ThreatResponse Workstation and Rekall

Recently I’ve been working on more automation around the use of rekall.
Think “random sampling” and analysis but more effective than the TSA.

Python Volatility has always been my go-to for processing live Windows memory, but rekall’s shell has a lot to offer as well. If you follow the ThreatResponse project you know that we have just released the “ThreatResponse Workstation” in concert with our friends at Ephemeral Systems, who provide all commercial support around aws_ir and the ThreatResponse suite.

In order to use rekall you need three things:

  1. A memory dump. (This can be taken with MargaritaShotgun.)
  2. A rekall profile for the kernel variant. One has been provided as a sample.
  3. A rekall environment. We’ll use the one from the remnux project for the sake of simplicity.

Rekall has a lot of dependencies. Using a docker container to deliver the environment makes all of that quite easy. We want to focus on analysis not on the installation.

Getting a memory capture

MargaritaShotgun is an incredibly useful tool for memory capture. It has tons of great features like jump box support, automatic kernel module resolution, and multipart S3 upload. If you type margaritashotgun --help it can be kind of overwhelming if you’ve never used the tool. That’s why we stress preparation in the IR process. Know the tools or you’re going to have a bad time.

Here’s an example of just acquiring memory from a single system using MargaritaShotgun and the automatic kernel module repository. MargaritaShotgun is provided and installed on the ThreatResponse Workstation.

You can use our AMIs or build your own.

# margaritashotgun --server <target-host> --user ec2-user --key ~/.ssh/id_rsa --filename memcapture.lime --repository

You’ve got a capture now what?

This is where the magic happens! Examiners always say how powerful volatile data can be. Memory analysis on Linux never comes easy: under normal circumstances you would have to build a rekall profile yourself.

What’s a rekall profile? Rekall profiles tell the tooling how the variant of the kernel lays out the memory space so it can do things like extract network connections, process lists, and more.

The most recent version of the Amazon Linux kernel is 4.9.58-18.55. Following the instructions here: (along with some heavy modifications to the Makefile) I was able to build a profile for it.

That profile is available here:

What are some things you might do with rekall?

  1. Dump the process tree and examine running processes against known good states.
  2. Dump the network connections like you would with netstat.
  3. Extract all process memory to individual dmp files for carving or running strings against.

Sample Commands

# Loading Rekall

rekall --profile 4.9.58-18.55.amzn1.json -f YOURDUMP.lime

# Getting the process tree

[1] memcapture.lime 03:00:48> pstree

# Getting netstat

[1] memcapture.lime 03:00:48> netstat

# Dumping all processes to individual files

[1] memcapture.lime 03:00:48> memdump

# Running strings ( Note: You need to exit the rekall shell )

$ strings yourfile.dmp | grep -i thing
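Putting the steps above together, here is an added example (not code from the original post or from the ThreatResponse project) that batches capture and triage over a random sample of hosts. It assumes margaritashotgun and rekall are on PATH, that rekall takes a plugin name as a trailing argument for a one-shot run, and that memdump writes its .dmp files into the current directory; the hostnames and output paths are parameters.

```shell
# Added example, not code from the original post or the ThreatResponse project.
# Batches the steps above over a random sample of hosts: MargaritaShotgun
# capture, one-shot rekall runs of pstree/netstat/memdump, then a strings pass
# over the dumped processes. Assumes margaritashotgun and rekall are on PATH,
# that rekall takes the plugin name as a trailing argument, and that memdump
# writes its .dmp files into the current directory.
set -eu

PROFILE="${PROFILE:-4.9.58-18.55.amzn1.json}"   # profile built in the post
OUTDIR="${OUTDIR:-./triage}"
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print commands, run nothing

# "Random sampling": keep N hosts from a newline-separated list on stdin.
sample_hosts() {
  awk 'BEGIN { srand() } { print rand() "\t" $0 }' | sort -k1,1n | cut -f2- | head -n "$1"
}
# Acquisition command for one host (same flags as the post; host is a parameter).
capture_cmd() {
  echo "margaritashotgun --server $1 --user ${2:-ec2-user} --key ${3:-$HOME/.ssh/id_rsa} --filename $OUTDIR/$1.lime --repository"
}
# One-shot rekall invocation: run a single plugin against a dump, then exit.
rekall_cmd() { echo "rekall --profile $PROFILE -f $1 $2"; }

# Execute a command string with stdout sent to $1, or only print it when DRY_RUN=1.
run_to() { if [ "$DRY_RUN" = 1 ]; then echo "$2"; else eval "$2" > "$1"; fi; }

# strings(1) when present, otherwise a tr-based fallback that serves the same purpose.
extract_strings() {
  if command -v strings >/dev/null 2>&1; then strings "$1"; else tr -c '[:print:]' '\n' < "$1"; fi
}

# Per-dump hit counts for a case-insensitive pattern; prints "<file> <count>" per hit.
grep_dumps() {
  for f in "$2"/*.dmp; do
    [ -e "$f" ] || continue
    n=$(extract_strings "$f" | grep -ic -- "$1" || true)
    [ "$n" -gt 0 ] && echo "$(basename "$f") $n"
  done
  return 0
}

# Full triage for one host: capture, process tree, netstat, memdump, strings pass.
triage_host() {
  host="$1"; dump="$OUTDIR/$host.lime"; hostdir="$OUTDIR/$host"
  mkdir -p "$hostdir"
  run_to /dev/null "$(capture_cmd "$host")"
  for p in pstree netstat; do run_to "$hostdir/$p.txt" "$(rekall_cmd "$dump" "$p")"; done
  ( cd "$hostdir" && run_to memdump.txt "$(rekall_cmd "../$host.lime" memdump)" )
  grep_dumps "${PATTERN:-http://}" "$hostdir" > "$hostdir/strings_hits.txt"
}
```

Drive it with something like `printf '%s\n' host-a host-b host-c | sample_hosts 1 | while read -r h; do triage_host "$h"; done`, with DRY_RUN=1 first to review the commands before anything runs.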

Jam Challenge Final Format!

Your final answer should be in the form of XXXX:XXXX:XXXX:XXXX

Separate them with colons!!

Video Walkthrough

See a complete video walkthrough here: