In the world of cybersecurity, the ability to analyze the volatile memory of a system can be the difference between identifying an ongoing attack or having a system compromised. Memory forensics is a branch of digital forensics that involves analyzing the contents of a computer’s volatile memory, often referred to as RAM. This technique can provide insight into what processes and programs are running on a system, what network connections are established, and what data is being transmitted. In this article, we will explore the basics of memory forensics, the tools and techniques used in the analysis, and some real-world examples of its use.
Why is Memory Forensics Important?
In traditional digital forensics, analysts will collect data from a computer’s hard drive, which can contain important artifacts such as logs, registry entries, and application data. However, many attacks and incidents are designed to be volatile and leave little to no trace on the hard drive. Attackers may use techniques like file-less malware or in-memory injection to avoid detection by traditional antivirus software or endpoint detection and response (EDR) tools.
Memory forensics provides a way to analyze a system’s current state, allowing analysts to identify malicious processes and network connections hiding in plain sight. Furthermore, memory forensics can also provide information about an attacker’s tactics, techniques, and procedures (TTPs), allowing defenders to understand the adversary better and potentially prevent future attacks.
Memory Forensics Tools and Techniques
Memory forensics requires specialized tools and techniques to extract and analyze data from volatile memory. Several open-source and commercial tools, such as Volatility, Rekall, and Redline, can help analysts in this process. In this section, we will explore some of the most common techniques used in memory forensics and how they can be performed using Volatility.
Dumping Memory
The first step in memory forensics is to create a memory dump of the target system. A memory dump is a snapshot of the system’s RAM at a specific point in time. This snapshot can be used to analyze the system’s current state, even after it has been shut down. There are several ways to create a memory dump, including using third-party tools, built-in operating system features, or hardware devices.
One of the most common ways to create a memory dump is to use the LiME (Linux Memory Extractor) tool, which is a loadable kernel module that allows for the creation of memory dumps on Linux systems. Once the memory dump has been created, it can be analyzed using a tool like Volatility.
Analyzing Memory with Volatility
Volatility is an open-source memory forensics framework that provides a wide range of plugins for analyzing memory dumps. The framework supports various operating systems, including Windows, Linux, and macOS. To explore a memory dump using Volatility, analysts can use the following steps:
Identify the operating system profile - Volatility requires the correct profile to be specified to analyze a memory dump. The profile defines the operating system and service pack level of the target system. Volatility includes a built-in tool called “imageinfo” that can be used to identify the profile of the memory dump.
First, we need to identify the operating system profile of the memory dump. We can use the “imageinfo” plugin to list the available profiles:
$ volatility -f memdump.mem imageinfo
Output:
Volatility Foundation Volatility Framework 2.6 INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win10x64_17134, Win10x64_10240, Win10x64_10586, Win10x64_14393, Win10x64_15063, Win10x64_16299, Win10x64_17763, Win10x64_18362, Win10x64_18363, Win10x64_19041, Win10x64_19042, Win10x64_19043 AS Layer1 : WindowsAMD64PagedMemory (Kernel AS) AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS) AS Layer3 : FileAddressSpace (/home/user/memdump.mem) PAE type : No PAE DTB : 0x1e8000L KDBG : 0xf804e6d32010L Number of Processors : 1 Image Type (Service Pack) : 0 KPCR for CPU 0 : 0xfffff804e6d34000L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2023-02-28 12:00:00 UTC+0000 Image local date and time : 2023-02-28 04:00:00 -0800
Based on the output, we can see that there are several suggested profiles for the memory dump, but we will use the “Win10x64_19043” profile for this analysis.
List running processes - Once the profile has been identified, Volatility can be used to list the processes that were running on the system at the time the memory dump was created.
Next, we can use the “pslist” plugin to list the processes that were running on the system at the time the memory dump was created:
$ volatility -f memdump.mem --profile=Win10x64_19043 pslist
Output:
Volatility Foundation Volatility Framework 2.6 Offset Name PID PPID Thds Hnds Time ------------------ -------------------- --------------- -------------- -------- -------- -------- 0xffffc0002fbc0000 System 4 0 102 598 2023-02-28 00:22:28 UTC+0000 0xffffc00031ef8000 Registry 144 4 4 142 2023-02-28 00:22:20 UTC+0000 0xffffc0002ff2c000 smss.exe 408 4 2 28 2023-02-28 00:22:20 UTC+0000 0xffffc0003025a080 WmiPrvSE.exe 2760 504 7 191 2023-02-28 00:28:17 UTC+0000 0xffffc00030db0d40 csrss.exe 504 496 9 367 2023-02
Based on the output, we can see that the “System” process is running with a process ID (PID) of 4. We can also see that the “Registry” process is running with a PID of 144.
