Windows physical memory acquisition and analysis
DC 2011 Training Session // January 16 - 17
In this live incident response and forensics course, students will learn about the different full memory dump file formats (Microsoft hibernation file, Microsoft crash dump, and raw dump) and the software-based acquisition methods for each, using the MoonSols Windows Memory Toolkit (win32dd, win64dd, hibr2dmp, hibr2bin, dmp2bin, bin2dmp, ...). Students will learn the difference between hardware and software acquisition methods. Building on this, they will learn how to perform advanced analysis of these dumps, such as the hibernation file, using the free Microsoft debugger WinDbg. The analysis part of the training covers the basics of processor memory management, Windows memory and process management internals, and the WinDbg SDK and scripting. At the end of the course, students will be able to analyze a Windows 7 x64 hibernation file with WinDbg. Students will also be able to perform "cloud memory analysis" of VMware Workstation and Microsoft Hyper-V R2 virtual machines.
DAY 1: Acquisition
How to obtain memory dumps and how it works.
- Description of the main memory dump file formats
  - Raw dump
  - Full memory crash dump
  - Hibernation file
- How to acquire physical memory in the cloud (without stopping any VM)
  - VMware Workstation case: MoonSols bin2dmp
  - Microsoft Hyper-V R2 case: MoonSols LiveCloudKd
- Usage and internals of the Win32dd and Win64dd utilities
- Introduction to the MoonSols Windows Memory Toolkit (provided by the trainer), illustrating the previous points by converting a Microsoft hibernation file into a Microsoft crash dump loadable in WinDbg
DAY 2: Analysis
- Processor memory translation (translation of virtual addresses into physical addresses on both the x86 and x64 architectures)
- Windows Memory Manager internals
- Windows Process Manager internals
- Identification of active, hidden and exited processes
- Dynamic Libraries (Dlls)
- Files, Handles, Objects
- Registry in memory
- Brief introduction to WinDbg SDK and scripting
- Cloud Offensic (Offensive + Forensic): modifying virtual machine activity/memory content from the hypervisor via LiveCloudKd
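As an added illustration of the Day 2 address-translation topic (example code written for this page, not course material from MoonSols or the trainer): an x64 4-level page-table walk over a raw physical memory image, the step a raw-dump analysis must perform before any virtual address belonging to a process can be read. The table layout, CR3 value and virtual addresses are constructed for the example; it handles the not-present and 2 MiB large-page cases as well as a plain 4 KiB page.

```python
import struct

# Paging constants for x64 4-level paging. Sample memory below is constructed.
PRESENT = 1 << 0
WRITABLE = 1 << 1
LARGE_PAGE = 1 << 7                 # PS bit: 1 GiB page in a PDPTE, 2 MiB page in a PDE
PFN_MASK = 0x000F_FFFF_FFFF_F000    # bits 12..51: physical base of the next table/page

def read_qword(phys_mem: bytes, paddr: int) -> int:
    """Read one 64-bit little-endian entry from the raw physical memory image."""
    return struct.unpack_from("<Q", phys_mem, paddr)[0]

def translate_x64(phys_mem: bytes, cr3: int, vaddr: int):
    """Walk PML4 -> PDPT -> PD -> PT and return the physical address, or None
    when an entry on the path is not present (page paged out or unmapped)."""
    shifts = (39, 30, 21, 12)       # index fields: [47:39] [38:30] [29:21] [20:12]
    table = cr3 & PFN_MASK          # CR3 holds the physical base of the PML4
    for level, shift in enumerate(shifts):
        entry = read_qword(phys_mem, table + ((vaddr >> shift) & 0x1FF) * 8)
        if not entry & PRESENT:
            return None
        if level in (1, 2) and entry & LARGE_PAGE:
            # Large page: the PDPTE (1 GiB) or PDE (2 MiB) maps the page directly.
            page_size = 1 << shift
            return (entry & PFN_MASK & ~(page_size - 1)) | (vaddr & (page_size - 1))
        table = entry & PFN_MASK
    return table | (vaddr & 0xFFF)  # 4 KiB page: keep the low 12 offset bits

def build_sample_memory() -> bytes:
    """Constructed 24 KiB 'physical memory' holding one page-table hierarchy."""
    mem = bytearray(0x6000)
    def set_entry(table, index, value):
        struct.pack_into("<Q", mem, table + index * 8, value)
    set_entry(0x1000, 0x0FF, 0x2000 | PRESENT | WRITABLE)                # PML4E -> PDPT
    set_entry(0x2000, 0x1FE, 0x3000 | PRESENT | WRITABLE)                # PDPTE -> PD
    set_entry(0x3000, 0x001, 0x4000 | PRESENT | WRITABLE)                # PDE   -> PT
    set_entry(0x3000, 0x002, 0x200000 | PRESENT | WRITABLE | LARGE_PAGE) # PDE: 2 MiB page
    set_entry(0x4000, 0x010, 0x5000 | PRESENT | WRITABLE)                # PTE   -> 4 KiB page
    return bytes(mem)

SAMPLE_CR3 = 0x1000             # constructed: PML4 lives at physical 0x1000
VA_SMALL = 0x7FFF_8021_0234     # -> 0x5234 via the 4 KiB page
VA_LARGE = 0x7FFF_8041_2345     # -> 0x212345 via the 2 MiB page
VA_UNMAPPED = 0x7FFF_8021_1000  # PTE index 0x11 is zero -> not present

if __name__ == "__main__":
    mem = build_sample_memory()
    for va in (VA_SMALL, VA_LARGE, VA_UNMAPPED):
        pa = translate_x64(mem, SAMPLE_CR3, va)
        print(f"VA {va:#018x} -> {'not present' if pa is None else f'PA {pa:#x}'}")
```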
The course alternates lectures that explain the basics, demonstrations that give a visual representation, and hands-on labs to verify and practice the knowledge.
Students will run utilities from the MoonSols Windows Memory Toolkit (provided by the trainer) on their own systems to acquire memory dumps, and will work with memory dumps provided by the trainer (e.g. a Win7 x64 hibernation file). Microsoft WinDbg will also be used.
Students must know the difference between kernel-land and user-land, know what RAM (physical memory) is, and must have used WinDbg at least once.
Who Should Attend:
Win32dd/Win64dd users who want to deepen their knowledge; law enforcement, forensic investigators, incident responders, malware analysts and people interested in Microsoft crash dump analysis (kernel developers, troubleshooters, etc.)
What to bring:
Students must bring their own laptop with at least Windows XP (or above; x86 or x64 only) installed, Administrator rights, enough RAM, 20GB of empty HD space and Microsoft WinDbg installed.
What you will get:
- A CD with one copy of the MoonSols Windows Memory Toolkit (Professional Edition) per student
- Memory dumps (Windows 7 (x64) Hibernation File)
Matthieu Suiche is a security researcher who focuses on reverse code engineering and volatile memory analysis. His previous research and utilities include work on the Windows hibernation file, Windows physical memory acquisition (Win32dd/Win64dd) and Mac OS X physical memory analysis.
Matthieu has spoken at various security conferences such as PacSec, BlackHat USA, the EUROPOL High Tech Crime Meeting, Shakacon, CanSecWest, BH DC, etc. Prior to founding MoonSols, a computer security and kernel code consulting and software company, in 2010, Matthieu worked for companies such as E.A.D.S. (European Aeronautic Defence and Space Company) and the Netherlands Forensic Institute of the Dutch Ministry of Justice.