Memory Forensics
- Abhilasha
- Jul 14, 2024
Memory forensics is the process of analyzing and investigating data stored in the memory (RAM) of a computer system. This can be crucial for understanding how an attack occurred and what actions were performed by the attacker. Memory forensics is divided into the analysis of volatile and non-volatile memory.
Volatile Memory
Volatile memory refers to storage that is temporarily used and requires power to maintain the stored information. Examples include:
RAM (Random Access Memory)
Cache
Buffer
Registers
Non-Volatile Memory
Non-volatile memory refers to storage that retains information even when the power is turned off. Examples include:
Hard Disk
SD Card
Memory Card
RAM Forensics
Importance of RAM Forensics
RAM forensics focuses on analyzing the data stored in RAM, which is crucial as it holds information on active processes, open network connections, cached data, and more. Since RAM is volatile, this data can be lost when the power is turned off, making timely acquisition and analysis essential.
RAM Artifacts
RAM can contain various types of data, including:
Current and terminated processes
Open TCP/UDP ports and raw sockets
Active connections
Executable files, shared objects (modules/drivers), and DLLs
Caches, web addresses, typed commands, and passwords
Clipboards and hidden data
Acquisition Tools
Tools used for acquiring RAM images include:
Belkasoft Live RAM Capture
FTK Imager
Lime (Linux Memory Extractor)
Analysis Tools
Tools used for analyzing RAM images include:
Volatility
Autopsy
Rekall
Volatility Framework
Overview
The Volatility Framework is an open-source collection of tools for extracting digital artifacts from RAM samples. Implemented in Python, it supports memory analysis for various operating systems, including Windows, Linux, Mac, and Android.
Key Features
Multi-OS Support: Analyzes memory from 32- and 64-bit Windows, Linux, and Mac systems.
Open Source: The source code is available under GPLv2, allowing for community contributions and extensions.
Python-Based: Leverages Python’s extensive libraries for forensics and reverse engineering.
Cross-Platform: Runs on any system where Python can be installed.
Extensible API: Offers a scriptable interface for advanced memory analysis.
Comprehensive File Format Coverage: Supports raw dumps, crash dumps, hibernation files, and more.
Efficient Algorithms: Optimized for fast analysis of large memory dumps.
Community and Use Cases
Volatility has a robust community involving contributors from commercial companies, law enforcement, and academic institutions. It's used for forensics, incident response, and malware analysis, and is supported by organizations like Google, National DoD Laboratories, and many security firms.
Limitations
Not a Memory Acquisition Tool: Volatility does not capture memory from target systems.
No GUI: It operates as a command-line tool and Python library without a graphical user interface.
Potential Bugs: Given the complexity of supporting multiple OS versions and third-party software, occasional bugs may arise.
Demonstration Commands
Basic Commands
imageinfo: Identifies the OS, service pack, and hardware architecture.
    $ python vol.py -f sample.vmem imageinfo
pslist: Lists running processes.
    $ python vol.py -f sample.vmem --profile=Win7SP0x64 pslist
pstree: Displays processes in a tree format.
    $ python vol.py -f sample.vmem --profile=Win7SP0x64 pstree
psscan: Finds terminated and hidden processes.
    $ python vol.py --profile=Win7SP0x86 -f sample.vmem psscan
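The value of running psscan next to pslist is the cross-view check: a process block that psscan carves out of memory but pslist does not report is either a terminated process (exit time present) or a live process that is missing from the active-process list, which deserves a closer look as a possibly hidden process. The script below is an added illustration, not code from the original post or from the Volatility project; it parses constructed sample output laid out like Volatility 2's pslist and psscan tables (all offsets, PIDs and process names are invented) and sorts the psscan-only entries into those two categories.

```python
import re
# Constructed sample output laid out like Volatility 2's pslist and psscan
# tables (invented PIDs and names, not evidence from a real image).
PSLIST = """\
Offset(V)          Name          PID   PPID   Thds  Hnds   Sess  Wow64 Start
------------------ ------------ ----- ------ ----- ------ ------ ----- ------------------------------
0xfffffa8001234560 System           4      0    84    512 ------     0 2024-07-14 09:58:01 UTC+0000
0xfffffa8001a2b3c0 explorer.exe  1448   1420    31    901      1     0 2024-07-14 09:59:12 UTC+0000
0xfffffa8001c4d5e0 notepad.exe   2804   1448     2     60      1     0 2024-07-14 10:02:11 UTC+0000
"""
PSSCAN = """\
Offset(P)          Name          PID   PPID PDB        Time created                 Time exited
------------------ ------------ ----- ----- ---------- ---------------------------- ----------------------------
0x000000003e234560 System           4     0 0x00187000 2024-07-14 09:58:01 UTC+0000
0x000000003ea2b3c0 explorer.exe  1448  1420 0x1c4a8000 2024-07-14 09:59:12 UTC+0000
0x000000003ec4d5e0 notepad.exe   2804  1448 0x2f103000 2024-07-14 10:02:11 UTC+0000
0x000000003ed6e7f0 cmd.exe       3012  1448 0x31a22000 2024-07-14 10:03:40 UTC+0000 2024-07-14 10:04:02 UTC+0000
0x000000003ef8a9b0 updater.exe   3120   612 0x33b77000 2024-07-14 10:05:30 UTC+0000
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+"          # "2024-07-14 10:02:11 UTC+0000"
PSLIST_ROW = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s")
PSSCAN_ROW = re.compile(
    rf"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)\s+0x[0-9a-f]+\s+({TS})(?:\s+({TS}))?\s*$")

def parse_pslist(text):
    """PID -> name for every process on the kernel's active-process list."""
    return {int(m.group(2)): m.group(1)
            for m in map(PSLIST_ROW.match, text.splitlines()) if m}

def parse_psscan(text):
    """PID -> (name, has_exit_time) for every process block psscan carved."""
    return {int(m.group(2)): (m.group(1), m.group(5) is not None)
            for m in map(PSSCAN_ROW.match, text.splitlines()) if m}

def cross_view(pslist_text, psscan_text):
    """Split psscan-only PIDs into terminated (exit time set) and hidden
    (no exit time: still running but absent from the active-process list)."""
    listed = parse_pslist(pslist_text)
    terminated, hidden = {}, {}
    for pid, (name, exited) in parse_psscan(psscan_text).items():
        if pid not in listed:
            (terminated if exited else hidden)[pid] = name
    return terminated, hidden

if __name__ == "__main__":
    term, hid = cross_view(PSLIST, PSSCAN)
    print("terminated:", term)   # {3012: 'cmd.exe'}
    print("hidden:    ", hid)    # {3120: 'updater.exe'}
```

On a real image, feed the saved text output of the two commands above into cross_view; a "hidden" hit is a lead to verify with pstree, dlllist and handles rather than a verdict on its own.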
DLL and Handle Analysis
dlllist: Lists loaded DLLs.
    $ python vol.py --profile=Win7SP0x86 -f sample.vmem dlllist
dlldump: Dumps DLLs to disk.
    $ python vol.py --profile=Win7SP0x86 -f sample.vmem dlldump -D dlls/
handles: Displays open handles.
    $ python vol.py --profile=Win7SP0x86 -f sample.vmem handles
Command and Console Analysis
Network Analysis
connections: Views active TCP connections (for specific Windows versions).
    $ python vol.py -f sample.vmem --profile=Win2K3SP0x64 connections
connscan: Finds artifacts from previous connections.
    $ python vol.py -f sample.vmem --profile=Win2K3SP0x64 connscan
sockets: Detects listening sockets.
    $ python vol.py -f sample.vmem --profile=Win2K3SP0x64 sockets
netscan: Scans for network artifacts in newer Windows versions.
    $ python vol.py -f sample.vmem --profile=Win7SP0x64 netscan