Rekalling the times I played with Windows
The more you learn about Information Security, the more you learn about how insecure things are: from the personal devices you are supposed to protect to the devices in our environment. I remember reading my CompTIA Sec+ book back when I was a youngling, and I remember a story in there that described a raid where a hacker took a shotgun and shot his hard drive before the Feds grabbed him and separated him from his computer.
Another reason the Feds separate hackers from their computers is that RAM holds valuable information as long as the computer is on. That information includes all passwords, websites, and other types of what forensics people call 'artifacts'.
After playing around with some Reverse Engineering challenges, I've been wanting to get deeper and deeper. Down the rabbit hole we go.
A few days ago, I wanted to see if I could take an image of my RAM. The test would be conducted on my MacBook Air, so I looked for tools to do this. Rekall, created by Google, has a tool called osxpmem which will take an image of your RAM. I wrote a script to make this a bit easier. Root privileges ARE required. Jonathon Poling goes deeper into how to do this in his terrific article.
#!/bin/sh
set -e
# Create the working directories
mkdir -p /tmp/mem/Memory_Captures
# Takes us to our work env
cp osxpmem_2.0.1.zip /tmp/mem
cd /tmp/mem
unzip osxpmem_2.0.1.zip
# Required to use the utilities (the kernel extension must be root-owned)
sudo chown -R root:wheel osxpmem.app/
# Acquire RAM into an AFF4 container
sudo osxpmem.app/osxpmem -o Memory_Captures/mem.aff4
# Export the physical memory stream from the container to a raw image
sudo osxpmem.app/osxpmem -e /dev/pmem -o Memory_Captures/mem.raw Memory_Captures/mem.aff4
# Unload our kernel extension
sudo osxpmem.app/osxpmem -u
I posted my code on Github for your convenience and for the commits. No shame in my commit game.
I sent this to Rekall and got some problems with profiles. More learning!
So, I put my Mac image down and picked up the other computer next to me: a family member's Windows 7 computer. Just like I'm sure the rest of you do, I reinstalled the OS for my family, because studying Computer Science means I can help remove the malware and spyware you got installed from just doing "normal computer stuff". =] I set a login password and wanted to take an image of a Windows computer to see if I could get the login password from it!
Initially, I was worried that taking an image might be difficult, or that I'd have to dive pretty deep into a tool to figure out the password. I am very grateful for the heroes and heroines that took on this frontier.
"If I have seen further than others, it is by standing upon the shoulders of giants." - Newton.
I accomplished this goal with 2 lines. But first, the image.
1. Get winpmem (at the time of writing it was winpmem-2.1.post4.exe)
2. Open up cmd.exe as Administrator (right-click and choose Run as Administrator)
3. Run: winpmem -o Win7Image.aff4
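Whichever acquisition tool produced the image (the osxpmem script above or the winpmem command), the first thing to do before handing it to an analysis tool is to record its size and hash so you can later prove the image was not altered. The following is an added example, not code from this post or from the Rekall project. It assumes only that pmem-style AFF4 images are ZIP-based containers (their first bytes are the ZIP local-file-header signature) and that anything else is a raw dump; the sample files it creates are constructed stand-ins so it runs offline.

```python
"""Post-acquisition integrity record for a memory image (added example)."""
import hashlib
import json
import os
import socket
import tempfile
import zipfile
from datetime import datetime, timezone

ZIP_MAGIC = b"PK\x03\x04"   # AFF4 volumes produced by *pmem are ZIP containers
CHUNK = 1024 * 1024         # hash in 1 MiB pieces; images are multi-GB


def sha256_file(path):
    """Stream the file through SHA-256 without loading it into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def describe_image(path):
    """Return the facts a chain-of-custody record needs about one image."""
    size = os.path.getsize(path)
    if size == 0:
        # A zero-byte file usually means the driver failed to load or
        # the tool was not run with administrator/root rights.
        raise ValueError(f"{path}: empty image, acquisition probably failed")
    with open(path, "rb") as f:
        head = f.read(len(ZIP_MAGIC))
    container = "aff4-zip" if head == ZIP_MAGIC else "raw"
    return {
        "path": os.path.abspath(path),
        "size": size,
        "sha256": sha256_file(path),
        "container": container,
        "host": socket.gethostname(),
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
    }


def write_manifest(image_path, manifest_path):
    """Write the record next to the image and return it."""
    info = describe_image(image_path)
    with open(manifest_path, "w") as f:
        json.dump(info, f, indent=2)
    return info


def verify_manifest(manifest_path):
    """Re-hash the image and confirm it still matches the recorded manifest."""
    with open(manifest_path) as f:
        info = json.load(f)
    return (os.path.getsize(info["path"]) == info["size"]
            and sha256_file(info["path"]) == info["sha256"])


def make_sample_images(directory):
    """Constructed stand-ins for real images so the example runs offline."""
    aff4 = os.path.join(directory, "sample.aff4")
    with zipfile.ZipFile(aff4, "w") as z:
        # Placeholder member name only; this is not a real AFF4 volume.
        z.writestr("information.turtle", "# constructed placeholder\n")
    raw = os.path.join(directory, "sample.raw")
    with open(raw, "wb") as f:
        f.write(b"abc")  # constructed bytes with a well-known SHA-256
    return aff4, raw


def demo():
    """Record and verify both sample images; returns the checked values."""
    with tempfile.TemporaryDirectory() as d:
        aff4, raw = make_sample_images(d)
        a = write_manifest(aff4, aff4 + ".json")
        r = write_manifest(raw, raw + ".json")
        return (a["container"], r["container"], r["sha256"],
                verify_manifest(aff4 + ".json"), verify_manifest(raw + ".json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `write_manifest("Win7Image.aff4", "Win7Image.aff4.json")` right after winpmem finishes; `verify_manifest` later tells you whether the copy you are about to load into Rekall is still the one you acquired.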
Got RAM?! YEAH BITCH!
Alright, so now let's open it up in Rekall.
Rekall is very well documented on how to set up its environment.
$ virtualenv /tmp/MyEnv
New python executable in /tmp/MyEnv/bin/python
Installing setuptools, pip...done.
$ source /tmp/MyEnv/bin/activate
$ pip install --upgrade setuptools pip wheel
$ pip install rekall-agent rekall
If you don't have virtualenv: sudo pip install virtualenv.
Assuming you got it installed, check it out:
We got it loaded in! Now what are those two lines? Well... loading was one of them. Now use the mimikatz plugin.
If you have any questions, please feel free to contact me, as I wrote this pretty late and ran through it!
Quickest would be Twitter. Send me more things to play with, or correct me if I'm wrong! Until next time, hackers!
Defcon 21 - Offensive Forensics: CSI for the Bad Guy by Benjamin Caudill
DEF CON 24 - int0x80 - Anti Forensics AF by DualCore
Taking Memory Forensics to the Next Level by Jamie Levy
Rekall Memory Forensics Cheatsheet
OSX (Mac) Memory Acquisition and Analysis Using OSXpmem and Volatility by Jonathon Poling