Recently I’ve been working on more automation around the use of rekall.
Think “random sampling” and analysis but more effective than the TSA.
Python volatility has always been my go-to for processing live windows Memory but rekall’s shell has a lot to offer as well. If you follow the ThreatResponse project you know that we have just released the “ThreatResponse Workstation” in concert with our friends at ephemeralsystems.com. Ephemeral Systems provides all commercial support around aws_ir and the ThreatResponse suite.
In order to use rekall you need three things:
Rekall has a lot of dependencies. Using a docker container to deliver the environment makes all of that quite easy. We want to focus on analysis not on the installation.
MargaritaShotgun is an incredibly useful tool for memory capture. It has tons of
great features like jump box support, automatic kernel module resolution, and multipart
S3 upload. If you type margariashotgun --help
it can be kind of overwhelming if you’ve
never used the tool. That’s why we stress preparation in the IR process. Know the tools
or you’re going to have a bad time.
Here’s an example of just acquiring memory from a single system using margarita shotgun and the automatic kernel repository. MargaritaShotgun is provided and installed on the threatresponse workstation. https://github.com/EphemeralSystems/threatresponse-ws
You can use our AMIs or build your own.
# margaritashotgun --server 52.37.143.97 --user ec2-user --key ~/.ssh/id_rsa --filename memcapture.lime --repository
This is where the magic happens! Examiner’s always say how powerful volatile data can be. Memory analysis in linux never comes easy. Under normal circumstances you would have to build a rekall profile.
What’s rekall profile? Rekall profiles tell the the tooling how the variant of the kernel lays out the memory space so it can do things like extract network connection, process lists, and more.
The most recent version of the Amazon Linux kernel is 4.9.58-18.55
following the instructions
here: https://github.com/google/rekall/tree/master/tools/linux along with some heavy modifications
to the Makefile I was able to build a profile.
That profile is available here:
https://s3-us-west-2.amazonaws.com/reinvent2018-west.threatresponse.cloud/4.9.58-18.55.amzn1.json
What are some things you might do with rekall?
Sample Commands
# Loading Rekall
rekall --profile 4.9.58-18.55.amzn1.json -f YOURDUMP.lime
# Getting the process tree
[1] memcapture.lime 03:00:48> pstree
# Getting netstat
[1] memcapture.lime 03:00:48> netstat
# Dumping all processes to individual files
[1] memcapture.lime 03:00:48> memdump
# Running strings ( Note: You need to exit the rekall shell )
$ strings yourfile.dmp | grep -i thing
Your finally should be in the form of XXXX:XXXX:XXXX:XXXX
Separate them with colons!!
See a complete video walkthrough here:
https://vimeo.com/244460871