Intro to Memory Forensics

Introduction

Memory Analysis Tools - Volatility, Redline, Rekall
Memory Acquisition Tools - FTKimager, Dumpit, Live RAM capture
Memory doesn’t have a filesystem associated with it like ext4 or NTFS we’d see for disk-based forensics.
Have to use plugins to parse the contents of a memory dump and extract the artifacts

volatility -f {memory_image} imageinfo

Using imageinfo plugin allows the software to make a best guess as to the correct memory profile to use to parse the memory.
Volatility searches for the KDGB (Kernel debugger) block - structure of memory used by Windows kernel for debugging purposes.
Analysis of this structure will allow the software to determine the OS form which the memory dump originated.
Getting this wrong will result in unexpected results or no results.

Plugins

volatility -f {memory_image} --profile=Win10x64_14393 {plugin}

Process list

PLUGIN

DESCRIPTION

pslist

allows us to see the running processes within the memory image

psscan

shows in-depth and addtional processes that pslist did not find and even exited processes

pstree

shows a hierarchical view of the processes that were running at the time of memory acquisition

svchost.exe should always have the parent process as services.exe
Redline tool has MRI (Malware Risk Index) which scores the process like if svchost.exe did not have the appropriate parent process, it would have a high score.

Command line

PLUGIN

DESCRIPTION

cmdscan

prints the commands that the attacker typed

consoles

shows the commands the attacker typed as well as the i/o buffer

Dumping

PLUGIN

DESCRIPTION

procdump -p {pid} --dump-dir=./

dump the process (actual executable) mentioned in the given directory

memdump -p {pid} --dump-dir=./

dump the memory associated with the process to disk

dumpfiles --dump-dir=./

dump all files, including cached, available out of memory

Once you dump a process, you get a Windows PE file. Use file {file_name} to confirm it.
If you think that it is a malware, you can run strings, hash it and search in VirusTotal and find other IOCs.
Programs that are frequently run are cached in memory.
a process that’s running has no mapped file on disk associated with it (only exists in memory) can be a redflag that indicates a process injection occured

Network connections

can see data exfiltration using netscan.
run abbebus.py against the file and it will find IP addresses within the netscan output ignoring private addresses.
if you see a process listening and you think that is evil, you can take the “PID” and use procdump or memdump and dump the process to analyze it further.

Registry information

PLUGIN

DESCRIPTION

userassist

show evidence of GUI based application execution

shellbags

shows which windows explorer file paths have been viewed in the GUI

hivelist, hivescan, hivedump, shimcache
these plugins are not only available for disk-based forensics, but also for memory-based forensics.

Others

PLUGIN

DESCRIPTION

imagecopy

performs a conversion of existing address space

For example - a hibernation file, a crash dump file, a VMware snapshot file etc to a raw memory image
So, if we use image copy, we can then take that output and then run volatility on it as if it was a memory dump file

PLUGIN

DESCRIPTION

timeliner

extracts timestamped artifacts out of memory

You can then feed that into super timeline and create a comprehensive view of things that not only occured on disk but also on memory that have timedata associated with it.

PreviousMemory Forensics - 13cubed NextWindows Memory Analysis

Last updated 1 year ago

Intro to Memory Forensics

Introduction

Memory Analysis Tools - Volatility, Redline, Rekall
Memory Acquisition Tools - FTKimager, Dumpit, Live RAM capture
Memory doesn’t have a filesystem associated with it like ext4 or NTFS we’d see for disk-based forensics.
Have to use plugins to parse the contents of a memory dump and extract the artifacts

volatility -f {memory_image} imageinfo

Using imageinfo plugin allows the software to make a best guess as to the correct memory profile to use to parse the memory.
Volatility searches for the KDGB (Kernel debugger) block - structure of memory used by Windows kernel for debugging purposes.
Analysis of this structure will allow the software to determine the OS form which the memory dump originated.
Getting this wrong will result in unexpected results or no results.

Plugins

volatility -f {memory_image} --profile=Win10x64_14393 {plugin}

Process list

PLUGIN

DESCRIPTION

pslist

allows us to see the running processes within the memory image

psscan

shows in-depth and addtional processes that pslist did not find and even exited processes

pstree

shows a hierarchical view of the processes that were running at the time of memory acquisition

svchost.exe should always have the parent process as services.exe
Redline tool has MRI (Malware Risk Index) which scores the process like if svchost.exe did not have the appropriate parent process, it would have a high score.

Command line

PLUGIN

DESCRIPTION

cmdscan

prints the commands that the attacker typed

consoles

shows the commands the attacker typed as well as the i/o buffer

Dumping

PLUGIN

DESCRIPTION

procdump -p {pid} --dump-dir=./

dump the process (actual executable) mentioned in the given directory

memdump -p {pid} --dump-dir=./

dump the memory associated with the process to disk

dumpfiles --dump-dir=./

dump all files, including cached, available out of memory

Once you dump a process, you get a Windows PE file. Use file {file_name} to confirm it.
If you think that it is a malware, you can run strings, hash it and search in VirusTotal and find other IOCs.
Programs that are frequently run are cached in memory.
a process that’s running has no mapped file on disk associated with it (only exists in memory) can be a redflag that indicates a process injection occured

Network connections

can see data exfiltration using netscan.
run abbebus.py against the file and it will find IP addresses within the netscan output ignoring private addresses.
if you see a process listening and you think that is evil, you can take the “PID” and use procdump or memdump and dump the process to analyze it further.

Registry information

PLUGIN

DESCRIPTION

userassist

show evidence of GUI based application execution

shellbags

shows which windows explorer file paths have been viewed in the GUI

hivelist, hivescan, hivedump, shimcache
these plugins are not only available for disk-based forensics, but also for memory-based forensics.

Others

PLUGIN

DESCRIPTION

imagecopy

performs a conversion of existing address space

For example - a hibernation file, a crash dump file, a VMware snapshot file etc to a raw memory image
So, if we use image copy, we can then take that output and then run volatility on it as if it was a memory dump file

PLUGIN

DESCRIPTION

timeliner

extracts timestamped artifacts out of memory

You can then feed that into super timeline and create a comprehensive view of things that not only occured on disk but also on memory that have timedata associated with it.

PreviousMemory Forensics - 13cubed NextWindows Memory Analysis

Last updated 1 year ago