After the Shmoocon talk last weekend, I was accused of accused of aiding and abetting the enemy. First, let me thank those who gave positive feedback on the talk with Alissa Torres (@sibertor). The talk was on forging artifacts in memory forensics that confuse our current tools. Those who know me know that I am not a fan of PBF (push button forensics). If you are doing forensics investigations, you are doing important work. I’m a huge advocate of you actually knowing how to do it. Crazy, I know, but the attitude among many pseudo-professionals today is that they should be able to just push the button and get the evidence. Think I’m exaggerating? Check out the Forensicator Pro April Fool’s Day gag.
The tool I introduced this weekend clearly has offensive purposes. When I announced it, I couldn’t imagine a single defensive use for it. Some have told me that they might use the tool to create training scenarios. I think that sounds pretty unlikely, but I’ll wait to see how that plays out. In general though, it’s something that will likely only ever be used by attackers. Period. End of story.
So why did I present on and release the tool? First, I feel sure that someone else is already attacking memory forensics processes. I AM NOT THAT SMART. Someone else is likely already doing this. If I am the first, someone else was going to think of it later. In any case, the concern was that without demonstrating the ability to fool our tools, investigators don’t include it in the “realm of possibilities.” I’m sick of hearing people tell me that what’s in RAM is ground truth. That can’t always be true. ADD shows pretty conclusively that many OS objects can be forged. Pushing the envelope is better for everyone in the long term, even if it causes some short term pain.
Well, I’m planning to expand the tool. After the talk, several people approached me and explained how the tool would be useful for building training scenarios, if only it implemented X or Y. I’ll be adding some features as time permits. Multiple OS support is also on the radar (as noted in the slides, the reference implementation only works on Win7x86SP1).
Shoring up testing so ADD also fools other forensics tools is also on the horizon. I tested some support against Mandiant’s Redline and it doesn’t detect the forged processes (this is a good thing). Does this mean that is has better sanity checks or does it not scan for the process structures? Because it isn’t open source, I don’t know. I haven’t checked the EULA, but I’m guessing that there’s an anit-reversing provision in there. If that’s the case, I’ll be making lots of “educated guesses.”
Memory images and tool release?
I expect to release source code on the Google code page by the end of the week. I also expect to get some memory images out there quickly as well. After those are out, I plan to step through them and show how to detect the current versions of ADD in Volatility (TM). However, for legal reasons I should note that I am not in any way associated with the Volatility team or Verizon (which holds the Volatility trademark).