
this talk is entitled Windows 10 differ and InfoSec challenges and we'd like to thank thank our sponsors the inner circle sponsors critical stack and Valley Mail and Stella sponsors Amazon blackberry and silence if you could please put all of your mobile phones on silent and any questions we'll be at the end about ten minutes okay take it away Andrew [Music] so thank you all for coming out to my presentation for those who haven't met before my name is andrew case and i spend most of my professional time on tasks related to Incident Response and malware analysis so I do some open source software development one of the core developers on the Volatility project and then I also do a large
number of real cases that we work dealing with intrusions and insider threats and so on so what I wanted to talk about today was over the last year and then really in the last six months we have seen a surge in the number of Windows 10 investigations that we have to do so systems running Windows 10 and for years we've had a pretty standard workflow going all the way back to XP Windows XP we would make tweaks and changes along the way but for the most part was probably 95% the same there was new artifacts new things we had to look at but most of most of our investigation processes scripts and so on could stay
the same Windows 10 really changed all of that it broke a lot of things that we had relied on for years and so what I wanted to do is basically take what we've gone through in the last year the changes we've made and just kind of give you a cheat sheet these are the things we're doing to really get all the artifacts the talk is titled challenges I info sex including there as well so I'm obviously coming from like the blue team defensive perspective but if you're a red team member if you do pen tests you'll see that if your processes made you stealthy on say a Windows 7 machine you're probably not as stilted as you think you
are in Windows 10 machine you also do get some advantages though because Windows hides some things from the forensics investigators that we would like to have but again I want to walk through kind of the last year year and a half of improvements that we've made to our workflow and with the focus on Windows 10 this is not something particular to where I work in my specific company and the jobs we do there's been a major shift to Windows 10 really across the industry so if you look at the statistics starting in January of this year Windows 10 finally overtook Windows 7 as far as market share and when we talked to our clients and our friends across
the industry really government private sector everywhere one of the big reasons for the push is that on January 14th of this coming year 2020 when seven is end-of-life so there's no more official support Microsoft is not going to support the operating system anymore and depending on where you work what companies you help what regulations they have to follow what laws they have to follow they can't run that software anymore without major exceptions so you're seeing this huge push to Windows 10 even across enterprises which are normally the slowest to adopt to the changes but like I said in almost every investigation with Windows systems now we're seeing more and more Windows 10 so we've had to change what we do the other
thing I wanted to point out is how Microsoft is dealing with Windows 10 so how many people have heard of this term Windows as a service about naadi maybe a quarter of the room at best so this is a big change that's going to affect all of us across the industry so this source this quote I have here and what I have highlighted in red this was from a Microsoft Developers Conference where they were in one of the main senior Microsoft developers was talking about their workflow and the whole idea is for the consumer and user versions of Windows there will never be another major version besides Windows 10 so we went from Windows 7 Windows 8 Windows 10
Windows 10 is the last one so every time they update the operating system it's still going to be called Windows 10 so you'll see as I go through some of the artifacts and the changes I'm very specific about when they happen because they got introduced into a version of Windows 10 at a specific time frame and really as a forensics I or industry saying Windows 10 is not very hopeful you have to say starting at this version affecting these versions and so on and like I said Windows 10 is going to be the last one the way Microsoft breaks it down is they have two releases a year one in the spring one in the fall and
what's interesting about it and what's make makes it painful for IT in particular is that they really see it as a whole new operating system update to Microsoft when they do a spring update a full update to them that's like going from a Windows 7 to a Windows 8 so there are significant changes that they're making in just six months they're gonna make them every six months for now one and it's really up to us to stay up to date with them we don't have this luxury of years and years to learn a new operating system we start on a six-month boundary six months later we have to start over again and so it's one of those things where you
really have to keep up your skills but Microsoft has heard from a lot of their customers especially the large ones large ones about how difficult this is these are two newspaper or online articles that I clipped and the idea is Microsoft is pushing out changes so fast that as a forensics industry we don't necessarily keep up with them but certainly as an IT industry also Microsoft at this point literally wants you to do a full operating system update in your enterprise twice a year and that's the strategy they're pushing forward obviously not all people companies are keeping up with it but it definitely affects us in our cases and so like I said I'm gonna give you a
cheat sheet now we're gonna start looking from the disk forensics perspective the file system artifacts that you would want to make sure you cover and get and then we'll look at memory forensics after so starting with the file system analysis one of my favorite ones is the activities cache DB this was introduced in the spring 2018 update and it stayed there ever since has anyone used this an investigation before or looked at the contents there okay so this is a sequel Lite database that is part of the connected devices platform so it allows you to have multiple devices tablets laptops and so on sharing data inside of the folder structure for that is a sequel Lite
database that really records everything you do on the system so all the applications that ran and instead of just something like user assist where you get the path it also tells you what that person did in the application what files they access what URLs they browsed the timestamps of all of these and it's not just one timestamp what's great about it is it actually gives you a start and ending time and so you have these timestamps of every application the person used over the course of however long they used the machine and we can go back and get that I just taught a class at blackhat and so I kind of did it on purpose I waited till the
last part of day three to cover these Windows 10 new artifacts and the way I demoed it is I had the windows 10 VM that I was showing him stuff for like two and a half days at that point I pulled the activities cache database from there and it was basically like going back to the first day of class it was every tool ever ran all the files in May all the files we accessed we're being stored in the background even though I had no idea about it so if you use Windows 10 for like your work machine or your personal machine and you want a quick reminder of basically everything you've ever done just pull this database
and go look at it this is an example of converting that sequel like data about database out to Jason so in this case I had pulled a YouTube video from lining - tech tips you can see the name of the URL the specific URLs that was visited what showed up in my tab while I was watching it there's timestamps in there as well and you really see this for every application so like I said in the class we were making a bunch of demo files to show filesystem activity I'd open them up in like notepad or WordPad and then you saw all of that going back throughout the whole class another thing to be aware of is the background
activity monitor so this has been in Windows 10 since the fall of 2017 release this is within the registry so in the system hive under the current control set it is an actual Windows service that was created by Microsoft so the name of the service in the in the registry here is BAM this is going to also record all the applications that executed is going to have the time that that program last executed and what's nice about it is it's also going to tell you the user or the sit in particular responsible for that program running so this is a screen shot of that out of the registry you can see here we are under
the services key this is the BAM service key that we saw before and then under user settings these are the SIDS for all the users on this particular machine and if you click on one you just get this full listing of all the programs that ran and like I said you can also get the timestamp as well there's also recent apps so this is another one where we get all the programs that executed on the machine we get the time of the last execution we also get the number of times at that program ran so especially we're doing like those insider threat cases and someone has like ccleaner on their machine and they say I just downloaded
it once and didn't really know what it did didn't use it again but then they ran it 500 times since they downloaded it and continually wiped all the artifacts helps in those cases to prove them wrong it's also nice when you have attackers on the machine so if they're dropping recon tools if it's malware on the system oftentimes if we can figure out how many times it executed we kind of know the scope and how often that was actually running the other great thing about this is it tells you all the files that were accessed as well so if you look at the recent app key for say Adobe PDF and you have the office products you
see every file that that person accessed really since the computer was installed and so it's another way to track everything that they're doing we also have the estarán database this actually started in Windows 8.1 there's a couple artifacts I'll point out that started in Windows 8 Windows 8.1 that did not see great enterprise adoption so if your company is switching from Windows 7 straight to Windows 10 you want to make sure you're getting these as well but it's still present in Windows 10 this is just a DAT file on disk it's always at the same path and what's interesting about it is it's meant for monitoring system resource usage by applications so for every application that does any type
of network connectivity you'll have that logged how much data that particular application sent and received across the network if applications use significant resource like CPU resources that will get logged all of the push notifications that pop up at the bottom get logged as well as energy usage so there is this tool on github called SRAM dump and have the reference at the end of the slides you can pull that database from the machine run it through this Python tool and it's going to produce an actual excel file so this is not like a comma separated file it's one of those XLS X files that you need office 2007 or greater to view but it breaks all of the data out for you so
these are the tabs at the bottom the network usage application usage like we saw on the last slide and then this is an example of network tracking so you get the full path of every application that made a network connection this is the SID it was running at running ads at the time and then the number of bytes sent and received by that particular application and it's very similar anyone five slides of Excel sheets but it's the same thing like for this it'll tie the data back network connections and so on again really telling you everything that happened on the machine and it's always nice when we can tie it back to a particular user there's also the a.m.
cache this started with Windows 8 and is still there through Windows 10 how many people have used this in investigations before some people look very happy that there's a slide so this is one of my favorite artifacts now this is something that every investigation we deal with as long as it's Windows 8 or later OS we're gonna use this kind of like other sources we've talked about this will tell you every program that ran on the machine it'll give you time stamps like the last time it ran in the modified time and the executable things like the shim cache and user assist will do that too but AM cache takes it a few steps further
so for one it's going to give you the product and company name of the application so you'll see where malware will try to say like Microsoft produced the binary or something like that but it's not signed you get the size of the file in the description and then what I have highlighted in red is the best part is you get the sha-1 hash to the file so for every executable that ran you have the unique hash for it this really really helps us especially in those ir situations you will have attackers that will drop executables and to say the temporary folder they'll name it something like l SAS or service host to blend in or they'll name it something
stupid like a dot exe or one dot exe you go do your investigation later you know that there was a binary in the temp folder that was definitely malicious it's gonna be something related to the attack but the attacker is deleted it so you can try to use something like photorec or other file carver's - maybe recover the executable that's gonna be very hit or miss and that's been a big problem before so we're like I said it was a Windows 7 machine without this present you don't know what ran so you're doing your investigation you know there was foreign tools on the machine but you don't know what they did if you get the sha-1 hash things completely
changed you can google that you can check your thread Intel sources you can search it on virustotal and now you know the exact executable that ran even though you don't have it on the file system and you can't cover it does that make sense so of everything from the dist forensic side this is one you should definitely be including this is a separate registry hive there's a reg Ripper plugin for it I believe there's a parser for it and registry Explorer and then some of the commercial forensics tools will automatically parse it as well there's also a volatility plugin so we will parse this data out of the memory dump and then you can get the am cache
listing even if you don't have the high from disk something you should study if you haven't seen it before there's this awesome document it's either on Dropbox or Google Drive because it moved once but as an excel sheet called available artifacts evidence of execution so I have the references at the end of the slide deck this is every place in any version of Windows that tracks program execution then it's broken down by versions Windows XP 7 8 and then for Windows 10 it's for every release so there's a column for like spring 2017 fall 2017 all the way through the latest and like I said it's going to tell you every place that windows stores it programs
that ran whether it's in the registry or whether it's somewhere on the file system so this is definitely something you can go back check your own processes your own personal forensics processes against if you have workflow processes documented at your job this is something you'd want to check it against to make sure that you're not missing things and it also gets updated so every time there's a new version of Windows and something else gets found within a week that documents updated with exactly how to find it in all of the references [Music] so that was the filesystem ones that was mostly in our advantage as investigators places where we can find new pieces of evidence that you didn't have in Windows
7 and that it gives us extra pieces of data we didn't have before such as the precise activity someone was performing an application things like the sha-1 hash and the am cache so that was mostly good news as defenders none of that was really a good news if you're trying to stay stealthy but that changes with memory forensics memory of forensics changed changed a lot with Windows 10 and we've had to change our workflow quite a bit so we're gonna start by talking with acquisition challenges because there's enough of them to warrant their own section and then we'll talk about challenges with analysis so one of the first problems with Windows 10 is that you need so first off you
need a driver that's going to load into kernel mode in order to acquire memory and then Windows 10 made significant changes to what type of drivers it would allow to load so starting with Windows 10 it enforces sign drivers so you need a real certificate to sign your driver with in order to get your code into the kernel the other thing is some companies and even some open source developers would have local code signing certificates so on their machine they would have their code signing certificate they'd sign the executable do their latest release I'm sure we've all read of the stories online where companies will have their code signing certificates stolen they use it as the
malware authors will then use it to sign their malware now the program is going to load it's going to blend in so Microsoft wanted to fix that so you can't just hack into random game company steal their code signing certificate sign your malware that's not going to work with Windows 10 so instead if you want your driver to load and to actually to pass the signing test you have to use the Microsoft hlk portal so what this means is you take the compiled version of your binary you actually ship it off to Microsoft they do tests and then they kick back they cross sign your driver gets cross signed at that point and then it gets allowed to load where I
work we have a driver that we use and it took what I would consider very very smart engineers a long time to get this process working so this is not something like I said you can't just steal the certificate and move on the other thing is by sending your driver to Microsoft they essentially have a binary copy of it so if you have if you're submitting malware maybe they don't catch it right away it's still in their repo forever so this is a significant change to if you want to get kernel mode code loaded legitimately through a driver in Windows 10 another challenge is a virtual secure mode what's also called virtualization based security so the idea behind this is with
Windows ones to really separate what it considers sensitive information from the real operating system I think everyone's heard of me me cats this is a good example of a tool that was originally kind of blocked by this so the idea is if you look at everything before this was implemented all you had was this chart so if you're on a Windows 7 machine you have the host operating system running you have the operating system kernel you have your applications running and so on what that meant is if you could load a kernel driver you could really tamper with whatever you want you could overwrite any data in the kernel you could overwrite data in any
application and then obviously you could read that data as well so things like maybe cats other credentials stealing malware right a great advantage here because assuming they had enough privileges on the machine they had access to whatever they want so Microsoft really upped the game here and they said ok well what we're going to do is you're gonna take what is your what is really the base OS so you boot your laptop you log into Windows and behind the scenes you're not going to notice the difference but that is actually a guest virtual machine of the hypervisor so as you're using Windows 10 you're really in a virtual machine guest and then under you is a very thin hypervisor
providing an extra layer of security and then for the places where the actual credentials are the other sensitive data that's going to live in a different virtual machine guest and then on top of that if you've ever read on like kernel mode code integrity and how Windows now prevents certain route kids from running and they monitor the locations in the kernel where if malware tries to change the middle blue screen all of that gets put somewhere else that you have no control over so this so for something like mimic a see can't go read the credentials directly because they're no longer in the same physical memory space but that also really affects us when we're trying to acquire memory because
if you walk up to a machine and you pull a memory sample when it has this enabled your own getting the memory here so you run whatever your acquisition tool is you get the memory here everything that's happening in the hypervisor and everything that's happening in the other guests you are completely blind to and unless you have like a hypervisor exploit that you're going to integrate into your forensics tool or something kind of ridiculous like that you really have no access to it and you're not going to see it so again we're missing that view even doing memory forensics which in the past gave us the full view of everything and I'm really surprised ours I'm in a black hat talk it I guess
because it would be so valuable if you had one of these exploits if malware was running inside one of those guest virtual machines like I said you would be completely blind to it so even with memory forensics which in the past gave us access to everything we're definitely missing places where interesting data is and what we used to be able to view before is that make sense okay so this is the other view of credential isolation Microsoft usually refers to it as credential guard so again the idea is you have this separate guest virtual machine running that separate virtual machine has the actual credentials and when you do something like login to the system that password you type in gets checked
in the virtual machine the second one the real credentials are never exposed or at least a copy of the credentials are not exposed where you can access it directly so things like live prudential harvard harvesting where mimi cats will inject code into else a CXC it can still try to do that if it wants but the credentials aren't going to be there even if mimi cats gets to inject its kernel driver and it scans the memory of elfs ass from kernel mode it's still not there so that way of directly harvesting cache credentials really doesn't work anymore and that was a huge pain from an ir perspective because all of those cached credentials otherwise were
readily available I saw some blog posts and stuff online people were kind of making in front of them on Twitter to where they said like Oh key logging is dead and you know this credential harvesting is dead on Windows now that is not true don't believe that hype the cache credentials are hidden in a place where you know the tool won't be able to access them but you can certainly still steal live credentials as people log in any user land key logger is still going to work you can still call set windows DX and get your dll loaded into memory and mimikatz also has a cool module called mem SSP so what this is going to
do is register as basically a package to monitor passwords so as you log in and then it can just steal it that way it is very similar to what the was I called the the ghost key Mauer did that Dell produced a long time ago but the difference here like I said is you have to have your malware active when someone actually logs in you can't just steal the ones that are that were cached before but it's still a very useful attack and obviously now we're still doing it now so Microsoft up the game even more with application guard has anyone dealt with this before ok so Microsoft Application guard takes the virtual machine idea that runs behind
you even further so for things like the browser which we know historically is one of the main ways that attackers will get into an environment they'll have a client-side exploit against the browser itself or one of the plugins like the PDF viewer so what Microsoft said is instead of just putting else and these other critical system processes in their own VM why don't we put these often targeted applications in their own VM as well so again you click on the Microsoft edge shortcut on your desktop your browser loads to you you're just browsing the web like normal and visiting websites but what's really happening in the background is that entire application is running in a
different virtual machine that was spun up behind you so obviously what that means is even if you have an attack where the codes running in in the compromised browser it doesn't have access to all the same resources this is really like sandboxing on steroids all done behind you without any of your knowledge but again if you walk up to that machine and you do a memory dump here all you're getting is the memory here you're not getting any of this and you're not getting any of this so you are going to be blind a little bit in that sense to what's running because all the applications are no longer in the same address space does that make sense
so again it's great from a security perspective but it's making memory forensics a little bit harder to deal with and then with virtual secure mode and all of these protections that Microsoft is thrown in this is from a blog post back in July 2017 so Jason Hale who does a lot with sans he basically took all the acquisition tools he could find he built out a Windows 10 system with all the security protections turned on from what's about two years ago now and these were the results he got trying to get memory off of those systems and so as you can see it was not too successful this was also two years ago so some of these tools not
all of them but some of these tools have tried to adjust to the Windows 10 secure boats and update them but especially as your organization moves to Windows 10 you really need to do full testing on your acquisition tool so as you see in the last the slide since this talk if you've seen my other presentations before I usually don't put 27 bullet points on the same slide and just read them this is the exception if you went if you're gonna take a picture of any slide this would be the one to do it or get it offline later because when if you want to really know if your memory acquisition tool is going to work on
Windows 10 you can't just do the old process of build out a VM give it two gigs of RAM oh I got a memory acquisition that worked that is not going to match real hardware that you run in one so instead what you need to do is actually enable all of the security features make sure for the latest version of Windows 10 you have all of them turned one eventually Microsoft is going to turn these on by default so even when you even if you don't do it yourself they will all be turned on so all the security features we just talked about plus several other ones will be enabled on the system that will have a great effect on your memory
acquisition tool you then want to test on bare metal Hardware do not do this in a VM and make sure that a TPM chip is in use because that's going to enable more security features like I said fully update the operating system because there are significant changes every time make sure using the 64-bit version that's gonna have other features as well compared to the 32-bit one and tests on a system with real RAM get at least 16 gigs of RAM or more when you talk about two gigs of RAM four gigs of RAM that's not realistic even if you buy the cheapest laptop now it's going to have eight gigs of RAM as you add more RAM to this system the
way memory is laid out actually changes and so you don't want to test your tool on like four gigs and your tools fine you go to your production server with 64 gigs of RAM and you get a blue screen of death so try to match what's actually in your environment with the tool and then if you test your acquisition tool and you get a file back that seems reasonable so you run it on a machine with 16 gigs of ram you roughly get a 16 gig file back actually test your acquisition tools take volatility and do more than just a process listing don't just do PS list and think you're good run do like a deep analysis as if it was
an actual case and see what type of data you'd get back and I think you might be surprised if you take some of the tools that you are familiar with they do not do very well and they struggle pretty hard on real systems and like I said we're lucky in the sense that basically every investigation we do we have memory samples I know that's not the truth everywhere but we deal with samples from 8 gigs to up to 256 gigs all the time you want to make sure that the tool you're using and the process you're using is it going to fail when you have a real incident and if your company is not already switching to Windows 10 I
assume they will be soon, so the sooner you can do this the better. So another challenge with acquisition is hibernation files. How many people have pulled, like, a Windows 7 hibernation file and done analysis with it? A few people. So this is really popular, especially in those situations where someone just hands you a laptop and says "do forensics" or "do analysis"; you don't have a memory dump at that point. But on Windows 7, Windows Vista, Windows XP, what was on disk in the hibernation file was a full copy of memory as of the last time that machine hibernated. When you hibernate those older versions, they write a full memory dump out to disk.

In Windows 8, and then Windows 8.1 and Windows 10, all of that changed and fell apart. So what happened before, with Windows 7 and previous, like I said, when you closed the laptop lid and your machine hibernated, a full memory dump was written out. When you opened your laptop lid again and the machine resumed from hibernation, Windows would zero out the header, so the first 4096 bytes of data, but then leave all of the memory still intact, and so we could go back and, with Volatility, you could do your full analysis on it. Starting in Windows 8 the file format changed, which normally is fine, we're used to dealing with that, but what happens upon resume also changed quite a bit. So now, instead of just having the header wiped out and all the data left over, the header stays intact in most cases but all the data gets zeroed out. So you have this header that's giving you metadata of nothing useful; you can't do forensics. So in many cases, if you look in a hex editor, or run a script that lets you know how many zeros were in the file compared to non-zeros, usually the entire file is wiped out. So this process that many people work with, which is using hibernation files to do memory analysis, is no longer going to work.

The other thing that's really difficult, especially if you have a lot of laptops in your environment (go read reference 23, which you'll see at the end of the slides), is that with hardware that's been released in the last two years, or maybe three years going back, and also with the way Windows 10 changed hibernation, you normally don't get full hibernation files. Probably the most difficult part of this is what's called fast startup. This is a mode where Windows 10, before letting the machine hibernate, will log out all of the active users and then hibernate the machine. Obviously that's really going to affect memory forensics, and in most cases, it's very rare that you get a full hibernation file. With newer hardware you either get no hibernation file and the data still kind of sitting in memory, or you get a very limited file which is just what was in kernel memory, but like I said the users are logged out, so you don't have all the processes that were running related to their session anyway. So this is something you want to test: if your company buys a standard set of laptops that everyone gets issued, see what your hibernation settings are, see if you actually get any hibernation files at all, and then just remember, if that machine is resumed the file is probably going to be all zeros.
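One way to do the "count the zeros versus non-zeros" triage mentioned above before loading a hiberfil.sys copy into a memory forensics tool. This is an added example, not part of the talk and not Volatility code. It takes from the talk that Windows 7 zeroes the first 4096 bytes on resume and leaves the data, while Windows 8/8.1/10 keep the header and zero the data; the signature tags it checks ("hibr"/"HIBR"/"wake"/"WAKE") and the 95%/99% thresholds are this example's own assumptions, and the three sample files are constructed, not real hibernation files.

```python
"""
Added example, not from the talk and not Volatility code: triage a copy of
hiberfil.sys by measuring how much of it is zero-filled before spending time
on it, the "count zeros versus non-zeros" check the speaker mentions.

Facts taken from the talk: Windows 7 (and earlier) zeroes the first 4096 bytes
on resume and leaves the data; Windows 8/8.1/10 keep the header and zero the
data. Assumptions of this example: the header signature check uses the
"hibr"/"HIBR"/"wake"/"WAKE" tags, and the 95%/99% thresholds are illustrative
choices, not documented Windows behaviour.
"""
import sys

PAGE = 4096          # page size; the first page is the header per the talk
SIGNATURES = (b"hibr", b"HIBR", b"wake", b"WAKE")   # assumption, see above


def zero_fraction(buf: bytes) -> float:
    """Fraction of bytes that are 0x00 (1.0 for an empty buffer)."""
    return buf.count(0) / len(buf) if buf else 1.0


def zero_page_fraction(pages, page: int = PAGE) -> float:
    """Fraction of page-sized chunks that are entirely zero.

    Streams over an iterator so a RAM-sized hiberfil never has to be loaded
    whole; a trailing partial chunk is counted as non-zero.
    """
    zero_page = bytes(page)
    total = zero = 0
    for chunk in pages:
        total += 1
        if chunk == zero_page:
            zero += 1
    return zero / total if total else 1.0


def classify_hiberfil(pages) -> dict:
    """pages: iterator of PAGE-sized chunks, header first. Returns a verdict plus the numbers behind it."""
    it = iter(pages)
    header = next(it, b"")
    h_zero = zero_fraction(header)
    b_zero = zero_page_fraction(it)
    if b_zero >= 0.95:
        verdict = "body-zeroed"     # Windows 8+/10 resume (or fast startup): header may look fine, data is gone
    elif h_zero >= 0.99:
        verdict = "header-wiped"    # Windows 7-style resume: header gone, memory contents still present
    elif header[:4] in SIGNATURES:
        verdict = "intact"          # pulled from a dead disk before any resume
    else:
        verdict = "unknown"         # not a hiberfil layout this check understands
    return {
        "verdict": verdict,
        "signature": bytes(header[:4]),
        "header_zero_fraction": h_zero,
        "body_zero_page_fraction": b_zero,
    }


def _chunks(buf: bytes, page: int = PAGE):
    for i in range(0, len(buf), page):
        yield buf[i:i + page]


def classify_bytes(buf: bytes) -> dict:
    return classify_hiberfil(_chunks(buf))


def classify_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return classify_hiberfil(iter(lambda: fh.read(PAGE), b""))


# Constructed samples standing in for three hiberfil states (not real files).
_FILLER = (bytes(range(1, 256)) * 17)[:PAGE]             # one page with no zero bytes
WIN7_RESUMED = bytes(PAGE) + _FILLER * 8                 # header zeroed, data present
WIN10_RESUMED = b"HIBR" + _FILLER[4:] + bytes(PAGE * 8)  # header present, data zeroed
INTACT = b"hibr" + _FILLER[4:] + _FILLER * 8             # never resumed

if __name__ == "__main__":
    result = classify_file(sys.argv[1]) if len(sys.argv) > 1 else classify_bytes(WIN10_RESUMED)
    print(result)
```

Run it as `python hiberfil_triage.py hiberfil.sys` against a file pulled from a dead disk image; a "body-zeroed" verdict means the header is telling you about data that is no longer there, and the file is not worth feeding to a hibernation-aware memory tool.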
Anyway, people have done this type of analysis before, but it has to come from a dead disk: you have to get that disk image, get the hibernation file off of it before it was resumed, to do your analysis. You can't have a booted machine, take a disk image or pull select files off, and expect to analyze the hibernation file, because it's going to be zeroed out.

So then the last part we'll talk about is analysis challenges. As we just talked about, there were a lot of changes to the way we acquire memory and try to get memory off the system; with analysis we have run into a lot of issues as well. The first thing that changed is gathering encryption keys. On our Volatility blog, it's still by far the most viewed post, when Michael did a post on finding TrueCrypt keys in memory and breaking open the containers. So this is something, especially on the law enforcement side, that was really relied on for a long time: even if you had encrypted containers, whether it was the full partition, whether it was just individual files or a TrueCrypt container on disk, being able to find those encryption keys and recover them obviously let law enforcement get the plaintext data, and then they could do the real investigation. So this changed a lot.
Starting in July 2016, Microsoft said that in order for hardware to be certified for use with Windows it had to have TPM 2 capabilities, so the TPM chip present. And one of the main purposes of a TPM chip is to move the keys out of software; I actually don't know what the other purposes are, except that it makes memory forensics really hard. So with the TPM chip your keys are stored on the TPM chip. BitLocker was updated to support this mode, so at that point, if you walk up to a machine and you take a full memory capture, you're not getting the key. So even if you have, like, the full volume encrypted with BitLocker, that key is living in the memory of the TPM chip, so your tool is not going to acquire it. Like I said before, this really affects how law enforcement deals with encrypted containers. It's usually not such an issue in enterprises, you have, like, the key that you can generate and open the volume anyway, but in those situations where the suspect doesn't cooperate it's definitely a painful point. And then I have this bullet point at the bottom; it really doesn't have anything to do with memory forensics, it was just a really cool technical write-up where a guy showed, with a custom FPGA he built, and obviously physical access to the device, that he was able to sniff the keys. So you're not going to do that in every investigation, but I figured if you were at this conference you would find the hardware hacking cool anyway. So this was a cool blog post you can go back and read, and it has a lot of pictures as well.

So it's kind of painful that we can't get the encryption keys out, but not all hope is lost. When you have a memory capture from a machine where an encrypted container was present, all of the files that are cached in memory are the plaintext version. So within that file cache that Windows keeps is the plaintext version; the data is decrypted when it's read from the drive originally, so what's sitting in memory is the plaintext files. So with Volatility you can run filescan, that's going to list all the files that are cached in memory, and for any files of interest you can use dumpfiles; in most cases you'll be able to get at least partial contents out, if not the full contents, and that will be the plaintext version. So like I said, even with the memory dump you'll have a lot of luck.

The other thing you can do is try to find the password in memory even though the key isn't there. So has anyone done this before, like running strings to build a dictionary? This is something else that's really popular with law enforcement. So the idea is, you can imagine, within the memory capture of a machine is everything the person's ever typed: the passwords they used to log in to websites, to the operating system itself, if their password manager was open and they saw passwords on the screen or it was decrypted in the background, all of that data is sitting in memory. So when you get a memory capture of a person's machine, like I said, everything that was on their screen, everything they ever typed, everything an application ever loaded, is sitting in memory. So if you want to break open an encrypted container, in the case where you don't have a key, normally you have to do something like get the English dictionary or try brute force, and that's only going to break really weak passwords. But with the memory dump you can run strings on it, that's going to get all the ASCII strings, all the Unicode strings, and then you can use that as your password cracking database, and you're basically using everything that's on the person's machine and everything they typed against them, in hopes of breaking open that container. Does that process make sense? People have a lot of success with this. We've had law enforcement people tell us before, like, "yeah, Volatility's cool, whatever, we don't care about processes, malware"; all they want memory forensics for is breaking open encrypted containers, and it's as simple as strings and John the Ripper or Cain and Abel and you're well on your way to breaking those containers open in most cases.

So challenge two with analysis was memory compression. So the idea is, modern processors are so fast now that it's quicker and more efficient, when you have memory pressure and you want to write a page out to the page file, instead of actually writing it out to the page file, to simply compress it in memory. So you take your 4K page that would normally be written out to the page file, you compress it down to a much smaller size, and then you store that compressed page within the store. This was originally implemented in Linux and Mac, they've had it for years now, and now it's fully integrated into Windows 10. So instead, when you first have memory pressure, or when a page needs to be paged out, the first place that goes is to the in-memory store, and then it's only if you have real memory pressure that it gets written out to the page file on disk. And then even when it gets written out to the page file on disk, it's still compressed. So all these pages that we could normally go back and recover out of the page file are compressed there, or they're compressed still in memory. So if your memory forensics process involves running tools like strings or bulk_extractor or page_brute over a page file that you acquire from disk, or over the entire memory sample itself, with Windows 10 you're going to get limited results, because a lot of those pages are going to be compressed, and in the case of the page file, that's probably where every page is going to be compressed. So it's like you're running these tools over a zip file, which, as you can imagine, is not going to get very useful results.

So there's a few ways to deal with this. One is there's a tool on GitHub, and I have the link to it at the end, called winmem decompress. This looks at whatever the entire input is, a memory sample or a page file, and it brute-force tries to decompress all of the pages. So all of those pages, whether they're active or not, that were compressed in memory, it's going to try to decompress them and then write them out to a file. The tool is slow; the author admits in the documentation that it's really slow, so it's not like I'm saying something bad about the tool, but it works really well. So this is something where, where I work, if we get a Windows 10 memory sample in to investigate, one of the first things we do is kick off our processing script, and part of that is decompressing all of these pages.
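An added example, not from the talk and not Volatility code, that serves two of the points above: the "strings plus John the Ripper" idea of turning a memory sample into a password-cracking wordlist, and the memory-compression point that the same pass over a compressed page gives you nothing until it is decompressed. The memory page it works on is constructed for the example; zlib is only a stand-in for the compression the Windows store actually uses, chosen to show the effect, and the token-splitting delimiters are an arbitrary choice.

```python
"""
Added example, not from the talk and not Volatility code. It serves two points
made above: (1) building a password-cracking wordlist from the ASCII and
UTF-16LE strings in a memory sample, the "strings + John the Ripper" approach,
and (2) why running that same pass over a compressed page yields nothing,
which is why Windows 10 compressed pages must be decompressed first.

Assumptions: the memory page below is constructed for the example; zlib is a
stand-in for the compression the Windows store really uses, chosen only to
show the effect, and the token-splitting characters are an arbitrary choice.
"""
import re
import zlib


def extract_strings(data, min_len: int = 4):
    """Printable ASCII runs and UTF-16LE runs of at least min_len characters,
    in file order. data may be bytes or an mmap of a memory sample."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


_SPLIT = re.compile(r"""[\s"'=:;,<>]+""")   # assumption: delimiters around on-screen text


def build_wordlist(data, min_len: int = 4, max_len: int = 64):
    """Each extracted string plus the tokens inside it, de-duplicated, order preserved.
    The whole string is kept too, so passphrases with spaces survive."""
    seen, words = set(), []
    for s in extract_strings(data, min_len):
        for cand in [s] + _SPLIT.split(s):
            if min_len <= len(cand) <= max_len and cand not in seen:
                seen.add(cand)
                words.append(cand)
    return words


def compare_compressed(page: bytes) -> dict:
    """Wordlists from the raw page, from its compressed form, and after decompression."""
    blob = zlib.compress(page)   # stand-in for a page sitting in the compression store
    return {
        "raw": build_wordlist(page),
        "compressed": build_wordlist(blob),
        "decompressed": build_wordlist(zlib.decompress(blob)),
    }


# Constructed page: a browser form field, a UTF-16LE string from a password
# manager window, and some binary noise. Not a real memory capture.
SAMPLE_PAGE = (
    b"\x00" * 16
    + b'<input name="pw" value="Tr0ub4dor&3">'
    + b"\x00\x01\x02" * 5
    + "KeePass: correct horse battery staple".encode("utf-16-le")
    + b"\x00" * 8
    + b"MZ\x90\x00"
)

if __name__ == "__main__":
    import sys, mmap
    if len(sys.argv) > 1:   # strings from a real sample, one per line, ready for john --wordlist
        with open(sys.argv[1], "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            for w in build_wordlist(mm):
                print(w)
    else:
        for k, v in compare_compressed(SAMPLE_PAGE).items():
            print(k, v)
```

The UTF-16LE pass matters on Windows because most of what was on screen is stored as wide strings, which plain `strings` misses unless told to look for them; and the "compressed" result is the point of the second challenge: the password is present in the page, but invisible until the page is decompressed.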
Like I said, it's not just the ones that are actively compressed. You'll have pages that were compressed in memory and active at one point; those pages get freed, that compressed data is still there, and we want to go back and recover it. And then, like I said, if we have the page file from that system's disk, we're going to point the script there as well to decompress all that data. Does that make sense? So again, like I said, page_brute is really popular in the field, bulk_extractor as well, but you need to decompress this information first so that you actually get usable results.

As far as structured analysis, so taking Volatility and it being able to decompress the active pages: a couple weeks ago at the SANS summit this team from FireEye released Volatility and Rekall updates in order to support the compressed stores. They're talking about the same thing at Black Hat, I think today. So this was really nice work they did. We were working on this kind of in parallel; we didn't know they were working on it at first, so we were working on our own implementation, doing the reversing to figure out how the store is laid out. So this is really awesome, because now we have something to compare it to, and we were already running the comparisons to see kind of what their plugins recover versus ours. We'll probably marry the two to get the best results out, and you should see something "soon", in quotes, in Volatility that will properly support it. Because again, the idea is, if we're doing our analysis and a plugin is trying to get some data out with Volatility and we hit these compressed pages, right now we can't access them because they're in the store. But once these patches are in properly, as a user of Volatility you won't know the difference, but you'll be getting a lot more data back than you currently do.

Another new addition to Windows 10 forensics is swapfile.sys. So this started with Windows 8, it's still there in Windows 10, and the idea is, when you have what Windows calls its modern applications, so the ones you can get out of the store, or the revamped ones like Calculator and so on, the way those page out is completely different than applications before. Let's say you were using your browser and a page was going to get swapped out: individual 4K pages of that application could be swapped out to pagefile.sys. Starting with Windows 8, like I said, with swapfile.sys, if Windows decides that it wants to swap out a modern application, it swaps out the entire address space of that application at once, and it stores it in swapfile.sys. So what that means is, if you have a collection script that runs, say you get your memory sample, then you pull the page files out, if you leave swapfile.sys behind, you're leaving a significant amount of memory data out that otherwise you would want to analyze. Currently there's no structured analysis of this, so there's no plans really in the works; we've never reversed the data structures yet as far as integration with Volatility. But if you're doing Windows 10 analysis you want to make sure that you're acquiring this file. If you work where you get, like, a full disk image
anyway, you want to make sure you're analyzing it, and take your tools, strings, bulk_extractor, page_brute, and any custom stuff you wrote, whatever you would do with pagefile.sys in the past, make sure you're doing that with the swap file as well. Does that make sense?

And then with Volatility itself, you might have noticed, starting with Windows 8 analysis and then through Windows 10, if you just run Volatility by itself and you don't give the --kdbg option, you can run into very, very slow analysis. Even doing something like running the pslist plugin can take twenty minutes where normally it would take like ten seconds. The reason for this is, starting with Windows 8, Windows will encrypt the KDBG structure. This was not to make memory forensics difficult, this was an anti-exploitation thing they did, but it had a huge effect on Volatility, because we use the KDBG for basically every plugin that runs. So if you don't tell Volatility where it is, then every time you run a plugin Volatility has to go scan for it. In the past this was pretty quick, we just found the data structure and could use it. Now we have to find the instructions in memory that reference the key to decrypt it, then we have to go find where it is; it's a bunch of operations that we do every time you run Volatility if you don't just give us that command-line option. So to do that, when you get a Windows 8 and beyond sample that's from a 64-bit machine, what you want to do is run kdbgscan, you want to give the profile for whatever the memory sample is that you're looking at, and then you want to look for the third line of output, which is KdCopyDataBlock. This tells us exactly where those encryption keys are, exactly where the data is that we need to decrypt. And I'm not exaggerating when I say we have memory samples that we've gotten in the field where pslist literally will take 30 minutes or more. If instead you just run kdbgscan, and then on all of your future invocations of Volatility you pass that address on the command line, you're going to go from 30 minutes plus down to 5 seconds, like you're used to with Windows 7. It takes a long time to scan for those things, and like I said, we have to scan for multiple values, it's not just one. So we've seen huge memory samples where those keys are like gigabytes in, and we're going to have to scan that every single time. Just take that initial step and pull the KDBG value out and then specify it on the command line. Does that make sense?

Another challenge is what we call the underscore profiles. So I talked about before, Microsoft would wait for things like service packs to do major changes to the operating system that would break a bunch of plugins, so from like Windows 7 to Service Pack 1 to Service Pack 2 and so on. With Windows 10, every six months they basically completely change the operating system: all the data structures change, all the places we look changed, so the way Volatility did profiles broke as well. So now, if you go on our wiki on GitHub, we have all of these profiles listed, but it's not enough, if you have a Windows 10 sample, just to say profile equals Win10x64. You need to figure out what version of Windows 10 it actually came from, which release, and then if you go on our GitHub wiki it'll tell you the proper profile to use, and it'll be like Win10x64 underscore the version number. If you do that you'll get all the results as you would expect. But it's something that we had to change; Volatility used the same model since like 2008, when it was first released, up until about a year ago, a year and a half ago, when Windows 10 started doing these major quick releases, so we had to change the profile system. So we get a lot of support requests and, like, GitHub tickets where people say "I have a Windows 10 memory sample", they use the base Windows 10 profile, or like the latest version, and the plugins don't work. You can fix all of that by using the underscore profile, so make sure that's something you are familiar with as you do your analysis.

So in conclusion, basically just to summarize all the things I've had to change, and our company has had to change, in how we do different types of analysis over the last year, year and a half: if you're a company, or the clients you support, that aren't on Windows 10, they're going to be there very soon, because organizations are going to have to update to it. So as I showed, if you don't get things like the ActivitiesCache, and there's other things on the file system, you're just throwing away a bunch of data you could use. And then if you try to apply your existing memory analysis workflows to Windows 10, that's not going to work either: you're going to miss a bunch of data, or you're going to use a tool that's not updated and supported on the newer OS versions and then you'll get blue screens of death instead of an actual memory sample, which isn't useful. So as your company is updating, or if you're already on Windows 10, go back, make sure you're analyzing all those artifacts from disk, and then with your memory acquisition tools do real testing. Don't wait till you have a big incident and then you have to try to find a tool that works; test it now, before it's too late. So that's my presentation. I'll take questions and comments after, but just for when the slides go online, or feel free to email me: all those numbers you saw in the slides, these are all the references, so anywhere you saw a number that said like "read this" or "more information here", this is what those numbers map to. So I have an email here, feel free to email me with anything, or the slides will be online after. So, any questions? I believe they post them online; if not, just email me and I can send like a PDF of them.

Yes, is there one? The database is... I don't know if I've looked for the ActivitiesCache on the Server one. I have the path, I don't know, I just never looked for it on that one. So like we have a tool we use that automatically collects the files we care about after memory is taken, so if the file is there it's just going to take it unconditionally anyway. So, any other questions?

Oh, I guess you're supposed to come up to the microphone. Andrew, so about that ActivitiesCache, how long can you get information from there, is it like...?

Yeah, so the documentation of Windows says it's like the last 30 days of activity, but it's a SQLite database, so there's tools where you can go back and recover deleted, like, historical entries that were deleted out of there. So it's 30 days in the active tables, but you can just go, like, recover older ones as well and reconstruct it.

So, what are your thoughts, for Windows 10, on the usefulness still of, like, the MFT and the prefetch, in addition to, like, the app compatibility cache?

I mean, we said all that; we still use the MFT in every case, as far as, like, reconstructing the file system and timestamps. Prefetch is turned off on a lot of systems now, so like on servers it's usually not there, and then on solid state drives Windows will disable it if it detects it. So like I said, we have a collection tool that pulls in the files that we care about; it's configured to look for prefetch files
but there's a bunch of other backup places that tell you programs that ran. The cool thing about prefetch, though, starting with Windows 8, is instead of just giving you the timestamp of the last time it ran, for every program it gives you the last eight timestamps, so then it becomes even more useful when it's actually enabled.

So, what's your thought for, like, Windows Server 2019? Have you guys done any kind of extensive... and how applicable some of this will still carry forward? 2016 is kind of the analog to 10.

Yeah, we have 2019 servers built out in our test environment. I don't know of any new artifacts, but I know, like, our acquisition tool works on it as far as getting memory. So, any other questions? If not, thank you all for coming out, and I'll be around for a few