Running head: VOLATILE MEMORY FORENSICS AND VOIP

Volatile Memory Forensics and VoIP
Matt Plass
INFA 650
April 12, 2011
Dr. David Dampier

Volatile Memory Forensics and VoIP

When looking into topics within the digital forensics field that have become important to the science or discipline within the past half-decade, I would have to lean towards the emerging science of volatile memory forensic analysis and its relationship to Voice over IP (VoIP). Volatile memory forensics deals primarily with the recovery of data from the area of a system's memory that is lost when the system is powered down or is overwritten by other running processes; it is the work area of memory, such as a system's random access memory (RAM) or its virtual memory. Why are researchers now looking to access these untapped areas of forensic data? The main reason is that systems collected for forensic analysis are typically powered down to be moved to a laboratory where the work is performed. When these systems are shut down the volatile memory areas are destroyed and unrecoverable, but if one can analyze the data in a live state, it has been determined that researchers could gain a greater picture of the run time state of the system (Simon & Slay, 2009, pg. 996). These run time states can give an examiner an idea of the system's network connections, the encryption keys being used by the user on the system, access to decrypted data, access to the processes running on the system and their utilization, as well as any possibly modified applications that could be running within this memory area (Nance, Hay & Bishop, 2009, pg. 4).

Memory Forensics in Investigations

Why is there a need for memory forensics? The reason is that the number of devices being used in both business and commercial sectors is growing at a rate that is not only proving the validity of Moore's Law but also eclipsing it, and unfortunately the existing forensic processes in use today are not growing at the same rate (Simon & Slay, 2009, pg. 995). Because of these differences in growth, we are being led to inadequate or complex methodologies in digital forensics (Simon & Slay, 2009, pg. 995).

Memory Forensic Techniques

Due to the difficulty of obtaining data from volatile memory, most investigators were content with obtaining data through the more conventional methodologies, which focus on hard drives, optical media and flash memory (Simon & Slay, 2009, pg. 995). The difference between static media (non-volatile media) and physical memory (volatile media) is that static media will contain all the data and executables that a user might use on their system, while physical memory is the work space of the computer: it is temporary and is frequently written over when executing applications and processes or when the system loses power (Simon & Slay, 2009, pg. 995). With the introduction of newer applications such as voice over internet protocol (VoIP), social media and instant messaging, more data is being stored in this temporary storage which, if obtained by an examiner, might yield more information for their investigation, as the data from these applications can be used as a breadcrumb trail for the examiner (Simon & Slay, 2009, pg. 995). There are many reasons why volatile memory forensics has become necessary: criminals now have a better understanding of how to conceal their activities, they have access to encryption, the size of physical disks is increasing, and then there is the introduction of RAID arrays, network attached storage (NAS) and storage area networks (SAN), all of which make the job of the examiner more difficult (Simon & Slay, 2009, pg. 996). Currently most of the techniques used for volatile memory forensics are geared towards the Microsoft operating system, with the main objective to determine the current state of the system as well as any previous states before acquisition, and with secondary objectives to collect information on any viruses, malware or rootkits (Simon & Slay, 2009, pg. 997). The main issue with some of the older tools was that we ran into problems obtaining data, as hashing methods (such as MD5) yielded differing results, making it difficult to compare two files (Simon & Slay, 2009, pg. 997). This issue was resolved with the introduction of the tool ssdeep, which is able to find files that differ by only a few bits and gives the examiner a percentage of difference between the files to be used for comparison (Simon & Slay, 2009, pg. 997). There is also the cold boot attack, which was able to recover encryption keys for images stored in volatile memory even if encrypted with AES or RSA keys (Simon & Slay, 2009, pg. 998). More recently there was the introduction of a set of tools called Volatility, which is capable of recovering the date and time of image files, open sockets, currently running system processes, any DLL files loaded, open files and registry handles, to name a few (Simon & Slay, 2009, pg. 998). Simon and Slay in 2009 stated that the usage of memory forensics was not suitable for all applications or for all types of computer crimes; this is because the internet is pervasive by nature and some of the forensic methodologies may not identify that a criminal activity has actually taken place. However, volatile memory forensics does have the potential to recover data missed by the more conventional techniques of analysis of non-volatile memory, and it can be used to augment the currently accepted evidence collection and analysis techniques (Simon and Slay, 2009, pgs. 999-1000).

Forensic Patterns within VoIP

Next, I want to discuss voice over internet protocol (VoIP), then bring it full circle to how it relates to volatile memory forensics, and then discuss one of the most popular applications used for VoIP communications, Skype.
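To make the contrast between MD5 and ssdeep concrete, the following is an added example (not code from this paper or from the ssdeep project) of a simplified context-triggered piecewise hash with a percentage similarity score, run against a constructed pseudo-random file, a copy with three patched bytes, and an unrelated file. The 7-byte polynomial rolling hash, block size 32 and FNV-1a piece hash are my simplifications for illustration, not ssdeep's exact parameters.

```python
import collections
import hashlib
import random

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7                               # bytes covered by the rolling hash
MASK = 0xFFFFFFFF
POW_W = pow(257, WINDOW, 2 ** 32)        # weight of the byte leaving the window
FNV_BASIS, FNV_PRIME = 0x811C9DC5, 0x01000193

def fuzzy_hash(data: bytes, block_size: int = 32) -> str:
    """Context-triggered piecewise hash (the idea behind ssdeep, simplified).
    The input is cut wherever a rolling hash over the last WINDOW bytes hits a
    trigger value; each piece is hashed with FNV-1a and reduced to one base64
    character. Cut points depend only on nearby bytes, so a small edit changes
    only the characters around it rather than the whole signature."""
    sig, piece, roll = [], FNV_BASIS, 0
    window = collections.deque()
    for byte in data:
        piece = ((piece ^ byte) * FNV_PRIME) & MASK          # hash of current piece
        window.append(byte)                                  # polynomial rolling hash
        roll = (roll * 257 + byte) & MASK
        if len(window) > WINDOW:
            roll = (roll - window.popleft() * POW_W) & MASK
        if roll % block_size == block_size - 1:              # trigger: close the piece
            sig.append(B64[piece & 63])
            piece = FNV_BASIS
    sig.append(B64[piece & 63])                              # final, unterminated piece
    return "%d:%s" % (block_size, "".join(sig))

def compare(sig_a: str, sig_b: str) -> int:
    """Similarity 0..100 from the edit distance between two signatures."""
    bs_a, a = sig_a.split(":")
    bs_b, b = sig_b.split(":")
    if bs_a != bs_b:                                         # different block sizes
        return 0
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):                            # Levenshtein distance
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return round(100 * (1 - prev[-1] / max(len(a), len(b), 1)))

def md5_match(x: bytes, y: bytes) -> bool:
    """The conventional check: any difference gives an unrelated digest."""
    return hashlib.md5(x).hexdigest() == hashlib.md5(y).hexdigest()

# Constructed sample: a 4 KiB pseudo-random "file", a copy with three bytes
# patched in the middle, and an unrelated file of the same size.
_rng = random.Random(2011)
ORIGINAL = bytes(_rng.randrange(256) for _ in range(4096))
PATCHED = ORIGINAL[:2000] + b"\x00\x01\x02" + ORIGINAL[2003:]
UNRELATED = bytes(_rng.randrange(256) for _ in range(4096))
```

With these inputs md5_match(ORIGINAL, PATCHED) is False, while compare(fuzzy_hash(ORIGINAL), fuzzy_hash(PATCHED)) stays high and the unrelated file scores low.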

Misuse Patterns and Steganalysis

VoIP is sometimes called IP telephony, but to put it more simply it is the transmission of voice communications over the internet. It is a bit more complicated than this, but that is beyond the scope of this paper. However, the converged nature of this technology is what makes VoIP more susceptible to those who wish to conceal messages secretly embedded into the payload of the voice communication packets (Pelaez, 2009, pg. 160). One of the ways this can be done is by the technique of embedding secret messages into another, less obvious message; this is called steganography (Pelaez, 2009, pg. 160). The high speed and bandwidth usage required for VoIP communications is what makes these converged (data and voice) networks more vulnerable to steganographic attacks (Pelaez, 2009, pg. 160). The way examiners are trying to detect or find these hidden messages is by looking for known misuse patterns. These misuse patterns describe to the examiner how the information misuse was performed, allow the examiner to analyze how it can be stopped, and ultimately show how to trace it once it has occurred (Pelaez, 2009, pg. 160). There are typically two ways that VoIP's standard protocols (signaling and media transport) can be manipulated. In regards to VoIP's signaling protocols, the attacker will typically exploit unused free fields in the data stream to hide their messages (Pelaez, 2009, pg. 161). The difficulty in detecting misuse in the signaling protocol is that this data is typically encrypted using the secure session initiation protocol (SIPS) (Pelaez, 2009, pg. 161). In the media transport protocol, the attacker embeds messages into the real-time protocol (RTP) media packets during the call (Pelaez, 2009, pg. 162). These typical misuse patterns allow an examiner to utilize a structured method for locating steganographic information (Pelaez, 2009, pg. 163). Examiners can utilize things such as a VoIP Evidence Collector by setting up filtering rules, using network sensors with an intrusion detection system (IDS) to flag fields that typically have no data in them but currently do, or by using steganalysis algorithms to analyze packets in the VoIP traffic (Pelaez, 2009, pg. 163). To tie this discussion to the whole of the paper, we must understand why volatile memory forensics comes into play when handling VoIP traffic. In this case, if we are utilizing an application such as Skype, we could ultimately lose the ability to obtain this steganographic data when the machine is powered down and the volatile memory is thus destroyed. The next section will discuss some of the network patterns associated with VoIP forensics as it relates to volatile memory forensics.

Network Forensic Patterns in Voice over IP

When looking at network forensic patterns within VoIP traffic, examiners are primarily concerned with obtaining systematic descriptions of the steps an attack followed or the overall objective of the attack within the VoIP data stream (Pelaez & Fernandez, 2009, pg. 175). Using the VoIP Evidence Collector, the examiner is able to collect the packets selected by the rules the examiner set up initially, and with this data the examiner is able to reconstruct the behavior of the attack (Pelaez & Fernandez, 2009, pg. 176). The typical way this works is by utilizing an intrusion detection system (IDS) and other sensors on the network (Pelaez & Fernandez, 2009, pg. 176). These sensors and IDS configurations will then send an alert to an examiner when there are illegal attempts to utilize the VoIP call service (Pelaez & Fernandez, 2009, pg. 176). Once the data has been collected, the examiner utilizes the VoIP Evidence Analyzer, which defines the process and structure for analyzing the data and can be used to trace attacks back to their origin (Pelaez & Fernandez, 2009, pg. 178).
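The IDS rule described above, "flag fields that typically have no data in them but currently do", applied to the RTP media stream, as an added example that is not code from the paper or from Pelaez's VoIP Evidence Collector. The three packets are constructed here, and the check is a detection heuristic of my own (header extension present, non-zero padding octets, odd version field) that produces leads for steganalysis rather than proof.

```python
import struct

# Constructed sample packets (not captures from the paper): a G.711 mu-law
# frame with an ordinary header, a frame whose padding octets carry data,
# and a frame with a header extension on a codec that never uses one.
SSRC = 0x12345678
CLEAN = struct.pack("!BBHII", 0x80, 0x00, 1, 160, SSRC) + b"\xff" * 160
PAD_STEGO = (struct.pack("!BBHII", 0xA0, 0x00, 2, 320, SSRC)          # P bit set
             + b"\xff" * 160 + b"HI" + b"\x03")                      # count byte 3
EXT_STEGO = (struct.pack("!BBHII", 0x90, 0x00, 3, 480, SSRC)          # X bit set
             + struct.pack("!HH", 0xBEDE, 1) + b"ABCD" + b"\xff" * 160)

def parse_rtp(pkt: bytes) -> dict:
    """Split an RTP packet (RFC 3550) into header fields, CSRC list,
    header-extension bytes, payload and padding octets."""
    if len(pkt) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    h = {"version": b0 >> 6, "padding": bool(b0 & 0x20),
         "extension": bool(b0 & 0x10), "cc": b0 & 0x0F,
         "marker": bool(b1 & 0x80), "pt": b1 & 0x7F,
         "seq": seq, "timestamp": ts, "ssrc": ssrc, "ext": b"", "pad": b""}
    off = 12
    h["csrc"] = [struct.unpack("!I", pkt[off + 4 * i:off + 4 * i + 4])[0]
                 for i in range(h["cc"])]
    off += 4 * h["cc"]
    if h["extension"]:
        _profile, ext_len = struct.unpack("!HH", pkt[off:off + 4])
        h["ext"] = pkt[off + 4:off + 4 + 4 * ext_len]   # ext_len is in 32-bit words
        off += 4 + 4 * ext_len
    end = len(pkt)
    if h["padding"]:
        count = pkt[-1]                       # last octet: number of padding octets
        if count == 0 or off + count > end:
            raise ValueError("bad padding count")
        h["pad"] = pkt[end - count:end - 1]   # padding octets excluding the count byte
        end -= count
    h["payload"] = pkt[off:end]
    return h

def stego_indicators(pkt: bytes) -> list:
    """Misuse-pattern check: report header areas that normally carry no data
    but do in this packet. A hit is a lead for steganalysis, not proof."""
    h = parse_rtp(pkt)
    reasons = []
    if h["version"] != 2:
        reasons.append("version field is not 2")
    if h["extension"]:
        reasons.append("header extension present (%d bytes)" % len(h["ext"]))
    if h["padding"] and any(h["pad"]):
        reasons.append("non-zero padding octets: %s" % h["pad"].hex())
    return reasons
```

In a sensor this check would run per packet on the RTP port pair negotiated in signaling, with each hit logged alongside the SSRC and sequence number so the examiner can pull the flagged packets for deeper steganalysis.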
By using these tools the examiner can determine areas where the VoIP network is more prone to attack, can locate the location and originating phone number of the user or attacker, and can also possibly attain the IP address, MAC address or possible geographic location of the IP address (Pelaez & Fernandez, 2009, pg. 179). This correlation of evidence can then be used to determine the attack behavior and signature, and it will give the examiner a structured method to use for searching and analyzing forensic data on the network (Pelaez & Fernandez, 2009, pg. 179-180). In the next section of this paper, I will begin to relate the misuse patterns, steganalysis and network patterns in VoIP communications to volatile memory forensics and the necessity for further research on the topic of volatile memory forensics.

VoIP Forensics and Skype

The main issue that law enforcement officials run into with the emergence of VoIP communications is that wiretapping is just not an option for this technology, and the matter is further complicated in that the voice data is typically encrypted (Slay & Simon, 2008, pg. 1). The reason that VoIP has emerged as a dominant form of communication is due in part to its low call cost for local, long distance and international calling. It also allows companies to avoid spending money on new infrastructure for cabling and phone systems (Slay & Simon, 2008, pg. 1).

Network Forensics of Skype Traffic

Skype is an application that anyone can download from the internet and, upon opening an account, can place free phone calls to other Skype users or, for a fee, can place calls to more conventional telephony sources. Skype is a voice over IP (VoIP) peer-to-peer (P2P) application that runs as a background application on a user's computer. The issues that most network administrators run into with this application are that it uses excessive amounts of bandwidth, can traverse network address translation (NAT) rules and can ultimately bypass an organization's firewall (Leung & Chan, 2007, pg. 1). The issue for a forensic examiner with Skype is that the data is encrypted from end to end, making it much more difficult to determine if any wrongdoing is or has taken place (Leung & Chan, 2007, pg. 1). The approach taken by Leung and Chan was to reverse engineer the process that Skype took to complete a call and perform a forensic analysis on those activities. They collected the digital evidence to compare the timestamps to activities that were taking place at the application level (Leung & Chan, 2007, pg. 2). They were able to distinguish entities and stages of communication within their forensic analysis. They were able to obtain information such as the HTTP server, the end client host (who was using Skype), and the network location information of the users (Leung & Chan, 2007, pg. 3). Thus, the research yielded the ability to identify the sockets used by Skype; they were able to create detection rules for intrusion detection systems, and gained the ability to block Skype traffic if needed (Leung & Chan, 2007, pg. 6). This research could be used by examiners to better understand how interception of VoIP traffic could possibly be completed and how to locate information on a live station that was utilizing Skype for potential criminal activities.

Recovery of Skype Data

As discussed above, the Skype data is encrypted, which makes it very difficult to analyze or exploit, but the majority of Skype's data is located on the system drives and in the registry of the system (also encrypted), and there is valuable information that can be extracted (Dodge, 2008, pg. 3). This extraction now brings us full circle in that we can extract this data from the volatile memory areas on the system being examined. Previously, the extraction of evidence from volatile memory was thought to provide very little benefit to an examiner considering the high cost involved with trying to pull the data from the system (Simon & Slay, 2010, pg. 283).
The issue currently is that volatile memory could be the source of some of the most valuable evidence needed by examiners in their recovery (Simon & Slay, 2010, pg. 283). Some of the data that examiners are hoping to recover from VoIP and Skype applications includes communication histories, contact information and actual data from the communication session (Simon & Slay, 2010, pg. 284). Another large recovery potential for the examiner is the passwords or encryption keys being used by the application (Simon & Slay, 2010, pg. 284). Here, the tool of choice was Volatility, as it can be used to extract information contained within volatile physical memory (Simon & Slay, 2010, pg. 286). The memory was analyzed to determine how it changed over time and whether recovery of passwords or encryption keys was obtainable (Simon & Slay, 2010, pg. 286). Simon and Slay's research determined that even though the application was terminated, there were remnant process objects in memory for some time allowing for extraction, and this may help examiners obtain and recover information from volatile memory used for VoIP and Skype communications (Simon & Slay, 2010, pg. 286). The research also determined that if analysis was performed while the application was still running, an examiner could obtain the Skype login password, as it resided in the volatile memory space that was deleted once the application was terminated (Simon & Slay, 2010, pg. 286). Through this research, it was determined that volatile memory forensics of VoIP and Skype applications was a viable source for evidence collection (Simon & Slay, 2010, pg. 288). With the introduction of new technologies, there always seems to be one group that finds the best way to exploit the strengths, and with VoIP and Skype that group is the criminal element of our society. They have been drawn to this new technology, as it often requires no verification to use the service (Slay & Simon, 2008, pg. 3). The fact that they feel more protected by Skype's ability to fully encrypt the data adds to their exploitation of the technology, as they can have complete anonymity (Slay & Simon, 2008, pg. 2). However, with the leaps being made in volatile memory forensics this anonymity is slowly eroding, as examiners can now extract information and can recreate portions of the conversations (Slay & Simon, 2008, pg. 5). It is apparent that there is still a lot of work and research needed in volatile memory forensics, but from the research that I have looked at it would appear that with the growth of technology this is becoming a necessity in our society. In addition, many of the devices that we are currently running on a daily basis are not typically shut down when we are done using them, and this just adds to the ability of an examiner to extract the necessary data from the device if the need should arise.

Bibliography

Arasteh, A. Forensic analysis of Windows physical memory. M.Comp.Sc. dissertation, Concordia University (Canada), Canada. Retrieved April 1, 2011, from Dissertations & Theses: Full Text. (Publication No. AAT MR42529).

Dodge, R. C. (2008). Skype Fingerprint. Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008), 485.

Leung, C. & Chan, Y. (2007). Network Forensic on Encrypted Peer-to-Peer VoIP Traffics and the Detection, Blocking, and Prioritization of Skype Traffics. 16th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE 2007), 401-408.

Nance, K., Hay, B., & Bishop, M. (2009). Digital Forensics: Defining a Research Agenda. 42nd Hawaii International Conference on System Sciences, 1-6.

Pelaez, J. C. (2009). Using Misuse Patterns for VoIP Steganalysis. 2009 20th International Workshop on Database and Expert Systems Application, 160-164.

Pelaez, J. C. & Fernandez, E. B. (2009). VoIP Network Forensic Patterns. 2009 Fourth International Multi-Conference on Computing in the Global Information Technology, 175-180.

Simon, M. & Slay, J. (2009). Enhancement of Forensic Computing Investigations through Memory Forensic Techniques. 2009 International Conference on Availability, Reliability and Security, 995-1000.

Simon, M. & Slay, J. (2010). Recovery of Skype Application Activity Data from Physical Memory. 2010 International Conference on Availability, Reliability and Security, 283-288.

Slay, J. & Simon, M. (2008). Voice over IP forensics. Proceedings of the 1st international conference on Forensic applications and techniques in telecommunications, information, and multimedia and workshop (e-Forensics '08).
