Memory Forensics 101 - The What, Why and How
What is it?
Most people know about traditional computer forensics where you analyze the artifacts on disk such as files, folders, registries, seen processes, etc. You’re usually trying to find evidence that the computer has been compromised and what malicious actions have been taken. Memory Forensics is the same analysis except you are examining the computer’s memory. (RAM)
Below is a definition I found on Wikipedia:
“Memory forensics is forensic analysis of a computer's memory dump. Its primary application is investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information.”
Why do we need it?
One of the goals of a computer forensics investigator is to gather as much information as they can in an effort to account for all the (usually malicious) actions that may have occurred leading up to an incident on a device. Much of that information can be found doing disk forensics, however due to the continuous efforts of the bad guys to hide their malware just relying on disk forensics is not enough. The results of their efforts are threats such as fileless malware, dll injection and of course rootkits. Fileless malware such as Powerliks and Kovter are resident in memory only but do leave residue on disk. These threats will typically use a combination of software already present on the windows device such as PowerShell and the registry to load and run purely in memory only. Software like PowerShell is often leveraged by the adversaries to move laterally within the network to compromise additional machines. Some folks call this “living off the land”. In a future blog I hope to dive a bit deeper into fileless malware, but for now just know that they reside in memory only and to fully understand what they are doing often times you will need to perform memory forensics.
In addition to fileless malware many threats will hide processes, dlls and other memory objects through a variety of techniques making it harder to identify the threat with just disk forensics. RAM is the beaten path of the operating system so anything you can’t find using disk forensics it’s quite possible you will find it by analyzing memory.
How does it work?
The first step in memory forensics is to acquire an image of the device’s memory (RAM). You can do this in a variety of ways. If you are acquiring from a live system you will need to load a system driver that will allow you to access the memory. Many tools can achieve this for you such as FTK, F-Response, DumpIT, Redline and many more. For example, if you were to use FTK imager which is free you would download it onto a USB stick run the program and select “Capture Memory” fill in the appropriate information and off you go. Below (figure 1) is a screenshot of FTK imager acquiring the memory.
For a down system the hibernation (hiberfil.sys) files, swap and page (pagefile.sys, swapfile.sys) files can be used. For those of you that may not be familiar with the hibernation file on windows it’s a compressed copy of the memory when the system last went into hibernation. It’s the file responsible for returning your computer back to its original state when you wake it up out of hibernation. Because of this it can be used by tools such as Volatility to search for artifacts. Be careful using it to much as its compress and although Volatility can read it as is it will have to be decompressed each time you want to search for something, so you could be waiting a bit. With that said Volatility does have a plugin called copyimage to convert into a raw memory image. The swap and page files are not able to be used with Volatility, but they may have bits and pieces of information that may not be found in the memory image as some of the information may have been swapped to these files. You could use your basic strings command to get a quick peak at interesting text that may warrant further investigation.
Another option is if you are analyzing a virtual machine, each one of them has a file that is dedicated to keeping a copy of the memory for that VM. Below are the file extensions for the various VMs that will have a copy of the memory image.
VMware - .vmem
Hyper-V - .bin
Parallels - .mem
VirtualBox - .sav
I use this quite often when I am analyzing malware on a VM in my lab and I want to examine the memory. I just suspend my VM, copy the .vmem file to a machine that has Volatility installed and off I go.
Once we have the memory image the next obvious step is to start analyzing the memory image file itself. To grab the artifacts we want to see in memory you need to understand how the memory is structured. The structure can be very complicated, but once a few elements are initially identified it gets a bit easier as they have pointers to the other memory objects.
The first component needed to discover is the Kernel Debugger Datablock (KDBG). This will point you to the Executive Process Block list (EPROCCES) which holds a list of the data structure for each process such as all dlls that may be linked to that process among other things. So, when you go to your task manager on a windows device and see a list of processes running that information is coming from the EPROCCES. Another important element to mention is the Virtual Address Descriptor tree (VAD). The VAD is responsible for recording the usage of virtual addresses by a process. It will become more apparent why we need to know both the EPROCCES and VAD tree when we get into part 2 & 3 where we discuss the plugins. The good news is a tool like Volatility will do most of this for you. Below (figure 2) is a very simplified view of the memory structure.
Introduction to Volatility
Volatility is very popular open source tool used to analyze your memory dumps. Its built on python and support Windows, OSX and Linux. http://www.Volatilityfoundation.org/ will give you the documentation, downloads and many other pieces of information about Volatility.
Below is a definition I found on Wikipedia:
“Volatility is an open source memory forensics framework for incident response and malware analysis. It is written in Python and supports Microsoft Windows, Mac OS X, and Linux as of version 2.5”
Let’s go over some basics of Volatility before you begin to use it. We will start with how to run the application. Once you installed the program it’s a very simple command line to run the it.
Python vol.py [plugin] –f [file name] -- profile=[profile]
Python vol.py pslist –f memory.img -- profile=Win7SP0x86
Since it is a python program you simply start with python “vol.py”. The plugin you want to use would be next then the filename of the memory image followed by the appropriate profile. We will get into plugin’s more in the coming memory analysis blogs, so I will not go into that but did want to touch upon the “profile” option. Volatility needs to know the operating system the memory image came from. Reason being is not all memory structures are the same for each OS and versions. If you don’t supply the profile Volatility will not work. So, what if you don’t know the OS it came from? You could try each profile one at a time which could take a while or you could use the imageinfo plugin within Volatility. This plugin will scan the memory image to try to determine the OS. I say try because it’s a best effort and is not always 100% accurate, but it’s pretty darn close. Below is an (figure 3) example of the results Volatility will give you after you use the imageinfo plugin. Review the “Suggested Profile(s) and give them a try.
You might notice in the figure above I am using the command “Volatility”. This is because in Kali there is a distribution of Volatility already installed and to run it you can just type “Volatility”. There are a few other options such as help and info that can be used. Help option will give you information like other command line options and what each plugin can do. The info option will give you some additional information such as the profiles supported. I will note that since this tool is open source you can create your own plugin to use. Many people have created good ones over the years so if you come across a plugin you would like to use it might not be in the default version you have installed. If you want to use the plugin, you would simply copy the information into a .py file and paste into the plugins directory. The directory is usually located at Volatility/plugins. Again, if you are using the latest Kail Linux at the time of this posting the directory will be found at /usr/lib/python2.7/dist-packages/Volatility/plugins.
So that’s a very quick introduction into memory forensics and the tool Volatility. Stay tuned for my next few blogs which will dive into the analysis of a memory image. Using a memory image from a device infected with fileless malware we will walk through some plugins to look for malicious processes, signs of dll injections, rootkits and more.