In the world of cybersecurity, the ability to analyze the volatile memory of a system can be the difference between identifying an ongoing attack or having a system compromised. Memory forensics is a branch of digital forensics that involves analyzing the contents of a computer’s volatile memory, often referred to as RAM. This technique can provide insight into what processes and programs are running on a system, what network connections are established, and what data is being transmitted. In this article, we will explore the basics of memory forensics, the tools and techniques used in the analysis, and some real-world examples of its use.

Why is Memory Forensics Important?

In traditional digital forensics, analysts will collect data from a computer’s hard drive, which can contain important artifacts such as logs, registry entries, and application data. However, many attacks and incidents are designed to be volatile and leave little to no trace on the hard drive. Attackers may use techniques like fileless malware or in-memory injection to avoid detection by traditional antivirus software or endpoint detection and response (EDR) tools.

Memory forensics provides a way to analyze a system’s current state, allowing analysts to identify malicious processes and network connections that may be hiding in plain sight. Furthermore, memory forensics can also provide information about an attacker’s tactics, techniques, and procedures (TTPs), allowing defenders to better understand the adversary and potentially prevent future attacks.

Memory Forensics Tools and Techniques

Memory forensics requires specialized tools and techniques to extract and analyze data from volatile memory. There are several open-source and commercial tools available that can help analysts in this process, such as Volatility, Rekall, and Redline. In this section, we will explore some of the most common techniques used in memory forensics and how they can be performed using Volatility.

Dumping Memory

The first step in memory forensics is to create a memory dump of the target system. A memory dump is a snapshot of the system’s RAM at a specific point in time. This snapshot can be used to analyze the system’s current state, even after it has been shut down. There are several ways to create a memory dump, including using third-party tools, built-in operating system features, or hardware devices.

One of the most common ways to create a memory dump is to use the LiME (Linux Memory Extractor) tool, which is a loadable kernel module that allows for the creation of memory dumps on Linux systems. Once the memory dump has been created, it can be analyzed using a tool like Volatility.

Analyzing Memory with Volatility

Volatility is an open-source memory forensics framework that provides a wide range of plugins for analyzing memory dumps. The framework supports various operating systems, including Windows, Linux, and macOS. To analyze a memory dump using Volatility, analysts can use the following steps:

  1. Identify the operating system profile - Volatility requires the correct profile to be specified to analyze a memory dump. The profile specifies the operating system and service pack level of the target system. Volatility includes a built-in tool called “imageinfo” that can be used to identify the profile of the memory dump.

    First, we need to identify the operating system profile of the memory dump. We can use the “imageinfo” plugin to list the available profiles:

    $ volatility -f memdump.mem imageinfo

    Output:

    Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
        Suggested Profile(s) : Win10x64_17134, Win10x64_10240, Win10x64_10586, Win10x64_14393, Win10x64_15063, Win10x64_16299, Win10x64_17763, Win10x64_18362, Win10x64_18363, Win10x64_19041, Win10x64_19042, Win10x64_19043
                    AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                    AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                    AS Layer3 : FileAddressSpace (/home/user/memdump.mem)
                    PAE type : No PAE
                        DTB : 0x1e8000L
                        KDBG : 0xf804e6d32010L
        Number of Processors : 1
    Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff804e6d34000L
            KUSER_SHARED_DATA : 0xfffff78000000000L
        Image date and time : 2023-02-28 12:00:00 UTC+0000
    Image local date and time : 2023-02-28 04:00:00 -0800

    Based on the output, we can see that there are several suggested profiles for the memory dump, but we will use the “Win10x64_19043” profile for this analysis.

  2. List running processes - Once the profile has been identified, Volatility can be used to list the processes that were running on the system at the time the memory dump was created.

    Next, we can use the “pslist” plugin to list the processes that were running on the system at the time the memory dump was created:

    $ volatility -f memdump.mem --profile=Win10x64_19043 pslist

    Output:

    Volatility Foundation Volatility Framework 2.6
Offset             Name                 PID             PPID            Thds     Hnds    Time
------------------ -------------------- --------------- -------------- -------- -------- --------
0xffffc0002fbc0000 System                    4               0         102       598 2023-02-28 00:22:28 UTC+0000
0xffffc00031ef8000 Registry                  144             4           4       142 2023-02-28 00:22:20 UTC+0000
0xffffc0002ff2c000 smss.exe                  408             4           2        28 2023-02-28 00:22:20 UTC+0000
0xffffc0003025a080 WmiPrvSE.exe             2760             504         7       191 2023-02-28 00:28:17 UTC+0000
0xffffc00030db0d40 csrss.exe                 504             496         9       367 2023-02

    Based on the output, we can see that the “System” process is running with a process ID (PID) of 4. We can also see that the “Registry” process is running with a PID of 144.

