New tool helps reconstruct attacks that don’t leave traces on hard drives

Researchers at Black Hat will demonstrate memory forensics to track malicious activities

Certain attacks that leave no trace on computer hard drives may be discoverable using a new tool that will be demonstrated at the Black Hat conference in Las Vegas next week.

Researchers who work for Mandiant will present a means of piecing together what malicious activity an attacker's payload might have carried out when that payload runs only in memory and so evades traditional disk forensics.


In particular, the memory forensics tool being presented by Mandiant's Peter Silberman and Steve Davis finds traces in memory of what activity might have been performed via Meterpreter, a software module for the open-source Metasploit penetration testing framework.

Meterpreter can be injected into a legitimate running process on a victim computer and thereby avoid detection by host IDS/IPS software. Meterpreter can then be used as a platform for further attack, the researchers say.

The attack scenario is effective in gaining access to key processes on the victim machine. “It’s such a great method for doing that, and it makes it difficult to see in a system,” Davis says. Through Meterpreter attackers can log keystrokes, end processes, upload and download files and otherwise compromise the machine.

Using an adapted version of Mandiant's commercial Memoryze memory-forensics software, the researchers say they can parse the Virtual Address Descriptor (VAD) structures Windows keeps for a process. The tool looks in those regions for the packet structure of the protocol Meterpreter uses to talk to its server. From the recovered fragments of that communication, analysts can infer what the attacker did; evidence of dumped hashes, for instance, might indicate that passwords were compromised, they say.

“We describe in detail how Meterpreter operates in memory and specifically how memory looks when Meterpreter scripts/commands are executed and the residue these scripts create in the exploited processes' memory space,” the researchers say in the abstract for their talk.

Because the data is volatile, the tool cannot recover 100% of Meterpreter's activity, but it is a proof-of-concept that could possibly be refined, Silberman and Davis say. They hope other researchers will jump in to help develop more tools to aid memory forensics.
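The carving approach described above (find the packet structure of the payload's protocol in process memory, parse the fragments, infer activity) and the caveat that volatile data is never fully recoverable, as an added illustrative example. This is not Mandiant's tool and not code from the article: it assumes the classic Meterpreter TLV wire layout (a big-endian 4-byte length that includes the 8-byte header, a 4-byte type, NUL-terminated strings), with the type constants and method names recalled from the protocol rather than taken from the page. The memory region it scans is constructed inline and includes a packet whose tail was overwritten, which the scanner correctly refuses to reconstruct.

```python
"""Carve TLV-style packet residue out of a raw memory buffer and summarize it.

Added example for a memory-forensics reader; not Mandiant's code. The TLV
constants below are assumptions recalled from the classic Meterpreter format.
"""
import struct

# Meta-type bits and a few TLV types (assumption: from the protocol, not the article).
TLV_META_STRING = 1 << 16
TLV_META_UINT = 1 << 17
TLV_TYPE_METHOD = TLV_META_STRING | 1      # which server-side method a request invokes
TLV_TYPE_REQUEST_ID = TLV_META_STRING | 2  # correlates a response with its request
TLV_TYPE_RESULT = TLV_META_UINT | 4        # numeric status in a response
PACKET_TYPES = {0: "request", 1: "response"}


def build_tlv(ttype, value):
    """Encode one TLV: big-endian length (including this 8-byte header), type, value."""
    if isinstance(value, str):
        payload = value.encode("ascii") + b"\x00"  # strings carry a trailing NUL
    elif isinstance(value, int):
        payload = struct.pack(">I", value)
    else:
        payload = bytes(value)
    return struct.pack(">II", 8 + len(payload), ttype) + payload


def build_packet(ptype, tlvs):
    """Encode a packet: the same 8-byte header shape wrapping a run of TLVs."""
    body = b"".join(build_tlv(t, v) for t, v in tlvs)
    return struct.pack(">II", 8 + len(body), ptype) + body


def parse_tlvs(buf, start, end):
    """Parse consecutive TLVs in buf[start:end]; return None if anything is malformed."""
    tlvs, pos = [], start
    while pos < end:
        if end - pos < 8:
            return None
        length, ttype = struct.unpack_from(">II", buf, pos)
        if length < 8 or pos + length > end:
            return None
        raw = bytes(buf[pos + 8:pos + length])
        if ttype & TLV_META_STRING:
            if not raw.endswith(b"\x00"):
                return None
            value = raw[:-1].decode("ascii", errors="replace")
        elif ttype & TLV_META_UINT:
            if len(raw) != 4:
                return None
            value = struct.unpack(">I", raw)[0]
        else:
            value = raw
        tlvs.append((ttype, value))
        pos += length
    return tlvs


def scan_memory(buf, max_packet=64 * 1024):
    """Slide over every byte offset; keep a candidate only when its header is plausible
    and its whole TLV run parses. A packet whose tail is missing is rejected, not guessed."""
    hits, off, n = [], 0, len(buf)
    while off + 16 <= n:  # packet header plus at least one TLV header
        length, ptype = struct.unpack_from(">II", buf, off)
        if ptype in PACKET_TYPES and 16 <= length <= max_packet and off + length <= n:
            tlvs = parse_tlvs(buf, off + 8, off + length)
            if tlvs:
                hits.append({"offset": off, "kind": PACKET_TYPES[ptype], "tlvs": tlvs})
                off += length  # skip the packet body so its strings are not rescanned
                continue
        off += 1
    return hits


def methods_invoked(hits):
    """Method names found in recovered requests, i.e. what the payload was told to do."""
    return [v for h in hits if h["kind"] == "request"
            for t, v in h["tlvs"] if t == TLV_TYPE_METHOD]


# Constructed sample "memory region": junk, a request, junk, its response, and a
# second request whose tail was overwritten before the image was captured.
SAMPLE_REGION = (
    b"\x00" * 5 + b"MZ\x90\x00" + b"\xff" * 7
    + build_packet(0, [(TLV_TYPE_METHOD, "priv_passwd_get_sam_hashes"),
                       (TLV_TYPE_REQUEST_ID, "0001")])
    + b"\x41" * 9
    + build_packet(1, [(TLV_TYPE_REQUEST_ID, "0001"), (TLV_TYPE_RESULT, 0)])
    + build_packet(0, [(TLV_TYPE_METHOD, "stdapi_sys_process_kill")])[:20]
)

if __name__ == "__main__":
    hits = scan_memory(SAMPLE_REGION)
    for h in hits:
        print(f"offset {h['offset']:4d} {h['kind']:8s} {h['tlvs']}")
    print("methods invoked:", methods_invoked(hits))
```

The scan recovers the hash-dump request and its response but not the truncated kill request, which is the point of the "not 100%" caveat: a header alone is not evidence, and the analyst only reports fragments whose structure parses end to end.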

Traditional attacks write malicious files to the computer's disk, which makes them subject to traditional disk forensics; those methods do not reveal attacks that never touch the disk.

Silberman and Davis say they don't know of any tools similar to the one they plan to demonstrate.


Copyright © 2009 IDG Communications, Inc.