Outspect: Live Memory Forensic And Incident Response For Virtual Machine

No ratings

Presented at SyScan 2009 by

Nguyen Quynh

Recently, memory analyzing has become a popular mechanism to perform incident response and forensic. However, traditional approach of memory forensic has some major drawbacks that cannot be solved in current systems. The first shortcoming is the inconsistency memory problem: memory cannot be consistenly acquired because system is still functioning in the process. Another issue is that existent rootkits can easily tamper with the acquired and analyzed steps. Last but not least, loading forensic tools into the memory will inevitably erase evidences in the memory.This research presents "Outspect", a new tool set to perform memory forensic and incident response for live virtual machine (VM). By running Outspect outside of the inspected VM, we can solve the above-mentioned problems of traditional memory forensic. While Outspect and its architecture is designed to support all kind of guest OSes and hypervisors, in this presentation we focus on Windows guests running on Xen hypervisor.The talk dedicates some time to discuss the advantages and challanges of our approach. The mechanism to inspect and extract important system objects from raw memory will also be examined. We will go into detail on our architecture, and prove that it is useful for many things other than just live memory forensic.The presentation includes some live demos to demonstrate the effectiveness of Outspect. We will use Outspect to inspect and detect some popular kernel rootkits and userspace malware on Windows VM. The demo will also show that it is trivial to detect exploitation using sophisticated attack technique like Metaspoit with Meterpreter payload (which cannot be detected by any anti-virus at the moment).