  3. Analyze process memory - Once a suspicious process has been identified, analysts can use Volatility to dump the process’s memory to a file for further analysis. The “procdump” plugin can be used to dump the process memory, which can then be analyzed using a disassembler or debugger.

    In this example, we will dump the memory of the “notepad.exe” process, which has a PID of 3052:

    $ volatility -f memdump.mem --profile=Win10x64_19043 procdump -p 3052 -D output/

    Output:

    Volatility Foundation Volatility Framework 2.6
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0xffffc0002d71a080 0x00007ffc`47f50000 notepad.exe         OK: executable.3052.exe.dmp

    The “-p” option specifies the PID of the process to dump, and the “-D” option specifies the output directory for the memory dump file.

    Based on the output, we can see that the memory of the “notepad.exe” process was successfully dumped to the “output” directory.

  4. Identify network connections - Memory forensics can also be used to identify network connections established by a target system. Volatility includes several plugins for this purpose, including “netscan” and “connscan.” These plugins can be used to identify the source and destination IP addresses, ports, and protocols associated with the network connections.

    In this example, we will use the “netscan” plugin to list the network connections:

    $ volatility -f memdump.mem --profile=Win10x64_19043 netscan

    Output:

    Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address                State            Pid      Owner          Created
------------------ -------- ------------------------------ ------------------------------ ---------------- -------- -------------- ------------------
0xffffc0005e5c5a00 UDPv4    0.0.0.0:5355                   *:*                                       1096     svchost.exe    2023-02-28 00:23:11 UTC+0000
0xffffc0005e65e580 TCPv4    192.168.1.100:51906            192.168.1.1:https              ESTABLISHED     3744     firefox.exe    2023-02-28 00:35:55 UTC+0000
0xffffc0005e65e580 TCPv6    192.168.1.100:51906            192.168.1.1:https              ESTABLISHED     3744     firefox.exe    2023-02-28 00:35:55 UTC+0000

    From the output, we can see that there are two established network connections, one over UDP and one over TCP. We can see the source and destination IP addresses, ports, and protocols associated with the network connections.

  5. Analyze registry keys - The Windows registry is a critical component of the operating system and can provide valuable information during memory forensics. Volatility includes several plugins for analyzing registry keys, such as “hivelist” and “printkey.” These plugins can be used to identify key values associated with a specific process or user.

  6. Identify file handles - In-memory analysis can also be used to identify file handles, which can be used to identify files that may have been accessed or modified during an attack. The “filescan” plugin can be used to identify file handles associated with a specific process or user.

Real-World Examples of Memory Forensics

Memory forensics has been used in many real-world examples of cyber incidents, including the following:

  1. APT29 - APT29, also known as Cozy Bear, is a Russian cyber espionage group that has been active since at least 2010. In 2015, the group was linked to a spear-phishing campaign targeting the U.S. government, which used a custom implant known as Hammertoss. Hammertoss used in-memory techniques to evade detection by antivirus software and establish a command and control (C2) channel with the attacker. Memory forensics was used to identify the Hammertoss implant and its associated network traffic.
  2. WannaCry - WannaCry was a ransomware attack that spread globally in May 2017, infecting over 200,000 computers in 150 countries. The attack exploited a vulnerability in the Windows operating system and used in-memory techniques to avoid detection by antivirus software. Memory forensics was used to identify the malware’s network traffic and its associated ransomware note.
  3. Carbanak - Carbanak is a cybercrime group that has been active since at least 2013, targeting financial institutions worldwide. In 2015, the group was linked to a series of attacks that used a custom malware known as Anunak. Anunak used in-memory injection techniques to evade detection by antivirus software and steal millions of dollars from financial institutions. Memory forensics was used to identify the Anunak malware and its associated network traffic.

Conclusion

Memory forensics is an important technique in the world of cybersecurity, providing a way to analyze a system’s current state and identify malicious processes and network connections that may be hiding in plain sight. While memory forensics can be challenging, the use of specialized tools and techniques, such as Volatility, can help analysts extract and analyze data from volatile memory. Furthermore, memory forensics has been used in many real-world examples of cyber incidents, demonstrating its value in identifying and responding to threats. As attacks become more sophisticated and use in-memory techniques to avoid detection, memory forensics will become an increasingly critical component of an organization’s cybersecurity posture.