Pattern-Oriented-Memory-Forensics-Revised-Edition-Slides.pdf

MohammadAzreeYahaya 9 views 38 slides Aug 03, 2024
Slide 1
Slide 1 of 38
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18
Slide 19
19
Slide 20
20
Slide 21
21
Slide 22
22
Slide 23
23
Slide 24
24
Slide 25
25
Slide 26
26
Slide 27
27
Slide 28
28
Slide 29
29
Slide 30
30
Slide 31
31
Slide 32
32
Slide 33
33
Slide 34
34
Slide 35
35
Slide 36
36
Slide 37
37
Slide 38
38

About This Presentation

.

Size: 554.23 KB
Language: en
Added: Aug 03, 2024
Slides: 38 pages

Slide Content

Memory Forensics
Dmitry Vostokov
Software Diagnostics Services
Revised Version

Forensics
A discipline studying past
structure and behavior.
© 2022 Software Diagnostics Services

Memory Forensics
A discipline studying past
structure and behavior in acquired
computer memory.
© 2022 Software Diagnostics Services

We Have A Problem
Proliferation of computer architectures,
operating systems, and tools
Different memory analysis narratives
Need to measure analysis quality
© 2022 Software Diagnostics Services

Solution
Empirical patterns
A pattern language
Pattern orientation
© 2022 Software Diagnostics Services

Forensic Pattern
A common recurrent identifiable set
of indicators (signs) together with a
set of recommendations to apply in
a specific context.
© 2022 Software Diagnostics Services

Memory Forensics revised
A discipline studying past structure
and behavior of software in
acquired memory using pattern-
oriented analysis methodology.
© 2022 Software Diagnostics Services

Software Forensics
Software execution artefacts
Memory forensics
© 2022 Software Diagnostics Services

Software Forensics
A discipline studying past structure
and behavior of software in
execution artifacts using systemic
and pattern-oriented analysis
methodologies.
© 2022 Software Diagnostics Services

Structure and Behavior
Memory snapshots (dumps)
Traces and logs
Source code
Digital data (media)
© 2022 Software Diagnostics Services

Diagnostics and Forensics
Diagnostics
(present and past)
Forensics
(past)
Prognostics (future)
© 2022 Software Diagnostics Services

Software Diagnostics
A discipline studying signs of
software structure and behavior in
software execution artifacts (such
as memory dumps, software and
network traces and logs) using
systemic and pattern-oriented
analysis methodologies.
© 2022 Software Diagnostics Services

Forensic Analysis Patterns
Software Diagnostics Patterns
Software Forensic
Analysis Patterns
© 2022 Software Diagnostics Services
Memory Forensic
Analysis Patterns

A Pattern Language
The same detection and analysis language
for different computer architectures,
operating systems, and tools
The same memory analysis narratives
Measured analysis quality
Predicting unknown
© 2022 Software Diagnostics Services

Pattern Orientation
1.Pattern-driven
Finding patterns in memory
Using checklists and pattern catalogs
2.Pattern-based
Pattern catalogue evolution
Catalogpackaging and delivery
© 2022 Software Diagnostics Services

Structural Memory
Patterns

Memory Region
Region Boundary
Anchor Region
Linked List
Value References
Regular Data
String Value
Small Value
Data Structure

Main Pattern Catalogues
Memory Analysis
Patterns

Wait Chain
Execution Residue
Spiking Thread
Local Buffer Overflow
Shared Buffer Overwrite
Dynamic Memory
Corruption

© 2022 Software Diagnostics Services
Malware Analysis
Patterns

Raw Pointer
String Hint
Out-of-Module Pointer
Hooksware
Hidden Process
Deviant Module
Namespace

Disassembly, Deconstruction, Reversing Patterns
Memory Acquisition Patterns

Analysis Pattern Classification

Dynamic Memory Corruption Patterns
Stack Overflow Patterns
Stack Trace Patterns
Symbol Patterns
Exception Patterns
Meta-Memory Dump Patterns
Module Patterns
Optimization Patterns
Thread Patterns
Process Patterns

© 2022 Software Diagnostics Services

Structural Memory Patterns
https://www.patterndiagnostics.com/Training/Structural-Memory-Patterns.pdf
© 2022 Software Diagnostics Services

Memory Acquisition Patterns
https://www.dumpanalysis.org/memory-acquisition-patterns
https://www.patterndiagnostics.com/Training/Memory-Acquisition-Patterns.pdf
Structural space patterns

