computer models capable of generating new, original content. It leverages the power of large language models, neural networks, and machine learning to produce content that can mimic human creativity. This technology has seen a surge in innovation and adoption since the introduction of ChatGPT in 2022, leading to significant productivity benefits across various industries. With its ability to generate text, images, video, and audio, generative AI is transforming how we interact with technology and the types of tasks that can be automated.
Welcome to our third live UiPath Community Day Amsterdam! Come join us for a half-day of networking and UiPath Platform deep-dives, for devs and non-devs alike, in the middle of summer ☀.
📕 Agenda:
12:30 Welcome Coffee/Light Lunch ☕
13:00 Event opening speech
Ebert Knol, Managing Partner, Tacstone Technology
Jonathan Smith, UiPath MVP, RPA Lead, Ciphix
Cristina Vidu, Senior Marketing Manager, UiPath Community EMEA
Dion Mes, Principal Sales Engineer, UiPath
13:15 ASML: RPA as Tactical Automation
Tactical robotic process automation for solving short-term challenges, while establishing standard and re-usable interfaces that fit IT's long-term goals and objectives.
Yannic Suurmeijer, System Architect, ASML
13:30 PostNL: an insight into RPA at PostNL
Showcasing the solutions our automations have provided, the challenges we’ve faced, and the best practices we’ve developed to support our logistics operations.
Leonard Renne, RPA Developer, PostNL
13:45 Break (30')
14:15 Breakout Sessions: Round 1
Modern Document Understanding in the cloud platform: AI-driven UiPath Document Understanding
Mike Bos, Senior Automation Developer, Tacstone Technology
Process Orchestration: scale up and have your Robots work in harmony
Jon Smith, UiPath MVP, RPA Lead, Ciphix
UiPath Integration Service: connect applications, leverage prebuilt connectors, and set up customer connectors
Johans Brink, CTO, MvR digital workforce
15:00 Breakout Sessions: Round 2
Automation, and GenAI: practical use cases for value generation
Thomas Janssen, UiPath MVP, Senior Automation Developer, Automation Heroes
Human in the Loop/Action Center
Dion Mes, Principal Sales Engineer @UiPath
Improving development with coded workflows
Idris Janszen, Technical Consultant, Ilionx
15:45 End remarks
16:00 Community fun games, sharing knowledge, drinks, and bites 🍻
Webinar: Transforming Substation Automation with Open Source SolutionsDanBrown980551
This webinar will provide an overview of open source software and tooling for digital substation automation in energy systems. The speakers will provide a brief overview of how open source collaborative development works in general, then delve into how it is driving innovation and accelerating the pace of substation automation. Examples of specific open source solutions and real-world implementations by utilities will be discussed. Participants will walk away with a better understanding of the challenges of automating substations, the ecosystem of solutions available to help, and best practices for implementing them.
Project Delivery Methodology on a page with activities, deliverablesCLIVE MINCHIN
I've not found a 1 pager like this anywhere so I created it based on my experiences. This 1 pager details a waterfall style project methodology with defined phases, activities, deliverables, assumptions. There's nothing in here that conflicts with commonsense.
Airports, banks, stock exchanges, and countless other critical operations got thrown into chaos!
In an unprecedented event, a recent CrowdStrike update had caused a global IT meltdown, leading to widespread Blue Screen of Death (BSOD) errors, and crippling 8.5 million Microsoft Windows systems.
What triggered this massive disruption? How did Microsoft step in to provide a lifeline? And what are the next steps for recovery?
Swipe to uncover the full story, including expert insights and recovery steps for those affected.
TrustArc Webinar - Innovating with TRUSTe Responsible AI CertificationTrustArc
In a landmark year marked by significant AI advancements, it’s vital to prioritize transparency, accountability, and respect for privacy rights with your AI innovation.
Learn how to navigate the shifting AI landscape with our innovative solution TRUSTe Responsible AI Certification, the first AI certification designed for data protection and privacy. Crafted by a team with 10,000+ privacy certifications issued, this framework integrated industry standards and laws for responsible AI governance.
