11

IRMA Notes

WireShark FiltersNetwork ForensicsAdvanced Network ForensicsSecurity Information and Event Management (SIEM)Incident Response Models & Host ForensicsLive Forensics & ToolkitMemory Analysis With Volatility FrameworkIntroduction to Malware AnalysisAdvanced Static Analysis and Reverse EngineeringDynamic Malware AnalysisMalware Analysis Summary

Memory Analysis With Volatility Framework

Unit 6 - Memory Analysis

Last Update Unknown

Memory Analysis

Physical Memory Acquisition

Physical Memory Acquisition is a bit by bit dump of the RAM (as opposed to virtual address space of processes, which is also possible).

These tools do not halt the processes before live acquisition is run, so some information will transient (Paged) and some tools might contain incomplete information. The tool itself will also have an impact on the system according to the locard's exchange principle.

Hardware

  • PCI based
    • Pros - unobtrusive
    • Cons - Needs to be installed pre incident
  • Fire wire
    • Pros - Unobtrusive , fast (DMA), highly available on motherboards.
    • Cons - Proven to be erroneous in some cases, BSOD.

Virtualisation

  • Is everywhere
  • Very easy to create dumps. E.g. in vmware all you have to do is suspend the session and a .vmem is created which is very similar to a dd style raw image.
  • .vmem files can be analysed by Volatality

Hibernate File

  • Should get this file anyway- pristine state of RAM at some point of time in the past(if not current)
  • Can be induced using - psshutdown.exe -h
  • Very useful for larger the 4GB memories as some of the other tools might fail

Volatility Framework

Volatility is an open source framework, written in Python, which supports both VM and raw dd snapshots.

Analysis can generally be accomplished in five steps:

  1. Identify Rogue Processes
  2. Analyze Process DLLs and Handles
  3. Review Network Artifacts
  4. Look for Evidence of Code Injection
  5. Extract Processes, Drivers, and Objects

Commands

Getting Help

Command Description
vol.py -h Show options and supported plugins
vol.py plugin -h Show plugin usage
vol.py plugin --info Show available OS profiles

Identify System Profile

Command Description
vol.py -f mem.img imageinfo Display memory image metadata

Using Environment Variables

Command Description
export VOLATILITY_LOCATION=file:///images/mem.img Set name of memory image (takes place of -f)
export VOLATILITY_PROFILE=Win10x64_14393 Set profile type (takes place of --profile=)

Identify User Logon Sessions

Command Description
vol.py -f rdp.mem --profile=Win2003SP2x86 sessions Lists details of user logon sessions. Separates processes into their own session.

Identify Rogue Processes

Command Description
vol.py pslist High level view of running processes
PID, Parent PID, Number of threads and handles + CREATE TIME (very useful for timelining).
vol.py psscan Scan memory for EPROCESS blocks
Provides the physical address offset of a process
vol.py pstree Display parent-process relationships
Takes the output from pslist and formats it in a tree view, so you can easily see parent and child relationships

Analyse Process DLLs and Handles

Command Description
vol.py dlllist -p 1022,868 List of loaded dlls by process
-p Show information only for specific processes (PIDs)
DLLs contain code and resources that can be shared between multiple processes.
vol.py getsids -p 868 Print process security identifiers
  • Associates a process with a user account or investigate potential lateral movement attempts.
  • Is particularly important for window servers with multiple users.
  • Shows the SIDs associated with process for the current logged-on user.
vol.py handles -p 868 -t File,Key List of open handles for each process
-t Display only handles of a certain type {Process, Thread, Key, Event, File, Mutant, Token, Port}
  • A handle is a reference to an open instance of a kernel object, such as a file, registry key, mutex, process, or thread.
  • To arrive at a number of forensically relevant conclusions—such as what process was reading or writing a particular file, what process accessed one of the registry run keys, and which process mapped remote file systems.

Look for Evidence of Code Injection

Command Description
vol.py malfind --dump-dir ./output_dir Find injected code and dump sections
-o Provide physical offset of single process to scan
-D or --dump-dir Directory to save suspicious memory sections
  • The malfind command helps find hidden or injected code/DLLs in user mode memory, based on characteristics such as VAD tag and page permissions.
  • The purpose of malfind is to locate DLLs that standard methods/tools do not see.
  • When used with -p <PID> -d <directory for malware output> it will extract any executables that are hidden in the processes address space.
  • The directory will have all the hidden (unlinked processes) processes in files with syntax malfind.<PID>.
  • The hidden process dump can then be sent to virustotal to get more information.
vol.py ldrmodules -p 868 -v Detect unlinked DLLs
-v Verbose: show full paths from three DLL lists

Extract Processes, Drivers, and Objects

Command Description
vol.py dlldump --dump-dir ./output -r metsrv To extract a DLL from a process's memory space and dump it to disk for analysis, use the dlldump command.
-p Dump DLLs only for specific PIDs
-b Dump DLL using base offset
-r Dump DLLs matching REGEX name
--dump-dir Directory to save extracted files
vol.py modules
  • Lists all the modules in the resident in memory.
  • Shows physical base address, executable location and size.
  • Kernel modules have the same structure as a user land exe.
vol.py moddump --dump-dir ./output -r gaopdx Extract kernel drivers
-b Dump driver using offset address (from modscan)
-r Dump drivers matching REGEX name
--dump-dir Directory to save extracted files
  • Extracts one or more kernel modules that you identify by name or base address.
  • Can only extract currently loaded modules with valid PE headers.
  • The extracted kernel modules store in the volatile root location. The file names with syntax driver.<physical base address>.sys.
vol.py procdump --dump-dir ./output -p 868 Dump process to executable sample
-p Dump only specific PIDs
-o Specify process by physical memory offset
-n Use REGEX to specify process
--dump-dir Directory to save extracted files
  • Can be used to extract the executable if you have a suspicious process identified
vol.py memdump --dump-dir ./output -p 868 Extract every memory section into one file
-p Dump memory sections from these PIDs
-n Use REGEX to specify process
--dump-dir Directory to save extracted files
vol.py filescan Scan memory for FILE_OBJECT handles
vol.py dumpfiles -n -i -r \\.exe --dumpdir=./ Extract FILE_OBJECTs that have been cached in memory
-Q Dump using physical offset of FILE_OBJECT
-r Extract using a REGEX (add -i for case insensitive)
-n Add original file name to output name
--dump-dir Directory to save extracted files
  • These files, extracted using dumpfiles, usually include internet history and download history.
  • Cached files can also reveal clues as to what software has been running on a system prior to the memory dump being taken.
vol.py svcscan -v Scan for Windows Service record structures
-v Show service DLL for svchost instances
vol.py cmdscan Scans for command history in the conhost memory space and retrieves the commands entered.
Retrieve only the command history.
vol.py consoles Retrieve the entire command prompt window buffer (stdio) so you can observe what a potential intruder actually saw as they entered commands.

Memory Artefact Timelining

The timeliner plugin parses time-stamped objects found in memory images. Output is sorted by:

  • Process creation time
  • Thread creation time
  • Driver compile time
  • DLL / EXE compile time
  • Network socket creation time
  • Memory resident registry key last write time
  • Memory resident event log entry creation time

Parameters:

  • --output-file Optional file to write output
  • --output=body Bodyfile format (also text,xlsx)
  • --type=Registry Extract registry key last write times