Live analysis and its footprint

Recently there was a conversation on Harlan's Windows Incident Response blog which mentioned the footprint of Memoryze and other tools. Every tool has positives and negatives depending on the use case.

First, the blog entry mainly mentions the footprint on disk, which is larger than other acquisition tools because Memoryze does both acquisition and analysis in the same package. What you may not have known is that Memoryze runs completely fine from a USB key. You can install Memoryze to your USB key and use it on the target machine. This mitigates the concern of a large disk footprint.

Second, Matthieu Suiche pointed out that some may be concerned with the memory footprint as well. Because Memoryze is a portion of MANDIANT Intelligent Response, it was built with the enterprise in mind. In an enterprise, it is not practical to acquire and bring back 15,000 or 20,000 memory images to analyze offline. With compression, analysis, and filtering capabilities, Memoryze's memory footprint is larger. How do you mitigate this? We make use of the paging file(s). So if we force a page out of memory, Memoryze can still analyze it from the paging file(s).

Why do you do live analysis? First, as I stated above, it simply is not practical to bring back an image of RAM off of every host when the number of hosts grows larger than you can count on a hand or two. Second, by doing live analysis, we can make use of the paging file(s). If we were to acquire memory and then acquire the paging files, the synchronization issues between the two would be more severe. Third, the risk of doing the analysis on the host is similar to the risk associated with acquiring memory on the host. A.) The attacker can block access to physical memory, or B.) as Darren Bilby pointed out in his talk at Ruxcon06, the attacker can intercept the calls to map the view of physical memory. Sidebar: It is necessary to map portions of physical memory into your address space in order to acquire or analyze memory. Both attacks are possible when doing acquisition or analysis. If attack A is carried out, memory acquisition tools including Memoryze will error out. If attack B is used, neither acquisition nor analysis tools will be effective. Joanna Rutkowska demonstrated the equivalent of attack B even when doing hardware acquisition. However, attack B also requires the attacker to know the physical address of their malware in memory.

Thanks to Matthieu for engaging me in this discussion. If you have not read his work on the hibernation file in Windows, it is very interesting.

Jamie Butler

By the way, you may be asking yourself why you cannot run Memoryze or other acquisition tools from a CD. Basically, Microsoft will not load a driver from a CD. It must first be copied to the local host. This is similar to trying to map a network drive with Memoryze and using it. Microsoft will not allow you to load a driver that is located on a network share. Check back in the coming weeks. We just might copy that single driver file to the local host so you can run it from a CD.