Basic Memory Forensics with Volatility

Aung Myo Myint
Published in Horangi
May 24, 2017

Memory forensics is the analysis of a computer’s memory. It is a fast-growing area of research that has become necessary for digital forensics investigations. Memory forensics overcomes some of the limitations of traditional disk-based analysis, and it also addresses problems that newer technologies such as encryption create for dead-box examination.

In this context, computers have two types of memory: volatile and nonvolatile memory. Volatile memory, or Random Access Memory (RAM), only maintains its data while the computer or device is powered on. Nonvolatile Memory, or NVRAM, is for longer-term storage. When a computer is powered off, evidence in RAM is lost and normally cannot be recovered; the data in NVRAM, however, often remains after the system is powered off and can be analyzed after the fact.

Like any other type of analysis, memory forensics happens in at least three stages: evidence collection, analysis, and reporting. Before starting this process, there are a few important factors to consider that can save some trouble later on.

First, ensure no one shuts down or restarts any system that is possibly compromised until a memory image has been collected and verified as valid. It is also a good idea to take pictures of the running system, document its condition at the time of the investigation, and retain a log of all actions taken on it. Take notes on the system date, any commands or tools used, and anything else that seems noteworthy. During the report-writing or presentation stage, it is valuable to have a detailed set of notes covering every step and action taken, in case someone asks tough questions about the chain of custody.

By conducting memory analysis and examining running processes and services, system information, and open network connections, we may be able to find malware, cleartext passwords, open files, or other evidentiary artifacts that are not located on disk or in centrally stored log files.

There is a relevant saying from Sun Tzu, the Chinese general and military strategist.

Therefore, we should become familiar with our adversary, the memory image and the file system it came from, before conducting any further investigation. Consequently, we should first collect system information and network information. Gathering this volatile information can reveal legitimate or rogue processes and unauthorized applications, and can help identify anomalous filenames.

The Volatility framework is an excellent open source tool for analyzing memory from 32-bit and 64-bit systems, and it is our memory forensics platform of choice here at Horangi. It is written in Python and supports many operating systems, including Linux, Windows, and Mac systems. We can use Volatility to analyze raw dumps, .img files, VMware dumps (.vmem), and many other formats. Volatility comes with many useful plugins such as pslist, kdbgscan, kpcrscan, and dlllist.

First of all, we need to set a profile to let Volatility know which operating system the dump or memory image file comes from, i.e. Windows XP, Vista, or a Linux distribution.

For this example, I have a memory dump file but don’t know which operating system the image was taken from. Therefore, we need to use the imageinfo plugin to detect the operating system and the suggested profile.

To do this, type the following command:

vol.py -f <location of the memory dump> imageinfo

The pslist plugin gives the general list of all running processes on the system from the memory dump. This is useful when hunting malware, because we can easily identify which processes or programs were running in a specific time-frame.

To do this, type the following command:

vol.py --profile=<profile from imageinfo> -f <location of the memory dump> pslist

The psscan plug-in is useful when we are hunting malware and looking for rootkit activity. Rather than walking the linked list of active processes, it scans for every process object in memory, including hidden, inactive, and unlinked processes.
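The practical value of running both plugins comes from comparing their results: a process that psscan finds but pslist does not, and that has no exit time, has been unlinked from the active process list, which is what a process-hiding rootkit does. The script below is an added example (it is not part of the original post and not Volatility's own code) that builds the vol.py invocations shown above, parses the text output of pslist and psscan, and reports such processes. The column layout it parses is Volatility 2.x's; the sample output embedded in it is constructed for the example, and the process names, PIDs and offsets in it are invented.

```python
"""Cross-check Volatility 2 pslist and psscan output for hidden processes.

Added example: parses the text output of both plugins and reports processes
that psscan found, pslist did not, and that have not exited. Assumes the
column layout of Volatility 2.x text output.
"""
import re
import subprocess
from typing import Dict, List


def build_command(image: str, profile: str, plugin: str, vol: str = "vol.py") -> List[str]:
    """Assemble the vol.py invocation described in the post, as an argv list."""
    return [vol, "-f", image, f"--profile={profile}", plugin]


def run_plugin(image: str, profile: str, plugin: str, vol: str = "vol.py") -> str:
    """Run a plugin and return its stdout (requires a Volatility 2 install)."""
    result = subprocess.run(build_command(image, profile, plugin, vol),
                            check=True, capture_output=True, text=True)
    return result.stdout


# Constructed sample output, modelled on the Volatility 2 column layout.
# PID 1337 ("hidden.exe") appears only in psscan and has no exit time:
# the pattern of a process unlinked from the active process list.
# PID 2040 appears only in psscan but has an exit time: a terminated process.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x8220b8f8 svchost.exe            1032    684     20      203      0      0 2012-07-22 02:42:33 UTC+0000
"""

SAMPLE_PSSCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000002029ab8 System                4      0 0x00319000
0x0000000002106020 smss.exe            368      4 0x07c00020 2012-07-22 02:42:31 UTC+0000
0x00000000021ca8f8 svchost.exe        1032    684 0x07c00240 2012-07-22 02:42:33 UTC+0000
0x0000000002201da0 hidden.exe         1337    684 0x07c00300 2012-07-22 02:50:01 UTC+0000
0x0000000002300b20 notepad.exe        2040   1032 0x07c00400 2012-07-22 02:45:10 UTC+0000   2012-07-22 02:46:00 UTC+0000
"""

# A data row starts with the object offset, then name, PID and PPID; the
# remaining columns differ between the two plugins and are kept as one string.
ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s*(.*)$")
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_process_table(text: str) -> Dict[int, dict]:
    """Parse pslist or psscan text into {pid: {name, ppid, exited}}."""
    procs: Dict[int, dict] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # banner, header and separator lines
        name, pid, ppid, rest = m.groups()
        # Both plugins print a start time first and an exit time second, so
        # two timestamps on the row mean the process has terminated.
        timestamps = TIME_RE.findall(rest)
        procs[int(pid)] = {"name": name, "ppid": int(ppid), "exited": len(timestamps) >= 2}
    return procs


def find_hidden_processes(pslist_text: str, psscan_text: str) -> List[dict]:
    """Processes present in psscan but absent from pslist and not terminated.

    psscan carves process objects out of physical memory, so it also finds
    processes that exited normally; those are expected and are not reported.
    """
    linked = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    hidden = []
    for pid, info in sorted(scanned.items()):
        if pid not in linked and not info["exited"]:
            hidden.append({"pid": pid, **info})
    return hidden


if __name__ == "__main__":
    for p in find_hidden_processes(SAMPLE_PSLIST, SAMPLE_PSSCAN):
        print(f"possible hidden process: {p['name']} (PID {p['pid']}, PPID {p['ppid']})")
```

Against a real image, replace the two sample strings with `run_plugin(image, profile, "pslist")` and `run_plugin(image, profile, "psscan")`. A hit from this comparison is a lead, not a verdict: confirm it by dumping the process with the offset psscan reported and by checking its parent, threads and loaded DLLs.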

Some malware injects DLL files into other processes. In 2011, Trustwave forensics analysts worked on a project involving several pieces of malware. They analyzed two components: searcher.dll and sr.exe. sr.exe is a command line tool that injects searcher.dll into each process (Eric Merritt, 2015). By using the dlllist plug-in, we can list the DLLs loaded by each process and look for such injected modules.

The connscan plug-in helps to find both active and previously terminated network connections from the time the system was running.

References

  1. Eric Merritt (2015). Shining the Spotlight on Cherry Picker POS Malware. Retrieved from https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/
  2. Aditya Balapure (2013). Memory Forensics and Analysis Using Volatility. Retrieved from http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/
