Outspect: Live Memory Forensic And Incident Response For Virtual Machine presented at SyScan 2009

by Nguyen Anh Quynh

Tags: Security Rootkits Exploitation Malware

Summary: Memory analysis has recently become a popular way to perform incident response and forensics. However, the traditional approach to memory forensics has major drawbacks that cannot be solved on current systems. The first is the memory-inconsistency problem: memory cannot be acquired consistently because the system keeps running during acquisition. Another issue is that a resident rootkit can easily tamper with both the acquisition and the analysis steps. Last but not least, loading forensic tools into memory inevitably overwrites evidence held in memory.

This research presents "Outspect", a new tool set for memory forensics and incident response on live virtual machines (VMs). By running Outspect outside the inspected VM, we can solve the above-mentioned problems of traditional memory forensics. While Outspect and its architecture are designed to support all kinds of guest OSes and hypervisors, this presentation focuses on Windows guests running on the Xen hypervisor.

The talk dedicates some time to the advantages and challenges of our approach. The mechanism used to inspect and extract important system objects from raw memory will also be examined. We will go into detail on our architecture and show that it is useful for many things beyond live memory forensics.

The presentation includes live demos of Outspect's effectiveness. We will use Outspect to inspect and detect some popular kernel rootkits and userspace malware in a Windows VM. The demo will also show that it is trivial to detect exploitation using sophisticated attack techniques such as Metasploit with a Meterpreter payload (which no anti-virus product detects at the moment).
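The abstract describes extracting system objects from a guest's raw memory and using that to expose kernel rootkits. The check that makes out-of-guest inspection effective against DKOM-style hiding is a cross-view comparison: walk the kernel's own process list (the view a rootkit can edit) and, separately, carve process objects out of raw memory by their pool tag (a view the rootkit cannot edit without destroying the object), then diff the two. The following is an added example written for this page, not Outspect's code. It runs over a constructed toy memory image, uses a simplified, made-up structure layout (real `_EPROCESS` and `_POOL_HEADER` offsets are build-specific and come from the matching symbol profile), and replaces guest page-table translation with a fixed kernel-base offset; all of those are assumptions, labelled in the comments.

```python
import struct
from dataclasses import dataclass

# Constructed toy layout for this example. NOT real Windows offsets: those
# differ per build and must be taken from the matching PDB / profile.
KERNEL_BASE = 0x80000000      # toy: kernel virtual address = physical + this
POOL_HEADER_SIZE = 8          # 32-bit _POOL_HEADER is 8 bytes, PoolTag at +4
PROC_TAG = b"Proc"            # pool tag of _EPROCESS allocations
OFF_PID = 0x10                # UniqueProcessId (u32)         [toy offset]
OFF_LINKS = 0x14              # ActiveProcessLinks {Flink,Blink} [toy offset]
OFF_NAME = 0x1C               # ImageFileName, 16 bytes        [toy offset]
EPROCESS_SIZE = 0x30          # [toy size]


def v2p(vaddr, mem):
    """Toy virtual->physical translation. A real introspector walks the guest
    page tables from CR3 here; the toy image is flat-mapped at KERNEL_BASE."""
    paddr = vaddr - KERNEL_BASE
    if not 0 <= paddr + EPROCESS_SIZE <= len(mem):
        raise ValueError(f"unmapped guest address {vaddr:#x}")
    return paddr


def read_u32(mem, vaddr):
    return struct.unpack_from("<I", mem, v2p(vaddr, mem))[0]


@dataclass(frozen=True)
class Process:
    vaddr: int
    pid: int
    name: str
    flink: int
    blink: int


def parse_eprocess(mem, vaddr):
    p = v2p(vaddr, mem)
    pid, = struct.unpack_from("<I", mem, p + OFF_PID)
    flink, blink = struct.unpack_from("<II", mem, p + OFF_LINKS)
    raw = mem[p + OFF_NAME:p + OFF_NAME + 16].split(b"\0", 1)[0]
    return Process(vaddr, pid, raw.decode("ascii", "replace"), flink, blink)


def in_kernel_range(addr):
    return KERNEL_BASE <= addr < KERNEL_BASE + 0x10000000


def looks_like_eprocess(proc):
    """Plausibility checks so a stray 'Proc' byte string is not reported."""
    return (proc.pid < 0x10000 and proc.pid % 4 == 0          # Windows PIDs
            and in_kernel_range(proc.flink) and in_kernel_range(proc.blink)
            and proc.name != "" and proc.name.isascii() and proc.name.isprintable())


def walk_active_process_list(mem, head_vaddr, max_entries=4096):
    """The kernel's own view: follow PsActiveProcessHead until it wraps."""
    procs = []
    entry = read_u32(mem, head_vaddr)                    # head.Flink
    while entry != head_vaddr:
        if len(procs) >= max_entries:
            raise RuntimeError("process list does not terminate (corrupted?)")
        proc = parse_eprocess(mem, entry - OFF_LINKS)    # CONTAINING_RECORD
        procs.append(proc)
        entry = proc.flink
    return procs


def carve_processes(mem):
    """The raw view: scan 8-byte aligned pool blocks tagged 'Proc'."""
    found = []
    for p in range(0, len(mem) - POOL_HEADER_SIZE - EPROCESS_SIZE, 8):
        if mem[p + 4:p + 8] != PROC_TAG:
            continue
        proc = parse_eprocess(mem, KERNEL_BASE + p + POOL_HEADER_SIZE)
        if looks_like_eprocess(proc):
            found.append(proc)
    return found


def find_hidden_processes(mem, head_vaddr):
    """Cross-view: objects present in memory but missing from the linked list."""
    listed = {p.vaddr for p in walk_active_process_list(mem, head_vaddr)}
    return [p for p in carve_processes(mem) if p.vaddr not in listed]


def build_sample_image():
    """Constructed guest memory: list head, four processes, one unlinked by DKOM."""
    mem = bytearray(0x4000)
    head_v = KERNEL_BASE + 0x100
    bases = [0x1000, 0x1400, 0x1800, 0x2000]             # pool blocks (physical)
    procs = [(4, b"System"), (1236, b"explorer.exe"),
             (1300, b"svchost.exe"), (4444, b"rootkit.exe")]
    procs_v = [KERNEL_BASE + b + POOL_HEADER_SIZE for b in bases]
    for b, (pid, name) in zip(bases, procs):
        struct.pack_into("<HH4s", mem, b, 0, EPROCESS_SIZE // 8, PROC_TAG)
        struct.pack_into("<I", mem, b + POOL_HEADER_SIZE + OFF_PID, pid)
        struct.pack_into("16s", mem, b + POOL_HEADER_SIZE + OFF_NAME, name)
    # Link head + first three processes into a circular doubly linked list.
    links = [head_v] + [v + OFF_LINKS for v in procs_v[:3]]
    for i, entry in enumerate(links):
        struct.pack_into("<II", mem, v2p(entry, mem),
                         links[(i + 1) % len(links)], links[(i - 1) % len(links)])
    # DKOM: rootkit.exe was unlinked; its entry points only at itself.
    rk = procs_v[3] + OFF_LINKS
    struct.pack_into("<II", mem, v2p(rk, mem), rk, rk)
    # Decoy: tag bytes inside ordinary text; the sanity checks must reject it.
    mem[0x3000:0x3000 + 22] = b"\0\0\0\0Process hollowing\0"
    return mem, head_v


if __name__ == "__main__":
    image, head = build_sample_image()
    for hidden in find_hidden_processes(image, head):
        print(f"hidden process: pid={hidden.pid} name={hidden.name} at {hidden.vaddr:#x}")
```

Running the script reports `rootkit.exe` (pid 4444) as hidden: it is carved from raw memory but absent from the list walk, while the decoy string is dropped by the pointer-range check. Because the comparison runs outside the guest, the rootkit cannot patch the carving step the way it can hook an in-guest enumeration API.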