Tuesday, August 21, 2007

DFRWS 2007

Let me begin by saying that DFRWS is one of my favorite conferences of the year. I highly recommend the conference to anyone interested in the latest research being done in the forensics community. DFRWS has established itself as the main venue for research being done in volatile memory analysis and is able to draw researchers working in this area from across the world. The organizing committee does an excellent job and the conference keeps getting better every year. In particular, Matthew Geiger and the rest of the CERT team did a wonderful job in hosting the conference this year.

The keynote address was "Digital Forensics, Covert Monitoring, and Active Methods" given by Greg Hoglund. Greg discussed what "bad guys" are currently doing and the importance of digital forensics for dealing with these sophisticated attackers. In particular, he emphasized the importance of volatile memory analysis for detecting these attackers. His presentation also discussed his company's "surveillance" technology, which he said is capable of defeating all conventional anti-virus. During questions, Simson asked how this "surveillance" technology differs from what the "bad guys" are trying to build. He also asked what differentiates them from the "bad guys". Finally, he wanted to know if it was merely related to the fact that they worked for a different "mob"!

I thought the keynote was entertaining and Greg has a unique perspective, but I would have preferred a keynote from someone who is actually involved in the forensic research community or at least a practitioner in the area. It was too bad that Karl Levitt had to cancel!! On the other hand, it is interesting that this is the third talk this summer by people who are arming the malware community, discussing the importance of volatile memory analysis. At SyScan, in the talk "The IPO of the 0 day" Justine Aitel of Immunity mentioned "think memory dump analysis" when performing incident response. At Black Hat, Jamie Butler of Mandiant also discussed the importance of volatile memory analysis and demonstrated his desire to stunt research and collaboration by filing patents on other peoples work (I hope those bonuses are worth it!). Now that the offensive community is beginning to focus their attention on volatile memory analysis, hopefully more investigators will realize the importance of integrating volatile memory analysis into the digital investigation process.

The first talk to discuss volatile memory analysis was "Forensic Memory Analysis: From Stack and Code to Execution History", which was presented by Mohamed Saleh. Personally, I liked the fact that the talk focused more on the analysis being done than on how data structures can be extracted from memory. The paper describes a formal approach to analyzing the stack memory of process threads in order to infer execution history. I also like the approach of combining volatile memory analysis with static analysis. We have been leveraging a similar approach with the FATKit research and found it very powerful. I wish the student who worked on the research had been there to present it. I would have enjoyed discussing some of the issues we faced when analyzing larger and more complex programs.

Another intriguing talk was given by Brendan F. Dolan-Gavitt, called "The VAD Tree: A Process-Eye View of Physical Memory". Brendan is one of the main people that Jamie ripped off in his Black Hat talk, so it was good to finally see him present his own work. His talk discussed how an investigator can use the Virtual Address Descriptor (VAD) trees found in memory to improve volatile memory analysis. He discussed how to parse the tree and a number of different anti-forensic techniques that an investigator needs to be aware of. He also mentioned how the VAD can be used to augment the techniques we presented in "FATKit: Detecting Malicious Library Injection and Upping the 'Anti'" to detect advanced DLL injection attacks. Brendan did some great work on this research and is a really nice guy. Not to mention, he also helped integrate these tools into Volatility. I can't wait to see what he decides to work on next.
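To make the VAD discussion concrete, here is a small added example of the two ideas above: walking a VAD tree out of a raw memory buffer, and cross-checking the executable regions it describes against the loaded-module list to surface code that no module accounts for. This is illustrative code written for this post, not Brendan's research code and not the Volatility VAD plugin. The node layout (start VPN, end VPN, left/right child offsets, flags) is a deliberately simplified, hypothetical layout rather than the real Windows _MMVAD structure, and the memory image and module list are constructed inline. The walker also guards against the kind of tampering an investigator has to expect: child pointers that run off the image, and pointers bent back into the tree to form a cycle.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical VAD node layout used for this example (NOT Windows' _MMVAD):
#   0x00 u32 start_vpn   first virtual page number covered by the region
#   0x04 u32 end_vpn     last VPN (inclusive)
#   0x08 u32 left        image offset of left child, 0 = none
#   0x0C u32 right       image offset of right child, 0 = none
#   0x10 u32 flags       bit 0 = executable, bit 1 = private (no file backing)
#   0x14 u32 reserved
NODE_SIZE = 0x18
PAGE_SHIFT = 12            # 4 KiB pages: address = vpn << 12
FLAG_EXECUTE = 0x1
FLAG_PRIVATE = 0x2


@dataclass
class VadNode:
    offset: int
    start_vpn: int
    end_vpn: int
    left: int
    right: int
    flags: int

    @property
    def start(self) -> int:          # first byte of the region
        return self.start_vpn << PAGE_SHIFT

    @property
    def end(self) -> int:            # last byte of the region (inclusive)
        return ((self.end_vpn + 1) << PAGE_SHIFT) - 1


def parse_node(image: bytes, offset: int) -> VadNode:
    """Decode one node; reject pointers that leave the image or inverted ranges."""
    if offset < 0 or offset + NODE_SIZE > len(image):
        raise ValueError(f"node at 0x{offset:x} lies outside the image")
    s, e, left, right, flags, _ = struct.unpack_from("<6I", image, offset)
    if s > e:
        raise ValueError(f"node at 0x{offset:x} has start_vpn > end_vpn")
    return VadNode(offset, s, e, left, right, flags)


def walk_vad_tree(image: bytes, root: int) -> Tuple[List[VadNode], List[str]]:
    """In-order walk of the tree. Returns (nodes, warnings); a healthy tree
    yields ascending, non-overlapping ranges and no warnings."""
    nodes: List[VadNode] = []
    warnings: List[str] = []
    seen = set()

    def visit(off: int) -> None:
        if off == 0:
            return
        if off in seen:                      # pointer bent back into the tree
            warnings.append(f"cycle: node 0x{off:x} reached twice")
            return
        seen.add(off)
        try:
            node = parse_node(image, off)
        except ValueError as exc:
            warnings.append(str(exc))
            return
        visit(node.left)
        nodes.append(node)
        visit(node.right)

    visit(root)
    for a, b in zip(nodes, nodes[1:]):       # BST order == address order
        if b.start_vpn <= a.end_vpn:
            warnings.append(f"overlap: 0x{a.offset:x} and 0x{b.offset:x}")
    return nodes, warnings


def find_unbacked_executable(nodes: List[VadNode],
                             modules: List[Tuple[str, int, int]]) -> List[VadNode]:
    """Executable VAD regions that no known (name, base, size) module covers.
    Injected code that hides from the loader lists still needs a VAD."""
    flagged = []
    for n in nodes:
        if not n.flags & FLAG_EXECUTE:
            continue
        backed = any(n.start < base + size and base <= n.end
                     for _, base, size in modules)
        if not backed:
            flagged.append(n)
    return flagged


def _node(s: int, e: int, left: int, right: int, flags: int) -> bytes:
    return struct.pack("<6I", s, e, left, right, flags, 0)


def build_sample_image() -> Tuple[bytes, int]:
    """Constructed sample image (not from a real system): exe, heap, an
    ntdll-like module, and an executable private region with no module."""
    ROOT, HEAP, NTDLL, INJ = 0x40, 0x58, 0x70, 0x88
    img = bytearray(0xA0)
    img[ROOT:ROOT + NODE_SIZE] = _node(0x400, 0x4FF, HEAP, NTDLL, FLAG_EXECUTE)
    img[HEAP:HEAP + NODE_SIZE] = _node(0x100, 0x1FF, 0, 0, FLAG_PRIVATE)
    img[NTDLL:NTDLL + NODE_SIZE] = _node(0x7C900, 0x7C9FF, INJ, 0, FLAG_EXECUTE)
    img[INJ:INJ + NODE_SIZE] = _node(0x500, 0x50F, 0, 0, FLAG_EXECUTE | FLAG_PRIVATE)
    return bytes(img), ROOT


def build_tampered_image() -> Tuple[bytes, int]:
    """Same image with the heap node's right pointer aimed back at the root."""
    img, root = build_sample_image()
    tampered = bytearray(img)
    struct.pack_into("<I", tampered, 0x58 + 0x0C, root)
    return bytes(tampered), root


# Constructed module list, as an investigator would recover it from the loader lists.
SAMPLE_MODULES = [("app.exe", 0x400000, 0x100000), ("ntdll.dll", 0x7C900000, 0x100000)]

if __name__ == "__main__":
    image, root = build_sample_image()
    nodes, warnings = walk_vad_tree(image, root)
    for n in nodes:
        print(f"0x{n.start:08x}-0x{n.end:08x} flags=0x{n.flags:x}")
    for n in find_unbacked_executable(nodes, SAMPLE_MODULES):
        print(f"executable region with no module: 0x{n.start:08x}-0x{n.end:08x}")
    _, tampered_warnings = walk_vad_tree(*build_tampered_image())
    print("tampered tree:", tampered_warnings)
```

The ordering check is the cheap sanity test: because the VAD tree is keyed on address, an in-order walk that produces overlapping or descending ranges means either a parsing error or a tree someone has edited. The unbacked-executable check is where the VAD earns its keep against DLL injection, since a region can be unlinked from the loader lists but must still be described by a VAD for the process to use it.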

The final talk relevant to volatile memory analysis was presented by Bradley Schatz, who presented "BodySnatcher: Towards reliable volatile memory acquisition by software". Bradley began by presenting an abstract model for comparing volatile memory acquisition techniques. Then Bradley presented a new method for memory acquisition that attempts to snatch control of the host hardware from the running OS. A host-specific kernel driver is used to load a minimized, acquisition-focused operating system into memory; it then halts the running kernel and switches control to the acquisition operating system. The acquisition operating system then preserves the host memory, initializes an output device, and copies the memory image to the output device. Finally, he compares his software-based acquisition method with using Garner's dd. Surprisingly, the paper concludes that using BodySnatcher is less obtrusive than running Garner's dd. I am astounded by the fact that loading an entirely new OS would be less obtrusive than running a single userland application. There is also another difference which must be mentioned: once BodySnatcher runs, it freezes the state of the system and you will not be able to unfreeze the system. It will be exciting to see if Bradley will be able to overcome the limitations that he mentions in the paper and address the comments made during the presentation. I also want to wish Bradley luck with his new company Evimetry.

During the Work in Progress session, I gave a quick talk on Volatility and discussed some of the things we are currently working on. The first is a collaboration with Doug White of NIST to make some new resources available to the volatile memory analysis community. The second is work that we are doing on malware analysis. Finally, I showed a screenshot of a visualization tool we have built for combining filesystem and volatile memory analysis to visualize temporal relationships during investigations. I will discuss this tool in more detail in an upcoming post.

Golden Richard and Vassil Roussev also gave a very intriguing WIP on the persistence of volatile evidence. During this talk they discussed research they had performed with their students to determine how long artifacts exist in memory once power has been removed from the machine. They presented some interesting results related to different types of machines and how long digital artifacts can be recovered once power is removed. I have heard numerous people speculate about this, so it is nice to see people actually taking the time to investigate it.

If you are interested, the DFRWS 2007 papers have been posted. Hope to see you next year at DFRWS 2008 in Baltimore!!!