This webinar will review:
- How compliance can play a role in the development and deployment of AI systems
- How to model trust and transparency across products and services
- How to save time and work smarter in understanding regulatory obligations, including AI
- How to operationalize and deploy AI governance best practices in your organization
TrustArc Webinar - Innovating with TRUSTe Responsible AI Certification
Mac Memory Analysis with Volatility
1. Mac Memory Analysis with Volatility
Andrew Case / @attrc
Digital Forensics Researcher
Terremark
2. Who Am I?
• Digital Forensics Researcher @ Terremark
• Volatility Developer & Registry Decoder Co-
Developer
• Former Blackhat, SOURCE, DFRWS, BSides,
and SANS @Night speaker
• GIAC Certified Forensics Analyst (GCFA)
3. Motivation for this Research
• There is a good tool for acquisition of memory
from Mac machines [1], but no tools for deep
analysis of the captured memory
• Matthieu Suiche did initial research but no tool
[16]
• Only one public tool, Volafox [7], supports Mac
analysis, but not as robustly or as thoroughly as
we would like
• To fix this, we added full Mac support to Volatility
4. Agenda
• Introduction to Memory Analysis
• Overview of the Volatility architecture
• Mac Memory Acquisition
• Analysis with Volatility
• Conclusions/Q&A
6. Introduction
• Memory analysis is the process of taking a
memory capture (a sample of RAM) and
producing higher-level objects that are useful
for an investigation
• A memory capture has the entire state of the
operating system as well as running
applications
– Including all the related data structures, variables,
etc
6
7. The Goal of Memory Analysis
• The higher level objects we are interested in
are in-memory representations of C
structures, custom data structures, and other
variables used by the operating system
• With these we can recover processes listings,
filesystem information, networking data, etc
• This is what we will be talking about
throughout this presentation
7
8. Volatility
• Most popular memory analysis framework
– Written in Python
– Open Source
– Supports Windows {XP, Vista, 7, 2003, 2008}
– Supports Linux on Intel and ARM
– And now supports Mac!
• Allows for analysis plugins to be easily written
• Used daily in real forensics investigations
8
9. Volatility Terminology - Vtypes
• A representation of structures used in the OS, such
as size, names, members, types, and offsets
• Example:
'_IMAGE_EXPORT_DIRECTORY': [ 0x28, {
'Base': [ 0x10, ['unsigned int']],
'NumberOfFunctions': [ 0x14, ['unsigned int']],
'NumberOfNames': [ 0x18, ['unsigned int']],
'AddressOfFunctions': [ 0x1C, ['unsigned int']],
10. Volatility Terminology - Profiles
• A profile is set of vtypes and (optionally)
symbol addresses that are used to model a
particular OS version
• This is what allows Volatility plugins to be
generic to all the different versions of
Windows, Linux, Mac, etc
11. Volatility Terminology – Address Spaces
• Address spaces are used to translate virtual
addresses into physical offsets
• They also prevent the need to convert all
memory captures to a linear format
12. Current Address Spaces
• Memory Management Address Spaces
– x86 / x64
– Arm (Android)
• Interface (File) Address Spaces
– Firewire
– Windows Hibernation Files
– Crash Dumps
– EWF Files
– Lime
– And a new one for this talk!
12
13. Mac Profiles
• Mac profiles are built in two steps:
• The addresses of symbols are gathered from
the system’s mach_kernel
• The types are gathered by running dwarfdump
on the debug mach_kernel
― This is contained in the KernelDebugKit
― This output is then converted into a proper vtype
15. No Native Software Support
• Modern versions of Mac do not support /dev/
mem or /dev/kmem
• This means that 3rd party software must be
used to access physical memory
16. Mac Memory Reader [1]
• Main memory acquistion tool
– Free, but not open source
• Supports capture from 32 and 64 bit systems
running on native hardware as well as from
Parallels and VirtualBox guests
– Does not work with VMware Fusion guests
• Loads a driver to recreate /dev/mem and
captures from it
17. The Capture File
• Mac Memory Reader creates a mach-o file of
captured memory
– Mach-o is the standard Mac exe format
• RAM is not contiguous in physical memory so
a linear capture would be much bigger than
actual RAM size
– Too big to deal with on 64 bit
18. Mach-O Address Space
• To handle Mac Memory Reader captures, a
mach-o address space was developed
• Supports 32 and 64 bit captures
• It parses mach-o files and for each segment
gathers:
– The offset into the file
– The size of the segment
– Its mapped address, which is its physical address
20. Runtime Information
• This rest of this session is focused on orderly
recovery of data that was active at the time of
the memory capture
• We will be discussing how to find key pieces
of information and then use Volatility to
recover them
20
21. Information to be Recovered
• Processes
• Memory Maps
• Open Files
• Network Connections
• Network Data
• Loaded Kernel Modules
• Rootkit Detection
21
22. Mach Overview
• No split address space
• (Almost?) Micro-kernel
– Only the components that need hardware access
run in ring 0
– Everything else runs as a userland process
– Mach is the only mainstream kernel like this
– The mechanisms needed to make this work tend
to be annoying as a memory analysis researcher
23. Mach Processes & Tasks
• A process (proc) represents a BSD process
– Its threads are called uthreads
• A task (task) represents a Mach task
– Its threads are called “Mach Threads” and
represented by the thread structure
24. Recovering Processes
• The list of processes is stored in the allproc list
• Each element of the list is of type struct proc
– The p_comm member stores the ASCII name of
the binary that was executed
– The p_pid member stores the process ID
– Other members you would expect:
• p_uid, p_gid, p_ppid
• The mac_pslist plugin enumerates this list and
prints out the per-process information
25. Recovering Command Line Arguments
• mac_pslist only recovers the name of the
binary that was executed
• mac_psaux recovers the command line args
(**argv) and optionally the env variables
• The CR3 value for each process is stored in:
– <proc_structure>.task.map.pmap.pm_cr3
• user_stack and p_argslen are used to recover
where the args and environment arrays are
26. Recovering Memory Maps
• The mac_proc_maps plugin recovers per-task
memory maps
– Mimics vmmap or Linux’s /proc/<pid>/map
• For each mapping, it lists:
– Starting and ending address
– The mapped file (if any)
• Makes spotting shared library injection easy
• A starting point to malware/unknown binary
analysis
28. Dumping Memory Maps
• The mac_dump_map plugin is able to dump
the contents of memory mappings inside of
particular processes
• Common usages:
– Check against virus DBs
– Binary Analysis
– Further forensics analysis (strings, file carving, etc)
29. Open Files
• The mac_lsof plugin lists the files that are
opened for each process
– Similar to /proc/<pid>/fd on Linux
• Walks the proc.p_fd.fd_ofiles array
• Checks the vnode type, if DTYPE_VNODE, then
it’s a regular file and reported
• Useful to determine file system activity, log
files, etc
30. Mount Points
• The mac_mount plugin recovers all mounted
devices and their mount points
• Mimics the mount command
• Very useful when integrating disk and memory
analysis during an investigation
• The mount flags can are also good artifacts
(read only, no exec, no atime, etc)
31. Dmesg
• mac_dmesg recovers the kernel’s debug
buffer
• Contains a wide range of useful information
• Viewed on the live machine with the dmesg
binary that reads /var/log/kernel.log
• The contents are very easy to manipulate on
disk – not so in memory
32. Network Connections
• mac_netstat emulates the netstat command
• Lists each connection along with relevant
information (src/dst IP address & port, state,
etc)
• Also walks the list of open files and acts on
DTYPE_SOCKET entries
• Obviously useful when investigating network
traffic and connections
33. Ifconfig
• mac_ifconfig emulates the ifconfig command
• Walks the dlil_ifnet_head list in memory to
get each interface, which are represented by
ifnet structures
• For each interface it recovers:
– The interface name (en0, en1, etc)
– Any IP addresses
– MAC Address
34. ARP Table
• Found in the llinfo_arp list
• Recovers the ARP table out of memory
• Useful in IR scenarios to determine which
networked devices the investigated machine
recently contacted
35. Routing Cache
• When researching the routing table, I noticed
that Mac has a very interesting routing cache
• Keeps track of connections made to remote IP
addresses
• Statistics about these connections are kept as
well including the start time and total packets &
bytes
36. Entry Expiry
• Entries in the cache expire based on the value
in net.inet.ip.rtexpire for IPv4 and
net.inet6.ip6.rtexpire for IPv6
• This time is in seconds
• The countdown timer starts when there is no
more references to the connection
– So if the memory capture fits in this window, we
can recover it
37. What are the expiry times?
• I asked Mac users for their sysctl value & OS
version on twitter and G+
• Got about 20 responses, but wasn’t conclusive
• For IPv4:
– People with the same exact OS version had widely
different values
– Range was from 10 seconds (bad!) up to an hour
• IPv6 was always 3600 (one hour)
38. Uses of the Routing Cache
• Malware Analysis & Data Exfil Investgations
– You know when the current session started
– You know how much data was sent
• Beating Rootkits
– How many rootkits hide from netstat/lsof and
other tools using easily detectable techniques?
– vs how many manipulate the kernel’s routing
cache?
