The following story was shared by Detective Michael Chaves. It describes how he’s used Volatility, KnTDD, and memory forensics over the past year to investigate POS breaches at local businesses. Kudos to Michael for applying his skills in an effective and meaningful way, then taking the time to share experiences with others. Without a doubt, detectives in every police department have or will encounter situations like Michael describes.
It’s been about a year since I’ve taken the
Volatility Windows Malware and Memory Forensics Training in NYC. I
wanted to take this time to share some of my experiences to hopefully
help examiners/investigators early on in their exposure to Volatility
and to help identify unknown malware. Over the past 10 months I have
responded to about a dozen POS breaches at local businesses; mainly
liquor stores and restaurants. These breaches are identified rather
quickly from local banks that call me with the details and I usually
respond to a location within 2 days. It should come as no surprise that I
have yet to respond to a location that was anywhere near being PCI
compliant.
The large majority of POS terminals were running Windows XP, some with
SP2, most with SP3. Two machines were even running Windows 2K, and all
had direct connections to the Internet. Antivirus, IF present, was either out of
date or turned off. I still have yet to see a firewall present or any
security policy in place. My RAM capture tool of choice is Kntdd and
I’ll use FTK Imager Lite to obtain all registry files, App Data
directory, $log, $MFT and prefetch directory. I carry with me several
portable drives to make the acquisition from each POS location in the
shortest amount of time possible as the store still needs to process
customer purchases.

For
most of these breaches I have been able to identify the malware pretty
easily. I usually begin by running pslist, psscan, psxview and
connections (if supported). In the majority of the breaches, the
processes were not hidden and had an active process listed, usually
called by ‘explorer’. If I was not able to easily identify the malware
process, I’d run dlllist to locate any programs running from odd
locations followed by malfind and yarascan. Once I have identified a
suspect process, I’d dump that process usually by procdump or dlldump.

During
the early part of the investigation, I am not too concerned how the
malware works or what the Initial Infection Vector was. I want
to know where the credit cards are going and how are they getting out.
I’d run strings on the exported suspected malware file and I would
generally find the URL used to send out the cards via POST, an e-mail
address associated with the malware and/or IP addresses. In the majority
of my cases the POST command was used to send out the cards; in others
it was via SMTP. In 5 of my 12 breaches, the malware family was JACKPOS
or Alina variants. I will search the Internet on file names, URLs and
artifacts, which usually results in great write-ups that show what I may
be investigating, as well as researching with VirusTotal. It should also
be noted that there have been a few times that I sought assistance from
the Volatility community and other students from the NYC class. They
have been extremely receptive to my questions, and the information provided
to me was invaluable!

I
realize there are many readers out there that have a far greater
understanding of malware and memory forensics. I’m slowly getting
there, but I hope this helps out the people just beginning, like I
am/was by describing my workflow and perhaps give confidence to some
that may otherwise doubt their ability.