Use Cases
Investigating Malware Using Memory Forensics
Memory forensics is a technique used in digital forensics
that involves the analysis of a computer's volatile memory (RAM) to obtain
information about running processes, open network connections, system
configurations, and other valuable data. This technique is particularly useful
in investigating malware, as malware often tries to hide its presence on a
system, making it difficult to detect using traditional methods.
When investigating malware using memory forensics, there are several steps to follow:
1. Acquisition: The first step is to acquire the volatile memory from the infected system. This can be done using tools such as FTK Imager or Volatility.
2. Analysis: Once the memory has been acquired, it is time to analyze it. This involves examining the memory for suspicious processes, network connections, and other indicators of malware. This can be done using memory forensics tools such as Volatility or Rekall.
3. Malware Identification: The next step is to identify any malware that is present on the system. This can be done by searching for known malware signatures, analyzing code snippets or strings, and looking for suspicious behavior such as attempts to modify system files.
4. Malware Decoding: Once malware has been identified, the next step is to decode it. This involves analyzing the malware's code to understand its behavior, capabilities, and intent.
5. Reporting: Finally, it is important to document the findings of the investigation in a report. This report should include details about the malware, its behavior, and any actions taken to mitigate its effects.
Overall, memory forensics is a powerful tool in the fight
against malware. By analyzing the volatile memory of an infected system,
investigators can gain valuable insights into the behavior of malware and take
steps to prevent further infections.
Scenario:
Let's consider a hypothetical scenario for investigating malware using memory
forensics:
A company's network security team receives an alert from
their antivirus software indicating that a workstation has been infected with
malware. The team immediately isolates the workstation from the network and
starts investigating the incident.
Acquisition: The first step is to acquire the volatile memory from the infected workstation. The security team uses FTK Imager to create a memory dump of the system's RAM (DumpIt.exe can be used instead).
Analysis: Next, the team analyzes the memory dump using Volatility. They discover several suspicious processes running on the system, including a process with a random name that is using a lot of CPU resources. They also find evidence of network connections to known malicious domains. We can use vol.py; if we don't know the profile:
$ python vol.py -f memimage imageinfo
(Reference video: Investigating Malware Using Memory Forensics - A Practical Approach, YouTube.)
It's important to specify the profile; see the list at https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles#profile-lists
· We list processes to see the parent process of each (the memory was dumped with DumpIt or FTK Imager and copied to a USB drive):
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 psscan
· The same scan in Volatility 3 syntax, with the output saved to a file:
$ python vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw windows.psscan.PsScan > output.txt
· Show the command line of a given process (replace <PID> with the process ID):
$ python vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 cmdline -p <PID>
· To dump a process (get a file), see procdump under Malware Identification below. To list network connections:
$ python vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 netscan
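As an added example (not code from the original post), a small Python triage of Volatility 2 psscan output: it resolves each process's parent, flags parents missing from the scan, and applies a vowel/digit heuristic for the random-looking process name mentioned above. The sample rows, the process names and the heuristic thresholds are constructed assumptions.

```python
import re

# Constructed sample in the column layout of Volatility 2 "psscan" output
# (Offset(P) Name PID PPID PDB Time created); not data from a real case.
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB                Time created
------------------ ---------------- ------ ------ ------------------ ------------------------------
0x000000003e0c1040 System                4      0 0x00000000001a7000 2023-03-08 19:55:01 UTC+0000
0x000000003e1d7b30 svchost.exe        1036    584 0x00000000ab46c000 2023-03-08 19:55:06 UTC+0000
0x000000003e4a6900 explorer.exe       2852   2800 0x000000003f9c3000 2023-03-08 19:56:40 UTC+0000
0x000000003e5b0a40 xk7q2mvb.exe       3968   2852 0x000000004a1d2000 2023-03-08 20:03:11 UTC+0000
0x000000003e6c2b80 svchost.exe        4120   3968 0x000000004b7e9000 2023-03-08 20:03:12 UTC+0000
"""

# One table row: physical offset, image name, PID, PPID, page directory base
ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s+0x[0-9a-f]+")

def parse_psscan(text):
    """Map PID -> (image name, PPID); header and separator lines do not match ROW."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs

def looks_random(name):
    """Heuristic for a 'random name': letters mixed with digits and almost no vowels (assumed thresholds)."""
    stem = name.lower().rsplit(".", 1)[0]
    if len(stem) < 6 or not stem.isalnum():
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return any(c.isdigit() for c in stem) and vowels / len(stem) < 0.2

def triage(procs):
    """Findings for the analyst: missing parents, random-looking names, children of suspects."""
    findings, suspects = [], set()
    for pid, (name, ppid) in procs.items():
        parent = procs.get(ppid, ("<not in list>", ppid))[0]
        if ppid != 0 and ppid not in procs:
            findings.append(f"{name} ({pid}): parent {ppid} not in psscan output (exited or hidden)")
        if looks_random(name):
            findings.append(f"{name} ({pid}): random-looking name, parent {parent} ({ppid})")
            suspects.add(pid)
    for pid, (name, ppid) in procs.items():
        if ppid in suspects:
            findings.append(f"{name} ({pid}): spawned by suspect {procs[ppid][0]} ({ppid})")
    return findings
```

Run it on the real psscan output redirected to a file, as in the commands above, by passing the file's contents to parse_psscan.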
Malware Identification: Based on the analysis, the security
team suspects that the system has been infected with a Trojan that is
communicating with a command and control server. They search for known malware
signatures and find a match with a variant of the Dridex Trojan.
· Dump the suspicious process (PID 1036) to a file:
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 procdump -p 1036 --dump-dir=/home/sansforensics/Downloads/volatility3/
Now we can upload the dumped file to VirusTotal.
· Visual view of the process tree (Graphviz dot output):
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 psscan --output=dot --output-file=hi.dot
· List the DLLs associated with a process ID:
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 -p 2852 dlllist
If there is a hidden DLL it will show up here.
· To dump a DLL for reverse engineering and checking with VirusTotal (-b is the DLL's base address):
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 dlldump -p 3968 -b 0x00007ff7d4670000 -D /home/sansforensics/Downloads/volatility3/dll/
· Find suspicious memory regions, dump them and check them with VirusTotal (if something looks wrong we can find the hook address, to see whether malicious code was injected into a legitimate process):
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 -p 3968 malfind
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 -p 3968 vaddump -b <address> -D /home/sansforensics/Downloads/volatility3/dll/
· Use memory forensics to investigate a rootkit. We look for a driver whose path is not under the Windows system path; normally drivers create devices.
· The rootkit uses callbacks to monitor system events; the suspicious ones usually point to an unknown module.
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 devicetree
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 callbacks
· List and dump all devices created by the driver:
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 devicetree > devicetree.txt
· List loaded kernel modules:
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 modules
or we can use:
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 driverscan
· To dump the driver:
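As an added example (not code from the original post), a Python parser for Volatility 2 callbacks output that flags the condition described above: callbacks whose owning module is UNKNOWN (not backed by any loaded module), plus callbacks owned by a driver the analyst has not yet verified against the modules/driverscan output. The sample rows, the driver names and the verified-module allowlist are constructed assumptions.

```python
import re

# Constructed sample in the column layout of Volatility 2 "callbacks" output
# (Type Callback Module Details); not data from a real case.
CALLBACKS_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Type                                 Callback           Module               Details
------------------------------------ ------------------ -------------------- -------
IoRegisterShutdownNotification       0xfffff80002b1c3a0 ntoskrnl.exe         \\Driver\\WMIxWDM
PsSetCreateProcessNotifyRoutine      0xfffff88001a2e100 ksecdd.sys           -
PsSetCreateProcessNotifyRoutine      0xfffffa8004d1c2f0 UNKNOWN              -
PsSetLoadImageNotifyRoutine          0xfffff8800301b5c4 rkdrv.sys            -
KeBugCheckCallbackListHead           0xfffff88000e8a2b0 ndis.sys             Ndis miniport
"""

# Modules the analyst has already verified against the modules/driverscan output
# for this image (constructed allowlist; hypothetical names).
VERIFIED_MODULES = {"ntoskrnl.exe", "ksecdd.sys", "ndis.sys"}

# One table row: callback type, address, owning module, optional details
ROW = re.compile(r"^(\S+)\s+(0x[0-9a-fA-F]+)\s+(\S+)(?:\s+(.*))?$")

def parse_callbacks(text):
    """Return one dict per callback row; banner, header and separator lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"type": m.group(1), "address": int(m.group(2), 16),
                         "module": m.group(3), "details": (m.group(4) or "").strip()})
    return rows

def suspicious_callbacks(rows, verified=VERIFIED_MODULES):
    """Flag callbacks that no loaded module owns (UNKNOWN) or that belong to an unverified driver."""
    findings = []
    for r in rows:
        if r["module"] == "UNKNOWN":
            findings.append((r["type"], hex(r["address"]), "not backed by any loaded module"))
        elif r["module"] not in verified:
            findings.append((r["type"], hex(r["address"]), f"unverified module {r['module']}"))
    return findings
```

Each flagged address is a candidate for the vaddump/malfind steps above; the module names of the flagged rows are what to look for in the devicetree and driverscan output.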
Registry Analysis:
· List all hives loaded into memory:
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 hivelist
· To dump the registry:
$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 dumpregistry -D /home/sansforensics/Downloads/volatility3/dll/
Now download the Windows Registry Recovery tool (MiTeC homepage); we can copy it to a USB drive.
Malware Decoding: The team analyzes the code of the Dridex
Trojan to understand its behavior. They discover that the Trojan is designed to
steal banking credentials and other sensitive information from the infected system.
They also find evidence that the Trojan is using advanced obfuscation
techniques to evade detection.
Reporting: The security team documents their findings in a
report, including details about the malware, its behavior, and any actions
taken to mitigate its effects. They recommend that all systems on the network
be scanned for the presence of the Dridex Trojan and that all users be advised
to change their banking passwords as a precaution.
Based on the findings of the investigation, the security
team is able to remove the malware from the infected system and take steps to
prevent further infections. By using memory forensics, they were able to
quickly identify and analyze the malware, helping to protect their network from
further attacks.
Volatility 2 profile list:
https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles#profile-lists
Volatility 3 plugins (partial list, as printed by vol.py -h):
configwriter.ConfigWriter, frameworkinfo.FrameworkInfo,
isfinfo.IsfInfo, layerwriter.LayerWriter, linux.bash.Bash,
linux.check_afinfo.Check_afinfo, linux.check_creds.Check_creds,
linux.check_idt.Check_idt, linux.check_modules.Check_modules, linux.check_syscall.Check_syscall,
linux.elfs.Elfs, linux.envvars.Envvars, linux.iomem.IOMem,
linux.keyboard_notifiers.Keyboard_notifiers, linux.kmsg.Kmsg,
linux.lsmod.Lsmod, linux.lsof.Lsof, linux.malfind.Malfind,
linux.mountinfo.MountInfo, linux.proc.Maps, linux.psaux.PsAux,
linux.pslist.PsList, linux.psscan.PsScan, linux.pstree.PsTree,
linux.sockstat.Sockstat, linux.tty_check.tty_check, mac.bash.Bash,
mac.check_syscall.Check_syscall, mac.check_sysctl.Check_sysctl,
mac.check_trap_table.Check_trap_table, mac.ifconfig.Ifconfig,
mac.kauth_listeners.Kauth_listeners, mac.kauth_scopes.Kauth_scopes,
mac.kevents.Kevents, mac.list_files.List_Files, mac.lsmod.Lsmod, mac.lsof.Lsof,
mac.malfind.Malfind, mac.mount.Mount, mac.netstat.Netstat, mac.proc_maps.Maps,
mac.psaux.Psaux, mac.pslist.PsList, mac.pstree.PsTree,
mac.socket_filters.Socket_filters, mac.timers.Timers,
mac.trustedbsd.Trustedbsd, mac.vfsevents.VFSevents, timeliner.Timeliner,
windows.bigpools.BigPools, windows.cachedump.Cachedump,
windows.callbacks.Callbacks, windows.cmdline.CmdLine,
windows.crashinfo.Crashinfo, windows.devicetree.DeviceTree,
windows.dlllist.DllList, windows.driverirp.DriverIrp,
windows.drivermodule.DriverModule, windows.driverscan.DriverScan,
windows.dumpfiles.DumpFiles, windows.envars.Envars, windows.filescan.FileScan,
windows.getservicesids.GetServiceSIDs, windows.getsids.GetSIDs,
windows.handles.Handles, windows.hashdump.Hashdump, windows.info.Info,
windows.joblinks.JobLinks, windows.ldrmodules.LdrModules,
windows.lsadump.Lsadump, windows.malfind.Malfind, windows.mbrscan.MBRScan,
windows.memmap.Memmap, windows.mftscan.MFTScan, windows.modscan.ModScan,
windows.modules.Modules, windows.mutantscan.MutantScan,
windows.netscan.NetScan, windows.netstat.NetStat,
windows.poolscanner.PoolScanner, windows.privileges.Privs,
windows.pslist.PsList, windows.psscan.PsScan, windows.pstree.PsTree,
windows.registry.certificates.Certificates, windows.registry.hivelist.HiveList,
windows.registry.hivescan.HiveScan, windows.registry.printkey.PrintKey,
windows.registry.userassist.UserAssist, windows.sessions.Sessions,
windows.skeleton_key_check.Skeleton_Key_Check, windows.ssdt.SSDT,
windows.statistics.Statistics, windows.strings.Strings,
windows.svcscan.SvcScan, windows.symlinkscan.SymlinkScan,
windows.vadinfo.VadInfo, windows.vadwalk.VadWalk,
windows.vadyarascan.VadYaraScan, windows.verinfo.VerInfo,
windows.virtmap.VirtMap, yarascan.YaraScan