Windows Forensic Investigation (3- Memory Analysis)
Prerequisites
We have already covered two essential steps of the Windows forensics procedure, volatile and non-volatile data acquisition, so read those first before moving on to the steps below.
Definition
Once the previous two phases are complete, the forensic process continues with memory analysis.
Memory analysis is a crucial part of a Windows forensic investigation. It starts from a dump of physical memory (RAM), and by examining that dump investigators can uncover rootkits, find hidden objects, and detect anomalous processes, among other things.
1. Windows Crash Dump
A Windows crash dump file holds the contents of the computer's memory at the moment of a crash (bug check). It is used to diagnose and pinpoint the fault that brought the system down, and it records the stop code and its parameters, the list of loaded drivers, and the processor context at the time of the stop.
There are 4 types of memory dumps:
- Automatic memory dump
- Complete memory dump
- Kernel memory dump
- Small memory dump
To configure the memory dump setting, follow these steps:
- In Control Panel, select System and Security > System.
- Select Advanced system settings, and then select the Advanced tab.
- In the Startup and Recovery area, select Settings, and choose the dump type under Write debugging information.
By default the automatic, kernel and complete dumps are written to %SystemRoot%\MEMORY.DMP (C:\Windows\MEMORY.DMP on a standard install); small memory dumps go to %SystemRoot%\Minidump instead. The same settings live in the registry under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl (values CrashDumpEnabled and DumpFile), which is where to look when auditing a machine you cannot log on to interactively.
· NotMyFault.exe [/crash] (Sysinternals)
to deliberately crash a test machine and generate a memory dump file
· DumpChk (Microsoft, Debugging Tools for Windows)
to verify that a dump file is valid and readable, and print its basic header information, before loading it in a debugger
2. Collecting Process Memory
If the crash dump does not reveal anything useful, collect the memory of the individual suspect processes (from the live system, or from a RAM dump) with tools such as:
· Task Manager (Microsoft)
· Process Dumper (github)
to dump the entire process space alongside metadata and the process environment to the console; it redirects the output to a file or a socket
· Userdump.exe (Microsoft)
to dump a process without attaching a debugger and without terminating or otherwise affecting the process
· BinText (McAfee)
to extract ASCII, Unicode and resource strings from a dump or binary
· listdlls (Sysinternals)
to list the DLLs loaded into each process, with their paths and versions
· handle (Sysinternals)
to list the handles (files, registry keys, mutexes, ...) each process holds open
Once the dumps are collected, analyze them with debugging tools such as WinDbg (Debugging Tools for Windows).
3. RAM Acquisition
• RAM Capturer (Belkasoft)
• FTK Imager (AccessData)
• dd utility (gnu.org)
to extract the entire contents of the computer's volatile memory. Note that GNU dd alone cannot read physical memory on a modern Windows host (user-mode access to \\.\PhysicalMemory was removed in Windows Server 2003 SP1 and later), so a kernel-driver-backed imager such as the first two tools is needed.
You can read the Medium article linked from this post for more details.
PS: hash the acquired image (for example MD5 and SHA-256) at acquisition time and verify the hashes before every analysis step, so any later modification of the evidence is detectable.
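A small worked example of that hash step, added here and not part of the original post: it records MD5 and SHA-256 digests of an acquired image in a sidecar file, verifies them later, and shows that a single changed byte is caught. The image contents and temporary file names are constructed for the demo; in practice point write_sidecar and verify_sidecar at the real .raw or .mem file.

```python
"""Integrity check for an acquired RAM image.

Added example, not part of the original post. The image bytes and the
temporary file names below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024                 # hash 1 MiB at a time; real images are many GiB
ALGORITHMS = ("md5", "sha256")      # record both: MD5 for legacy tooling, SHA-256 for strength


def _digest(chunks, algorithms):
    """Feed every chunk to every hasher in a single pass and return {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=ALGORITHMS):
    """Digests of a file on disk, streamed so the whole image is never loaded into memory."""
    with open(path, "rb") as f:
        return _digest(iter(lambda: f.read(CHUNK), b""), algorithms)


def hash_bytes(data, algorithms=ALGORITHMS):
    """Same digests for an in-memory buffer (handy for spot checks)."""
    return _digest([data], algorithms)


def write_sidecar(image_path):
    """Record the digests in image.raw.hashes (sha256sum-style lines) and return its path."""
    sidecar = image_path + ".hashes"
    with open(sidecar, "w") as f:
        for name, hexdigest in hash_file(image_path).items():
            f.write(f"{name}  {hexdigest}  {os.path.basename(image_path)}\n")
    return sidecar


def verify_sidecar(image_path):
    """Recompute the digests and compare with the sidecar.

    Returns (ok, mismatched) where mismatched lists the algorithms that differ.
    """
    recorded = {}
    with open(image_path + ".hashes") as f:
        for line in f:
            name, hexdigest, _filename = line.split()
            recorded[name] = hexdigest
    current = hash_file(image_path, algorithms=tuple(recorded))
    mismatched = sorted(name for name in recorded if recorded[name] != current[name])
    return (not mismatched, mismatched)


def demo():
    """Acquire (constructed image), record, verify; then corrupt one byte and verify again."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "memory.raw")
    with open(image, "wb") as f:
        f.write(b"MZ" + os.urandom(4096))   # constructed stand-in for a RAM dump
    write_sidecar(image)
    clean = verify_sidecar(image)
    with open(image, "r+b") as f:            # flip one byte, as a faulty copy might
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0xFF]))
    tampered = verify_sidecar(image)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean image verified:", clean)        # (True, [])
    print("tampered image verified:", tampered)  # (False, ['md5', 'sha256'])
```

Keep the sidecar (or a copy of it) with the chain-of-custody paperwork, not only next to the image: a sidecar that travels with the evidence file can be rewritten by whoever rewrites the image.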
4. Memory Forensics: Malware Analysis
• Redline (FireEye)
Redline is a powerful free tool for finding malicious activity through memory and file analysis; it helps investigators establish the timeline and scope of an incident
• Volatility and its malfind plugin (Volatility Foundation)
to analyze RAM contents and retrieve information such as running processes and their loaded executables and DLLs, network connections and open ports, IP addresses, and logged-on users
The malfind plugin looks for memory regions in user-mode processes that are executable and writable but not backed by a file on disk, which is the typical footprint of injected code or DLLs; hidden processes themselves are found by cross-checking the process-listing plugins against each other
PS: we will try to provide labs for both tools soon!
5. Virtual Memory Acquisition
Virtual memory is the address space the operating system gives each process; it is backed partly by RAM and partly by files on disk, so pages that were once in memory can survive on disk after the machine is powered off. On Windows the disk-backed pieces of interest to an investigator are:
hiberfil.sys: a compressed copy of physical memory written when the system hibernates
pagefile.sys: pages moved out of RAM to disk when physical memory runs short
swapfile.sys: the paging file used for suspended Modern/UWP applications (Windows 8 and later)
• FTK Imager (AccessData)
FTK Imager can open the physical drive as an evidence item, browse the file system and export these files, which Windows keeps locked while it is running, for offline analysis
• strings [options] file (gnu.org)
to pull human-readable text out of binary files
Strings Examples
strings pagefile.sys | grep -iE '^[a-z]:\\' | sort -u | less
To list the file system paths (drive letter followed by a backslash) present in the evidence file
strings pagefile.sys | grep -E '^https?://' | sort -u | less
To extract the URLs recorded in the evidence file
strings pagefile.sys | grep -Eo '[[:alnum:]_.%+-]{1,64}@[[:alnum:]_.-]{2,255}\.[[:alpha:]]{2,}' | sort -u
To list the e-mail addresses in the evidence file
Two caveats: Windows stores most strings as UTF-16LE, which GNU strings only finds with the -e l option, so run each pipeline once for ASCII and once with -e l; and hiberfil.sys is compressed on disk, so expect little from strings unless it is decompressed first.
See you next time!