As attackers become more sophisticated, it’s becoming increasingly important to use advanced memory forensics techniques to investigate security incidents. Memory forensics can be used to identify processes that are running, network connections that have been established, and files that have been loaded into memory. In this article, we will explore some of the advanced memory analysis techniques that can be used to investigate sophisticated attacks.
Terminology
Before we dive into the advanced memory analysis techniques, it’s important to define some of the concepts and jargon that we will be using in this article. This will help ensure that everyone has a common understanding of the terms and concepts that we will be discussing.
Memory Forensics
Memory forensics is a branch of digital forensics that involves the analysis of a system’s memory to investigate security incidents. Memory forensics can be used to identify processes that are running, network connections that have been established, and files that have been loaded into memory. Memory forensics is particularly useful for investigating advanced attacks that rely on in-memory execution or rootkit-like capabilities to evade detection.
Virtual Address Space
The virtual address space is the virtual memory that a process can access. Each process has its own virtual address space, which allows it to access its own memory without interfering with the memory of other processes. The virtual address space is divided into pages, and each page is mapped to a physical address in physical memory or on disk.
Kernel-Level Rootkit
A kernel-level rootkit is a type of malware that operates at the kernel level of the operating system. Kernel-level rootkits are particularly dangerous, as they can hide their presence from traditional process monitoring tools. Kernel-level rootkits can be used by attackers to maintain persistent access to a compromised system.
Dynamic Link Libraries (DLL) Hijacking
DLL hijacking is a technique used by attackers to execute malicious code by hijacking a legitimate DLL used by a program. DLL hijacking works by placing a malicious DLL in a location that will be searched for by the program before the legitimate DLL. When the program loads the DLL, it will execute the malicious code instead of the legitimate code.
Process Hollowing
Process hollowing is a technique used by attackers to hide malicious code by replacing the memory of a legitimate process with their own code. Process hollowing works by starting a legitimate process and then replacing its memory with the attacker’s code. The attacker’s code will then execute in the context of the legitimate process, making it more difficult to detect.
Virtual Address Descriptors (VAD)
The Virtual Address Descriptors (VAD) is a data structure used by the operating system to track the virtual memory space of a process. The VAD tree is a hierarchical data structure that is used to manage the virtual memory space of a process. Each VAD describes a range of virtual memory pages and contains information about the protection and usage of the pages.
Effective Step-by-Step Memory Analysis Techniques
Using process timelining, high-low level analysis, and walking the VAD tree are essential for identifying and investigating sophisticated attacks that rely on in-memory execution or rootkit-like capabilities to evade detection.
Process Timelining
Process timelining is a powerful technique that can help us identify suspicious activity on a system by analyzing the timeline of processes that have executed. In this section, we will dive deeper into the technical details of process timelining and explore some of the advanced techniques that can be used to uncover hidden or malicious processes.
Process List vs. Process Timeline
Before we dive into the details of process timelining, it’s important to understand the difference between a process list and a process timeline. A process list is a static snapshot of the processes that are currently running on a system. A process timeline, on the other hand, is a chronological sequence of the processes that have executed on a system over a period of time.
Process timelining involves analyzing the process timeline to identify any processes that are unusual or suspicious. By analyzing the timeline, we can identify processes that may have been hidden or terminated, as well as processes that may have executed with unusual arguments or in unusual contexts.
Process Timelining Techniques
There are several techniques that can be used to create a process timeline, each with its own advantages and limitations. Some of the most commonly used process timelining techniques include:
Pslist and Pstree
One of the most basic process timelining techniques is to use the pslist plugin to list all running processes and the pstree plugin to generate a tree of the parent-child relationships between the processes. By analyzing the output of these plugins, we can identify any processes that are unusual or suspicious.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 pslist $ volatility -f memory_dump.raw --profile=Win7SP1x64 pstreePsscan and Psxview
Another process timelining technique is to use the psscan plugin to scan the memory dump for process structures and the psxview plugin to analyze the process list in greater detail. By analyzing the output of these plugins, we can identify any hidden or terminated processes.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 psscan $ volatility -f memory_dump.raw --profile=Win7SP1x64 psxviewTimeline and Mactime
A more advanced process timelining technique is to use the timeline plugin to generate a timeline of the processes that have executed on the system and the mactime tool to visualize the timeline. By analyzing the timeline, we can identify any processes that are unusual or suspicious.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 timeline > timeline.txt $ mactime -b timeline.txt -d -z local > timeline.csv
Analyzing the Timeline
Once we have generated a process timeline, the next step is to analyze the output and identify any suspicious activity. Some of the key things to look for when analyzing the timeline include:
Unusual Process Arguments
Processes that are executed with unusual arguments or in unusual contexts may be indicative of malicious activity. For example, a process that is executed with the “
-elevate” argument may be attempting to bypass User Account Control (UAC) protections.Processes with Short Execution Times
Processes that are executed and terminated quickly may be indicative of malicious activity. For example, a process that is executed and terminated in under a second may be attempting to evade detection by traditional process monitoring tools.
