Memory Forensics Baselines
Baselining
Baselining involves comparing memory from a known good configuration with potentially compromised system memory
When a user reports a system issue, acquire the memory of the compromised system and compare it with memory of a golden image of your enterprise’s workstation
Plugins
processbl compares the running processes in 2 memory images
- can be used to detect newly started processes
- can be used to detect newly loaded DLLs
servicesbl compares the services in 2 memory images
- can be used to detect modification of service configuration
- can be used to detect newly installed services
driverbl compares the kernel drivers in 2 memory images
- can be used to detect newly installed / loaded drivers
Steps
./vol.py -f ./infected.raw --profile Win10x64_15063 {plugin} -B clean.raw -U 2>/dev/null
-B specifies the baseline (known good) image
-U displays only the processes and DLLs that cannot be found in the baseline image
Some processes immediately look wrong, for example an svchost.exe whose parent is not services.exe
Further analysis:
- Run pslist and grep for those PIDs.
- Run malfind and see whether those potentially malicious PIDs are flagged by this plugin (it may also produce false positives).
- Dump those PIDs using procdump, compute their hashes with shasum, and look for matches on VirusTotal.
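As an added example that is not part of these notes or of the Volatility baseline plugins, the comparison processbl performs between the two images, reduced to plain Python over constructed pslist-style rows, together with the parent check that catches an svchost.exe not started by services.exe (a known name, so a name-only diff would not report it). The sample rows and the expected-parent table are assumptions made for the example.

```python
# Constructed pslist-style rows (Name PID PPID) for a clean golden image; not real data.
BASELINE = """Name PID PPID
System 4 0
smss.exe 368 4
wininit.exe 520 440
services.exe 600 520
lsass.exe 620 520
svchost.exe 700 600
explorer.exe 2000 1900
"""
# Same host, plus an svchost.exe spawned by explorer.exe and a child it started.
SUSPECT = BASELINE + "svchost.exe 4444 2000\nupdater.exe 4500 4444\n"

def parse_pslist(text):
    """Map PID -> (image name, PPID); skips the header line, names lower-cased."""
    procs = {}
    for line in text.strip().splitlines()[1:]:
        name, pid, ppid = line.split()
        procs[int(pid)] = (name.lower(), int(ppid))
    return procs

def new_processes(baseline, suspect):
    """PIDs in the suspect image whose image name never occurs in the baseline
    (the kind of hit processbl -U reports)."""
    known = {name for name, _ in baseline.values()}
    return sorted(pid for pid, (name, _) in suspect.items() if name not in known)

# Expected parents for a few Windows system processes (hypothetical, trimmed table).
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe",
                   "services.exe": "wininit.exe"}

def parent_anomalies(procs):
    """(PID, name, actual parent) for processes with an unexpected parent. This is
    what a name-only diff misses: svchost.exe is a known name, but one whose parent
    is not services.exe still deserves a look."""
    findings = []
    for pid, (name, ppid) in procs.items():
        want = EXPECTED_PARENT.get(name)
        if want is None:
            continue
        actual = procs[ppid][0] if ppid in procs else "<missing>"
        if actual != want:
            findings.append((pid, name, actual))
    return findings

if __name__ == "__main__":
    base, sus = parse_pslist(BASELINE), parse_pslist(SUSPECT)
    print("new:", [(pid, sus[pid][0]) for pid in new_processes(base, sus)])
    print("odd parent:", parent_anomalies(sus))
```

Against real images, feed the functions the Name/PID/PPID columns of pslist output from the clean and suspect dumps; the PIDs they return are the ones to take into pslist, malfind and procdump as described above.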