Dementia Wipes Out Attacker Footprints In Memory

Published: 22/11/2024   Category: security




New tool exposes weak links in forensic tools that inspect Windows memory for attack intelligence



Forensics increasingly encompasses the analysis of potentially valuable clues and intelligence in the physical memory of an infected machine. But like anything in infosec, it's a constant cat-and-mouse game, with attackers finding new ways to hide their tracks in memory from incident response handlers trying to get to the bottom of a breach.
A researcher has developed a new tool called Dementia that cheats forensics tools that inspect an attacker's footprints in a Windows computer's memory. Dementia essentially renders a phony image of the infected machine's memory as a way to hide evidence of an attacker's movements. The tool removes specific artifacts from the memory or the image being created. While the image itself is correct -- it can be analyzed -- specific artifacts are not present, which can hide traces of attackers' activities, says Luka Milkovic, who developed the tool. Milkovic, an information security consultant with Croatia-based Infigo, recently demonstrated the tool at the CCC conference in Hamburg, Germany.
Dementia demonstrates how an attacker who has wrested control of a system can muck with the forensics investigation process by fooling memory-acquisition tools. It can hide artifacts such as processes and threads from several popular tools: Moonsols Win32dd (in kernel-mode only); Mandiant Memoryze; Mantech MDD; FTK Imager; and Winpmem.
Memory analysis has become a vital process for triaging machines after an attack. Security experts say it's more efficient than slogging through hundreds of gigabytes of hard drive space, for example, and instead drilling down on a few gigs of RAM where the attacker is executing code.
[Researchers simplify the process of physical memory analysis in forensics investigations. See New Free Tool Helps Gather Attackers' Footprints.]
Disk forensics has been prevalent for more than a decade, and there are lots of tools and methodologies for extracting valuable information or forensic evidence from a target computer or device, Milkovic says, such as files, folders, file and folder metadata, system logs, and registry entries.
Incident handlers realized that by acquiring the memory of the examined machine, they might create fewer side effects on the machine, while obtaining a cleaner and more trusted snapshot of the state of the machine, he says. In the last couple of years, a significant rise in the number of tools for acquiring and analyzing memory can be seen, and memory forensics is now considered a vital part of the incident-handling workflow.
But anti-forensics tools and techniques are nothing new. Attackers already can block memory acquisition altogether or break memory analysis itself so that an investigator can't study the memory image. Dementia is basically an evolution of previous breakthroughs in cheating memory forensics, Milkovic says. Dementia can be considered as a beginning of the memory anti-forensic framework aimed at hiding arbitrary artifacts from the memory dump, he says.
It doesn't stop investigators from acquiring memory, nor does it touch artifacts in the live system. Instead, it modifies artifacts in the memory dump that the memory acquisition tool creates. Milkovic points to other anti-forensics techniques, such as Haruyama and Suzuki's work on breaking memory analysis and Sparks/Butler's ShadowWalker.
Compared to these techniques, Dementia is a bit more noisy -- no advanced self-hiding capabilities are implemented, so a forensic expert can easily detect Dementia's presence -- but [it] can hide arbitrary artifacts, has little performance impact, and does not break the analysis, he says. Dementia has two modules, user mode and kernel mode.
So what can incident handlers do when faced with anti-forensics methods by attackers? Employ another method of acquiring memory from the live and infected machine, such as Firewire, or enlist an integrated crash-dump technique, Milkovic suggests. While that causes a reboot, it's tougher for the attacker to modify the artifacts.
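The mitigation above relies on a second, independently acquired image: an artifact that Dementia dropped from one dump should still appear in the other. The following added example (not part of the article or of Milkovic's tool) implements that cross-view check on two constructed process listings in an assumed PID/PPID/NAME table format; the listings and process names are made up for illustration.

```python
# Constructed example listings (not real tool output): the same machine's
# process table as reported from two independent acquisitions.
LIVE_ACQ = """\
PID   PPID  NAME
4     0     System
404   4     smss.exe
512   404   csrss.exe
2100  2044  cmd.exe
"""

CRASH_ACQ = """\
PID   PPID  NAME
4     0     System
404   4     smss.exe
512   404   csrss.exe
2044  512   dropper.exe
2100  2044  cmd.exe
"""


def parse_pslist(text):
    """Parse a PID/PPID/NAME table (header on the first line) into {pid: (ppid, name)}."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return procs


def compare_acquisitions(first, second):
    """Cross-view check: artifacts that one acquisition reports and the other does not."""
    common = set(first) & set(second)
    return {
        "only_in_first": sorted(set(first) - set(second)),
        "only_in_second": sorted(set(second) - set(first)),
        "changed": sorted(p for p in common if first[p] != second[p]),
    }


def orphaned_parents(procs):
    """PIDs whose parent is absent from the listing (PID 0 is the root and ignored).
    A parent that simply exited is a benign cause, so treat hits as leads, not proof."""
    return sorted(pid for pid, (ppid, _) in procs.items()
                  if ppid != 0 and ppid not in procs)


if __name__ == "__main__":
    live, crash = parse_pslist(LIVE_ACQ), parse_pslist(CRASH_ACQ)
    print("discrepancies:", compare_acquisitions(live, crash))
    print("dangling parents in live image:", orphaned_parents(live))
```

Even with a single image, the dangling-parent check gives a lead: a visible child whose parent is missing from the listing is consistent with an artifact having been removed from the dump.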
The bottom line: Live forensics can't always be trusted because it relies on an infected machine that the investigator doesn't have complete control over. I think they can be of extreme forensic value, but I just wanted to demonstrate that they cannot be trusted at all times, he says.
Milkovic plans to release the free Dementia tool this month.
