‘Dementia’ Erases Memory Prints

Monday, January 7, 2013 @ 04:01 PM gHale


Forensics increasingly encompasses the analysis of potentially valuable clues and intelligence in the physical memory of an infected machine. It is a valuable tool to find out what really happened in a breach.

But like most things in security when you are dealing with the bad guys, there is always a new approach they are taking to hide their tracks from incident response handlers.


There is now a new tool called Dementia that cheats forensics tools that inspect attacker’s footprints in a Windows computer’s memory.

Essentially, Dementia renders a phony image of the infected machine’s memory as a way to hide evidence of an attacker’s movements. The tool removes “specific artifacts from the memory or the image being created. While the image itself is correct — it can be analyzed — specific artifacts are not present, which can hide traces of attacker’s activities,” said security researcher Luka Milkovic, who developed the tool. Milkovic, who is an information security consultant with Croatia-based Infigo, just showed the tool at the CCC conference in Hamburg, Germany.

Dementia demonstrates how an attacker who gained control of a system can mess up the forensics investigation process by fooling memory-acquisition tools. It can hide artifacts such as processes and threads from several popular tools: Moonsols Win32dd (in kernel-mode only); Mandiant Memoryze; Mantech MDD; FTK Imager; and Winpmem.

Memory analysis has become a vital process for finding out what happened and how to remediate machines after an attack. Security experts said it is more efficient to drill down on a few gigabytes of RAM, where the attacker is executing code, than to wade through hundreds of gigabytes of hard drive space.

So what can incident handlers do when faced with anti-forensics methods by attackers? Employ another method of acquiring memory from the live, infected machine, such as Firewire, or use an integrated crash-dump technique, Milkovic said. While the crash dump causes a reboot, it is tougher for the attacker to modify the artifacts.

At the end of the day, researchers will need more than just one way to find the results of an attack. Live forensics are not always correct because they rely on an infected machine over which the investigator does not have total control.
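One practical form of the "more than one way" advice above is to cross-check the process table recovered from two independently acquired images, for example a live acquisition and a crash dump. The following is an added example, not code from the article or from the Dementia project; the two pslist-style listings are constructed sample data, and the column layout is an assumption.

```python
# Added example: cross-view check of process listings acquired by two different
# methods (e.g. a live-acquisition image and a crash dump). Artifact removal of
# the kind the article describes shows up as entries present in one view but
# not the other, or as children whose parent is missing from the live view.
# Both listings below are constructed sample data, not real tool output.

LIVE_VIEW = """\
PID  PPID NAME
4    0    System
368  4    smss.exe
512  368  csrss.exe
604  512  winlogon.exe
1240 604  explorer.exe
1300 988  cmd.exe
"""

CRASH_DUMP_VIEW = """\
PID  PPID NAME
4    0    System
368  4    smss.exe
512  368  csrss.exe
604  512  winlogon.exe
988  604  svchost.exe
1240 604  explorer.exe
1300 988  cmd.exe
"""

def parse_pslist(text):
    """Parse a whitespace-separated PID/PPID/NAME table into {pid: (ppid, name)}."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 3:
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs

def cross_view(primary, secondary):
    """Compare two views of the same machine's process table.

    Returns PIDs seen only in each view, plus 'orphans': processes in the
    primary view whose parent PID is absent from that view. An orphan is a
    hint, not proof, since a parent may simply have exited.
    """
    only_primary = sorted(set(primary) - set(secondary))
    only_secondary = sorted(set(secondary) - set(primary))
    orphans = sorted(pid for pid, (ppid, _) in primary.items()
                     if ppid != 0 and ppid not in primary)
    return {"only_primary": only_primary,
            "only_secondary": only_secondary,
            "orphans": orphans}
```

In the sample data, svchost.exe (PID 988) is absent from the live view while its child cmd.exe survives, which is exactly the kind of inconsistency a second acquisition path exposes.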

Milkovic plans to release the free Dementia tool in January.


