Security

Researchers describe tool that manipulates RAM, misleads cybercrime investigators

At Shmoocon 2014, Jacob Williams and Alissa Torres described a concept tool that would allow cybercriminals to cover their tracks by altering the contents of a computer's memory.
 
Attention Deficit Disorder (ADD) computer memory manipulation tool
While visiting the National Computer Forensics Institute in Birmingham, Alabama, I learned the importance of memory forensics to computer crime investigations. But as Jacob Williams, Chief Scientist at CSR-Group and creator of DropSmack, recently pointed out, it's possible to manipulate the information stored in a computer's memory to cover one's tracks and mislead investigators.

During Shmoocon 2014, Jake along with co-presenter Alissa Torres, a digital-forensics investigator with Sibertor Forensics, described a concept tool that will force forensic scientists to rethink how they analyze memory used in computing equipment.

"At Shmoocon, we introduced a proof-of-concept tool I specifically created to show how easily artifacts can be faked in a particular discipline of computer forensics."

Jake then explained the significance of his discovery:

"Digital forensic scientists can no longer trust their automated tools when they are investigating artifacts by means of memory dumps. Forensic scientists and digital-crime investigators will have to spend more time manually validating results than before."

Full interview

Kassner: Jake, you keep mentioning "memory dump" and "artifact," what are they, and why do they interest forensic investigators?

Williams: A memory dump is a snapshot of everything running on a computer. A forensic analyst will use tools to parse through a memory dump looking for evidence or artifacts of a crime, compromise, employee misconduct, etc. Forensic analysts like memory dumps for the same reason Target's malware authors do: data encrypted on the hard drive is unencrypted for processing in memory. Memory also offers an analyst a much smaller search space. If you think about your average computer today, it might have a 1TB hard drive, but only 4GB of RAM. An analyst would look for artifacts like the following:

  • Evidence of private browsing sessions that are never written to disk
  • Malware that only operates in memory without ever touching the disk
  • Unsaved files
  • Passwords typed into forms and applications
  • Encryption keys for mounted encrypted drives

Kassner: Next, I asked Jake if he would share an example of where memory forensics played a major role in solving a case.

Williams: In a case I worked recently; a company told a computer-savvy employee his services were no longer needed, but they didn't actually terminate him for weeks. During that time, the employee attempted to remove traces of his illicit activity from the computer. He then challenged the termination, claiming there was no evidence for what the company alleged. We found evidence, using memory forensics, showing that the employee altered the computer in an incriminating fashion after his termination. Needless to say, he didn't move forward with his suit.

Kassner: Now that we know the basics, I asked Jake to walk us through his concept tool: Attention Deficit Disorder (ADD). From what I understand, Jake has found a way to obfuscate the contents of a memory dump.

Williams: The tool creates fake artifacts in memory before a memory dump is taken. I named the tool ADD because its use would distract forensics analysts from examining the legitimate artifacts while they chase down forgeries. It seemed appropriate.

Kassner: You mentioned what you discovered will impact forensic scientists searching for evidence in a criminal investigation, could you explain?

Williams: ADD allows an attacker to preposition fake files, network connections, and processes in memory. If the computer is confiscated, and a memory dump obtained by a forensic analyst: the fake artifacts could send the analyst on a wild goose chase searching for files that do not exist. A much scarier proposition is that an attacker might insert fake artifacts that attribute the attack to another cybercrime group or nation state. The mere existence of anti-forensics tools like ADD is an alert that analysts need to validate their findings. Some researchers commented about the possibility of forging artifacts in memory at BlackHat in 2007. But as far as I know, nobody has built a publicly available tool capable of doing so until now.

Kassner: Do you think this technology is already in use, and if so, how would forensic scientists know?

Williams: It's hard to say whether the bad guys are currently using tools like ADD. But if I had to guess, I'd say advanced adversaries (cybercrime groups and nation-states, for example) are already using similar techniques. As for knowing, we won't see the fake artifacts, unless we specifically look for them. That's the real contribution of ADD—to expose the possibility of forging artifacts in a demonstrable way.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

11 comments
tim_bowler
tim_bowler

@4nier, thanks. Makes sense but I can't believe it's worth the effort. I suppose it could be in extraordinary circumstances.

tim_bowler
tim_bowler

I'm confused.  When a  computer is confiscated it is powered off.

Why wouldn't someone just shut off their computer thus destroying memory.


Sanders Kaufman Jr.
Sanders Kaufman Jr.

Instead of getting caught stealing data, they'd just get caught destroying evidence.

Charles Bundy
Charles Bundy

@tim_bowler Memory dumps are pretty useful. You get "naked" machine state information. The hard part is verifying in front of a jury whether or not the passwords, security certificates, TCP stack info et-al are real or just part of the ever changing memory landscape. And that's before you throw in artificial artifacts created by this ADD proof of concept. Defense lawyers will use this to sow doubt whether or not the bad guys actually have an ADD tool.

Michael Kassner
Michael Kassner

@tim_bowler 


You are correct. I asked Jake about this. And, as I understand it, keeping computers powered up, looking at hibernation files, systems restore files, and remotely obtaining a memory dump come into play. Also Memory dumps not only used in criminal investigations. Jake does many of them for company clients, where the employee is told to step away from the computer. 

4nier
4nier

@tim_bowler I watched a program on computer forensics, and they tapped the power cord with a UPS and took the machine "live". I assume that is how the pro's do it.

Charles Bundy
Charles Bundy

@tim_bowler Good question. I'm assuming if they can't do a hot dump, then a forensic investigator will use swap files.

Michael Kassner
Michael Kassner

@HAL 9000 


Good point, Col. Like so many things today (green screen or photoshopping), this is another example of deception.

HAL 9000
HAL 9000 moderator

While the low end Black Hats may not have access to this type of thing you had better believe that the Intelligence Agencies have tools like this to allow them to break in and blame others if they are caught.

With that level of infiltration or at least those performing it require deniability and ideal ya Scape Goat.

It's perfectly possible that all those recent catches that blamed China could have been done with a tool like ADD and the Guilty walk away free and not required to justify their actions.

Of course it's also possible that China was responsible for those Reported Penetrations and deserved what was levelled against them.

Makes you think though.

Col

Editor's Picks