As mentioned in my last blogpost, I had the pleasure to participate in this years DFRWS USA and present our paper. The paper and presentation can be freely viewed and downloaded here or here. Note that there is also an extended version of the paper, which can be downloaded here.
The keepassx, zsh and heap analysis plugins are now also part of the Rekall release candidate 1.7.0RC1, so it’s easier to get started.
The conference had some great talks and workshops, which I’m going to briefly sum up.
Andrew Case (from the Volatility Foundation) presented the results from building a Fuzzing Architecture for Memory Forensic Frameworks (Gaslight). Their main goal was to test the robustness of memory forensic frameworks against malware tampering and {memory, page, data} smear, resulting from non-atomic aquisition process. The results covered mainly volatility and rekall and did found several issues, which lead to crashes, infinite loops and the creation of 20GB+ files while dumping ELF files.
Another interesting talk was given by Jonas Wagner, called “Memory Based Dynamic Malware Analysis”. Their approach was basically to track the memory space for changes (e.g. new memory allocations) via virtual machine introspection by taking 100 snapshots per second, in order to detect code injections and self modifying code. The conference organized a Boat Ride Banquet on the Colorado River, where I had a chat with the author and also ask him about a source code release, but unfortunately they don’t plan to release it at the moment, so there is no way to give it a closer look. However, there might be a product coming up soon.
Researchers from Fraunhofer Institute for Communication, Information Processing and Ergonomics presented their paper about pooled storage file system forensic analysis. They extended the sleuthkit framework with support for the ZFS file system and created a fork of the sleuthkit project, containing their results: https://github.com/fkie-cad/sleuthkit
On the last day, Michael Cohen (main author of the Rekall Framework) gave a workshop on the new Rekall Agent. The material can be downloaded here. Everyone familiar with grr might also be familiar with the pain of setting it up. While this incident response framework is awesome to have, during an incident analysis (another solution is Mozilla Investigator), setting it up (especially regarding the database) is far away from easy, not to mention problems such as scaling, load balancing and so on. These challenges were the reason to start the Rekall Agent project. The basic concept is the same as with grr: There are agents (the clients – analysis wise), the server instance that controls the clients and retrieves information from them and there is the investigator, who issues commands on some or all agents during an investigation. The main advantage now is that setting all up and including some agents is really easy and quick (the necessary steps are explained in the workshop material). Michael did it live from scratch during the workshop and we were ready to go with the server and some agents within a few minutes. One of the concerns I had with the Cloud based approach, however, is the fact that all data gathered from agents is processed in clear text in the cloud. While the Rekall Agent offers fine-grained access controls on actions and viewing data, an attacker with physical access resp. the Cloud provider itself is still able to extract the data. He mentioned that there might be an encryption layer coming soon, but it is not planned yet. Besides that, and the current “highly experimental” state, it seems really promising, so give it try with some dedicated test machines and have a look at its capabilities.
\x00
Frank