Intro to Memory Forensics

Introduction

  • Memory Analysis Tools - Volatility, Redline, Rekall

  • Memory Acquisition Tools - FTK Imager, DumpIt, Live RAM Capture

  • Memory doesn’t have a filesystem associated with it like ext4 or NTFS we’d see for disk-based forensics.

  • Plugins have to be used to parse the contents of a memory dump and extract the artifacts.

volatility -f {memory_image} imageinfo

  • The imageinfo plugin lets Volatility make a best guess at the correct memory profile to use when parsing the image.

  • Volatility searches for the KDBG (kernel debugger) block, a structure the Windows kernel keeps in memory for debugging purposes.

  • Analysis of this structure allows the software to determine the OS from which the memory dump originated.

  • Choosing the wrong profile will produce unexpected results or no results at all.


Plugins

volatility -f {memory_image} --profile=Win10x64_14393 {plugin}

Process list

PLUGIN    DESCRIPTION
pslist    allows us to see the processes that were running within the memory image
psscan    shows additional processes that pslist did not find, including exited processes
pstree    shows a hierarchical (parent/child) view of the processes that were running at the time of memory acquisition

  • svchost.exe should always have services.exe as its parent process.

  • The Redline tool has an MRI (Malware Risk Index) that scores each process; for example, an svchost.exe without the appropriate parent process would receive a high score.
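Checking the parent-process rule above over pslist output, as an added example that is not from the original notes or from Volatility itself: it parses Volatility 2 pslist text (a constructed sample), flags any svchost.exe whose parent is not services.exe, and extends the rule with the expected parent of services.exe (an assumption about the Windows Vista+ process layout).

```python
# Expected parent for well-known Windows processes. The svchost.exe rule is the one
# from the notes above; the services.exe entry extends it (assumption: Vista+ layout).
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "services.exe": "wininit.exe",
}

# Constructed sample of Volatility 2 `pslist` output (not taken from a real image).
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000ca8b30 System                    4      0     82      502 ------      0 2014-10-09 19:41:03 UTC+0000
0xfffffa8001d1e060 wininit.exe             384    316      3       75      0      0 2014-10-09 19:41:05 UTC+0000
0xfffffa8001d60b30 services.exe            480    384      7      209      0      0 2014-10-09 19:41:05 UTC+0000
0xfffffa8001e1e060 svchost.exe             592    480     10      351      0      0 2014-10-09 19:41:06 UTC+0000
0xfffffa8001e9a060 explorer.exe           1356   1328     24      818      1      0 2014-10-09 19:41:20 UTC+0000
0xfffffa8002a0c060 svchost.exe            2044   1356      1       41      1      0 2014-10-09 19:55:12 UTC+0000
0xfffffa8002b41060 svchost.exe            2108   2100      2       60      1      0 2014-10-09 19:56:01 UTC+0000
"""

def parse_pslist(text):
    """Map PID -> (name, PPID) from pslist text; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a hex offset, then name, PID and PPID.
        if len(fields) < 4 or not fields[0].startswith("0x") or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        procs[int(fields[2])] = (fields[1], int(fields[3]))
    return procs

def find_parent_anomalies(procs):
    """Return (pid, name, reason) for processes whose parent is not the expected one."""
    findings = []
    for pid, (name, ppid) in sorted(procs.items()):
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        parent = procs.get(ppid)
        if parent is None:
            # Parent missing from pslist: it may have exited or be unlinked; check with psscan.
            findings.append((pid, name, f"parent PID {ppid} not in pslist"))
        elif parent[0].lower() != expected:
            findings.append((pid, name, f"parent is {parent[0]} (PID {ppid}), expected {expected}"))
    return findings

if __name__ == "__main__":
    for pid, name, reason in find_parent_anomalies(parse_pslist(SAMPLE_PSLIST)):
        print(f"[!] PID {pid} {name}: {reason}")
```

To run it against a real image, pipe the output of `volatility -f {memory_image} --profile=... pslist` into parse_pslist instead of the sample.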


Command line

PLUGIN    DESCRIPTION
cmdscan   prints the commands that the attacker typed into the console
consoles  shows the commands the attacker typed as well as the console I/O buffer


Dumping

PLUGIN                            DESCRIPTION
procdump -p {pid} --dump-dir=./   dumps the process's executable to the given directory
memdump -p {pid} --dump-dir=./    dumps the memory associated with the process to disk
dumpfiles --dump-dir=./           dumps all files recoverable from memory, including cached files

  • Once you dump a process, you get a Windows PE file. Use file {file_name} to confirm it.

  • If you suspect it is malware, you can run strings on it, hash it, and search the hash in VirusTotal to find other IOCs.

  • Programs that are frequently run are cached in memory.

  • A running process with no mapped file on disk associated with it (it exists only in memory) can be a red flag indicating that process injection occurred.


Network connections

  • Data exfiltration can be spotted using netscan.

  • Run abbebus.py against the netscan output and it will extract the IP addresses, ignoring private addresses.

  • If you see a process listening and you think it is malicious, take its PID and use procdump or memdump to dump the process for further analysis.


Registry information

PLUGIN      DESCRIPTION
userassist  shows evidence of GUI-based application execution
shellbags   shows which Windows Explorer file paths have been viewed in the GUI

  • hivelist, hivescan, hivedump, shimcache

  • These registry artifacts are not only available in disk-based forensics; the same plugins recover them from memory as well.


Others

PLUGIN     DESCRIPTION
imagecopy  converts an existing address space to a raw memory image

  • For example, a hibernation file, a crash dump file, a VMware snapshot file, etc. can be converted to a raw memory image.

  • So, if we use imagecopy, we can take its output and run Volatility on it as if it were a memory dump file.

PLUGIN     DESCRIPTION
timeliner  extracts timestamped artifacts out of memory

  • You can then feed that into a supertimeline and create a comprehensive view of events that occurred not only on disk but also in memory, for everything that has time data associated with it.

