
Part 1.2: Memory Analysis

 

Investigating Malware Using Memory Forensics

 

Memory forensics is a technique used in digital forensics that involves the analysis of a computer's volatile memory (RAM) to obtain information about running processes, open network connections, system configurations, and other valuable data. This technique is particularly useful in investigating malware, as malware often tries to hide its presence on a system, making it difficult to detect using traditional methods.

When investigating malware using memory forensics, there are several steps to follow:

1.      Acquisition: The first step is to acquire the volatile memory from the infected system with a dedicated acquisition tool such as FTK Imager, DumpIt or WinPmem (Volatility analyzes images; it does not acquire them). Write the image to removable media rather than to the suspect disk, and hash it immediately so that later analysis can be shown to have run on an unmodified copy.

2.      Analysis: Once the memory has been acquired, analyze it: examine the image for suspicious processes, network connections and other indicators of malware, using a memory forensics framework such as Volatility (version 2 or 3) or Rekall (no longer maintained).

3.      Malware Identification: The next step is to identify any malware that is present on the system. This can be done by searching for known malware signatures, analyzing code snippets or strings, and looking for suspicious behavior such as attempts to modify system files.

4.      Malware Decoding: Once malware has been identified, the next step is to decode it. This involves analyzing the malware's code to understand its behavior, capabilities, and intent.

5.      Reporting: Finally, it is important to document the findings of the investigation in a report. This report should include details about the malware, its behavior, and any actions taken to mitigate its effects.

Overall, memory forensics is a powerful tool in the fight against malware. By analyzing the volatile memory of an infected system, investigators can gain valuable insights into the behavior of malware and take steps to prevent further infections.

Crash Dumps vs. Raw Dumps for Memory Analysis 

Crash dumps (Windows) and core dumps (Linux and BSD) are structured full-memory formats. They are interoperable with debuggers and analysis tools such as WinDbg, crash and drgn, and their header records where the physical memory ranges sit in the file and, on Windows, kernel details such as the directory table base and the location of the debugger data block, so a parser does not have to guess them. A raw dump is a flat copy of physical memory with no header. For that reason a crash or core dump is the preferred format when you can choose; a raw dump still works, but Volatility 2 then needs the profile supplied by hand (imageinfo or kdbgscan help identify it) and Volatility 3 has to locate the kernel by scanning.

Crash/core dump files are the foundation of troubleshooting on Microsoft Windows, Linux and BSD. A dump consists of a file header, parsed by the troubleshooting tools system engineers use, followed by the memory contents, and comes in several variants (full memory, kernel only, or user mode for a single process) that differ in size. A full dump is as large as the RAM in the machine, and multi-TB RAM is becoming common in critical assets, which is a practical argument for kernel-only dumps or targeted acquisition on such systems.

 

Scenario: Let's consider a hypothetical scenario for investigating malware using memory forensics:

A company's network security team receives an alert from their antivirus software indicating that a workstation has been infected with malware. The team immediately isolates the workstation from the network and starts investigating the incident.

Acquisition: The first step is to acquire the volatile memory from the infected workstation. The security team uses FTK Imager or DumpIt.exe to create a memory dump of the system's RAM, writing it to removable media rather than to the suspect disk, and records the hash of the image.

Analysis: Next, the team analyzes the memory dump using Volatility. They discover several suspicious processes running on the system, including a process with a random name that is using a lot of CPU, and find evidence of network connections to known malicious domains. With Volatility 2, identify the profile first if it is not known: $ python vol.py -f memimage imageinfo (Volatility 3 has no profiles; the equivalent is windows.info.Info).

Reference video: Investigating Malware Using Memory Forensics - A Practical Approach (YouTube)

It is important to specify the correct --profile with Volatility 2; the Windows profile list is at https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles#profile-lists (the imageinfo suggestion is a starting point; if plugins return nothing, try the other suggested profiles or run kdbgscan).

 

·        Dump memory with DumpIt or FTK Imager to a USB drive and copy the image to the analysis workstation.

·        List processes with their parents (pstree shows the parent/child hierarchy; compare the tree with what the machine should be running). Every command on the same image must use the same profile, the one imageinfo or kdbgscan identified:

 $ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win2016x64_14393 pstree

·        psscan carves process objects out of physical memory instead of walking the linked list, so it also shows terminated processes and processes a rootkit has unlinked. Anything in psscan that is missing from pslist/pstree and has no exit time deserves a look:

·        $ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 psscan

·        The same with Volatility 3 (no profile needed), saved to a file:

·        python vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw windows.psscan.PsScan >output.txt

·        Show the full command line a process was started with (replace <PID> with the process ID):

·        $ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 cmdline -p <PID>

·        To dump a process executable to a file, use procdump (shown under Malware Identification below).

·        List network connections and listening sockets with the owning PID (Volatility 3 equivalent: windows.netscan.NetScan):

$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 netscan
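The process checks in the bullets above (parent process, pslist versus psscan) can be scripted once the plugin output is saved to a file. The Python below is an added example written for this page, not code from the original notes or from the Volatility project. It parses Volatility 3's tab-separated pslist and psscan output by column name, reports processes that psscan found but pslist did not while ignoring ones that merely exited, and checks a few core Windows processes against their expected parents. The sample output and the expected-parent table are constructed for the example (Volatility 2 prints space-aligned columns, so its output would need a different parser).

```python
"""Triage Volatility 3 pslist/psscan output: hidden processes and parent anomalies."""
from __future__ import annotations

# Constructed sample output in the shape of Volatility 3's tab-separated
# renderer (windows.pslist.PsList). Not data from a real case.
PSLIST_OUTPUT = """\
Volatility 3 Framework 2.4.1
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xe00000065040\t120\t-\tN/A\tFalse\t2023-03-08 19:58:01.000000\tN/A\tDisabled
348\t4\tsmss.exe\t0xe0000143a040\t2\t-\tN/A\tFalse\t2023-03-08 19:58:01.000000\tN/A\tDisabled
512\t440\twininit.exe\t0xe000016b9080\t1\t-\t0\tFalse\t2023-03-08 19:58:03.000000\tN/A\tDisabled
580\t512\tservices.exe\t0xe00001736080\t5\t-\t0\tFalse\t2023-03-08 19:58:04.000000\tN/A\tDisabled
600\t512\tlsass.exe\t0xe0000173c080\t8\t-\t0\tFalse\t2023-03-08 19:58:04.000000\tN/A\tDisabled
728\t580\tsvchost.exe\t0xe000017e2080\t12\t-\t0\tFalse\t2023-03-08 19:58:05.000000\tN/A\tDisabled
2852\t2700\texplorer.exe\t0xe00001a2c080\t40\t-\t1\tFalse\t2023-03-08 20:01:10.000000\tN/A\tDisabled
1036\t2852\tsvchost.exe\t0xe00001b10080\t3\t-\t1\tFalse\t2023-03-08 20:03:42.000000\tN/A\tDisabled
"""

# psscan (windows.psscan.PsScan) carves _EPROCESS objects from physical memory,
# so it also returns processes unlinked from the active list and ones that exited.
# Same columns; two extra rows: one hidden process and one that simply terminated.
PSSCAN_OUTPUT = PSLIST_OUTPUT + """\
3968\t2852\tfhs.exe\t0xe00001c24080\t2\t-\t1\tFalse\t2023-03-08 20:05:12.000000\tN/A\tDisabled
2208\t2852\tnotepad.exe\t0xe00001bb0080\t0\t-\t1\tFalse\t2023-03-08 20:02:30.000000\t2023-03-08 20:02:55.000000\tDisabled
"""

# Minimal subset of the well-known Windows parent/child relationships
# (assumption for this example; extend it from a known-good baseline).
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def parse_vol3_table(text: str) -> list[dict[str, str]]:
    """Parse Volatility 3's tab-separated table into dicts keyed by column name.

    The framework banner has no tabs and is skipped; the first line with tabs
    is the header, so column order does not matter.
    """
    rows: list[dict[str, str]] = []
    header: list[str] | None = None
    for line in text.splitlines():
        cells = line.split("\t")
        if header is None:
            if len(cells) > 1:
                header = [c.strip() for c in cells]
            continue
        if len(cells) == len(header):
            rows.append({k: v.strip() for k, v in zip(header, cells)})
    return rows


def is_running(row: dict[str, str]) -> bool:
    """Volatility prints N/A in ExitTime for processes that had not exited."""
    return row.get("ExitTime", "N/A") in ("", "N/A")


def find_hidden_processes(pslist: list[dict[str, str]],
                          psscan: list[dict[str, str]]) -> list[dict[str, str]]:
    """Processes psscan found but pslist did not, ignoring ones that merely exited.

    A still-running process missing from the linked list is what DKOM-style
    unlinking looks like; a terminated one is normal psscan noise.
    """
    listed = {r["PID"] for r in pslist}
    return [r for r in psscan if r["PID"] not in listed and is_running(r)]


def find_parent_anomalies(rows: list[dict[str, str]]) -> list[tuple[int, str, str, str]]:
    """Core Windows processes whose parent is not the expected one.

    Returns (pid, image name, expected parent, actual parent); an svchost.exe
    started by explorer.exe is a classic masquerading sign.
    """
    by_pid = {r["PID"]: r for r in rows}
    findings = []
    for r in rows:
        expected = EXPECTED_PARENT.get(r["ImageFileName"])
        if expected is None:
            continue
        parent = by_pid.get(r["PPID"])
        actual = parent["ImageFileName"] if parent else f"<missing PID {r['PPID']}>"
        if actual != expected:
            findings.append((int(r["PID"]), r["ImageFileName"], expected, actual))
    return findings


def triage(pslist_text: str, psscan_text: str) -> dict[str, list]:
    pslist = parse_vol3_table(pslist_text)
    psscan = parse_vol3_table(psscan_text)
    return {
        "hidden": find_hidden_processes(pslist, psscan),
        "parent_anomalies": find_parent_anomalies(pslist),
    }


if __name__ == "__main__":
    # Real use: vol.py -f image.raw windows.pslist.PsList > pslist.txt (same for
    # psscan), then triage(open("pslist.txt").read(), open("psscan.txt").read()).
    result = triage(PSLIST_OUTPUT, PSSCAN_OUTPUT)
    for r in result["hidden"]:
        print(f"HIDDEN  pid={r['PID']} {r['ImageFileName']} ppid={r['PPID']}")
    for pid, name, expected, actual in result["parent_anomalies"]:
        print(f"PARENT  pid={pid} {name}: expected {expected}, got {actual}")
```

Both checks are heuristics: a legitimate process whose parent has already exited shows up as "missing PID", and a process that is in psscan only can be a freshly exited one whose exit time has not been recorded, so treat the output as a worklist for cmdline, dlllist and malfind rather than as a verdict.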

Malware Identification: Based on the analysis, the security team suspects that the system has been infected with a Trojan that is communicating with a command and control server. They search for known malware signatures and find a match with a variant of the Dridex Trojan.

·        $ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 procdump -p 1036 --dump-dir=/home/sansforensics/Downloads/volatility3/

Now we can check the dumped executable against VirusTotal. Search by hash first: a hash lookup is silent, whereas uploading the sample makes it public and can tell an attacker that the implant has been found. Note also that an executable rebuilt from memory is unpacked and relocated, so its hash will usually differ from the file on disk; if the hash is unknown, scan the dump with YARA or antivirus engines rather than relying on the hash alone.

·        Visual view of the process tree (Graphviz dot format; render it with the dot tool):

$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64_18340 psscan --output=dot --output-file=hi.dot

 

·        List the DLLs loaded in a process (the process ID follows -p):

$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 dlllist -p 2852

dlllist walks the load-order list in the process PEB, so a DLL that malware has unlinked from those lists does not appear here. To find hidden DLLs use ldrmodules, which compares the three PEB lists with the VAD and shows modules missing from one or more of them.

·        To dump a DLL for reverse engineering and a VirusTotal check (-b is the DLL base address shown by dlllist):

$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 dlldump -p 3968 -b 0x00007ff7d4670000 -D /home/sansforensics/Downloads/volatility3/dll/

·        Find suspicious memory regions in a process with malfind, dump them and check them with VirusTotal. malfind reports private memory that is executable and writable and not backed by a file, which is what injected code looks like, and prints the first bytes of each region; an MZ header or a jump stub at the start of such a region is a strong sign that code was injected into a legitimate process. For hooks placed on API functions inside a legitimate process, the Volatility 2 apihooks plugin lists the hook addresses.

$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 malfind -p 3968

$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 vaddump -p 3968 -b <address from malfind> -D /home/sansforensics/Downloads/volatility3/dll/

 

·      Use memory forensics to investigate a rootkit

Look for drivers loaded from outside the normal Windows locations (\SystemRoot\system32\drivers and the other system paths). Legitimate drivers normally create device objects, so devicetree shows which driver owns which device and lets you spot drivers that have attached themselves to another driver's device stack.

·        Rootkits register kernel callbacks (process, thread and image-load notifications, registry callbacks) to monitor system events. A callback whose address resolves to no loaded module (shown as UNKNOWN) or to an unexpected driver is a strong indicator.

$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 devicetree

·        $ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 callbacks

·        List all devices created by each driver and save the output to a file:

$ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 devicetree > devicetree.txt

·        modules walks the loaded-module list, which a rootkit can unlink itself from:

·        vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 modules

or, to find drivers by scanning for their objects in physical memory (this also finds unlinked ones; compare the result with the modules output):

·        $ vol.py -f /home/sansforensics/Desktop/cases/WIN-9DOREUOSU7I-20230308-200844.raw --profile=Win8SP1x64 driverscan

·        To dump a driver, use the moddump plugin with the module base address (-b, taken from modules or driverscan) and an output directory (-D), then hash and scan it the same way as a dumped process.
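The driver and callback checks in the rootkit section above reduce to three comparisons: driver paths against the normal system locations, the module list against a scan of physical memory, and callback owners against the set of suspicious drivers. The Python below is an added example for this page (not code from the original notes or from Volatility) that runs those comparisons over saved output of Volatility 3's windows.modules.Modules, windows.modscan.ModScan (a pool scan comparable to driverscan) and windows.callbacks.Callbacks plugins. All sample output, the trusted-path pattern and the UNKNOWN spelling are constructed or assumed for the example.

```python
"""Triage Volatility 3 modules/modscan/callbacks output for kernel rootkit indicators."""
from __future__ import annotations
import re


def _table(header: tuple[str, ...], rows: list[tuple[str, ...]]) -> str:
    """Build text in the shape of Volatility 3's tab-separated output (constructed data)."""
    lines = ["Volatility 3 Framework 2.4.1", "\t".join(header)]
    lines += ["\t".join(r) for r in rows]
    return "\n".join(lines) + "\n"


# windows.modules.Modules walks PsLoadedModuleList (constructed sample).
MODULES_OUTPUT = _table(
    ("Offset", "Base", "Size", "Name", "Path", "File output"),
    [
        ("0xe00000f0a010", "0xfffff80002c00000", "0x7ce000", "ntoskrnl.exe", r"\SystemRoot\system32\ntoskrnl.exe", "Disabled"),
        ("0xe00000f0a1c0", "0xfffff80003400000", "0x5f000", "fvevol.sys", r"\SystemRoot\System32\DRIVERS\fvevol.sys", "Disabled"),
        ("0xe00001201c30", "0xfffff80004800000", "0x12000", "vmhgfs.sys", r"\??\C:\Program Files\VMware\VMware Tools\vmhgfs.sys", "Disabled"),
        ("0xe00001b44c80", "0xfffff80005a00000", "0x9000", "fhs.sys", r"\??\C:\Users\Public\fhs.sys", "Disabled"),
    ],
)

# windows.modscan.ModScan carves module objects from physical memory, so a driver
# that unlinked itself from the list still shows up here (constructed sample).
MODSCAN_OUTPUT = _table(
    ("Offset", "Base", "Size", "Name", "Path", "File output"),
    [
        ("0x1f0a010", "0xfffff80002c00000", "0x7ce000", "ntoskrnl.exe", r"\SystemRoot\system32\ntoskrnl.exe", "Disabled"),
        ("0x1f0a1c0", "0xfffff80003400000", "0x5f000", "fvevol.sys", r"\SystemRoot\System32\DRIVERS\fvevol.sys", "Disabled"),
        ("0x2201c30", "0xfffff80004800000", "0x12000", "vmhgfs.sys", r"\??\C:\Program Files\VMware\VMware Tools\vmhgfs.sys", "Disabled"),
        ("0x2b44c80", "0xfffff80005a00000", "0x9000", "fhs.sys", r"\??\C:\Users\Public\fhs.sys", "Disabled"),
        ("0x2c90a30", "0xfffff80005c00000", "0xb000", "hdrk.sys", r"\??\C:\Windows\Temp\hdrk.sys", "Disabled"),
    ],
)

# windows.callbacks.Callbacks; UNKNOWN is assumed to be what the plugin prints
# when the callback address falls in no loaded module (constructed sample).
CALLBACKS_OUTPUT = _table(
    ("Type", "Callback", "Module", "Symbol", "Detail"),
    [
        ("PsSetCreateProcessNotifyRoutine", "0xfffff80002c8c4a0", "ntoskrnl.exe", "N/A", "N/A"),
        ("KeBugCheckCallbackListHead", "0xfffff80003412a00", "fvevol.sys", "N/A", "N/A"),
        ("PsSetLoadImageNotifyRoutine", "0xfffff80005a02310", "fhs.sys", "N/A", "N/A"),
        ("PsSetCreateProcessNotifyRoutine", "0xfffff80005c01120", "UNKNOWN", "N/A", "N/A"),
    ],
)

# Paths a Windows kernel driver is normally loaded from (assumption for this
# example; drivers under Program Files are common and need vendor/signature review).
TRUSTED_DRIVER_PATH = re.compile(
    r"^(\\SystemRoot|\\\?\?\\C:\\Windows|\\Windows)\\system32\\", re.IGNORECASE
)


def parse_vol3_table(text: str) -> list[dict[str, str]]:
    """Tab-separated Volatility 3 output to dicts keyed by header name (banner skipped)."""
    rows: list[dict[str, str]] = []
    header: list[str] | None = None
    for line in text.splitlines():
        cells = line.split("\t")
        if header is None:
            if len(cells) > 1:
                header = [c.strip() for c in cells]
            continue
        if len(cells) == len(header):
            rows.append({k: v.strip() for k, v in zip(header, cells)})
    return rows


def suspicious_module_paths(modules: list[dict[str, str]]) -> list[tuple[str, str]]:
    """Drivers whose image path is outside the normal system locations."""
    return [(r["Name"], r["Path"]) for r in modules if not TRUSTED_DRIVER_PATH.match(r["Path"])]


def unlinked_modules(modules: list[dict[str, str]], modscan: list[dict[str, str]]) -> list[str]:
    """Drivers the pool scan found that are missing from the loaded-module list."""
    linked = {r["Base"].lower() for r in modules}
    return [r["Name"] for r in modscan if r["Base"].lower() not in linked]


def suspicious_callbacks(callbacks: list[dict[str, str]], flagged: set[str]) -> list[tuple[str, str, str]]:
    """Callbacks owned by no known module or by a driver already flagged."""
    return [(r["Type"], r["Callback"], r["Module"])
            for r in callbacks if r["Module"] == "UNKNOWN" or r["Module"] in flagged]


def triage(modules_text: str, modscan_text: str, callbacks_text: str) -> dict[str, list]:
    modules = parse_vol3_table(modules_text)
    modscan = parse_vol3_table(modscan_text)
    bad_paths = sorted(set(suspicious_module_paths(modules) + suspicious_module_paths(modscan)))
    unlinked = unlinked_modules(modules, modscan)
    flagged = {name for name, _ in bad_paths} | set(unlinked)
    return {"bad_paths": bad_paths, "unlinked": unlinked,
            "callbacks": suspicious_callbacks(parse_vol3_table(callbacks_text), flagged)}


if __name__ == "__main__":
    # Real use: save each plugin's output with "> modules.txt" etc. and pass the file contents.
    for key, items in triage(MODULES_OUTPUT, MODSCAN_OUTPUT, CALLBACKS_OUTPUT).items():
        for item in items:
            print(f"{key:10s} {item}")
```

An entry in the bad_paths list is a lead, not a conviction: third-party drivers legitimately live under Program Files, so check the signer and vendor before dumping them with moddump. A driver in the unlinked list or a callback owned by UNKNOWN is far harder to explain innocently.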

 

 

https://tryhackme.com/room/memoryforensics

https://github.com/digitalisx/awesome-memory-forensics

 

·        Everything the user typed in the last session may still be in memory: console command history (cmdscan and consoles in Volatility 2), browser form data, clipboard contents and typed credentials.


Fast password cracking - Hashcat wordlists from RAM

 


·        Download DumpIt

·        Dump memory using DumpIt (raw image) or AccessData FTK Imager (full memory dump)

·        Install Python 3.8 on Windows: https://www.python.org/downloads/release/python-3811/

·        PS C:\Users\ME\Downloads> pip install .\python_snappy-0.6.1-pp37-pypy37_pp73-win_amd64.whl

(the wheel must match the interpreter: the pp37 tag in this filename is a PyPy 3.7 build, while a CPython 3.8 64-bit wheel carries a cp38-cp38-win_amd64 tag; python-snappy is optional and only needed for snappy-compressed AVML images, so it can be skipped for raw dumps)

·        Download & install https://github.com/volatilityfoundation/volatility3

·        PS C:\volatility3-develop> pip install -r .\requirements.txt

·        PS C:\volatility3-develop> pip install -r .\requirements-dev.txt

·        Make sure to run cmd or PowerShell as administrator

·        Or use the same steps on Ubuntu or Kali

·        python vol.py -f <path to image>.raw windows.info.Info (imageinfo is the Volatility 2 equivalent; Volatility 3 has no profiles and fetches the kernel symbols it needs automatically)

·        Command Reference · volatilityfoundation/volatility Wiki · GitHub

·        Image info

PS C:\volatility3-develop> python.exe .\vol.py -f C:\Users\ME\Desktop\Cases\case2\memdump.mem windows.info.Info

 

The image is identified as Windows, so the windows.* plugins are the ones to use.

·        Then find process list

PS C:\volatility3-develop> python.exe .\vol.py -f C:\Users\ME\Desktop\Cases\case2\memdump.mem windows.pslist.PsList

 

 

 

From the PID and PPID columns we can reconstruct the process tree: which process started which, and whether each parent is the one Windows would normally use (for example, svchost.exe should be started by services.exe).

·        To see which files, registry keys, mutants and other objects a process has open:

PS C:\volatility3-develop> python.exe .\vol.py -f C:\Users\ME\Desktop\Cases\case2\memdump.mem windows.handles.Handles --pid 2124

 

 

·        psscan carves process objects from physical memory, so it also lists terminated and unlinked (hidden) processes; compare it with pslist. The output can be redirected to a file:

·        PS C:\volatility3-develop> .\vol.py -f 'C:\WIN-HK0FJTBCNM7-20230506-185200.raw' windows.psscan.PsScan >output.txt

PS C:\volatility3-develop> python.exe .\vol.py -f C:\Users\ME\Desktop\Cases\case2\memdump.mem windows.psscan.PsScan

·        Process tree (parent/child hierarchy):

PS C:\volatility3-develop> python.exe .\vol.py -f C:\Users\ME\Desktop\Cases\case2\memdump.mem windows.pstree.PsTree

·        Memory hashdump: local account password hashes from the SAM (the SYSTEM and SAM hives must be resident in memory; the nthash column is what hashcat mode 1000 cracks)

PS C:\volatility3-develop> python.exe .\vol.py -f C:\Users\ME\Desktop\Cases\case2\memdump.mem windows.hashdump.Hashdump

·        LSA secrets (service account passwords, stored autologon passwords and similar). The Volatility 3 plugin name is windows.lsadump.Lsadump; a bare lsadump is rejected as an invalid plugin choice:

PS C:\volatility3-develop> python.exe .\vol.py -f C:\Users\ME\Desktop\Cases\case2\memdump.mem windows.lsadump.Lsadump

PS C:\volatility3-develop> python.exe .\vol.py -f C:\Users\ME\Desktop\Cases\case2\memdump.mem windows.lsadump.Lsadump | Select-String me
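Putting the hashdump output and the "Hashcat wordlists from RAM" idea together: the Python below is an added example for this page (not from the original post, Volatility or hashcat) that pulls printable ASCII and UTF-16LE strings out of a memory image as password candidates and converts windows.hashdump.Hashdump output into hashcat's user:hash format for mode 1000 (NTLM), skipping accounts that carry the empty-password hash. The memory blob and the hashdump text are constructed for the example; the hashcat command line in the comments is the standard form for mode 1000 with --username.

```python
"""Hashcat inputs from memory: a wordlist of strings found in RAM and NT hashes from hashdump."""
from __future__ import annotations
import mmap
import re
from pathlib import Path

MIN_LEN, MAX_LEN = 6, 32  # candidate password length bounds (tune to the password policy)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed stand-in for a memory image (not a real dump): ASCII strings,
# one UTF-16LE string (how Windows keeps most user-typed text) and binary filler.
SAMPLE_BLOB = (
    b"\x00\x01\x02Summer2023!\xff\xfe\xff\xfe"
    + "P@ssw0rd".encode("utf-16-le") + b"\x00\x00"
    + b"login:" + b"\x90" * 7 + b"Summer2023!\x00ab\x00"
)

# Constructed sample of windows.hashdump.Hashdump output (User, rid, lmhash, nthash).
# Administrator carries the well-known NT hash of "password"; ME's hash is a placeholder.
HASHDUMP_OUTPUT = (
    "Volatility 3 Framework 2.4.1\n"
    "User\trid\tlmhash\tnthash\n"
    "Administrator\t500\taad3b435b51404eeaad3b435b51404ee\t8846f7eaee8fb117ad06bdd830b7586c\n"
    "Guest\t501\taad3b435b51404eeaad3b435b51404ee\t31d6cfe0d16ae931b73c59d7e0c089c0\n"
    "ME\t1001\taad3b435b51404eeaad3b435b51404ee\t0123456789abcdef0123456789abcdef\n"
)

# Runs of printable ASCII, and runs of printable ASCII interleaved with NUL (UTF-16LE).
_ASCII = re.compile(rb"[\x20-\x7e]{%d,%d}" % (MIN_LEN, MAX_LEN))
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){%d,%d}" % (MIN_LEN, MAX_LEN))


def extract_candidates(data) -> list[str]:
    """Printable ASCII and UTF-16LE strings, deduplicated in order of first occurrence.

    `data` may be bytes or an mmap, so a multi-GB image never has to be read into
    a Python bytes object.
    """
    seen: dict[str, None] = {}
    for m in _ASCII.finditer(data):
        seen.setdefault(m.group().decode("ascii"), None)
    for m in _UTF16.finditer(data):
        seen.setdefault(m.group().decode("utf-16-le"), None)
    return list(seen)


def build_wordlist_from_image(image_path: str | Path) -> list[str]:
    """Same extraction over a memory image file via a read-only memory map."""
    with open(image_path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return extract_candidates(mm)


def hashdump_to_hashcat(hashdump_text: str) -> list[str]:
    """user:nthash lines for `hashcat -m 1000 --username`, skipping empty-password accounts."""
    out = []
    for line in hashdump_text.splitlines():
        cells = line.split("\t")
        if len(cells) < 4 or cells[0] == "User":  # banner line or header
            continue
        user, _rid, _lm, nt = cells[:4]
        nt = nt.strip().lower()
        if nt == EMPTY_NT:
            continue
        out.append(f"{user}:{nt}")
    return out


def write_lines(path: str | Path, lines: list[str]) -> int:
    Path(path).write_text("\n".join(lines) + "\n", encoding="utf-8")
    return len(lines)


if __name__ == "__main__":
    print(extract_candidates(SAMPLE_BLOB))      # candidate passwords found in the blob
    print(hashdump_to_hashcat(HASHDUMP_OUTPUT))  # Administrator and ME; Guest skipped
    # Real use:
    #   write_lines("ram.txt", build_wordlist_from_image("memdump.mem"))
    #   write_lines("hashes.txt", hashdump_to_hashcat(open("hashdump.txt").read()))
    #   hashcat -m 1000 --username hashes.txt ram.txt -r rules/best64.rule
```

The UTF-16LE pass matters on Windows: credentials typed into logon dialogs, browsers and RDP clients sit in memory as wide strings, and a plain strings run misses them. A wordlist built this way from the same machine is small enough that a rule set like best64 can be applied on top without the job becoming expensive.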

 

 

Registry

·        UserAssist: programs the user launched through Explorer, with run counts and last-run times (the ROT13-encoded key names are decoded by the plugin):

PS C:\volatility3-develop> python.exe .\vol.py -f C:\Users\ME\Desktop\Cases\case2\memdump.mem windows.registry.userassist.UserAssist

·        Extract a registry hive from memory for offline analysis (here the user's NTUSER.DAT; --filter matches on the hive name and --dump writes it to a file):

PS C:\volatility3-develop> python.exe .\vol.py -f C:\Users\ME\Desktop\Cases\case2\memdump.mem windows.registry.hivelist.HiveList --filter ME\ntuser.dat --dump

 

 

 

 

Volatility 2 Windows profile list:

https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles#profile-lists

Mistyping a plugin name in Volatility 3 (here windows.plist.Plist instead of windows.pslist.PsList) makes it print every plugin it knows, which doubles as a quick reference:

volatility: error: argument plugin: invalid choice windows.plist.Plist (choose from banners.Banners, configwriter.ConfigWriter, frameworkinfo.FrameworkInfo, isfinfo.IsfInfo, layerwriter.LayerWriter, linux.bash.Bash, linux.check_afinfo.Check_afinfo, linux.check_creds.Check_creds, linux.check_idt.Check_idt, linux.check_modules.Check_modules, linux.check_syscall.Check_syscall, linux.elfs.Elfs, linux.envars.Envars, linux.envvars.Envvars, linux.iomem.IOMem, linux.keyboard_notifiers.Keyboard_notifiers, linux.kmsg.Kmsg, linux.lsmod.Lsmod, linux.lsof.Lsof, linux.malfind.Malfind, linux.mountinfo.MountInfo, linux.proc.Maps, linux.psaux.PsAux, linux.pslist.PsList, linux.psscan.PsScan, linux.pstree.PsTree, linux.sockstat.Sockstat, linux.tty_check.tty_check, mac.bash.Bash, mac.check_syscall.Check_syscall, mac.check_sysctl.Check_sysctl, mac.check_trap_table.Check_trap_table, mac.ifconfig.Ifconfig, mac.kauth_listeners.Kauth_listeners, mac.kauth_scopes.Kauth_scopes, mac.kevents.Kevents, mac.list_files.List_Files, mac.lsmod.Lsmod, mac.lsof.Lsof, mac.malfind.Malfind, mac.mount.Mount, mac.netstat.Netstat, mac.proc_maps.Maps, mac.psaux.Psaux, mac.pslist.PsList, mac.pstree.PsTree, mac.socket_filters.Socket_filters, mac.timers.Timers, mac.trustedbsd.Trustedbsd, mac.vfsevents.VFSevents, timeliner.Timeliner, windows.bigpools.BigPools, windows.cachedump.Cachedump, windows.callbacks.Callbacks, windows.cmdline.CmdLine, windows.crashinfo.Crashinfo, windows.devicetree.DeviceTree, windows.dlllist.DllList, windows.driverirp.DriverIrp, windows.drivermodule.DriverModule, windows.driverscan.DriverScan, windows.dumpfiles.DumpFiles, windows.envars.Envars, windows.filescan.FileScan, windows.getservicesids.GetServiceSIDs, windows.getsids.GetSIDs, windows.handles.Handles, windows.hashdump.Hashdump, windows.info.Info, windows.joblinks.JobLinks, windows.ldrmodules.LdrModules, windows.lsadump.Lsadump, windows.malfind.Malfind, windows.mbrscan.MBRScan, windows.memmap.Memmap, windows.mftscan.MFTScan, 
windows.modscan.ModScan, windows.modules.Modules, windows.mutantscan.MutantScan, windows.netscan.NetScan, windows.netstat.NetStat, windows.poolscanner.PoolScanner, windows.privileges.Privs, windows.pslist.PsList, windows.psscan.PsScan, windows.pstree.PsTree, windows.registry.certificates.Certificates, windows.registry.hivelist.HiveList, windows.registry.hivescan.HiveScan, windows.registry.printkey.PrintKey, windows.registry.userassist.UserAssist, windows.sessions.Sessions, windows.skeleton_key_check.Skeleton_Key_Check, windows.ssdt.SSDT, windows.statistics.Statistics, windows.strings.Strings, windows.svcscan.SvcScan, windows.symlinkscan.SymlinkScan, windows.vadinfo.VadInfo, windows.vadwalk.VadWalk, windows.vadyarascan.VadYaraScan, windows.verinfo.VerInfo, windows.virtmap.VirtMap, yarascan.YaraScan)