Processes with Unusual Names or Locations
Processes that have unusual names or locations may be indicative of malicious activity. For example, a process with a name that is similar to a legitimate process, but located in an unusual directory, may be attempting to masquerade as a legitimate process.
Unusual Parent Processes
Processes that are spawned from unusual parent processes may be indicative of malicious activity. For example, a process that is spawned from a system process such as
svchost.exemay be attempting to blend in with legitimate system activity.Processes with Unusual Network Activity
Processes that establish unusual network connections or transfer unusual amounts of data may be indicative of malicious activity. For example, a process that establishes a connection to a known Command and Control (C2) server may be part of a botnet.
By analyzing the timeline and looking for these indicators of malicious activity, we can identify processes that are unusual or suspicious and investigate them further.
High-Low Level Analysis
High-low level analysis is a powerful technique that involves analyzing both high-level and low-level data to identify suspicious activity on a system. In this section, we will dive deeper into the technical details of high-low level analysis and explore some of the advanced techniques that can be used to uncover hidden or malicious activity.
High-Level Data
High-level data includes information such as network connections, running processes, and loaded modules. This information can be collected using tools such as Volatility or Rekall, which can analyze memory dumps and provide a snapshot of the system at the time the memory dump was taken.
To analyze high-level data, we can use Volatility’s netstat plugin to list all network connections and identify any suspicious connections.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 netstat
We can also use Volatility’s pslist plugin to list all running processes and identify any suspicious processes.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 pslist
Finally, we can use Volatility’s dlllist plugin to list all loaded modules and identify any suspicious modules.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 dlllist
Low-Level Data
Low-level data includes information such as process memory, file system activity, and registry activity. This information can be collected using tools such as Volatility or Rekall, as well as file system forensics tools such as Autopsy or The Sleuth Kit.
To analyze low-level data, we can use Volatility’s memdump plugin to dump the memory of a specific process and analyze it using a disassembler such as IDA Pro or Radare2.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 memdump -p <pid> -D dump_dir/
We can also use Volatility’s filescan plugin to search the memory dump for file system structures and identify any suspicious activity.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 filescan
Finally, we can use Volatility’s printkey plugin to list all registry keys that are present in the memory dump and identify any suspicious keys.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 printkey
Combining High-Low Level Analysis
By combining high-level and low-level analysis, we can identify suspicious activity that may be hidden from traditional process monitoring tools. For example, an attacker may use a rootkit to hide a malicious process from the process list, but this process may still be present in the memory dump and can be identified using low-level analysis.
Likewise, an attacker may use process hollowing to inject malicious code into a legitimate process, but this activity may be identified using high-level analysis by looking for unusual network connections or file system activity.
Walking the VAD Tree
Walking the Virtual Address Descriptors (VAD) tree is a powerful technique that can help us identify suspicious activity on a system by analyzing the memory allocation of processes. In this section, we will dive deeper into the technical details of walking the VAD tree and explore some of the advanced techniques that can be used to uncover hidden or malicious activity.
Virtual Address Descriptors (VAD)
A Virtual Address Descriptor (VAD) is a data structure that is used by the Windows operating system to manage the memory allocation of processes. Each process has its own VAD tree, which is a hierarchical structure that represents the memory space of the process.
By analyzing the VAD tree of a process, we can identify the memory regions that have been allocated by the process and the characteristics of each region, such as its protection level (read, write, execute) and its backing file on disk.
Walking the VAD Tree
To walk the VAD tree of a process, we can use Volatility’s vadtree plugin. This plugin takes a process ID (PID) as input and generates a hierarchical representation of the VAD tree for the process.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 vadtree -p <pid>
The output of the vadtree plugin shows the VAD tree of the specified process, with each node representing a memory region that has been allocated by the process. The output also shows the protection level of each region and the backing file on disk, if one exists.
Analyzing the VAD Tree
Once we have generated the VAD tree of a process, the next step is to analyze the output and identify any suspicious activity. Some of the key things to look for when analyzing the VAD tree include:
Unusual Memory Regions
Memory regions that have unusual protection levels or are not backed by a file on disk may be indicative of malicious activity. For example, a memory region that is marked as executable and writable may be used by an attacker to inject malicious code into a process.
Memory Regions with Unusual Names
Memory regions that have unusual names may be indicative of malicious activity. For example, a memory region that is named “hollowed” may be part of a process hollowing attack.
