Monday, April 21, 2014

The semester has come to an end, along with my research on Virtual RAM disks. All in all, I would say the project was a success and certainly a great learning experience.

As I mentioned in my last post, the main goal of this project was to examine and recreate ways in which malicious users may make use of RAM disks in order to cover their tracks or conceal the fact that they were present on a machine at all. Previously I had mounted a RAM disk, dropped some files on it, and then dismounted the disk in order to search for remnants of files in RAM after the disk was gone. As I said, the entire structure of the disk and the files located within are indeed deleted after dismounting the disk. For this portion of the research, however, I took a closer look at how malware interacts with a system when it is being run solely from a RAM disk.

Forensic Artifacts

In order to recreate a scenario in which an executable (whether malicious or not) was run from a RAM disk, I wrote a short Python script that drives a command-line RAM disk mounting tool to accomplish the following:
  • Mount a virtual disk
  • Download a standalone executable to the disk
  • Run the executable
  • Dismount the disk
After running this test scenario, it became obvious that running an executable from RAM still left behind the same forensic artifacts that you would normally see when an executable is run on the system. For example, I was able to prove that the executable was run by examining the Application Compatibility Cache (Shim Cache) using Mandiant's Shim Cache Parser.

As you can see below, an entry for autoruns.exe (the executable I used for the test) is present in the Shim Cache Parser output, including the path of the RAM disk it was run from:


After finding a way to prove that an executable was run from a RAM disk, I chose a piece of malware to run the same script on, to see if it acted similarly to the standalone executable.

After running the malware from the virtual disk and from the local system and comparing the artifacts left behind, it became obvious that it runs in virtually the same way and leaves behind the same artifacts regardless of where the original executable was located. This is mostly due to the fact that the first thing the malware does is delete itself and recreate a new executable in a temporary directory, as seen below in the output of Noriben, a malware analysis tool:


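As an added illustration (not the script from this project), the Python below triages a Shim Cache listing for the two findings above: entries whose drive letter does not belong to any volume found on the imaged system (the way the RAM disk path of the autoruns.exe entry stands out), and entries that executed from a Temp directory (the way the recreated copy of the malware stands out). The CSV column layout is assumed to match what ShimCacheParser writes, and the sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample in the column layout ShimCacheParser is assumed to write:
# Last Modified, Last Update, Path, File Size, Exec Flag
SAMPLE_CSV = """Last Modified,Last Update,Path,File Size,Exec Flag
03/12/14 10:02:11,N/A,C:\\Windows\\System32\\notepad.exe,N/A,True
04/14/14 09:31:57,N/A,R:\\autoruns.exe,N/A,True
04/14/14 09:40:02,N/A,C:\\Users\\lab\\Desktop\\tools\\procmon.exe,N/A,True
04/14/14 09:41:18,N/A,C:\\Users\\lab\\AppData\\Local\\Temp\\sample.exe,N/A,True
"""

DRIVE_RE = re.compile(r"^([A-Za-z]):\\")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def parse_shimcache_csv(csv_text):
    """Parse ShimCacheParser-style CSV text into a list of row dicts."""
    return [dict(row) for row in csv.DictReader(io.StringIO(csv_text))]


def drive_letter(path):
    """Return the upper-case drive letter of a local path, or None for UNC/device paths."""
    match = DRIVE_RE.match(path.strip())
    return match.group(1).upper() if match else None


def entries_from_absent_volumes(entries, present_drives):
    """Entries executed from a drive letter that is not on the imaged system.

    A RAM disk that was dismounted before imaging leaves exactly this kind of
    orphaned path behind in the Shim Cache.
    """
    present = {d.strip().upper().rstrip(":\\") for d in present_drives}
    return [e for e in entries
            if drive_letter(e.get("Path", "")) not in (None, *present)]


def entries_in_temp_dirs(entries):
    """Entries executed from a Temp directory, e.g. a self-recreated dropper."""
    return [e for e in entries if TEMP_RE.search(e.get("Path", ""))]


if __name__ == "__main__":
    rows = parse_shimcache_csv(SAMPLE_CSV)
    # Drive letters seen on the (constructed) forensic image.
    for e in entries_from_absent_volumes(rows, ["C:", "D:"]):
        print("absent volume:", e["Last Modified"], e["Path"])
    for e in entries_in_temp_dirs(rows):
        print("temp dir     :", e["Last Modified"], e["Path"])
```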
Conclusions

After a semester of research, I was able to ultimately determine that virtual RAM disks behave very much like other mountable media such as USB drives. Consequently, virtual RAM disks should not pose much of a challenge to forensic investigators. Executables run from the RAM disk operate nearly identically to those that are run locally, and leave the same artifacts for proving they were executed. Additionally, malicious software that was run from RAM still leaves artifacts at the operating system level. The only real obstacle that RAM disks introduce is the fact that when a disk is dismounted, all files that were on the disk are completely deleted and unrecoverable.

Overall this was a great project to work on and I enjoyed learning about the structure and operations of RAM disk mounting software, as well as recreating ways in which a forensic examiner might handle a case involving a RAM disk.
