AoC 2022 Day 11: Memory Forensics – Not all gifts are nice

What is Memory Forensics?

Memory forensics is the analysis of a computer's volatile memory: the data that is live while the machine is powered on. Computers use Random Access Memory (RAM) to hold whatever they are currently working on. Because RAM is far faster than disk, it is where running programs and their data live while they are in use, but unlike hard disks and other storage devices it has a key limitation: its contents are lost when the computer is turned off, which is why this data is called volatile. Things like your clipboard contents or an unsaved document exist only in RAM.

We can analyse a computer's memory to see what applications (processes) were running, what network connections were being made, and many other useful pieces of information. For example, we can analyse the memory of a computer infected with malware to see what the malware was doing at the time.

Let's think about cooking. You normally store all of your food in the fridge; a hard drive is that fridge. When you are cooking, you put ingredients out on the kitchen counter so that you can reach them quickly, but the kitchen counter (RAM) is much smaller than the fridge (hard drive).

Why is Memory Forensics Useful?


Memory forensics is a crucial part of examining a computer. A memory dump is a complete record of what was happening on the machine at that moment, such as its network connections and the programs running in the background. Malware usually tries to hide from the user, but it has to be loaded into memory to run, so it cannot hide from a memory capture.

We can keep this capture of the memory for analysis at a later date, which matters because the memory on the computer will eventually be lost (if, for example, we power off the computer to stop malware from spreading). By analysing the memory, we can discover exactly what the malware was doing, who it was contacting, and so forth.

An Introduction to Processes

A process is essentially just a running program. For instance, launching Notepad creates a process. One application can have several processes (for example, running three instances of Notepad creates three processes). Knowing this is crucial because it lets us identify the programs that were active at the time of the capture by identifying the processes that were active on the computer.

On Windows, we can use Task Manager (pictured below) to view and manage the processes running on the computer.

Windows Task Manager

On a computer, processes are usually categorised into two groups:

User process
  Programs that the user has launched, such as text editors and web browsers.
  Example: notepad.exe, a text editor started by the user.

Background process
  Launched and managed automatically by the operating system, and often essential for it to behave correctly.
  Example: dwm.exe (Desktop Window Manager), an essential Windows process responsible for drawing application windows on screen.

Introducing Volatility

Volatility is an open-source, Python-based memory forensics toolkit. It is one of the most widely used tools in memory forensics and lets us analyse memory dumps taken from Windows, Linux and macOS systems. For example, Volatility allows us to:

  • List all processes that were running on the device at the time of the capture
  • List active and closed network connections
  • Use Yara rules to search for indicators of malware
  • Retrieve hashed passwords, clipboard contents, and command-prompt history
  • And much, much more!


Using Volatility to Analyse an Image

Before proceeding with our analysis, we need to confirm the operating system of the device that the memory was captured from. This matters because it determines which plugins we can use in our investigation.

First, let's run the windows.info plugin against the memory dump to determine the operating system (in the older Volatility 2 this step was the imageinfo plugin; Volatility 3 names its plugins with an OS prefix). Pass the memory dump with the -f option:

python3 vol.py -f workstation.vmem windows.info

If the dump really is a Windows capture, the output includes the kernel version and build, which tells us which windows.* plugins apply.

Note: This can sometimes take a couple of minutes, depending on the size of the memory dump and the hardware of the system running the scan. 

~ Source: Tryhackme.
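Once windows.info has confirmed a Windows image, the next step in practice is to list the processes (the windows.pslist plugin) and check them against the user/background split described above. The script below is an added example for this write-up, not TryHackMe's or Volatility's own code: it parses a windows.pslist listing, rebuilds the parent/child tree, and flags processes whose parent has gone missing or does not match the usual Windows baseline. The sample listing is constructed by hand in the tab-separated layout the Volatility 3 text renderer prints (PIDs, offsets and times are made up), and the expected-parent table is the standard "know normal" baseline for Windows 8 and later.

```python
"""Triage a Volatility 3 windows.pslist listing: rebuild the process tree and
flag parents that do not match the usual Windows baseline.

Added example for this write-up; not TryHackMe's or Volatility's code. The
sample listing is constructed, and the expected-parent table is the standard
"know normal" baseline for Windows 8 and later.
"""
from collections import defaultdict


def _row(pid, ppid, name, created="2022-11-14 15:33:26.000000"):
    """Build one constructed pslist row; the columns we do not use get filler."""
    return f"{pid}\t{ppid}\t{name}\t0x0\t4\t100\t1\tFalse\t{created}\tN/A\tDisabled"


# Constructed sample output (banner, blank line, tab-separated header, rows).
# The svchost.exe under notepad.exe (PID 2288) is the planted anomaly.
SAMPLE_PSLIST = "\n".join([
    "Volatility 3 Framework 2.4.1",
    "",
    "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64"
    "\tCreateTime\tExitTime\tFile output",
    _row(4, 0, "System"),
    _row(268, 4, "smss.exe"),
    _row(400, 392, "wininit.exe"),     # its smss.exe parent has already exited
    _row(420, 392, "winlogon.exe"),    # likewise
    _row(496, 400, "services.exe"),
    _row(504, 400, "lsass.exe"),
    _row(628, 496, "svchost.exe"),
    _row(700, 496, "svchost.exe"),
    _row(820, 420, "dwm.exe"),
    _row(1532, 1480, "explorer.exe"),  # userinit.exe exits after launching it
    _row(2100, 1532, "notepad.exe"),
    _row(2288, 2100, "svchost.exe"),   # svchost.exe should never come from notepad
    _row(2400, 1532, "cmd.exe"),
])

# Parent each core process should have on a healthy Windows 8+ host. dwm.exe
# moved under winlogon.exe in Windows 8 (Windows 7 starts it from a service
# host), so adjust the table to the build that windows.info reports.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "dwm.exe": "winlogon.exe",
}


def parse_pslist(text):
    """Return one dict per process from windows.pslist text output."""
    lines = text.splitlines()
    header = next(i for i, ln in enumerate(lines) if ln.startswith("PID\t"))
    columns = lines[header].split("\t")
    procs = []
    for ln in lines[header + 1:]:
        if not ln.strip():
            continue
        fields = dict(zip(columns, ln.split("\t")))
        procs.append({
            "pid": int(fields["PID"]),
            "ppid": int(fields["PPID"]),
            "name": fields["ImageFileName"],
            "created": fields["CreateTime"],
        })
    return procs


def find_orphans(procs):
    """Processes whose parent is no longer in the listing (exited, or PID reuse)."""
    pids = {p["pid"] for p in procs}
    return [p for p in procs if p["ppid"] != 0 and p["ppid"] not in pids]


def find_unexpected_parents(procs, baseline=EXPECTED_PARENT):
    """Core Windows processes whose actual parent differs from the baseline."""
    by_pid = {p["pid"]: p for p in procs}
    hits = []
    for p in procs:
        expected = baseline.get(p["name"].lower())
        if expected is None:
            continue
        parent = by_pid.get(p["ppid"])
        actual = parent["name"] if parent else "<exited>"
        if actual.lower() != expected.lower():
            hits.append((p["name"], p["pid"], actual))
    return hits


def render_tree(procs):
    """Indented parent/child view (like windows.pstree) as a list of lines."""
    pids = {p["pid"] for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p["ppid"]].append(p)
    lines = []

    def walk(p, depth):
        lines.append(f"{'  ' * depth}{p['name']} ({p['pid']})")
        for child in sorted(children[p["pid"]], key=lambda c: c["pid"]):
            walk(child, depth + 1)

    for root in sorted((p for p in procs if p["ppid"] not in pids), key=lambda r: r["pid"]):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("\n".join(render_tree(procs)))
    for p in find_orphans(procs):
        print(f"orphan: {p['name']} ({p['pid']}) parent PID {p['ppid']} not in listing")
    for name, pid, actual in find_unexpected_parents(procs):
        print(f"unexpected parent: {name} ({pid}) started by {actual}")
```

To run it against a real capture, save the plugin output first (python3 vol.py -f workstation.vmem windows.pslist > pslist.txt) and feed the file's contents to parse_pslist. Orphans are not automatically suspicious (explorer.exe, wininit.exe and winlogon.exe always lose their parent), which is why the baseline check only covers processes whose parent should still be alive; a svchost.exe started by anything other than services.exe is the kind of finding worth pivoting on with the network and command-line plugins listed above.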

Challenge Solution