Memory Regions with Unusual Sizes
Memory regions that have unusual sizes may be indicative of malicious activity. For example, a memory region that is much larger than it needs to be may be used by an attacker to store stolen data.
Unusual Backing Files
Memory regions that are backed by unusual files may be indicative of malicious activity. For example, a memory region that is backed by a file that is not normally used by the process may be part of a fileless malware attack.
By analyzing the VAD tree and looking for these indicators of malicious activity, we can identify memory regions that are unusual or suspicious and investigate them further.
How to Find Malice in Memory
Detecting malice in memory can be a challenging task, especially for advanced attackers who may use sophisticated techniques to hide their presence on a system. In this section, we will explore some of the techniques that can be used to identify malicious activity in memory, including detecting rogue, hidden, and injected processes, kernel-level rootkits, Dynamic Link Libraries (DLL) hijacking, process hollowing, and sophisticated persistence mechanisms.
Detecting Rogue, Hidden, and Injected Processes
One of the most common techniques used by attackers to hide their presence on a system is to inject malicious code into a legitimate process, creating what is known as a process injection attack. This technique can be used to bypass traditional process monitoring tools and evade detection.
To detect rogue, hidden, and injected processes, we can use Volatility’s psscan plugin to scan the memory dump for process structures and identify any suspicious activity.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 psscan
By analyzing the output of the psscan plugin, we can identify any hidden or terminated processes, as well as processes that may have been injected with malicious code.
Detecting Kernel-Level Rootkits
Kernel-level rootkits are a type of malware that operate at the kernel level of the operating system, allowing them to hide their presence and evade detection by traditional process monitoring tools. These rootkits can be extremely difficult to detect and remove.
To detect kernel-level rootkits, we can use Volatility’s ldrmodules plugin to list all loaded modules and identify any suspicious modules.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 ldrmodules
By analyzing the output of the ldrmodules plugin, we can identify any modules that are not signed or are otherwise suspicious. We can also use the malfind plugin to search for known signatures of rootkits.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 malfind
Detecting DLL Hijacking
Dynamic Link Libraries (DLL) hijacking is a technique used by attackers to replace legitimate DLL files with malicious versions. These malicious DLL files can be used to execute arbitrary code and evade detection.
To detect DLL hijacking, we can use Volatility’s dlllist plugin to list all loaded DLL files and identify any suspicious DLL files.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 dlllist
By analyzing the output of the dlllist plugin, we can identify any DLL files that are not signed or are otherwise suspicious.
Detecting Process Hollowing
Process hollowing is a technique used by attackers to create a new process by hollowing out an existing, legitimate process and replacing its code with malicious code. This technique can be used to bypass traditional process monitoring tools and evade detection.
To detect process hollowing, we can use Volatility’s malfind plugin to search for known signatures of process hollowing.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 malfind
By analyzing the output of the malfind plugin, we can identify any memory regions that have been hollowed out and replaced with malicious code.
Detecting Sophisticated Persistence Mechanisms
Sophisticated persistence mechanisms are techniques used by attackers to maintain their presence on a system even after it has been rebooted or reimaged. These persistence mechanisms can be extremely difficult to detect and remove.
To detect sophisticated persistence mechanisms, we can use Volatility’s hivelist plugin to list all registry hives and identify any suspicious hives.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 hivelist
By analyzing the output of the hivelist plugin, we can identify any hives that are not part of the standard Windows configuration or are otherwise suspicious.
We can also use Volatility’s svcscan plugin to list all Windows services and identify any suspicious services.
$ volatility -f memory_dump.raw --profile=Win7SP1x64 svcscan
By analyzing the output of the svcscan plugin, we can identify any services that are not part of the standard Windows configuration or are otherwise suspicious.
Conclusion
Advanced memory analysis techniques are essential for identifying and investigating sophisticated attacks that rely on in-memory execution or rootkit-like capabilities to evade detection. By using process timelining, high-low level analysis, and walking the VAD tree, we can identify suspicious activity that may be hidden from traditional process monitoring tools. By detecting rogue, hidden, and injected processes, kernel-level rootkits, DLL hijacking, process hollowing, and sophisticated persistence mechanisms, we can find evil in memory and protect our systems from advanced attacks.
In this article, we have covered some of the most important advanced memory analysis techniques used by security professionals and hackers alike. While this is just the tip of the iceberg, we hope that it will help you gain a better understanding of how to investigate and analyze memory-related security incidents.
When it comes to memory forensics, the most important thing is to be thorough and methodical in your analysis. Don’t be afraid to dig deep into the memory dump, and use as many different tools and techniques as possible to uncover suspicious activity.
Remember, attackers are constantly evolving their tactics and techniques, so it’s important to stay up-to-date with the latest tools and trends in the industry. With the right skills and knowledge, you can stay one step ahead of the bad guys and keep your systems secure.