Memory Forensics analysis

  • View

  • Download

Embed Size (px)


memory forensics is vast subject,Memory forensics is forensic analysis of a computer's memory dump. Its primary application is investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information.

Text of Memory Forensics analysis

  • Presented by:-

    Anishka Singh

  • Everything in OS traverse RAM:-

    Network Sockets and URLs

    Windows Registry keys

    Hardware Configuration

    Password,caches and clipboards

    User generated contents





    Virtual Memory



    Goals of Digital Forensics

    Identify Digital Evidence

    Generally only a part of crime investigation


    computer intrusion

    unauthorized use of corporate computers

    any physical crime whose suspect had a computer

    Three major phases:




  • Acquisition Phase

    Which data as digital evidence ????????

    Goal is to save the state of digital system for analysis.

    Similar to taking photographs, fingerprints, blood samples, from a crime scene.

    The allocated and unallocated areas of a hard disk are copied known as image.

    Tools are used to copy data from the suspect storage device to a trusted device.

    Tools must modify the suspect device as little as possible and copy all data.

    Capture the acquired data for identifying pieces of evidence.

  • Acquistion : MoonSols Kit for obtaining memory

    image Advanced toolkit for Windows physical memory snapshot management.

    Designed to deal with :- A) Microsoft Windows hibernation file (from Microsoft Windows XP to Microsoft Windows 7 both 32-bits and 64-bits (x64) Editions). B)Microsoft full memory crashdump (in both 32-bits and 64-bits (x64) Editions). C)Raw memory dump files (from memory acquisition tools like win32dd or win64dd, or Virtualization application like VMWare.

    Contains new version of win32dd and win64dd.

  • C:\win32dd.exe /l /f mem1.vmem

  • Identify Context

    Find KPCR

    Parse Memory Structure

    Executive Process Blocks

    Process Environment Blocks

    Track loaded DLLs

    Virtual Address Descriptor

    Process Memory Sections

    Kernel Modules


    Scan For outliers

    Unlinked Process DLLs,sockets and threads

    Unmapped page with execute privelage

    Hook Detection

    Know Heuristics and signatures

  • Analysis of Memory through volatility

    Open collection of tools. Python implemented under GNU General Public License for the extraction

    of digital artifacts from volatile memory (RAM).

    Extraction performed are independent of system being investigated but offer unprecedented visibilty into the runtime state of system.

    Intended to introduce people:-

    Techniques and complexities associated with extracting digital artifacts from volatile memory samples

    Work into this exciting area of research.

  • Volatility Supports x86 Windows versions

    Windows XP SP 2, 3

    Windows 2003 Server SP 0, 1, 2

    Windows Vista SP 0, 1, 2

    Windows 2008 Server SP 1, 2

    Windows 7 SP 0, 1

  • Running Process

    Image Date and Time

    Open Network Sockets & connections

    DLLs Loaded For Process Open Registry Handles

    Processs addressable Memory

    OS Kernel Modules

    Mapping Physical offset to virtual address

    Virtual address Descriptor Information

    Scanning Process , threads, modules

    Extract Executables From Memory Samples

  • Static RAM analysis from an image or

    against a live system Enumerate all running processes, including those hidden by

    rootkits, and display associated DLLs, network sockets and handles in context.

    Dump a process and associated DLLs for further analysis in third-party tools.

    Memory string search allows you to identify hits in memory and automatically map them back to a given process, DLL or piece of unallocated space and dump the corresponding item.

    Volatility provides VAD tree analysis and exposes registry artifacts in memory and will parse and display handle information from memory.

  • Image Name

    Legitimate process? Spelled correctly? Matches system


    Full Path

    Appropriate path for system executable?

    Running from

    a user or temp directory

    Parent Process

    Is the parent

    Process what you would expect?

    Command Line


    matches image


    Do arguments

    make sense?

