Memory Forensics Baselines
Baselining
Baselining involves comparing memory from a known good configuration with potentially compromised system memory
When a user reports a system issue, acquire the memory of the compromised system and compare it with memory of a golden image of your enterprise’s workstation
Plugins
processbl
Compares the running processes in two memory images. It can be used to:
- detect newly started processes
- detect newly loaded DLLs
servicesbl
Compares the services in two memory images. It can be used to:
- detect modification of service configuration
- detect newly installed services
driverbl
Compares the kernel drivers in two memory images. It can be used to:
- detect newly installed or loaded drivers
Steps
./vol.py -f ./infected.raw --profile Win10x64_15063 {plugin} -B clean.raw -U 2>/dev/null
(replace {plugin} with processbl, servicesbl or driverbl)
-B : specifies the baseline image
-U : displays the processes and DLLs that cannot be found in the baseline image
Immediately you can see some processes that don't look right, such as svchost.exe whose parent is not services.exe.
To analyze further:
- Use pslist and grep for those PIDs.
- Use malfind and check whether those potentially malicious PIDs are flagged by it (it may also produce false positives).
- Dump those PIDs using procdump, then use shasum to compute the hashes and look for matches on VirusTotal.
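The logic behind the processbl plugin and the svchost.exe observation above can be reproduced outside Volatility once each image has been reduced to a process list. The following is an added example, not Volatility's own plugin code: it assumes each process has already been extracted from pslist/dlllist output into a (pid, ppid, name, loaded DLLs) record, and it generalizes the "svchost.exe without a parent of services.exe" check into a baseline of (process name, parent name) pairs. The process entries are constructed sample data.

```python
"""Baseline comparison of process listings from two memory images.

Added example (not a Volatility plugin). Assumes each image has been reduced
to Proc records, e.g. by parsing pslist and dlllist output.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    dlls: frozenset = field(default_factory=frozenset)


# Constructed sample data standing in for the golden image (clean.raw).
BASELINE = [
    Proc(4, 0, "System"),
    Proc(580, 4, "smss.exe", frozenset({"ntdll.dll"})),
    Proc(700, 580, "csrss.exe", frozenset({"ntdll.dll", "csrsrv.dll"})),
    Proc(760, 580, "wininit.exe", frozenset({"ntdll.dll", "kernel32.dll"})),
    Proc(860, 760, "services.exe", frozenset({"ntdll.dll", "kernel32.dll"})),
    Proc(1000, 860, "svchost.exe", frozenset({"ntdll.dll", "kernel32.dll", "rpcrt4.dll"})),
    Proc(1200, 860, "spoolsv.exe", frozenset({"ntdll.dll", "kernel32.dll"})),
    Proc(2400, 2300, "explorer.exe", frozenset({"ntdll.dll", "kernel32.dll", "shell32.dll"})),
]

# Constructed sample data standing in for the reported system (infected.raw):
# the baseline processes plus an extra DLL in PID 1000, a second svchost.exe
# spawned by explorer.exe, and a process name the baseline never contained.
SUSPECT = [p for p in BASELINE if p.pid != 1000] + [
    Proc(1000, 860, "svchost.exe", frozenset({"ntdll.dll", "kernel32.dll", "rpcrt4.dll", "injected_mod.dll"})),
    Proc(3120, 2400, "svchost.exe", frozenset({"ntdll.dll", "kernel32.dll"})),
    Proc(3300, 2400, "updater.exe", frozenset({"ntdll.dll"})),
]


def by_pid(procs):
    return {p.pid: p for p in procs}


def parent_name(proc, index):
    """Name of the parent process, or <none> if the parent has exited."""
    parent = index.get(proc.ppid)
    return parent.name if parent else "<none>"


def known_lineage(procs):
    """Set of (process name, parent name) pairs seen in an image."""
    index = by_pid(procs)
    return {(p.name, parent_name(p, index)) for p in procs}


def unknown_processes(baseline, suspect):
    """Suspect processes whose name never occurs in the baseline (what -U reports)."""
    names = {p.name for p in baseline}
    return [p for p in suspect if p.name not in names]


def lineage_anomalies(baseline, suspect):
    """Suspect processes whose (name, parent name) pair is absent from the baseline."""
    known = known_lineage(baseline)
    index = by_pid(suspect)
    return [(p, parent_name(p, index)) for p in suspect
            if (p.name, parent_name(p, index)) not in known]


def unknown_dlls(baseline, suspect):
    """DLLs loaded by a known process name that no baseline process of that name loads.

    Returns {pid: sorted list of DLL names}. Processes whose name is not in the
    baseline are skipped; unknown_processes already reports them.
    """
    base = defaultdict(set)
    for p in baseline:
        base[p.name] |= p.dlls
    result = {}
    for p in suspect:
        if p.name not in base:
            continue
        extra = p.dlls - base[p.name]
        if extra:
            result[p.pid] = sorted(extra)
    return result


if __name__ == "__main__":
    for p in unknown_processes(BASELINE, SUSPECT):
        print(f"unknown process: {p.name} (PID {p.pid})")
    for p, parent in lineage_anomalies(BASELINE, SUSPECT):
        print(f"unexpected parent: {p.name} (PID {p.pid}) started by {parent}")
    for pid, dlls in unknown_dlls(BASELINE, SUSPECT).items():
        print(f"new DLLs in PID {pid}: {', '.join(dlls)}")
```

The PIDs this prints are the ones to carry into pslist, malfind and procdump. Comparing by process name and parent name rather than by PID matters because PIDs are reassigned between boots, so two images of the same golden configuration would otherwise never match.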