DFRWS EU Slide Deck and Generic IOCs

My talk pdf “Fast and Generic Malware Triage Using openioc_scan Volatility Plugin” is uploaded to SlideShare. The code and IOC examples are located in GitHub. Please let me know if you have any question and request.

Fast Malware Triage Using Openioc_scan Volatility Plugin

Last year, I proposed “volatile Indicators of Compromise (IOCs)” based on RAM evidence only at SANS DFIR Summit. We can detect malware using them faster than using disk-evidence-based IOCs. Besides, we can define indicators based on not only metadata (e.g., file path) but also malware function (e.g., code injection sign, imported functions and unpacked codes). The IOCs are described according to OpenIOC specification. IOC Editor is used for defining IOCs and Redline is used for scannning IOCs.

Since then, I continued to make volatile IOCs and detect malware through the tools, but I’ve got some frustrating problems about them. First, We can’t automate IOC scanning for daily task because Redline is a GUI tool. Second, Redline is compliant with OpenIOC 1.0 but the spec doesn’t support regular expression, case sensitiveness. In addition, “AND” combination of different items (e.g., ProcessItem and RegistryItem) does not work. Furthermore, Redline cannot scan unallocated objects (e.g., dead process, unloaded kernel drivers). So I decied to make a new tool for volatile IOCs.

64bit Big Sized RAM Image Acquisition Problem

The Problem

One day, I acquired a 16GB raw memory image on Windows7 x64 machine using MoonSols DumpIt for malware investigation. Then I tried to analyze it using Volatility Framework and Redline, but they returned no output like this:

vol_no_result

I guessed the acquired image was corrupted, so I took an image again, but the result was the same. I googled about the problem and found a similar issue. According to the report, I tested several memory acquisition tools such as FTK Imager and Windows Memory Reader, but they didn’t work.

I changed an image format from raw to crashdump. Then Volatility Framework could parse it and display the result. Strangely, Volatility also could analyze the raw image converted from the crashdump. Where does this difference come from?

Some Old Stuffs

IOCs for memory forensics

Never forget to configure “advanced parameters” (check String and the length is 4)

IDAPython script

Immunity Debugger script

  • immbone_nx break on execute script on DEP environment (enable DEP and uncheck the option ignoring Memory access violation in the debugger settings)
  • immbone break on execute script on non-DEP environment (disable DEP and uncheck the option ignoring single-step break in the debugger settings)
  • blackmanta slightly-changed version for Immunity Debugger v1.8

EnCase EnScript

Others

  • amf_7x86 PoC driver for anti memory forensics on Windows7
  • amf_XPx86 PoC driver for anti memory forensics on WindowsXP