    Start Time

    Was the process

    started at boot

    (with other system


    Processes started

    near time of known


    Analyzing Processes

  • Volatility Commands

    a)Spot hidden processes psxview

    b)List all processes pslist, psscan

    c)Show a registry key printkey -K key

    d)Extract process image procexedump

    e)Extract process memory memdump, vaddump

    f)List open handles, files, DLLs

    and mutant objects

    handles, filescan, dlllist,


    g)List services, drivers and

    kernel modules

    svcscan, driverscan, modules,


    h)View network activities connscan, connections,

    sockets, sockscan, netscan

    i)View activity timeline timeliner, evtlogs

    j)Find and extract malware malfind, apihooks

  • Imageinfo

    Used for Knowing what type of system your image came from.

    Output shows suggested profile that you should pass as the parameter to --profile=PROFILE.

    $ volatility f imagename imageinfo For most accurate and fastest results supply the profile and KDBG to other Volatility commands.

  • Pslist

    Use to list the processes of a system. Walks doubly-linked list pointed by PsActiveProcessHead. Does not detect hidden or unlinked processes.

    Syntax:- $ volatility f --profile=profilename mem1.vmem pslist

  • Pstree

    Used for viewing the process listing in tree form. Enumerates processes using the same technique

    as pslist. Child process are indicated using indention and

    periods. $ volatility profile=profilename f imagename pstree

  • Psscan

    To enumerate processes using pool tag scanning, use this command.

    Finds processes that are previously terminated (inactive) and hidden or unlinked by a rootkit.

    $ volatility f imagename psscan

  • Connscan

    Used for finding connection structures using pool tag scanning.

    Finds artifacts from previous connections that have been terminated.

    It may find false positives sometimes, you also get the benefit of detecting as much information as possible.

    $ volatility f imagename connscan

  • Malfind

    Used for:- Finding hidden or injected code/DLLs in user mode memory,

    based on characteristics such as VAD tag and page permissions.

    Locating sequence of bytes, regular expressions, ANSI strings, or Unicode strings in user mode or kernel memory.

    $ volatility f imagename malfind D directoryname

  • Apihook

    Used for finding API hooks in user mode or kernel mode. It finds IAT, EAT, Inline style hooks, and several special types of

    hooks. For Inline hooks, it detects CALLs and JMPs to direct and

    indirect locations, and it detects PUSH/RET instruction sequences.

    Special types of hooks that it detects include syscall hooking in ntdll.dll and calls to unknown code pages in kernel memory.

    $ volatility f imagename apihook

  • Dlllist

    For displaying a process's loaded DLLs, use this command. It walks the doubly linked list of LDR_DATA_TABLE

    _ENTRY structures pointed by PEB's InLoad Order Module

    List. DLLs are automatically added to this list when a process calls

    LoadLibrary and they aren't removed until FreeLibrary is called and the reference count reaches zero.

    $ volatility f imageinfo dlllist

  • Dlldump

    For extracting a DLL from a process's memory space and dump it to disk for analysis, use this command. We can: Dump all DLLs from all processes . Dump all DLLs from a specific process (with --pid=PID) . Dump all DLLs from a hidden/unlinked process (with --

    offset=OFFSET) . Dump a PE from anywhere in process memory (with --

    base=BASEADDR), this option is useful for extracting hidden DLLs.

    $ volatility f imagename dlldump D directoryname

  • Handles

    Used for displaying the open handles in a process. Process obtains a file handle by calling functions such as

    CreateFile, and the handle will stay valid until CloseHandle is called. This concept applies for registry keys, mutexes, named pipes, events, window stations, desktops, threads, and all other types of objects.

    $ volatility f imagename handles

  • Getsids

    For viewing the SIDs (Security Identifiers) associated with a process, use this command.

    It helps you to identify processes which have maliciously escalated privileges.

    $ volatility f imageinfo getsids

  • Memmap

    For a brief inspection of the addressable memory pages in a process use this command. $ volatility f imagename p PID memmap

  • Memdump

    To extract all data from the various memory segments in

    a process and dump them to a single file, use the

    memdump command.

    $ volatility --profile=Win7SP0x86 -f imagename p PID memdump D directoryname/

  • Procme