FATKit: Detecting Malicious Library Injection and Upping the “Anti”

Author

  • AAron Walters

Abstract

In this white paper, we discuss how the Forensic Analysis ToolKit (FATKit) can facilitate the process of enumerating suspicious artifacts that manifest as a result of remote library injection. We discuss a number of techniques that have proven effective at elucidating artifacts that are by-products of advanced exploitation methods frequently characterized as anti-forensic or stealthy. One significant differentiator from the majority of previous work is that we do not rely on the integrity of the potentially compromised operating system, but instead perform our analysis offline on a trusted capture of volatile memory (RAM) [10, 22, 7].¹ While many of the previously published techniques have focused on detecting attacks in real time, we focus on facilitating the forensic analyst's ability to extract memory-resident evidence from the information system under investigation.

1 FATKit: Forensic Analysis ToolKit

The Forensic Analysis ToolKit (FATKit) is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory [20, 19]. This modularity was designed to support multiple operating systems, but also with the goal of supporting various hardware architectures. For example, we currently have profiles for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Linux. The framework is intended for advanced researchers, law enforcement professionals, and forensic analysts who are interested in extracting and interpreting relevant information in the wake of a crime or incident. Unlike previous work in this area, the FATKit project is working to combine the latest research in volatile memory forensics, memory informatics, static analysis, and multi-relational data mining.

FATKit offers a unique ability to automatically correlate information across multiple data stores (packet captures, volatile memory, filesystem, etc.), which facilitates the enumeration of suspicious artifacts on a system. Recently, the offensive community has begun to focus time and effort on "anti-forensics" and stealthy advanced exploitation techniques. Many of these techniques leverage the complexities associated with physical memory analysis and rely on the fact that volatile memory is often an opaque component of information systems. These techniques have also exploited the closed nature of investigatory tools, which have pigeon-holed digital forensics examiners. Whereas previous work introduced FATKit's unique visualization capabilities [19], in this white paper we demonstrate FATKit's ability to support analysis modules and the ease of building those modules using the supporting tools and APIs. This is the first paper in a series addressing anti-forensic and stealthy exploitation techniques.

¹ Until these mechanisms are uniformly adopted, forensic examiners must often leverage a potentially compromised operating system to create the memory image [30].
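Added example, not code from the paper or from FATKit: one concrete cross-view check of the kind the paper is concerned with, written in Python over constructed data. It takes the three PEB loader lists and the executable regions of a process as they would be recovered from a memory capture (the `Module`, `Region` and `Process` types, the sample process, and every address and path are assumptions made for this example) and reports executable regions that the loader lists do not account for consistently, which is the footprint left by a library loaded by a remote thread and then unlinked. The paper does not state that this is the check FATKit performs; it is a widely used memory-forensics heuristic shown here to make the artifact concrete.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    """A loader entry (_LDR_DATA_TABLE_ENTRY) as recovered from a PEB list."""
    base: int
    size: int
    path: str


@dataclass(frozen=True)
class Region:
    """An executable memory region of the process (e.g. one VAD node).
    mapped_file is None for private/anonymous memory."""
    base: int
    size: int
    mapped_file: Optional[str]


@dataclass
class Process:
    pid: int
    image_path: str          # main executable; Windows never links it into InInit
    in_load: List[Module]    # PEB InLoadOrderModuleList
    in_init: List[Module]    # PEB InInitializationOrderModuleList
    in_mem: List[Module]     # PEB InMemoryOrderModuleList
    exec_regions: List[Region]


def find_injection_artifacts(proc: Process) -> List[Tuple[int, str, str]]:
    """Cross-view check: every executable region should be described by all
    three loader lists, and all three should agree on its path. Returns
    (base, path, reason) for each region that breaks that expectation."""
    views: Dict[str, Dict[int, Module]] = {
        "InLoadOrder": {m.base: m for m in proc.in_load},
        "InInitOrder": {m.base: m for m in proc.in_init},
        "InMemoryOrder": {m.base: m for m in proc.in_mem},
    }
    findings: List[Tuple[int, str, str]] = []
    for r in proc.exec_regions:
        if r.mapped_file is None:
            # Executable memory with no file behind it: reflective loaders and
            # shellcode stubs look like this, so it is always worth a look.
            findings.append((r.base, "<no backing file>",
                             "executable region with no mapped file"))
            continue
        present = {n: v[r.base] for n, v in views.items() if r.base in v}
        missing = [n for n in views if n not in present]
        # Edge case: the main executable is legitimately absent from
        # InInitializationOrder, so do not report that absence for it.
        if r.mapped_file.lower() == proc.image_path.lower():
            missing = [n for n in missing if n != "InInitOrder"]
        if missing:
            findings.append((r.base, r.mapped_file,
                             "absent from " + ", ".join(missing)))
            continue
        paths = {m.path.lower() for m in present.values()}
        if len(paths) != 1 or r.mapped_file.lower() not in paths:
            findings.append((r.base, r.mapped_file,
                             "loader entries disagree with mapped file"))
    return findings


def sample_process() -> Process:
    """Constructed data, modelled on a 32-bit Windows XP process layout;
    every address, name and path here is made up for the example."""
    exe = Module(0x00400000, 0x1B000, r"C:\Program Files\app\app.exe")
    ntdll = Module(0x7C900000, 0xB2000, r"C:\WINDOWS\system32\ntdll.dll")
    k32 = Module(0x7C800000, 0xF6000, r"C:\WINDOWS\system32\kernel32.dll")
    evil = Module(0x10000000, 0x2A000, r"C:\WINDOWS\Temp\evil.dll")
    return Process(
        pid=1234,
        image_path=exe.path,
        in_load=[exe, ntdll, k32],        # injected DLL unlinked from this list
        in_init=[ntdll, k32],             # ...and this one; exe absent by design
        in_mem=[exe, ntdll, k32, evil],   # still linked here
        exec_regions=[
            Region(exe.base, exe.size, exe.path),
            Region(ntdll.base, ntdll.size, ntdll.path),
            Region(k32.base, k32.size, k32.path),
            Region(evil.base, evil.size, evil.path),
            Region(0x00C70000, 0x10000, None),  # RWX private allocation
        ],
    )


if __name__ == "__main__":
    for base, path, reason in find_injection_artifacts(sample_process()):
        print(f"{base:#010x}  {path}: {reason}")
```

Two caveats are built into the check: the main executable is never linked into InInitializationOrderModuleList, so that single absence is expected and not reported, and an executable region with no backing file is reported on its own because a reflective loader never creates a loader entry at all. Findings are leads for the analyst rather than verdicts; packers, JIT runtimes and some legitimate hooking software also allocate private executable memory, which is exactly why the paper argues for correlating several views of the capture rather than trusting any one structure.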


Publication date: 2006