Process Memory Dump
Kernel memory Dump
Physical Memory Dump
Fiber Bundle Dump

© 2022 Software Diagnostics Services
Acquisition strategy patterns

External Dump
Self Dump
Conditional Dump
Dump Sequence

ADDR Patterns
https://www.dumpanalysis.org/addr-patterns

Potential Functionality
Function Skeleton
Function Call
Call Path
Local Variable
Static Variable
Pointer Dereference
Function Prologue
Function Epilogue
Variable Initialization
© 2022 Software Diagnostics Services
Memory Copy
Call Prologue
Call Parameter
Call Epilogue
Call Result
Control Path
Function Parameter
Structure Field
Last Call

Analysis Pattern Implementation
By OS vendor (Windows, Mac OS X, Linux, …)
By tool (WinDbg, Volatility, IDA, GDB, LLDB, …)
By CPU architecture (x86, x64, ARM, …)
By digital media (memory, volume, file, blob, …)
© 2022 Software Diagnostics Services

Pattern-DrivenAnalysis
Memory Checklists Patterns Action
© 2022 Software Diagnostics Services
✓Pattern
Pattern
Pattern
✓Pattern
✓Pattern
1.Tool-specific checklist: https://www.dumpanalysis.org/windows-memory-
analysis-checklist
2.Pattern catalogue checklists: https://dumpanalysis.org/

Pattern-BasedAnalysis
Memory
New Pattern
Discovery
Pattern
Catalog
+
Usage
© 2022 Software Diagnostics Services

Systems Approach
Narratology
Trace
Analysis
Patterns
Memory
Analysis
© 2022 Software Diagnostics Services

Native Memory Forensics
Using native OS debuggers such
as WinDbgfrom Debugging Tools
for Windows or GDB (Linux) or
LLDB (Mac OS X).
© 2022 Software Diagnostics Services

Practical Examples
WinDbg session…
© 2022 Software Diagnostics Services

Analysis Patterns for Example A
Tampered Dump
Exception Stack Trace
Stored Exception
Lateral Damage
Execution Residue (Unmanaged Space, User)
Hidden Exception (User Space)
NULL Pointer (Data)
© 2022 Software Diagnostics Services

Analysis Patterns for Example B
Dynamic Memory Corruption (Process Heap)
Stack Trace Collection (Unmanaged Space)
RIP Stack Trace
Hooksware
Patched Code
Hidden Module
Deviant Module
String Hint
Fake Module
No Component Symbols
Namespace
© 2022 Software Diagnostics Services

Example C
Analysis pattern correspondence
Process Dump
Physical (Complete) Dump
Kernel Dump
© 2022 Software Diagnostics Services

Further Reading (Patterns)
The Timeless Way of Building (by Christopher Alexander)
A Pattern Language: Towns, Buildings, Construction (by
Christopher Alexander, et al.)
Pattern Theory: Introduction and Perspectives on the Tracks
of Christopher Alexander (by Helmut Leitner)
© 2022 Software Diagnostics Services

Further Reading (MDA)
Cloud Memory Dump Analysis
Fundamentals of Physical Memory Analysis
Victimware
Pattern-Oriented Software Forensics
Debugging TV
© 2022 Software Diagnostics Services

Further Reading (SD)
Software Diagnostics Institute
Pattern-Driven Software Diagnostics
Systemic Software Diagnostics
Pattern-Based Software Diagnostics
Philosophy of Software Diagnostics
© 2022 Software Diagnostics Services

Historical Reference
© 2022 Software Diagnostics Services
Memory Dump Analysis Anthology (Diagnomicon): 14 volumes
Volume 15 is planned for 2022/2023

Alphabetical Reference
© 2022 Software Diagnostics Services
Encyclopedia of Crash Dump Analysis Patterns: Detecting Abnormal
Software Structure and Behavior in Computer Memory, Third Edition

Referenced Training Courses
Accelerated Disassembly, Reconstruction and Reversing
Accelerated Windows Malware Analysis with Memory Dumps
Advanced Windows Memory Dump Analysis with Data Structures
© 2022 Software Diagnostics Services

Transcript
© 2022 Software Diagnostics Services
Pattern-Oriented Memory Forensics: A Pattern Language Approach, Revised Edition
(ISBN-13: 978-1912636761)

Q&A
© 2022 Software Diagnostics Services
Please send your feedbackusing the contact
form on PatternDiagnostics.com

Thank you for attendance!
FacebookLinkedInTwitter
© 2022 Software Diagnostics Services
Tags
Categories
General
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 9
  • Slides 38
  • Age 487 days
Related Slideshows
Pray For The Peace Of Jerusalem and You Will Prosper 22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
32 views
Don_t_Waste_Your_Life_God.....powerpoint 26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
35 views
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf 31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
32 views
Fertility awareness methods for women in the society 14
Fertility awareness methods for women in the society
Isaiah47
30 views
Chapter 5 Arithmetic Functions Computer Organisation and Architecture 35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
29 views
syakira bhasa inggris (1) (1).pptx....... 5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
30 views
View More in This Category