Intro to Memory Forensics
Introduction
Memory Analysis Tools - Volatility, Redline, Rekall
Memory Acquisition Tools - FTK Imager, DumpIt, Live RAM Capture
Memory doesn’t have a filesystem associated with it like the ext4 or NTFS we’d see in disk-based forensics.
We have to use plugins to parse the contents of a memory dump and extract the artifacts.
volatility -f {memory_image} imageinfo
Using the imageinfo plugin allows the software to make a best guess as to the correct memory profile to use to parse the memory. Volatility searches for the KDBG (Kernel Debugger Block), a structure in memory used by the Windows kernel for debugging purposes.
Analysis of this structure allows the software to determine the OS from which the memory dump originated.
Getting the profile wrong will result in unexpected results or no results.
Plugins
volatility -f {memory_image} --profile=Win10x64_14393 {plugin}
Process list
pslist - allows us to see the running processes within the memory image
psscan - shows in-depth and additional processes that pslist did not find, including exited processes
pstree - shows a hierarchical view of the processes that were running at the time of memory acquisition
svchost.exe should always have services.exe as its parent process.
The Redline tool has an MRI (Malware Risk Index) which scores each process; for example, if svchost.exe did not have the appropriate parent process, it would get a high score.
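The parent-process rule above, as an added Python example (not code from the original notes): it parses Volatility 2 pslist output and flags svchost.exe processes whose parent is not services.exe, or whose parent PID is absent from the listing, which is the case psscan is meant to follow up on. The sample listing is constructed, not from a real case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of Volatility 2 `pslist` output (not from a real case); the
# last svchost.exe has a parent PID that is absent from the listing.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xfffffa8001b79b30 services.exe            464    368      8      215      0      0 2016-11-23 21:29:53 UTC+0000
0xfffffa8001c01060 svchost.exe             588    464     10      353      0      0 2016-11-23 21:29:54 UTC+0000
0xfffffa8001c8a470 explorer.exe           1324   1296     24      815      1      0 2016-11-23 21:30:10 UTC+0000
0xfffffa8001d0f060 svchost.exe            2140   1324      3       80      1      0 2016-11-23 21:31:02 UTC+0000
0xfffffa8001d44b30 svchost.exe            2208   2100      2       40      1      0 2016-11-23 21:31:05 UTC+0000
"""

# Offset, Name, PID and PPID are the first four whitespace-separated columns.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
# Expected parent image per child image; only the svchost.exe rule is encoded.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}

@dataclass
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int

def parse_pslist(text: str) -> Dict[int, Proc]:
    """Return processes keyed by PID; the header line does not match the regex."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs[int(m.group(3))] = Proc(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
    return procs

def find_parent_anomalies(procs: Dict[int, Proc]) -> List[str]:
    """Flag children whose parent is the wrong image or is missing from pslist."""
    findings: List[str] = []
    for p in procs.values():
        expected = EXPECTED_PARENT.get(p.name.lower())
        if expected is None:
            continue
        parent = procs.get(p.ppid)
        if parent is None:  # parent exited or hidden: follow up with psscan
            findings.append(f"{p.name} (PID {p.pid}): parent PID {p.ppid} not in pslist")
        elif parent.name.lower() != expected:
            findings.append(f"{p.name} (PID {p.pid}): parent is {parent.name} (PID {parent.pid}), expected {expected}")
    return findings
```

Feed real pslist output to find_parent_anomalies(parse_pslist(text)) and print the returned list.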
Command line
cmdscan - prints the commands that the attacker typed
consoles - shows the commands the attacker typed as well as the console I/O buffer
Dumping
procdump -p {pid} --dump-dir=./ - dumps the process (the actual executable) with the given PID into the given directory
memdump -p {pid} --dump-dir=./ - dumps the memory associated with the process to disk
dumpfiles --dump-dir=./ - dumps all files available in memory, including cached ones
Once you dump a process, you get a Windows PE file. Use file {file_name} to confirm it. If you think that it is malware, you can run strings on it, hash it and search VirusTotal to find other IOCs.
Programs that are frequently run are cached in memory.
A running process that has no mapped file on disk associated with it (it only exists in memory) can be a red flag that indicates a process injection occurred.
Network connections
You can see data exfiltration using netscan.
Run abbebus.py against the file and it will find the IP addresses within the netscan output, ignoring private addresses.
If you see a process listening and you think that it is evil, you can take its PID and use procdump or memdump to dump the process and analyze it further.
Registry information
userassist - shows evidence of GUI-based application execution
shellbags - shows which Windows Explorer file paths have been viewed in the GUI
hivelist, hivescan, hivedump, shimcache - the registry artifacts these plugins parse are available not only in disk-based forensics, but also in memory-based forensics.
Others
imagecopy - performs a conversion of an existing address space, for example a hibernation file, a crash dump file or a VMware snapshot file, to a raw memory image.
So, if we use imagecopy, we can take that output and run Volatility on it as if it were a memory dump file.
timeliner - extracts timestamped artifacts out of memory.
You can then feed that into a super timeline and create a comprehensive view of events with time data associated with them that occurred not only on disk but also in memory.