
Alissa Torres - Building "Muscle Memory" with Rekall Memory Forensic Framework

BSides Augusta 2015 · 52:56 · 736 views · Published 2015-09

About this talk
Video from BSidesAugusta 2015.

Transcript [en]

All right. All right. All right. How's everybody doing? All right. Don't get pumped up, because this next speaker is one of the highest-energy speakers you will ever hear. Every time I hear Alissa speak, I'm just like, she's up there bouncing off the walls. She gets people pumped up. So, ladies and gentlemen, please join me in welcoming Miss Alissa Torres.

Thank you very much for coming out. I think that you guys are freaking awesome. I think you're freaking awesome. Not just you, but I kind of have a bias for those of you that are in this room. I think it's incredible that you guys are spending your Saturday here learning, and so important, right? We know that in the security field, if we don't continue to learn, we become extinct like the dinosaur that's on my slide. So, I've spent a lot of time recently delving into memory forensics. I'm the co-author of the 526 class at SANS. But it is my passion. I spent a lot of time, in particular, I think the last job I had, people didn't know I was researching it. I was supposed to be doing something else. Don't tell them. Don't tell them.

So, we're here today. I know I had two different topics. I tried to resolve that. But, you know, if you wanted the Plinko persistence, who saw that Plinko persistence on the board? That's what I was asking. I have uploaded that presentation because I've given it before. So, at the end of my slide deck here, I have my Dropbox, a bit.ly link to my Dropbox. But I at least wanted to show you guys, so you're believers, that if you came for that, then you'll get that one, and my cheat sheet for Rekall, this presentation here. So, I'll give you the bit.ly link if you wanted to see the persistence mechanisms, which is a pretty badass presentation. Today is going to be on Rekall, which is a pretty badass tool. So, everyone okay with that?

So is anyone actually doing memory forensics who's in this room? Oh, I see some hands. You don't want to raise them too high. Totally understand, because you're a little scared I'm going to call on you. I've been known to do that. Totally holding people accountable. But you know, it's growing as a technique. It's growing as an analysis technique in a lot of the CERTs. They're writing it into their standard operating procedures. Memory forensics is just part of the deal with how they analyze potentially compromised machines. Nowadays, this is where we start, right? We start by either doing live memory analysis or we're dumping memory, bringing it back to our forensic workstation and analyzing it there. So, Rekall actually allows us to do both of these things. That's why I'm so excited about it and to tell you guys about it, and I'm going to do some demos. Michael's here; he's my good luck charm. Yeah, this stuff's easy stuff. That's easy stuff.

All right. So, we know that memory has an enormous amount of evidence. Tons of artifacts up in there. It's not just for malware analysis. It can be for employee investigations, trying to figure out what your kids were doing on their computer. Totally. You can use this for any type of use case, and we teach that in our class. We have people coming in, they're doing criminal investigations, and they are applying these skills because, are there additional copies of memory on the file system? Yeah. Where can I find memory? Page file, fragments of memory. Yeah. Whatever was in physical memory may end up in a page file; that's very fragmented. Hibernation file. I heard someone say freaking crash dome, right? Crash dump. So tons. My law enforcement friends are like, we don't collect memory, right? Ah, we don't do memory, but sometimes they have to hit the hibernation file or the crash dump file to really get a view as to what was going on, to include encryption keys, right? Pulling the master key out, TrueCrypt's master key, and applying it to a TrueCrypt volume, still in use today. So really exciting.

The first bullet on my slide here is running processes. And yeah, that's pretty good. Running processes. You can catch malware in action. But the really cool thing is terminated processes, giving a historical view of what was going on on the machine prior to you arriving there. Sometimes we're called by security analysts, you know, who are in incident response. Maybe you're in tier two, tier three. They call you up in the middle of the night and say, "Hey, this machine was seen beaconing out to a bad domain, bad IP address." By the time you get there, do you think the connection is still going to be active? It will probably be a terminated connection. Right? So, memory analysis will allow us to get in there and see artifacts left behind because there was at some point a network connection that was established. Now it's terminated. We can still gain access to it. So, I've convinced you, totally convinced you, this is worth your time. Before we enter in, I'm going to show you some process listings and ask you to go ahead and determine what evil looks like. Pick something out of a lineup. We'll say I want to stress you have to know normal in order to find evil.

Guys, yeah, and I'm not saying, like, I have Baidu antivirus running on my system. Anyone else? Anyone else? Yeah, people make fun of me. I mean, they made fun of me when I was the only one using Internet Explorer as well, way back in the day. So I got Baidu, and it's just for fun. It's totally fun. But do you think Baidu antivirus looks different from Symantec? Do you think when you're looking at a process listing or loaded modules, do you think it looks different based on the antivirus you're running? Totally. Totally. So you have to know your environment. You can know normal.

You can know what processes are typical for Windows. Like, anyone, look up in the middle there. Is this an XP system or is this Vista, and why? There's a few different reasons. People always come up with more than what I'm looking for. But tell me, this is Process Hacker shown in the middle. So, process list. I've seen Process Hacker, like Process Explorer. What do you guys think? What do you see? You're afraid. I knew you'd be afraid. I totally knew it, dude. The thing I see, let's see. It's just [ __ ]. Do you see this, when wininit is the parent? On Vista, wininit is the parent of services and lsass, whereas if you're looking at an old school... people typically say, "We've never seen an XP system before." That's what they tell me. Really young cats, like, we don't even know what you're talking about when you say XP, but I know they're lying. So in XP those two processes are kicked off by winlogon, right. So just by looking at a process list you should be able to determine, ah, is this XP? Is this Vista? Does this look normal? And that's what we hope for you. See, we have a blue poster that's downloadable. This is a screenshot of the poster. It describes svchost. Is it okay to have more than one svchost, or be looking at a system that's totally owned over here in the middle? Is that okay? You know, it's okay. Yeah, svchost is really a service host. There's tons of services that kick off when a machine boots up.

So, I'm going to also throw in as a reference a PDF written by Jason F. It actually coincides with an at-night presentation he gives, an hour and a half long. It explains in great detail; he kind of dumbs down the Windows Internals book, but it's still pretty good detail. He explains what normal looks like, what each of the typical Windows processes does. Sometimes I'll carry this, I haven't seen... on job interviews, and sometimes I carry this and cram it right before I go in. I mean, I never really get asked what this process does or what that process does, but I totally feel ready. So, I recommend this, the PDF. I'll give you the link. No doubt.

So, but why are we here? I want to talk to you about Rekall. Anyone heard of Rekall before? Rekall is a fork of Volatility. Michael Cohen had the technology preview branch of Volatility. It was badass because it had the WinPmem. It gave Volatility the live acquisition. Well, totally memory dumping, cool. And when he forked off, he actually took that with him, and it's really exploded and added great functionality to his Rekall framework. You might know that Rekall is also part of GRR. Anyone know what GRR stands for? Yeah, Google Rapid Response, which is free, a free incident response enterprise solution, if you can figure it out, right? Has anyone seen it in their environment? Truck. I know. It's getting easier, though, right now with Docker. This is boom, right? Boom. It loads the agents for you. You push out. So, it's worth checking out. It's more, and at least playing around with, because that's what all the smart people are doing. And I hear Google uses it internally. So, Rekall is part of this. If you're doing live analysis via GRR, you're loading a driver in order to gain access to live memory.

So the benefit of doing live memory analysis. What's the benefit of querying memory for a process list as opposed to relying on the operating system to report processes? What might be the problem? Yeah, rootkits. Rootkits are all about hiding things, right? So you can hide network connections. You can hide the presence of registry keys and files in a directory and hide the presence of processes from the operating system. So when we go in and we do live memory analysis, we actually get around the operating system and we get a more accurate view of what's going on in the system. So Rekall's going to do this. There's the six-step process. I feel better now. We got a six-step process that we use. It's pretty much what's taught in the digital forensics track at SANS, but it's worked for me. If the first step doesn't work, I drop into the second step. I drop into the third step. And sometimes I'll actually mix it up and I'll start with step three or step four. Yeah, I got buddies that start looking for code injection first, because oftentimes malware is doing just that. Not running, like, evil.exe in the process list; that's obvious. But code injection is just so prevalent now. Some... as a framework, as we move through our analysis, I promise to take you through all six steps here in the limited amount of time we have together.

All right, so, different: with Rekall you can drop into an interactive session. That's kind of cool, because when you're in a session, things are cached, and that's the next slide. All the way up there, you see Volatility. So tell me what's missing here. You see the top? What's missing in that? Yeah, you say the profile, the image profile. The image is there, pslist, but it's the --profile= ... Isn't that a pain to type that in? Like, I'm really pitching this to you. I'm not really selling you the tool, but I'm pointing out the differences. Rekall accesses an online... it goes out there and grabs the profile from an online profile repository. People get really nervous about this, because they're like, well, that means I need internet access. True. That totally... I'm going to need something to drink. That totally means you do need internet access. Is that a Diet Coke? Doug. Doug. Diet Coke is not hydration. Some people think it is. Thank you. So yeah, that is a concern, that your organization has to have internet access. So we can actually move the repository, and that takes care of that, right. We point our configuration file to use the local repository. Can we set it as a variable? On the command line? Yeah. I have never played around with that. I've never played around with that. It is the, um... Oh my gosh. Take your piss. Do you know Jake hooked me up? I tried to call you. I know. But now, hey, they've been free. Hey, wait a second. So, you know what? I think because you're on the forensic workstation, you're running Rekall, it's the ~/.rekallrc file that you change. I don't think you can put an environment variable on that, right? Thank you very much for the question, but it might be there. It might be there.

So, yeah, that's the cool thing. Once you're in this interactive shell, you can type in plugins. and tab-tab. Another kind of neat thing is it will tell you all of the plugins, you know, the parsing modules that are available for your specific image. You will not be shown a list of things that aren't going to work. So, these are Windows-specific, and all I had to do when I was in the interactive shell is plugins, tab, and boom, I got some cool... and that was awesome. Session caching. Session caching is enabled when I drop into an interactive session. So it starts keeping track of cool structures like the KDBG and all these process blocks. So the next time I run something, it's really fast. This is good, but if you're following along with me doing live analysis, tell me how session caching is not going to work well. [Music] It's going to be cached in memory, which is going to basically... changing that you're working. Exactly. Well, it's caching memory once you run pslist, but what if something else launches while you're doing live analysis? Exactly. So, it's working on the cache. They totally fixed this. They fixed this. So, now the transient cache is doing live analysis. So, it's a moving target. It's a moving target.

So, I know Volatility is probably your favorite analysis tool. I want to take a moment to compare just taking a simple plugin like pslist. So I'm going to show you how Volatility is. We have something called the kernel debugger block, the KDBG, man. All right. So in order for Volatility to actually walk the pslist, actually a bunch of process blocks that are linked together by pointers, in order for Volatility to walk this list, it needs to spot the kernel debugger data block. So this is actually difficult when you're dealing with, say, an encrypted KDBG, right? Which operating system actually started encrypting the KDBG? It should be a question. Did you notice that when we moved from Windows 7 to Windows 8, Volatility just kind of dropped off, and it's in the building? No, this is in trouble. I hear you. For a while, we could not run pslist on Windows 8 memory images because they didn't figure out... they didn't release the decryption of the kernel data block, which has a pointer. You can see the pointer to the active process head, and that's the awesome visual there. And I'm walking the doubly linked list of process blocks. All right. So you can see if I can't get one structure parsed, then I have broken a lot of the plugins of Volatility. We are not prone to that when we're running Rekall. Rekall actually has five different methods in which it comes upon the pslist. You can think, okay, Rekall actually scans for the EPROCESS block. It scans for the System EPROCESS block, and once it finds it, then it will start walking the list. So it doesn't rely on the kernel debugging data block. It'll figure this stuff out in many different ways. You can force its hand so it mimics Volatility. But realize, when I'm running it full bore, it will go through all of the five options. So you'll get more than just what's in the doubly linked list. You're going to come away with something equivalent to a psscan when you run a pslist in Vol. Make sense? I'm relying on you guys to bring the knowledge here. I know there's some assumed knowledge. Oh, it's going to get worse. So, here's psscan in Rekall; it has a little bit of an extra flavor there. You can see I've highlighted over the right-hand side of my slide. There's an E and a P in each of the entries. The E means, hey, we found this in pslist. The P means we actually found it in psscan. So if you see that, this is awesome, because it shows you what might be notable, what might be terminated. You can quickly look for an exit time.

Okay, I'll be explaining some of this output as we go. A lot of people are concerned when they're in the interactive session that they can't output to a file. Behind... there's a problem. Again, I'm providing a cheat sheet if you'll play around with this at home. It's easy to download, and you too can play. Can I do that? No. He looks down and takes notes. I know that you're faking taking notes. I know you are. All right. So, you know, what we're focused on is baseline, right? A lot of the tools that are coming into the incident response space are all about, like, hey, if you baseline, then we can detect deviations from baseline. That's what analysts do. That's what forensic examiners have done since the dawn of time, right? We're looking for artifacts that are left behind, say, by user activity, by malware. We emphasize baselining when we're talking about memory forensics as well. Again, if you know what normal looks like, that strange kernel module that's loaded on the system is going to pop out at you. You're going to know it's rogue. That again is what we hope, and this is going to allow us to detect faster. And know that three and four actually speak to what's happening out in the industry today. A lot of C-level is actually doing, let's move incident response in-house. Let's build some in-house capabilities so we can get better at this, right? But it's not all at once. It's not full capability, and in many regards, I don't know, you might have one person as part of the dedicated team, and surge staff when you have a serious data breach. So what we are saying is, if you get a good baseline, you are actually preparing yourself for the external support that you know is going to come in and look over your shoulder and look at your documentation. So baseline is really important. It will save you money in the back end if you fall into that category of needing external support.

So this is what my system looks like. A good example of how Baidu kind of services everything: everything that starts with BA is Baidu antivirus. If you came in and looked at my process list... what? No, I'm letting you look at my process list. You would not know what these are, right? PHM, being betrayed. All right. So really knowing normal is about your environment or your system, you know, and that requires time looking at many images in your particular environment. So I actually infected a machine with Xpaj. You're wondering why I chose Xpaj, because it's just an ad-clicking piece of malware. I like Xpaj because it infects the master boot record. And I had some techniques I wanted to employ in order to identify, detect infection of the master boot record. Pretty cool stuff. So that's what I'm going to be using here as we walk through the six-step process. There we go. So this is actually... So this is just step by step of my process list. I want to point out, what is SMSS? What can I use SMSS to gauge? It's at the top of the list. Just go with it. Yeah. Could potentially have... could have SQL. This is session manager subsystem service, dude. It's like the first process in my process list. I'm going to go off the creation time here as, like, the last time the system rebooted. So that's, I mean, you'll see this popping up. Sometimes you'll see processes from a previous boot creep their way into your psscan, and you need to find the active SMSS to figure out when the system last rebooted. All right. The next one, the next key process. What is explorer.exe indicative of? Nice. Someone actually logged on. So, what I'm suggesting to you is a bit of time analysis, because I have this chronological order. I've actually taken the pslist of Rekall, I sent it, you remember, the output equals, and I've brought it into Excel, and so I can sort. So, I just sort by creation time here, and that's what we get. Someone actually logged in, and I can follow the PIDs and parent PIDs and do that type of analysis. So, other things to look for: as of Vista, we actually have a bit of a delineation between system processes and user sessions. So the system processes, they're going to be in session zero, and a user session is going to be subsequently... one user login at session one, a user in session two, you get the idea. So that's important, and I'm going to ask you to take a look at this and tell me what's wrong, now that we've gone over the basics. We got a serious issue here. I output this... where do you... This one's really obvious. So don't think it's too deep. Yes, explorer is running twice, which is okay, right? What makes me think this is not okay, that I have two explorers in my process list? Nice. He's holding up one. I have two explorers in session one. How many should I have? Yeah. Right. So all of the processes associated with the user session, dude, they're in session one. There's only one explorer that should exist. We know that. We know that. So we've identified a rogue explorer. Which one would you go with as rogue? The second one. Yes. The second one. Now what we know about the first explorer: it's actually an orphan process. So we don't expect to actually see, in the pslist, 196, which is what that second column of numbers is, but the 2684 turns out to be, looking at it, you know, an orphan too. So we don't really have deep analysis. We could probably do a psscan, maybe come up with some of this stuff, but in the immediate pslist we don't really have anything to go on as to who spawned what. Pretty interesting stuff. Good job. Well done, sir. That was awesome.

All right. So, can we detect this stuff with other tools? I mean, I kind of grew up on Redline. I didn't really tell you about me, but I used to work at Mandiant. It's like the Mandiant crew up in here, you know. I used to work at Mandiant, so I have some love for the Redline. Anyone use Redline for memory analysis? There's some hands going up. All right. All right. So, I got some love for the Redline, but you know, I have my two explorer processes. So, those are found, but I don't have any session information. So it's really hard for me to detect, to tell whether I have two sessions on the system, because explorer.exe, it's legit. Do you see the path there for explorer? Both of them are running from Windows. Is that right? Explorer. Yeah, it's supposed to run from Windows. This is insanity, right? Both of them look legit. Another tool is not giving me enough detail for me to immediately pick it up like we did with Rekall, like you can do with Volatility. I'm not going to say you pass. So good job. Good job, or more. So this second step is doing a deeper analysis of processes. So I don't really see anything interesting here. I took the PID of what we suspected to be the rogue explorer and I did a dlllist on this in that interactive session with Rekall. So, PID 48, dlllist, dlllist. All the DLLs look pretty legit, just by eyeballing. I'm not going in with any special knowledge, but if you continue to look down the way here, I have some networking DLLs that are being called. If I compare that to the normal explorer, those were there. So I'm not really finding anything, but that's okay. I got some other steps I can look through, and this one is just pure gold. Network connections is step three of doing our malware investigation. Step three, we got netscan that we get out to a text file. Again, I open it up in Excel, and I found... remember that 48? In this case, it's actually right, 2940. This is the screenshots. So, the real one is 2940. And now I can see that 2940 has several connections, right? There's one that's established and there's a couple that are closed. What is this indicative of? What do you think? Beaconing. Yeah. So I have the structure created in kernel memory that's indicative of a network connection. Its actual state changes to closed. I get another one created; it changes to closed, and I have another one created. It is still in the established state at the time the memory was dumped. It had an active TCP connection to this 204 IP address. So I looked this thing up. I looked this thing up. Blue Coat actually said malicious outbound data, botnets. Yeah, this fits with what I would expect from an active infection with Xpaj. So, we're rolling on step three and boom, we found some pretty significant indicators.

You know, we're all about collecting indicators, because what are we going to do next? Come on. I got, like, half of the room full of Mandiant people. Indicators of compromise scanning, right? FireEye. That's what I... He's not laughing. Oh crap. All right. So step four is looking for signs of code injection. We can do this quite easily with malfind. Malfind actually popped and identified one memory section, a memory range, that was suspicious in that 2940. What it wasn't... a process in and of itself was kind of out there. Why would it have injected sections of memory? Why would it have injected code? Have you seen this before? As additional functionality is dropped on the machine. Dude, that additional functionality is not going to create another process. It's going to inject. Additional... well, in this case I'm not saying that it starts with an MZ header, but additional shellcode is being injected in the context of explorer.exe, but that's okay. It's somewhat expected. If you play around with Meterpreter and you're writing in the context of, let's say, explorer.exe, you see when you add post-exploitation modules, you are continuing to inject in that same process you're writing. It's pretty cool to look at. So that's what is expected there. Step five: you have to do this even if you think you have enough. You're going to look for signs of the rootkit. I don't see anything here, but note that if you're used to looking for this in Volatility, we have the same plugins in Rekall. So I got SSDT; I'm going to be looking through my system service descriptor table, the pointers to the Windows functions called upon by my user processes. So this all looks legit, because we actually figured out, hey, that address is in fact pointing to this particular... so that all checks out. Step six, I've got something of interest, right? I got a particular process, in this case 2940. I do go about dumping it. You're going to grab the executable, and I'm going to thoroughly thrash it, right? Malware analysis. Bring 'em for some deeper explanation and investigation here.

So, that was... any questions on the six-step process? You feel like we tore into that machine? Interrogated that thing. All right. So, good job. Good job hanging in there with me. I'm going to introduce the Pmem acquisition suite. So far, we were using Rekall. And if you remember, Pmem is part of Rekall. We got WinPmem, OSXPmem and LinPmem. All three of these can do live analysis, which again makes them totally cool, because I don't have to walk away with a memory image, bring it over to my forensics machine and analyze. I can do immediate analysis right there. Also, what is being thrown into the default output right now is an AFF4. To explain the benefits of AFF4: you're going to balk at this. You can't take an AFF4 and run it, or run Volatility against it. You just can't. But you can extract the physical memory, the raw memory image, and check out the cheat sheet, quite easily from an AFF4. The benefit of an AFF4 is adding stuff. You can add additional streams. So, I can throw in the metadata. I can throw in the page file. I can walk away with this stuff. All I have to take from the machine is the AFF4. I can analyze that on my forensics workstation. So it has some serious benefits, and there's some believers in it. What I'm showing you here is actually, it uses zip compression. So I'm listing the contents of the AFF4 with unzip, and then you can see what it contains. This is my Linux. So quickly, no one asks any question about that.

Here's WinPmem. I'm going to show you this. This is step one in live analysis. All you're doing is manually loading a driver. So, of course, it's going to be an administrative command prompt, because I'm going to need admin privileges. But I loaded the driver, and I love this. Love this. It's showing you the memory ranges that are accessible for reading. What is that first 1000? What is going on there? It turns up... the operating system upon bootup. If you have the BIOS password that you're entering, sometimes it'll get saved off in that first frame, we call it. So right now the operating system can't see it. Once the operating system comes up and the memory manager, we're looking at physical memory through the eyes of the memory manager, that which the operating system can commit to, with the exception of that first bit, those memory ranges that are assigned to physical devices, right? Yeah, that was more than you want to know. So step two, we'll move on. So I got my driver loaded. All I need to do now is point to that layer of abstraction. So understand this is not pointing to physical memory per se, but, like, a file that represents physical memory. So I got \\.\pmem and I'm at the ready to drop into that interactive session. So I can then go about thoroughly trashing it, from pslist, all those steps that we just followed through. The last finale is something we just added to WinPmem, actually Rekall, because we're in Rekall right now, is aff4acquire. So from a Rekall live analysis session you can dump memory. You don't have to back out and use it. They're really proud of that. They're really proud of that. So I'm supposed to demo now. How much time do I have? You have about 20... well, about 15 minutes. You okay? Oh, yeah. I was laughing. I wasn't joking.

All right. So, I will put it out there. Who wants to see more Windows, or who wants to see a little live analysis with my Mac? Live analysis. You chose the hard one. But luckily, I'm ready. I'm ready except for... thought. Figure that out. Oh, it's probably... we typically don't do many demos on our Macs. You know, it makes people jealous if they attend our class when they don't have a Mac. You know what I mean, right? So, I totally don't want to do that. I actually downloaded this... I downloaded the zip file. I extracted it. I'm actually in my downloads directory, but it doesn't matter. I have root-level privileges because I'm about to load a kext file, a kext, which is your kernel module on an OS X platform here. Do it. Do it. It really is. And I've written my notes down just in case I got nervous here. Boom. That's all you have to do. What? Okay. Getting too excited now. The backslash? No, just /dev/pmem. And as long as I have internet access, like I said, I should be in there. I'm going to blame this on Michael if it doesn't work. Or the jealous vibes that I have going on in the room. She comes back and I'm so jealous. Sometimes it don't work the first time, you know. What do you think? Give it more time, Michael. Check.

Check connectivity. It's now not only a Control-C, but now I got to go to the Control-Z. Well, forget you people that wanted me to demo on the Mac. We'll come back to that. Yeah, I recently did a webcast where it was just that way. I was doing a live memory dump. Got pissed at me. All right, Michael, can you see the font? All right, cool. So I got this thing. I'm ready. Let's do the WinPmem. So I'm going to load just like we saw in the slide, and then I'm going to drop back and apply this to employee investigations, and then wow you with the little Mimikatz, right? Who doesn't love Mimikatz? All right. So right now I've loaded the driver. Now all I have to do is call it, \\.\pmem. And this happens to be my VM that is infected with Xpaj. So if I did a pslist, that would be one thing. This is actually when it starts looking for the profile, is when you run pslist. So this is like the make-or-break moment here. And let's see if I actually have access, man. You know how many times I tried? That's what it looks like when you're just totally screaming. So yeah, there you are.

Nice. Maybe this will work better. If everyone saw me today, like, practicing this over and over and over again. That's why... that's every single demo I do. So luckily I have a backup. I have an employee investigation image here that we're going to be playing around in for the show. And so right now it's in my cases directory.

And it's my um I guess if you don't have internet access, it's not going to work no matter what number you're done looking at. So we'll just cross our fingers.

So is there really no way with Rekall to statically set the memory profile you're working with? Um, you can point it to the repository. It says it actually has hundreds of profiles and that's the benefit, but yes, you can specify a profile. It actually has that as one of the options, and sadly, sadly, uh, I don't know, I don't have their profile available, which is another thing I was attempting to do. Obviously I have internet. All

right, I'll try one more time.

Oh, no. I mean, I just loaded a page. Let's try again. I might have dropped off, right?

That's just a little flow. I actually have my machine up and running. So, we can do this.

You're exactly right. Here we go. My DHCP lease must have expired. The things you cannot anticipate, or you can anymore. And then you suffer the consequences. All right. Go to my other one and we can try this again.

Thank goodness. Thank goodness. All right. I know. I needed to burn a couple minutes. Anyways, that was all planned and I wanted you guys to feel like you helped me, cuz I wanted you to walk away with that feeling. So, this is an investigation that, uh, we suspected here. We suspected this guy was using a peer-to-peer file sharing application. Um, and so we were doing a process list first. We did a memory dump, brought it back, did a process listing. And does anyone see it? I know, eMule. And my students are like, dude, that's old school. And I'm like, it's still alive and well. It's still kicking. All right. So the interesting thing about this, if you did some of like

analysis of granny's persistence mechanisms, one of them that you'd find is Microsoft\Windows\CurrentVersion\Run, right? What about that one, as found in the SOFTWARE registry hive? What about that one? Uh, you kind of might give him a pass if it's in the SOFTWARE registry hive. Who does it apply to? So these keys in them run independent upon logon. But if it's in the SOFTWARE registry hive, who does it affect? Everyone. Nice. Everyone. So that turns out to be the case, that upon logon it's actually kicking off. So if we were to do timeline analysis, you'd note that eMule quickly starts right after it's scored. We got 22:21, um, and

what, 11 seconds, 2 seconds later eMule starts. It's wrapping around, you know. So can you really prove that the user is making use of eMule? Maybe somebody else installed this and now he's just a victim. How can we prove he's using it? You guys can probably think of a couple ways, right? Network connectivity. We could do a netscan. I'm going to show you the easy way cuz it's been a hard, hard day here. I'm going to do handles. Handles are cool, right? With handles, I can actually further investigate a process to see what resources it's connecting to, like what files does it have a handle to? And this turns out to be pretty revealing.

I'm going to add a couple filters when I'm running this. handles pid=1808. Uh, and it turns to be object_types, because if I just did handles, there's a ton of them. All of the things this particular process is making reference to. So, object_types= and in quotes, because it's kind of picky about syntax, it's going to be "File". So, just show me the file handles that are associated with eMule. Now, what do you think? Do you think he's actively using this? Definitely, because you see the 006 .part. You know, with a peer-to-peer file sharing application you get lots of different seeds pushing parts of the file, uh, that you've asked to download,

and that's just what's happening here, and it's all pointing to Users\Downloads. Sure enough, that is what I would recommend for at least one of those findings. Network connectivity. What else would you look for? UserAssist, right? UserAssist. That's a plugin that's in Rekall. Uh, just showing evidence of execution, doing timeline analysis, saying you can download or install it. Sweet. Good job. All right. I'm going to go back, do a little bit of hooking and jab here. I'm loaded. Yeah. Tempting bait. Or did it? I think I actually unloaded the driver. You guys are going to have this memorized. You know exactly what happened. I know where she failed. So, I'm going to do a pslist on my live

machine. This is actually working. Shout out to the person who called the internet and the problem. Uh, in this case, I see the StikyNot.exe. Can I go after and get the contents of a sticky note? Which, you know, it's pretty cool. Anyone know that song where the lyrics came from? No one's an Ed Sheeran fan. Okay, so Justin Bieber is also one of my favorites. I really want to go after this. It's like if I walked away with a memory image and I wasn't doing live analysis, I'd be interested in what's in a sticky note because, you know, just like the old days when users would leave sticky notes on monitors

with passwords, they're still doing this with text files, Excel spreadsheets. I'm always trying to grab credentials to make use of them later in my investigation. It pans out, panned out. So, how would I go about doing this? It'd actually be a process. Step six was acquire notable bindings. This is going to make use of memdump. Anyone heard of memdump? Yeah, memdump goes in and grabs all of the memory mapped, uh, say physical memory that's associated with a process. So it dumps it out to a DMP file. It's excellent to run strings against. So I'm going to do just that. And now you're really worried for me. Um, I think it'll be okay. We're just going to do memdump pid=

4188, right? Didn't specify a dump directory, but it's working for me. All right. So, you can see what's happening here. New wording of that. So, it's taking a look at the virtual address space and mapping it back to physical memory. It's getting the job done. It's almost like one, two, go, go, go. Um, what we're going to end up with again is a dump file. I don't have to really wait for this to finish, but it did. Um, so that's good. Uh, the next thing I ran was Mark Russinovich's tool from Sysinternals, strings, which is so much better than the Linux strings, right? Because it does ASCII, Unicode, little-endian, big-endian, boom. I got my strings.txt

and I actually pre-canned this, right? But you think, why didn't you prepare? Well, I kind of did in some regards. I mean, because look, I then opened up that output, that text file, and I found the sticky note output. You're thinking, well, there was guilty knowledge involved. Can you be right? But we can totally look for things like the word password, like I did here, and we might run into something the user saved on their desktop. There's also a way to extract, using dumpfiles, the .snt file, which is the sticky note file. So we could go in and just pull out that one file, as opposed to doing the entire memory address space dump. But yeah, so there's

a couple ways of doing it, all using Rekall. And of course you want to see the Mimikatz, right? You totally want to Mimikatz. Okay, so who wrote Mimikatz on the offensive side? Freaking badass French. A French guy, a badass. Yes. I know, Benjamin, right? Uh, he wrote Mimikatz. And a couple people, he also, so he wrote on the offensive side, but then he wrote a WinDbg extension as a little gift to the blue team, you know, a little gift, graced us with an extension, and that's pretty cool. Francesco Picasso, uh, worked with the Rekall team and has actually ported this to Rekall. He's also responsible for the Volatility plugin mimikatz as well. So let's see what we got

here. I know exactly what's going to have some interesting credentials, or at least some credentials, because, but it doesn't work on every memory dump. Only works on some. Where does it pull the passwords out of? What process? LSASS. Yeah, LSASS process. Right. Right. So, here we go. I got this thing. It's in the case directory.

All right. Dropping in. And I think it's just in there. It's just running. It's that easy. Let's see if there's anything interesting there for our user Mark, and his password is lame. But if you, you know, if you've done pen tests, you want to aggregate these lame passwords so you can put them in your wordlist. You don't suck, right? And all your employees suck. So, um, blue team side of the house, I'm going to aggregate these credentials and use them. If I ever run into a password-protected zip file, TrueCrypt, I need a TrueCrypt password, I have some credentials that could be possible passwords to use. So, that was the grand finale. I'm going to open

up for questions. Don't let one of your questions be "why did your demos fail." I was merely showing my human side and that's important as a presenter. Any questions? Yeah. PDF? Oh, all right. All right. Sorry. Sorry. Sorry. You can take a picture of this. Thank you. I didn't return to my slide deck. I got really carried away here. Um, I will project this. And I think I have a couple screenshots of the memory acquisition as well. So, uh, in the slide deck. So if you hit that bitly link you just saw, where it directs you to the Dropbox, uh, it is like FOR526 resources and you'll have all my presentations, to include the one

I didn't get to do today, the Plinko persistence. I love persistence mechanisms, but Rekall is just so awesome, I wanted to share that with you today. You'll also get the cheat sheet there. Thank you for reminding me, I want to share that. Anyone else? Thank you. Yeah, go ahead. Yes.


Speed up. Computer. So I would assume that would be in there. It is a very resource area. So yeah, it would be, if you're smart enough that I need that, then you could extract it. I mentioned dumpfiles. dumpfiles allows you to isolate or identify the process address location and then extract it. So you can totally do that, totally, Rekall. Now throwing in, now it's throwing in file, whatever, it doesn't, physical memory will actually go in. Anyone else? It's specific for, I gave you a question there, it's kernel version, right? And if you go through my cheat sheet, we actually still have to use PM in order to, um, create the profile. So you still need the profile to

understand and properly parse, of course, as long as the profile is available, and it will require the whole profile, which they haven't. So, I guess not yet. Anyone else? Anyone else? All right. All right. Thank you very much for coming. I still have posters up here. So, if you want this poster, uh, come up and grab one. More details. Thanks. Have a good afternoon.
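The memdump-then-strings step in the talk relies on a strings tool that understands Unicode, which is why the speaker prefers the Sysinternals strings over the Linux one: Windows GUI applications such as the sticky notes app keep their text as UTF-16LE, and an ASCII-only scan walks straight past it. The following added example (not code from the talk, Rekall or Sysinternals) implements that dual ASCII/UTF-16LE extraction and a keyword search over a process dump. The sample bytes are constructed inline to stand in for a memdump output; the sticky-note path, user name and password in them are invented.

```python
"""ASCII + UTF-16LE string extraction over a process memory dump.

Added example for the memdump -> strings -> grep "password" workflow.
Run it against a real memdump .dmp file with: python this.py <file.dmp>
"""
import re
import sys

MIN_LEN = 6  # shortest run worth reporting, like strings -n 6

# Printable ASCII run of at least MIN_LEN characters.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE run: each printable ASCII code point is followed by a 0x00 byte.
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data, encodings=("ascii", "utf-16le")):
    """Return a list of (offset, encoding, text) sorted by offset.

    encodings=("ascii",) reproduces what a plain Linux strings would see,
    which is the caveat the talk makes about sticky-note contents.
    """
    found = []
    if "ascii" in encodings:
        for m in ASCII_RE.finditer(data):
            found.append((m.start(), "ascii", m.group().decode("ascii")))
    if "utf-16le" in encodings:
        for m in UTF16LE_RE.finditer(data):
            found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def grep_strings(data, keyword, encodings=("ascii", "utf-16le")):
    """Case-insensitive search, the 'look for the word password' step."""
    kw = keyword.lower()
    return [s for s in extract_strings(data, encodings) if kw in s[2].lower()]


# Constructed stand-in for a memdump of a sticky-note process (not real data).
# Path, user name and password below are invented for the example.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"C:\\Users\\mark\\AppData\\Roaming\\Microsoft\\Sticky Notes\\StickyNotes.snt\x00"
    + bytes(range(0, 32))                       # non-printable filler
    + "VPN password: Summer2015!".encode("utf-16-le")  # what the note holds
    + b"\xff\xfe\x00\x00"
    + "short".encode("utf-16-le")               # 5 chars: below MIN_LEN, dropped
    + b"\x00\x00"
)


def main(argv):
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_DUMP
    for off, enc, text in grep_strings(data, "password"):
        print(f"0x{off:08x} {enc:8s} {text}")


if __name__ == "__main__":
    main(sys.argv)
```

Against the sample, the ASCII-only pass reports just the .snt path, while the combined pass also surfaces the UTF-16LE note text that contains the password. On a real dump the same idea applies: grep the combined output for "password", then pivot to dumpfiles for the specific .snt file if you want the artifact itself rather than a strings hit.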