Analyze process memory - Once a suspicious process has been identified, analysts can use Volatility to dump the process’s memory into a file for further analysis. The “procdump” plugin can be used to dump the process memory, which can then be analyzed using a disassembler or debugger.
In this example, we will dump the memory of the “notepad.exe” process, which has a PID of 3052:
$ volatility -f memdump.mem --profile=Win10x64_19043 procdump -p 3052 -D output/
Output:
Volatility Foundation Volatility Framework 2.6 Process(V) ImageBase Name Result ---------- ---------- -------------------- ------ 0xffffc0002d71a080 0x00007ffc`47f50000 notepad.exe OK: executable.3052.exe.dmp
The “-p” option specifies the process’s PID to dump, and the “-D” option specifies the memory dump file’s output directory.
The output shows that the memory of the “notepad.exe” process was successfully dumped into the “output” directory.
Identify network connections - Memory forensics can also be used to identify network connections established by a target system. Volatility includes several plugins for this purpose, including “netscan” and “connscan.” These plugins can be used to identify the source and destination IP addresses, ports, and protocols associated with the network connections.
In this example, we will use the “netscan” plugin to list the network connections:
$ volatility -f memdump.mem --profile=Win10x64_19043 netscan
Output:
Volatility Foundation Volatility Framework 2.6 Offset(P) Proto Local Address Foreign Address State Pid Owner Created ------------------ -------- ------------------------------ ------------------------------ ---------------- -------- -------------- ------------------ 0xffffc0005e5c5a00 UDPv4 0.0.0.0:5355 *:* 1096 svchost.exe 2023-02-28 00:23:11 UTC+0000 0xffffc0005e65e580 TCPv4 192.168.1.100:51906 192.168.1.1:https ESTABLISHED 3744 firefox.exe 2023-02-28 00:35:55 UTC+0000 0xffffc0005e65e580 TCPv6 192.168.1.100:51906 192.168.1.1:https ESTABLISHED 3744 firefox.exe 2023-02-28 00:35:55 UTC+0000
The output shows two established network connections, one over UDP and one over TCP. We can see the source and destination IP addresses, ports, and protocols associated with the network connections.
Analyze registry keys - The Windows registry is a critical component of the operating system and can provide valuable information during memory forensics. Volatility includes several plugins for analyzing registry keys, such as “hivelist” and “printkey.” These plugins can identify critical values associated with a specific process or user.
Identify file handles - In-memory analysis can also be used to identify file handles, which can be used to identify files that may have been accessed or modified during an attack. The “filescan” plugin can be used to identify file handles associated with a specific process or user.
Real-World Examples of Memory Forensics
Memory forensics has been used in many real-world examples of cyber incidents, including the following:
- APT29 - APT29, also known as Cozy Bear, is a Russian cyber espionage group that has been active since at least 2010. In 2015, the group was linked to a spear-phishing campaign targeting the U.S. government, which used a custom implant known as Hammertoss. Hammertoss used in-memory techniques to evade detection by antivirus software and establish a command and control (C2) channel with the attacker. Memory forensics was used to identify the Hammertoss implant and its associated network traffic.
- WannaCry - WannaCry was a ransomware attack that spread globally in May 2017, infecting over 200,000 computers in 150 countries. The attack exploited a vulnerability in the Windows operating system and used in-memory techniques to avoid detection by antivirus software. Memory forensics was used to identify the malware’s network traffic and its associated ransomware note.
- Carbanak - Carbanak is a cybercrime group that has been active since at least 2013, targeting financial institutions worldwide. In 2015, the group was linked to a series of attacks that used a custom malware known as Anunak. Anunak used in-memory injection techniques to evade detection by antivirus software and steal millions of dollars from financial institutions. Memory forensics was used to identify the Anunak malware and its associated network traffic.
Conclusion
Memory forensics is an essential technique in the world of cybersecurity, providing a way to analyze a system’s current state and identify malicious processes and network connections that may be hiding in plain sight. While memory forensics can be challenging, specialized tools and techniques, such as Volatility, can help analysts extract and analyze data from volatile memory. Furthermore, memory forensics has been used in many real-world examples of cyber incidents, demonstrating its value in identifying and responding to threats. As attacks become more sophisticated and in-memory techniques are used to avoid detection, memory forensics will become an increasingly critical component of an organization’s cybersecurity posture.