Random Access Memory Forensics Methodology for Investigating Cryptocurrency Protocols
Shaimaa Sherif Ali
- 2019
- 101 p. ill. 21 cm.
Supervisor: Nashwa Abd El-Baki
Thesis (M.A.)—Nile University, Egypt, 2019.
"Includes bibliographical references"
Contents:
Abstract, p. xix
Chapter 1: Memory Forensics Fundamentals, p. 1
  1.1 Digital Forensics Discipline, p. 1
  1.2 Malware Analysis Discipline, p. 2
  1.3 Memory Page Tables in Brief, p. 2
  1.4 The Process Object in Windows Memory, p. 3
    1.4.1 Windows Portable Executable (PE) Format, p. 4
    1.4.2 _EPROCESS Structure in Brief, p. 6
Chapter 2: Literature Review for Cryptocurrency Protocols, p. 9
  2.1 Bitcoin Protocol, p. 9
    2.1.1 Technical Review and Cryptographic Techniques Used, p. 9
    2.1.2 Messages of Bitcoin Protocol, p. 10
    2.1.3 Bitcoin Digital Forensics, p. 14
  2.2 CryptoNote Protocol, p. 16
    2.2.1 Historical Review and Cryptographic Techniques Used, p. 16
    2.2.2 CryptoNote Terminology, p. 17
    2.2.3 RPC Calls of CryptoNote Protocol, p. 18
    2.2.4 Monero Digital Forensics, p. 19
  2.3 Stratum Mining Protocol, p. 20
    2.3.1 RPC Calls of Stratum Protocol, p. 20
    2.3.2 The Role of Stratum Protocol in Drive-by Mining Attack, p. 22
Chapter 3: Case Study Construction, p. 23
  3.1 Virtualization Tools, p. 23
  3.2 Memory Capture Tool: WinPMEM, p. 23
    3.2.1 Prerequisites before Memory Capture, p. 24
    3.2.2 Procedure to Capture Physical Memory Image, p. 24
  3.3 Digital Forensics Tool: Volatility, p. 24
    3.3.1 The Four Main Categorized Volatility Plugins, p. 25
    3.3.2 Installation of Volatility Framework, p. 27
    3.3.3 Writing a New Plugin, p. 27
Chapter 4: Proposed Methodology, p. 29
  4.1 The Proposed Methodology in a Flowchart Diagram, p. 29
  4.2 The Pseudo Code for Proposed Methodology, p. 33
  4.3 Structure of The Developed Plugin, p. 34
    4.3.1 Calculate Function, p. 34
    4.3.2 Render Function, p. 34
  4.4 Revealing Version of Wallet, p. 35
  4.5 Execution of The Developed Plugin, p. 36
  4.6 How Forensics Artifacts Extracted?, p. 36
  4.7 Case Studies Map, p. 36
  4.8 Details of Developing a Volatility Plugin, p. 38
    4.8.1 How Many Readable Memory Pages Exist in The Target Process?, p. 38
    4.8.2 How One Memory Page Looks Like?, p. 40
    4.8.3 How to Manipulate The Raw Data Content of a Memory Page?, p. 40
    4.8.4 How to Search a Signature in a Python String?, p. 41
    4.8.5 How to Validate our Parsing for Memory Page Contents?, p. 44
    4.8.6 Summary for Volatility Classes/Functions Used in The Developed Plugins, p. 45
    4.8.7 Summary for Python Modules Used in The Developed Volatility Plugins, p. 46
Chapter 5: Results of Case-Study One, p. 47
  5.1 Bitcoin Core Results, p. 47
    5.1.1 Artifacts Regarding Other Nodes in Bitcoin P2P Network, p. 47
    5.1.2 Artifacts Regarding Transactions, p. 48
    5.1.3 Revealing Version of Bitcoin Core Wallet, p. 50
  5.2 Monero Results, p. 51
    5.2.1 Artifacts Regarding Synchronizing Monero Wallet with The Network, p. 51
    5.2.2 Artifacts Regarding Peers in Monero P2P Network, p. 52
    5.2.3 Artifacts Regarding Blocks and Transactions, p. 52
  5.3 A Comparison of The Methodology Proposed Against Past RAM Forensics, p. 55
    5.3.1 Revealing Bitcoin Cryptocurrency Artifacts Comparison, p. 56
    5.3.2 Revealing Network Artifacts Comparison, p. 56
Chapter 6: Results of Case-Study Two, p. 59
  6.1 Revealing Login Identity of The Malicious Author, p. 59
  6.2 Artifacts Regarding Malicious Pools and Ways to Communicate, p. 63
  6.3 Artifacts Regarding Mining Parameters, p. 64
Chapter 7: Conclusion and Future Work, p. 67
  7.1 Contributions and Findings, p. 67
  7.2 Future work, p. 68
Appendix, p. 69
  Addr.py plugin, p. 69
  _EPROCESS Members, p. 70
References
Abstract: The growing market of cryptocurrencies, and the cyber-attacks that increasingly involve them, raises the importance of Digital Forensics in this domain. Ransomware demands payment in Bitcoin. Mining malware exhausts the processing power of infected computers to mine different types of cryptocurrency without the user's permission. Much forensic research explains cryptocurrency only in terms of discovered addresses and wallet files/folders, without paying attention to the underlying cryptographic protocols. Our proposed algorithm covers this gap. This research aims at creating a volatile memory parser for the Bitcoin and CryptoNote network protocols and the Stratum mining protocol. Our parser reveals digital forensic information and correlates it to the corresponding cryptocurrency community. The proposed digital forensics methodology extracts digital evidence and forensic artifacts from system memory to assist investigations involving cryptocurrency. In addition, case studies are presented to explain the proposed methodology using our developed Volatility plugins. Each protocol's documentation is examined to select the methods that help retrieve information useful to the Digital Forensics discipline. The cryptocurrency memory forensics investigation methodology extracts a series of forensically valuable cryptocurrency protocol methods/calls. Case studies are classified into legitimate and malicious processes. The first case study involves analyzing two legitimate processes working under two cryptocurrency network protocols: Bitcoin and CryptoNote. The second case study analyzes three different malicious Monero mining processes; the mining protocol used by these malware processes is Stratum. Currency transactions and the revealing of a malicious identity are the key findings of the case studies. Other findings are listed in the results chapters.