• Hint: 0
39. Loaded Kernel Modules
• The mac_lsmod plugin lists all of the loaded
kernel modules (extensions) active on the
system
• This replicates the output of the kextstat
command
• This can lead to further investigation by
dumping the executable in memory [14]
41. I/O Kit [3]
• I/O Kit is the framework that allows for
development of device drivers as well as the
OS’es tracking and handling of hardware
devices
• Provides the ability for programmers to hook
into a wide range of hardware events and
actions
42. The I/O Registry [2]
• The I/O registry tracks devices that are
attached to the computer as well as the
classes that represent them
• The ioreg binary can list all of the registry
contents
• The mac_ioreg plugin provides similar
functionality to ioreg
43. Rootkit Detection
• Most rootkit discussions, whether offensive
or defensive, make a distinction between
userland (unprivileged) and kernel (fully
privileged) rootkits
• Mac blurs this line with its micro-kernel design
• When referring to “kernel” rootkit detection, I
mean core parts of the OS and not individual
userland applications or services
44. Types of Rootkits
• Static
– Alters data that is set at compile-time and never
changes
– Examples: modifying system call table entries,
code (.text) instructions, global data structure
function pointers
– These are generally boring from a research
perspective and already covered by other projects
(Volafox [7], Phrack article [8], etc)
45. Types of Rootkits Cont.
• Dynamic
– Alters data that is only created and referenced at
runtime
– Generally includes manipulating live data
structures (lists, hash tables, trees) used by the
operating system for accounting or for core
operations
– Much more interesting from a research
perspective
46. Logkext [4]
• Logkext is a rootkit that uses the I/O Kit
framework to log keystrokes
• It accomplishes this by adding a
'gIOPublishNotification' callback that filters on
the 'IOHIKeyboard' service.
• This effectively gives the rootkit control
everytime a key is pressed.
47. Detecting logkext
• Enumerate the gNotifications hash table
– Keyed by the type of notification: (gIOPublishNotification,
gIOFirstPublishNotification, gIOMatchedNotification,
gIOFirstMatchNotification, gIOTerminatedNotification)
– Each element is a IOServiceNotifier
• The handler member of IOServiceNotifier points to the
callback function
• We verify that each callback is either:
1. In the kernel
2. In a known kernel module
48. IP Filters [8]
• Part of the Network Kernel Extension
framework
• Allows for kernel extension programmers to
easily hook incoming and/or outgoing
network packets
• These hooks have built-in support for
modifying packets in-place!
– Done with ipf_inject_input and ipf_inject_output
49. IP Filter Rootkits [9]
• The potential for abuse of these filters is
pretty obvious and existing rootkits take
advantage of it in different ways
• We can detect these rootkits by verifying that
every IP hook is in a known location
– Implemented in mac_ip_filter
50. Detecting IP Filter Rootkits
• We walk the ipv4_filters & ipv6_filters lists
• These lists are of type ipfilter_list whose
elements are ipfilter structures
• ipfilter structures hold the name of the filter
(might be empty) as well as pointers to the
input, output, and detach functions
• All three of these functions need to be in the
kernel or in a known module if set
51. TrustedBSD [17, 18]
• The TrustedBSD framework provides hooks
into a large number of functions in the kernel
related to processes, memory, networking,
and much more
• These hooks are meant to be used to enforce
security polices & access control
• From my testing, it seems all Macs have
“SandBox”, “Quarantine”, and “TMSafetyNet”
loaded by default
52. Abusing TrustedBSD
• As you can imagine, having an “official” way to
hook the kernel is an attractive feature for
rootkits
• The author of the http://reverse.put.as blog was
the first to think of this method and implemented
a POC rootkit named rex that does it [10, 11]
• Works by adding malicious “trusted” policies that
allow userland processes to call into the policies
in order to gain root privileges
53. Detecting Rex
• All policies are stored in the global
mac_policy_list
• Each element is of type mac_policy_list_element
• Name of the policy - <element>.mpc.mpc_name
• Function pointers - <element>.mpc.mpc_ops
• We verify that every function pointer is either in
the kernel, a known kernel module, or NULL
– This finds Rex as well as any other malicious policies
55. Volafox Comparison
• Based on Volatility, but does not use the
profile/object system
– So it only supports a small number of OS versions
and adding support for a new version is difficult
• Only a few plugins:
– Process list, netstat, lsof, mount
– Only rootkit detection is syscall hooking (static)
• SVN version supports 32 bit Mac Memory
Reader but no 64 bit support
56. Conclusion
• Volatility now has proper Mac support
• Everything talked about today exists in the
open source repository
– Instructions on how to access can be found at [15]
• Much more new functionality will be added
over the next couple months
– Check [12 & 13] for updates